Achieving Effective Application Security in a Cloud Generation


Today’s modern applications are designed for scale and performance. To achieve this performance, many of these deployments are hosted on public cloud platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) for their benefit of elasticity and speed of deployment. The challenge is that effectively securing cloud hosted applications to date has been difficult. There are many high-profile security events involving successful attacks on cloud-hosted applications in the media, and these are only the examples that were disclosed to the public.

In reality, traditional security deployment patterns do not work effectively with applications hosted on public cloud platforms. Organizations should not try to push their previous on-premises application security deployments into cloud environments for several reasons. 

Cloud application security requires new approaches, policies, configurations, and strategies that both allow organizations to address business needs and security risks in unison. Not incorporating these will no doubt deliver an insufficient security posture and cost unnecessary time and money. 

The balance of performance and security  

Whether your organization is a one-person startup, a global enterprise, or anything in between, you depend on applications to operate effectively. You cannot afford down time with these applications, and for many the cloud is still a confusing space when it comes to who is responsible for security. Unfortunately, a single unpatched vulnerability in an application can let an attacker penetrate your network, steal or compromise your data along with that of your customers—causing significant disruption to your operations. According to a recent report, “Unlocking the Public Cloud,”74 percent of respondents stated that security concerns restrict their organization’s migration to public cloud. Public cloud adoption is rapidly growing, yet security is the largest area of resistance when moving to the cloud. 

Many organizations still rank performance well over security, but they should be in a balance with equal importance given the risks. For example, in a May 2018 report from Ponemon Institute, 48 percent of the 1,400 IT professionals who responded said they value application performance and speed over security.

While deploying layer 7 protections is extremely paramount to securing applications, it’s also essential that any security technology integrates deeply with existing cloud platforms and licensing models.

Security measures should be deeply coupled with the dynamic scalability of public cloud providers such as AWS, Azure and GCP, ensuring that performance handling requirements are addressed in real-time without any manual interventions. Also, organizations should direct access to the native logging and reporting features available to cloud platforms.

Fixing application vulnerabilities in the cloud

You wouldn’t necessarily think this, but application vulnerabilities are pervasive and often untouched until it is too late. Unfortunately, fixes or patches are a reactive process that leaves vulnerabilities exposed for far too long (months isn’t uncommon). The problem is clear and vulnerability remediation on an automated and continuous basis is paramount in ensuring application security both on-premise and in the cloud.

In reference to the Ponemon research, 75 percent of organizations experienced a material cyber-attack or data breach within the last year due to a compromised application. Interestingly, only 25 percent of these IT professionals say their organization is making a significant investment in solutions to prevent application attacks despite the awareness of the negative impact of malicious activity.

Because of frightening statistics like these, it is essential to implement a set of policies that provide continued protection of applications with regular vulnerability management and remediation practices, which can even be automated to ensure that application changes don’t open up vulnerabilities.  

Security aligned with the cloud

Here are some best practices for effective application security in a cloud generation:

  1. Application security must provide the ability to satisfy the most demanding use-cases specific to cloud hosted applications. Also, do this without carrying the management overhead of your legacy on-premises architectures.
  2. Fully featured API that provides complete control via orchestration tools already used by DevOps teams.
  3. Security needs to be deployable in high-availability clusters and auto-scaled with the use of cloud templates. Also, they should be managed and monitored from a single pane of glass user interface.
  4. It is imperative they integrate directly with native public cloud services including Elastic Load Balancing, AWS CloudWatch, Azure ExpressRoute, Azure OMS and more.
  5. It is essential security technologies provide complete licensing flexibility including pure consumption-based billing. This allows you to deploy as many instances as needed and only pay for the traffic that is secured through those applications.

Basically, securing applications effectively in the cloud means adopting new ways of thinking about security, and it is critical to look at the security technology stack you have deployed today. Assess what is lacking and adopt what is required for regular monitoring and vulnerability remediation on those applications. It is key to focus on protecting each application with the right level of security. This means deploying security that is aligned with your current cloud consumption and leveraging tools designed for those cloud environments that allow you to build security controls.

About the author: Jonathan Bregman has global responsibility for leading Barracuda's web application security product marketing strategy. He joins Barracuda from Seattle, WA where he worked with Microsoft, Amazon and their ISV partners to build innovative marketing programs focused on driving awareness and demand for emerging products in enterprise software, cloud services and cybersecurity.

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "https://ift.tt/2Komo1F"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more