Yandex.Cloud is responsible for managing vulnerabilities and security updates in managed services. The client is responsible for managing vulnerabilities and security updates for all other system components.
For an example of a scope of responsibility for managing vulnerabilities and security updates, see Requirement 5 of the PCI DSS responsibility matrix.
Scanning for vulnerabilities
We recommend that clients scan their own hosts for vulnerabilities. Cloud resources let you deploy custom virtual machine images of vulnerability scanners or install scanner agents on hosts. Many paid and free scanning solutions are available.
Network scanners scan hosts that are reachable over the network. Most network scanners can also be configured with credentials to perform authenticated scans. Examples of free network scanners:
Wazuh is an example of a free scanner that runs as an agent on hosts; it can also be used as a host-based intrusion detection system (HIDS).
Performing external security scans
Clients who host their own software in Yandex.Cloud can perform external security scans for the hosted software, including penetration tests. You can run your own scans or use contractors. For more information, see Rules for performing external security scans.
Managing security updates
A client must apply security updates within their own scope of responsibility. Various automated tools are available for centrally managing OS and software updates.
Yandex.Cloud publishes security bulletins to notify customers of newly discovered vulnerabilities and security updates.
Web Application Firewall (WAF)
To mitigate risks associated with web attacks, we recommend using a Web Application Firewall (WAF). A client can install and maintain a WAF independently or use the Managed WAF service.
Installing a WAF on your own
WAF images are available from the Cloud Marketplace. License types and other required information are available in the product descriptions.
You can also install the Wallarm WAF in Managed Service for Kubernetes. See the instructions in the Wallarm documentation. Wallarm uses a BYOL (bring your own license) model: the license is purchased from the third-party vendor.
With the Managed WAF service, a client receives a cloud WAF as a service from Yandex.Cloud, including access to a personal account for viewing statistics and managing the service. To activate the service and get detailed information, contact your sales department manager or support. The service is provided in partnership with Qrator.