Full Report
There are various approaches to managing vulnerabilities on cloud workloads, and knowing which vulnerability scan method to use is critical to your success. However, there isn’t a universally correct choice. How can you identify the best approach for you?

While network-based, agent-based, and agentless vulnerability scans all identify vulnerabilities, there are tradeoffs, and the ideal approach depends on your specific use case, requirements and constraints. This blog explores the different methods and discusses their application to virtual machines and containerized workloads.

## Cloud vulnerability management overview

*(Tenable Cloud Security: Vulnerability management dashboard widgets)*

Cloud vulnerability management focuses on scanning the base operating systems, such as Linux and Windows, and other software installed on cloud instances to identify vulnerabilities. Although vulnerability management has been done for decades, your public cloud workloads may benefit from a different approach.

Traditional scan methods like network scans and agent installations, such as Tenable’s Nessus Agents, may be viable options for long-lived virtual machines in some public cloud environments. However, these methods are not ideal for short-lived virtual machines and containerized workloads. It all comes down to understanding the best approach for acquiring vulnerability data for a given use case.

## Scanning public cloud virtual machines

You may have public-cloud virtual machines that closely resemble on-premises virtual machines in their deployment method, configuration and lifespan. Conversely, you may have virtual machines that have more cloud-native characteristics. Many organizations have both. This is often determined by where that deployment is on the cloud security maturity journey.

Choosing the best vulnerability scanning method for your public-cloud virtual-machine use case will depend on factors like the lifespan, size and accessibility of the virtual machine.

*(Tenable Cloud Security: Virtual machines with vulnerabilities)*

### Network-based scanning

Network-based scanning entails deploying a separate scanner virtual machine within each virtual private cloud or virtual network, thereby ensuring isolation while providing necessary access. Administrative credentials are necessary for comprehensive results; otherwise, scans are limited to external views, such as those provided by open ports, service versions and operating system versions. This approach is suitable for public-cloud virtual machines with OS-level administrative credentials and network accessibility such that the scanner can reach targets on all ports and protocols. Each network scanner is typically deployed as a large, long-lived virtual machine. These scanner virtual machines add to a customer’s cloud operational costs.

**Advantages:**
- The most comprehensive scan type when administrative credentials are provided
- No agents to deploy
- Supports devices that can’t be scanned with agents, such as network devices
- Consistent scanning method for those also scanning on-premises workloads

**Considerations:**
- It requires administrative credentials for each scan target.
- Scanner virtual machines must be deployed in cloud accounts, usually per Virtual Private Cloud (VPC) / Virtual Network (VNET), which can be costly.
- Scans can impact scan target performance, though this can be tuned.
- Requires wide-open port and protocol access from the scanner to the scan targets.
- Targets must be running and available via IP address at scan time.
- Network-based scans are manually scheduled activities.

**Common use case:**
- Long-lived virtual machines with administrative access and network accessibility

### Agent-based scanning

Agent-based scanning involves installing agents, such as Nessus agents or cloud-provider agents, on each target virtual machine. Agents run within each cloud virtual machine and report findings only for the virtual machine on which they are running.

This approach is suitable for larger virtual machines where agents are permitted but OS credentials are not provided. Agents eliminate the need for hosting separate scanner virtual machines, thus reducing complexity and costs. Agents’ installation and configuration can usually be automated during the deployment of public-cloud virtual machines.

**Advantages:**
- No scanner virtual machines to deploy and maintain
- Reduced cost compared with deploying a scanner virtual machine per VPC/VNET
- No credential management required
- Microsegmented environments supported

**Considerations:**
- Agents are required on each workload and they must be managed.
- Agents require connectivity to an agent manager (usually outbound TCP:443).
- Targets must be running and available at scan time.
- They’re not ideal for ephemeral workloads.
- Agents cannot perform remote-only checks.
- There are minimum system requirements (2 CPU / 1 GB RAM).
- Agent-based scans are manually scheduled activities.

**Common use cases:**
- Long-lived virtual machines where OS-level credentials are not provided
- Virtual machines in highly segmented/microsegmented environments

### Agentless

Agentless scanning is a cloud-native approach leveraging the cloud service provider’s public APIs to gather information about virtual machines. This method entails creating cloud entitlements that permit access to authenticated cloud provider APIs. Agentless eliminates the need for network scanners and agents.

This approach is suitable for most public-cloud virtual machines, regardless of credential management or segmentation level. Agentless leverages APIs to connect to your virtual machines and to create a snapshot of their storage volumes. These volumes are then mounted to an ephemeral virtual machine that runs the vulnerability scan. It provides visibility into all virtual machines and their flaws without impacting running virtual machines. OS-level credentials and port accessibility are not necessary, which reduces operational overhead and increases scalability.

**Advantages:**
- Cloud-native and API-driven
- No scanners or agents to deploy and manage
- No credential management or port accessibility required
- Works with virtual machines of all sizes
- No impact on virtual machines
- Saves money by eliminating the need for scanner virtual machines
- Access granted via cloud entitlements
- Can be used on stopped virtual machines

**Considerations:**
- Agentless is typically a capability of cloud security tools, not traditional vulnerability management tools.
- Agentless results are typically CVE-based.
- Agentless usually does not provide the same level of detail as network-based or agent-based approaches.
- Agentless scans are automatically performed, usually once daily.

**Common use cases:**
- Virtual machines where OS-level credentials are not provided and agents are not permitted or desired
- Short-lived virtual machines

## Scanning public cloud containerized workloads

Containerized workloads are very different from virtual machines, and scanning them for vulnerabilities requires adapting to their ephemeral nature. Choosing the best vulnerability scanning method for your public cloud containerized workload use case will depend on factors like how the containers are orchestrated and your vulnerability management requirements.

*(Tenable Cloud Security: Containerized workloads with vulnerabilities)*

### Network-based scanning

Network-based scanning is usually not applicable to containerized workloads. Some vendors, including Tenable, detect if a scanned host is running Docker, but they do not scan the containers running on the Docker host for vulnerabilities.

### Kubernetes agent-based scanning

Agent-based scanning takes on a different meaning when referring to containerized workloads. Traditional vulnerability scanning agents are not well suited to running on a container due to the agent size, resource requirements, and network connectivity requirements. However, Docker containers are typically managed by a container orchestration platform such as Kubernetes. Kubernetes agent-based scanning provides deep visibility and real-time security by deploying a lightweight sensor on each Kubernetes workload via a Helm chart, making it ideal for continuously monitoring containerized workloads.

**Advantages:**
- No thick agent software to deploy or manage
- Deployed via Helm chart
- Works with cloud-managed Kubernetes (e.g., EKS, AKS, GKE) as well as self-managed Kubernetes and Red Hat OpenShift environments
- Kubernetes agent-based scans are automatically performed, usually hourly

**Considerations:**
- Kubernetes agent-based scanning is typically a capability of cloud security tools, not traditional vulnerability management tools.
- Kubernetes agent-based results are typically CVE-based.

**Common use cases:**
- Containerized workloads within a Kubernetes or Red Hat OpenShift container orchestration platform

### Agentless

Containerized workloads in public cloud environments are typically managed by a container orchestration platform such as Kubernetes. Kubernetes nodes, the hosts on which containers run, are virtual machines running in public-cloud environments. Therefore, the agentless method is the same as the one described earlier in the “Scanning public cloud virtual machines” section, with the added benefit of identifying the containers running on the Kubernetes nodes. This method will also identify the software bill of materials (SBOM) and the vulnerabilities associated with each container running on the Kubernetes node.

**Advantages:**
- Cloud-native and API-driven
- No scanners or agents to deploy and manage
- Supports cloud-managed Kubernetes nodes
- Access is granted via cloud entitlements
- Can be used on stopped Kubernetes nodes (virtual machines)

**Considerations:**
- Agentless is typically a capability of cloud security tools, not traditional vulnerability management tools.
- Agentless results are typically CVE-based.
- Agentless scans are less frequent than Kubernetes agent-based scans.

**Common use cases:**
- Containerized workloads within a cloud-managed Kubernetes container orchestration platform (e.g., EKS, AKS, GKE)

### A note about container images

Containers are the running instances of a container image. This blog is focused on public-cloud workloads, and container images are not workloads. However, it is worth noting that the images themselves can also be scanned. This is usually accomplished by scanning the container image within the CI/CD pipeline, and by integrating with a container image registry to scan all the container images stored within.

## Summary

Choosing the right vulnerability scanning method for public-cloud workloads is crucial and depends heavily on specific use cases and requirements. Each method offers unique advantages and considerations for both virtual machines and containerized workloads. It is essential to understand these differences and to align them with your workload lifespan, accessibility, and overall vulnerability management strategy. Tenable offers all these methods to help you identify, contextualize, prioritize and remediate vulnerabilities in any environment anywhere.
For more information on vulnerability management in the cloud watch the webinar “A Cyber Pro’s Guide to Cloud-Native Vulnerability Management: Start, Scale, and Secure with Confidence” and read the data sheet, “Vulnerability Management Built for Multi-Cloud Environments”.
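The agentless virtual-machine method described in the blog above (snapshot the storage volumes, mount the copies on an ephemeral scanner, scan, tear down), as an added Python example that is not from the original post or from any Tenable product. It runs against an in-memory stand-in for the cloud provider's API, so everything in it is constructed for the illustration: FakeCloud and its method names, the package inventories, the CVE feed, and the CVE-0000-* identifiers (placeholders, not real advisories).

```python
"""Agentless scan lifecycle, simulated in memory (added example, not Tenable code).
FakeCloud stands in for a provider SDK; the inventory, CVE feed and CVE IDs are
constructed placeholders, not real advisories."""
from dataclasses import dataclass, field


def version_key(v):
    """Make '1.1.1k' comparable: each dotted piece becomes (int, suffix)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


@dataclass
class Instance:
    state: str        # "running" or "stopped"; never changed by a scan
    volumes: dict     # volume_id -> {package name: installed version}


@dataclass
class FakeCloud:
    """Only the provider API calls an agentless scan needs (constructed)."""
    instances: dict
    snapshots: dict = field(default_factory=dict)  # snapshot_id -> package DB copy
    scanners: list = field(default_factory=list)   # ephemeral scanner VMs alive
    snapshot_quota: int = 10
    counter: int = 0

    def new_id(self, prefix):
        self.counter += 1
        return f"{prefix}-{self.counter:04d}"

    def create_snapshot(self, instance_id, volume_id):
        """Copy the volume as it is now; the instance itself is never touched."""
        if len(self.snapshots) >= self.snapshot_quota:
            raise RuntimeError("snapshot quota exceeded")
        snap_id = self.new_id("snap")
        self.snapshots[snap_id] = dict(self.instances[instance_id].volumes[volume_id])
        return snap_id

    def delete_snapshot(self, snap_id):
        self.snapshots.pop(snap_id, None)
    def launch_scanner(self):
        self.scanners.append(self.new_id("scanner"))
        return self.scanners[-1]
    def terminate_scanner(self, vm):
        self.scanners.remove(vm)

    def read_package_db(self, snap_id):
        """Mount the snapshot read-only on the scanner and read its package DB."""
        return self.snapshots[snap_id]


def match_cves(packages, cve_feed):
    """CVE-based matching: installed version older than the version that fixes it."""
    return [(name, installed, cve_id, fixed_in)
            for name, installed in packages.items()
            for cve_id, fixed_in in cve_feed.get(name, [])
            if version_key(installed) < version_key(fixed_in)]


def agentless_scan(cloud, instance_id, cve_feed):
    """Snapshot each volume, scan the copies on a throwaway scanner VM, and
    always remove the snapshots and the scanner afterwards."""
    inst = cloud.instances[instance_id]
    # No state check and no OS login: a stopped VM scans exactly like a running one.
    scanner = cloud.launch_scanner()
    snapshots, findings = [], []
    try:
        for vol_id in inst.volumes:
            snap = cloud.create_snapshot(instance_id, vol_id)
            snapshots.append(snap)
            findings.extend(match_cves(cloud.read_package_db(snap), cve_feed))
    finally:
        # Runs even when a call fails: forgotten snapshots are the usual cost leak.
        for snap in snapshots:
            cloud.delete_snapshot(snap)
        cloud.terminate_scanner(scanner)
    return findings


def build_sample_cloud():
    """Constructed inventory: one running and one stopped VM."""
    return FakeCloud({
        "i-web": Instance("running", {"vol-web": {"openssl": "1.1.1j", "bash": "5.1"}}),
        "i-db": Instance("stopped", {"vol-db": {"openssl": "1.1.1k", "sqlite": "3.30"}}),
    })


# Constructed feed with placeholder IDs: package -> [(cve_id, first fixed version)]
SAMPLE_CVE_FEED = {"openssl": [("CVE-0000-0001", "1.1.1k")],
                   "sqlite": [("CVE-0000-0002", "3.31")]}

if __name__ == "__main__":
    cloud = build_sample_cloud()
    for iid in cloud.instances:
        for name, ver, cve_id, fixed in agentless_scan(cloud, iid, SAMPLE_CVE_FEED):
            print(f"{iid}: {name} {ver} affected by {cve_id} (fixed in {fixed})")
```

Three properties of the method show up directly. The stopped VM (i-db) is scanned with no state check and no OS login; the Instance objects are never modified, so running workloads are untouched; and the findings are package-to-CVE matches read from the disk copy, which is why agentless results are CVE-based and carry less detail than a credentialed network or agent scan that can run checks against the live system. The finally block is the operational caveat: the snapshots and the throwaway scanner are removed even when a provider call fails (the snapshot quota check simulates such a failure), because leftover snapshots are what makes a home-grown agentless setup expensive.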
Analysis Summary
# Best Practices: Choosing Cloud Vulnerability Management Methods
## Overview
These practices focus on selecting the appropriate vulnerability scanning method (Network Scanners, Agents, or Cloud Security Posture Management/CSPM integration) for public-cloud workloads, tailored to asset lifespan, accessibility, and overall strategy. The goal is to ensure comprehensive vulnerability identification, contextualization, prioritization, and remediation across diverse cloud environments (VMs and containers).
## Key Recommendations
### Immediate Actions
1. **Assess Workload Lifespan:** Immediately map all existing cloud workloads (VMs, containers) to their expected operational lifespan (ephemeral, short-term, long-term/persistent).
2. **Determine Network Accessibility:** Identify which cloud assets are externally accessible and which are internal or isolated, as this strongly influences the necessity of traditional network scanning vs. agent-based scanning.
3. **Establish Container Visibility:** If using containers, immediately integrate scanning into the CI/CD pipeline (scanning container images before deployment) and integrate with container image registries to scan stored images.
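Steps 1 and 2 above amount to recording, per workload, the attributes that the blog's method sections turn on: lifespan, running state, OS credentials, whether an agent is permitted, scanner reachability, size, and how containers are orchestrated. The following added Python example, which is not part of the original text or of any Tenable tooling, encodes the blog's constraints for each method as a check over a constructed inventory and reports which assets none of the currently deployed sensor types can scan. The Asset attribute names, the inventory and the deployed sensor set are this example's own assumptions.

```python
"""Map a workload inventory to viable scan methods (added example, not Tenable code).
Encodes the constraints the blog lists per method; the Asset attributes, the
inventory and the deployed sensor set are constructed for this example."""
from dataclasses import dataclass

AGENT_MIN_CPU, AGENT_MIN_RAM_GB = 2, 1.0   # agent minimum system requirements


@dataclass
class Asset:
    name: str
    kind: str                        # "vm", "container" or "network_device"
    lifespan: str = "long"           # "long" or "ephemeral"
    running: bool = True
    os_credentials: bool = False     # OS-level admin credentials available to the scanner
    agent_permitted: bool = False    # an agent (or Kubernetes sensor) may be installed
    scanner_reachable: bool = False  # a network scanner can reach all ports/protocols
    cpu: int = 2
    ram_gb: float = 1.0
    cloud_managed_k8s: bool = False  # container runs on EKS/AKS/GKE-style nodes


def viable_methods(a):
    """Return {method: note} for every method that can scan this asset today."""
    out = {}
    if a.kind == "network_device":
        if a.scanner_reachable and a.running:
            out["network"] = "only option: agents and agentless need a cloud VM"
    elif a.kind == "vm":
        if a.scanner_reachable and a.running:
            out["network"] = ("comprehensive, credentialed" if a.os_credentials
                              else "external view only: open ports, service and OS versions")
        if (a.agent_permitted and a.running
                and a.cpu >= AGENT_MIN_CPU and a.ram_gb >= AGENT_MIN_RAM_GB):
            out["agent"] = "poor fit for ephemeral VMs" if a.lifespan == "ephemeral" else "ok"
        out["agentless"] = "any size, running or stopped, no credentials or ports"
    elif a.kind == "container":
        if a.agent_permitted:
            out["k8s_sensor"] = "lightweight sensor via Helm chart, hourly"
        if a.cloud_managed_k8s:
            out["agentless"] = "via the node snapshot; lists containers and SBOM, daily"
    return out


def recommend(a):
    """Pick the most detailed method that fits the asset; None if nothing fits."""
    viable = viable_methods(a)
    if not viable:
        return None

    def score(method):
        if method == "network":
            return 1 if a.os_credentials else 4   # uncredentialed network scan: last resort
        if method == "agentless":
            return 1 if a.lifespan == "ephemeral" else 3
        return 2                                  # agent or Kubernetes sensor

    return min(viable, key=score)


def coverage_gaps(inventory, deployed):
    """Assets none of the deployed sensor types can scan, with what to add."""
    return [(a.name, recommend(a)) for a in inventory
            if not set(viable_methods(a)) & set(deployed)]


def sample_inventory():
    """Constructed inventory covering the blog's use cases."""
    return [
        Asset("web-01", "vm", os_credentials=True, agent_permitted=True, scanner_reachable=True),
        Asset("batch-worker", "vm", lifespan="ephemeral"),
        Asset("legacy-app", "vm", agent_permitted=True, scanner_reachable=True, ram_gb=2.0),
        Asset("tiny-box", "vm", agent_permitted=True, cpu=1),
        Asset("archived-db", "vm", running=False, agent_permitted=True, scanner_reachable=True),
        Asset("api-pod", "container", agent_permitted=True, cloud_managed_k8s=True),
        Asset("core-switch", "network_device", scanner_reachable=True),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for asset in inventory:
        print(f"{asset.name:12} -> {recommend(asset)}  {viable_methods(asset)}")
    print("gaps with only agent + agentless deployed:",
          coverage_gaps(inventory, {"agent", "agentless"}))
```

viable_methods applies the hard constraints the blog states (an agent needs 2 CPU, 1 GB RAM and a running target; a network scan needs a running, reachable target; agentless needs a cloud VM, or a cloud-managed Kubernetes node for containers), and recommend ranks what remains by the detail each method delivers, putting an uncredentialed network scan last and agentless first only for ephemeral workloads. coverage_gaps is the blind-spot check from the pitfalls list: run with only agents and agentless deployed, it flags the network device, which only a network scanner can cover.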
### Short-term Improvements (1-3 months)
1. **Implement Agent Deployment for Persistent Assets:** Deploy security agents on all long-lived or persistent Virtual Machines (VMs) to ensure continuous, credentialed visibility into configuration and software vulnerabilities, irrespective of network accessibility.
2. **Configure Native Cloud Integration (CSPM):** Integrate vulnerability management solutions directly with cloud service provider APIs (using mechanisms similar to CSPM, though not explicitly named in the text) for comprehensive coverage of misconfigurations and inventory, particularly for serverless or highly ephemeral infrastructure not easily reachable by scanners or agents.
3. **Utilize Network Scanning for Specific Use Cases:** Use traditional network scanners selectively for external-facing assets or environments where agent deployment is technically prohibitive or restricted by policy.
### Long-term Strategy (3+ months)
1. **Adopt a Hybrid Scanning Model:** Strategically combine Network Scanning for external exposure checks, Agents for persistent deep visibility, and Cloud API integrations (CSPM-style) for configuration and inventory across the entire estate.
2. **Prioritize Remediation based on Context:** Implement a system that combines vulnerability data with asset context (e.g., application criticality, exposure path) to prioritize remediation efforts, moving beyond raw severity scores.
3. **Establish Full CI/CD Pipeline Security:** Embed image scanning into all build stages to prevent vulnerable container images from ever reaching registries or production environments, leveraging the pipeline scanning capability discussed.
## Implementation Guidance
### For Small Organizations
- Focus initially on leveraging native cloud provider security tooling or simple API integrations for asset inventory and basic configuration checking (CSPM-like functionality).
- If VMs are present, prioritize agent deployment for simplicity and continuous coverage over complex network scanning setups.
- Use network scanning as a targeted audit tool for externally facing endpoints initially.
### For Medium Organizations
- Implement a hybrid model using agents for primary coverage on persistent infrastructure.
- Dedicate resources to establishing CI/CD pipeline scanning for all new containerized workloads.
- Begin integrating multiple data sources (agents, network scan results, API findings) into a central platform for unified reporting and prioritization.
### For Large Enterprises
- Mandate a comprehensive, multi-faceted approach: Agents for all applicable workloads (VMs, potentially containers), integrated CSPM checks via API, and targeted network scanning where necessary.
- Leverage exposure management platforms that can unify data from these disparate sources to accurately track and communicate overall cyber risk.
- Develop standardized deployment pipelines for agents across heterogeneous cloud environments (multi-cloud).
## Configuration Examples
*(Note: The context provided primarily outlines *which* method to use rather than specific configuration syntax. The guidance below reflects implied configuration needs.)*
**Container Image Scanning Configuration:**
1. **CI/CD Integration:** Configure the CI/CD pipeline build step to trigger an image scan upon creation of a new artifact. *Action: Configure build scripts (e.g., Jenkinsfile, GitHub Actions workflow) to execute the vulnerability tool before promotion to the testing stage.*
2. **Registry Hook:** Configure the container image registry so that scan results are ingested on image push and retention policies can act on identified vulnerabilities. *Action: Set up webhooks or scheduled jobs to notify the vulnerability management solution of new images.*
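Both items above end in the same decision: may this image be promoted? As an added example, not code from the original text or from Tenable, here is that decision written as a Python build gate over a constructed scan report. The report schema, the risk-acceptance format and the CVE-0000-* identifiers are placeholders for this example; a real scanner's output needs its own load_findings().

```python
"""CI/CD build gate for container image scan results (added example, not Tenable code).
The report schema is constructed for this example; real scanners emit their own
format, so adapt load_findings(). CVE IDs below are placeholders."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_json):
    """Findings: dicts with id, severity, package, installed, fixed (None = no fix)."""
    return json.loads(report_json)["findings"]


def gate(findings, block_at="HIGH", accepted_risks=None, today=None):
    """Decide whether an image may be promoted.

    Policy (this example's, adjust to taste):
      * at or above `block_at` with a fixed version available -> block;
      * at or above `block_at` with no fix -> warn, except CRITICAL -> block;
      * below `block_at` -> ignore;
      * an accepted risk (CVE id -> "YYYY-MM-DD" expiry) suppresses the finding
        until it expires, so a time-boxed exception cannot become permanent.
    """
    accepted_risks = accepted_risks or {}
    today = today or date.today().isoformat()
    threshold = SEVERITY_RANK[block_at]
    result = {"blocking": [], "warnings": [], "suppressed": []}
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].upper(), 0)
        if rank < threshold:
            continue
        expiry = accepted_risks.get(f["id"])
        if expiry is not None and today <= expiry:   # ISO dates compare as strings
            result["suppressed"].append(f)
        elif f.get("fixed") or rank == SEVERITY_RANK["CRITICAL"]:
            result["blocking"].append(f)
        else:
            result["warnings"].append(f)
    result["allowed"] = not result["blocking"]
    return result


def exit_code(result):
    """Non-zero stops the pipeline before the image is promoted."""
    return 0 if result["allowed"] else 1


# Constructed scanner output with placeholder CVE IDs.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:1.2.3",
    "findings": [
        {"id": "CVE-0000-0101", "severity": "CRITICAL", "package": "libfoo",
         "installed": "1.0", "fixed": "1.1"},
        {"id": "CVE-0000-0102", "severity": "HIGH", "package": "libbar",
         "installed": "2.3", "fixed": None},
        {"id": "CVE-0000-0103", "severity": "HIGH", "package": "libbaz",
         "installed": "0.9", "fixed": "1.0"},
        {"id": "CVE-0000-0104", "severity": "LOW", "package": "tool",
         "installed": "3", "fixed": "4"},
    ],
})
# Constructed risk acceptance: CVE id -> date the exception expires.
ACCEPTED_RISKS = {"CVE-0000-0103": "2099-01-01"}

if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    res = gate(load_findings(report), "HIGH", ACCEPTED_RISKS)
    for bucket in ("blocking", "warnings", "suppressed"):
        for f in res[bucket]:
            print(f"{bucket:10} {f['id']} {f['severity']} {f['package']} "
                  f"{f['installed']} (fixed: {f['fixed'] or 'none'})")
    sys.exit(exit_code(res))
```

The gate fails the pipeline (exit code 1) on any finding at or above the threshold that has a fixed version, and on any CRITICAL finding regardless; unfixable HIGH findings are reported as warnings so the build is not blocked on something the team cannot change yet. Accepted risks carry an expiry date, so an exception granted for one release does not quietly become permanent. Run it as a step before the promotion stage with the scanner's report path as the argument, and the same function can serve the registry hook by running over results for newly pushed images.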
## Compliance Alignment
While the text does not explicitly name frameworks, best practices for continuous cloud vulnerability management inherently align with:
- **NIST CSF:** Align with the Identify (Asset Management) and Protect (Configuration Management) functions.
- **CIS Benchmarks for Cloud Providers:** Coverage gaps identified by CSPM/API integration align directly with configuration compliance controls.
- **ISO/IEC 27002:** Clauses related to asset management and change control management require this level of continuous assessment.
## Common Pitfalls to Avoid
- **Over-reliance on Network Scanning Alone:** This is ineffective for ephemeral assets, fully patched internal systems, or environments lacking exposed IPs.
- **Ignoring Configuration Drift:** Assuming agents or scans cover misconfigurations; API/CSPM integration is necessary to monitor the underlying cloud setup itself.
- **Failing to Scan Images:** Deploying containers without scanning the underlying image in the CI/CD pipeline, leading to vulnerabilities reaching production unchecked.
- **Incomplete Asset Inventory:** Deploying scanning tools without accurate asset discovery leads to blind spots regarding which method covers which asset.
## Resources
- **Webinar:** *A Cyber Pro’s Guide to Cloud-Native Vulnerability Management: Start, Scale, and Secure with Confidence*
- **Data Sheet:** *Vulnerability Management Built for Multi-Cloud Environments*
- **General Tooling Concept:** Exposure Management Platforms capable of integrating multiple sensor types (Agents, Network Scanners, Cloud APIs).