We’ve all heard about the benefits of cloud infrastructure: improved productivity, cost savings, efficiency and agility, and these are only a few of the terms advocating this technology as the be-all and end-all.
Today, most companies have already implemented cloud infrastructure in their workspaces or are planning to test it out in the near future. And it’s up to businesses to decide whether they choose cloud infrastructure provided by public cloud providers like AWS, Microsoft Azure and Google Cloud Platform, or cloud infrastructure maintained by their organisation’s IT team.
Yet a new trend has arisen in compliance-heavy businesses, such as financial institutions: organisations are running an isolated virtual private environment on public cloud infrastructure.
No matter where an application is hosted, securing the application delivery remains the number one concern. And it is security that is causing a great deal of confusion in the industry. It raises the question: who owns application security in the cloud? Is it the cloud service provider or application teams?
Some feel that security is the responsibility of the application owners – and as such, applications should not be deployed in the cloud due to security risks or unless security is properly baked in.
Others believe that applications are secure simply because they’re deployed in the cloud, which would make application security the sole responsibility of the cloud infrastructure provider.
Public cloud providers like AWS and Azure openly document that application security is a shared responsibility between the cloud infrastructure providers and the application owners. However, the lines are blurred and the division of ownership is not clearly defined.
Applications deployed in cloud infrastructure are accessed via the network. In this case, viewing the security responsibility from the network infrastructure point of view makes more sense.
For example, if the cloud providers control and manage the physical infrastructure resources, it’s their job to make sure the application that runs on that infrastructure is secure.
However, with virtual and software-defined networks (SDNs), application owners define the virtual networks as per the application architecture, an approach referred to as infrastructure as code. Thus, virtual network security resides with the application owners. Traditionally, application owners have an established set of best practices, and setting up network security is a no-brainer. Because the network is part of the infrastructure, cloud providers will provide tools for virtual network security and also for the implementation.
Cloud providers, however, have no visibility into what happens at the application layer and have no way to help the application owners in this area. The application security layer is the responsibility of application owners.
So how can we find a solution? Well, there are many challenges we need to understand first:
BOTs – approximately 30 per cent of traffic comes from non-useful BOTs (i.e. bad BOTs). While some people don’t consider them a security issue, bad BOTs can waste 30 per cent of server resources, resulting in a huge loss of productivity.
Application vulnerabilities – these leave an application open to attackers looking to exploit it, either to gain complete control over it, deform it or steal data. OWASP analyses such vulnerabilities and exploits, and regularly publishes a list of its top 10 identified vulnerabilities.
Malware and ransomware – another well-known security problem that impacts a lot of users and should be addressed prior to deploying an application in the cloud.
Application-layer DDoS attacks (volumetric or protocol exploits) – these are also a concern as DDoS attacks evolve in size, scope and sophistication. DDoS protection is a serious consideration for both application owners and cloud infrastructure providers.
Security monitoring – there are numerous questions about a solution’s capability, but whether to monitor security should not be one of them. Security monitoring is imperative; it’s a must-have.
Fortunately, there are solutions available to overcome the security challenges associated with cloud applications.
Web application firewalls (WAFs), for example, can handle the common vulnerabilities listed by OWASP. And IP reputation and other signature databases have been created to combat malware and bad BOTs.
Many application delivery controllers (ADCs) bundle application security solutions with load balancing and other key application services. Having a complete set of application delivery tools along with security and visibility in a DDoS resilient architecture can create a complicated deployment architecture.
Consider a solution that unifies application traffic management and application security with traffic and security analytics in a single system, and layers central management and control on top of it. This type of solution will alleviate most of your cloud application security concerns.
Duncan Hughes is systems engineering director for EMEA at A10 Networks