Using Best Practices to Secure Apps in Multi-Cloud Environments
From sophisticated e-commerce engines to cloud-based productivity solutions and personal tools on mobile phones, applications power how things get done. Organizations continue to transition these applications to the cloud at an accelerated rate.
According to Radware’s C-Suite Perspectives Report, 76% of survey respondents have accelerated their plans for migrating applications and infrastructure to the cloud. Not only are businesses transitioning to the cloud, they’re adopting a multi-cloud strategy. According to survey results by Flexera, 93% of organizations have adopted a hybrid cloud strategy.
Online presence is usually the lifeline of many businesses, so both security and availability of applications should be top-of-mind concerns for organizations.
Adopting a heterogenous cloud environment results in lack of continuity for management, security and reporting. Each public cloud environment has its own management tools, monitoring, application delivery and security services.
This lack of consistency creates a series of challenges for application security:
Application Protection – Today the application attacks are so diverse that it is no longer enough to protect them with just a Web Application Firewall (WAF). Protection is also needed for the Application Programming Interface (API) and against sophisticated BOTs. As hackers probe network and application vulnerabilities to launch application attacks and gain access to sensitive data, application protection becomes critical to protect the business and its brand.
Organizations often have to configure and manage multiple application security products with varying capabilities across different environments. Lastly, the attack surface increases once an application leaves the confines of an organization’s on-premise data center.
Complexity – Moving applications to the cloud further complicates cybersecurity. Cloud vendors do not provide comprehensive security controls, nor are security constructs consistent across vendors.
Cross-domain services that span networking, application and security require domain expertise and collaboration across teams, creating conflicts and delays in testing and provisioning.
This leads to poorly protected applications.
Actionable Visibility – As applications are deployed across private and public clouds, monitoring their performance, the user experience, identifying SLA breaches, managing application security events and diagnosing root cause are all critical. A single pane of glass that provides visibility and analysis into all these factors are critical to ensuring an organization’s applications are providing a superior digital experience.
Unexpected Costs – The ability to control costs when dynamically allocating application delivery and protection services across heterogenous environments when needed is critical. Why? Because many organizations that deploy within public cloud environments often experience unexpected costs once services scale with increased usage.
Automation – Automating the deployment of services quickly, or scaling application resources dynamically, becomes critical in a public cloud environment because pricing is structured around usage/resource consumption. Any component in this supply chain requires automation to transform manually-driven processes into automated steps that don’t require expertise.
Service Availability – Availability to serve user requests and automatically scale is critical for companies looking to automate backend operations. This means having the ability to add and remove services on-demand without manual intervention for licensing and to reclaim capacity when no longer in use. This saves time and money.
Lock-In – This can occur because one cloud provider might provide application security and scalability capabilities that another does not. In addition, lack of standardization across clouds may require value-added advisory services, such as technical and consulting.
Any solution to address the above challenges must include the following elements to transition, secure and manage apps in the cloud:
- Full set of app security technologies integrated in an easy manner
- Same solution and capabilities across various physical, virtual and cloud environments
- Provide KPIs across various environments and make it easy to troubleshoot across environments
- Lastly, the adoption of multi-cloud should not be at the expense of cost, which was a reason to adopt cloud to begin with!
Integrated App Security: The solution of choice must include a complete set of application protection modules to provide best security coverage across all application threat surfaces:
- Web Application Firewall to protect from web-based attacks (OWASP Top 10 and beyond).
- Bot Manager to protect from bad bot-based automated threats.
- Comprehensive API Protection to protect APIs and provide full visibility on API targeted threats.
- Threat Intelligence to protect from unknown and active attackers.
Faster Deployment: Must be simple to deploy, manage and maintain without needing experts. As an example if you have multiple constituents such as NetOps, SecOps and DevOps, the solution must be easy to deploy on Day 1 likely by NetOps. On Day 2, the DevOps and SecOps teams would use prebuilt security policies as a self-service template. You would use security experts to create these simple to use templates. The Day 3 and ongoing should be about ongoing optimization and evolving of deployed policies. Make sure that any solutions you deploy allows for learning.
Standardized and Consistent: When you had control of apps in your premise it was easy. Across multi clouds make sure that you are able to deploy the same policies consistently. Have a centralized control plane to manage and update policies across all environments.
Actionable: It’s very important to keep track of KPIs and security posture. The information should be something you can act upon and is actionable. For example lets say you have too many false positives. You shouldn’t have to depend on security experts to refine a policy.
Cost Optimized: The world is already going toward centralized cost controls and volume discounts. Make sure regardless of the separate technologies you use for application protection you get a elasticity in pricing where a decommissioned capacity can be reused in another environment without having to pay all over again.
Securing a hybrid or multi-cloud deployment doesn’t need to be complex or expensive for organizations. With the right solution and tools, it’s possible to benefit from on premise, public and private cloud to drive value for your business.