Application Security in Today’s Multi-Cloud World
Source : securityboulevard.com
Managing applications in heterogeneous cloud environments introduces new challenges for IT, DevOps and application owners. One of these challenges of is that each environment offers different capabilities, resulting in inconsistent management and deployment of application delivery and security services, policies and configurations.
As applications migrate to the cloud, gaining actionable visibility into application health and service-level agreements (SLAs) becomes critical since each application may require a different tool to monitor performance.
In such a dynamic environment where each application has its own set of requirements, it is almost impossible to accurately plan for the application delivery and security licenses required for each environment. As a result, IT departments face risks when budgeting for application delivery and security solutions.
Microservice & Security
As organizations transition to the cloud, many are adopting microservice architecture to implement business applications as a collection of loosely coupled services. Some of the reasons to move to this architecture is to enable isolation, scale, and continuous delivery for complex applications. Many of these loosely coupled services are also Function-as-a-Service (FaaS) and use Representational State Transfer (ReST) APIs.
That’s a lot of attack surface which wasn’t exposed when the applications were monolithic. Adopting microservices doesn’t remove the traditional security and application availability concerns.
Hackers are also taking advantage of internet turning dark – increasing adoption of SSL encrypted traffic.
Attacks are More Successful
The recent ransomware attacks highlight the need to secure against denial of service and application attacks. The primary goal of cyber‐attacks is service disruption, followed by data theft. Service disruption creates poor customer experience, and perpetrators know that and use a broad set of techniques to cause harm. These include bursts of high traffic volumes, which do not leave time for mitigation teams to get a grip, usage of encrypted traffic to overwhelm security solutions resource consumption, and crypto‐jacking that reduces the productivity of servers and endpoints by enslaving their CPUs for the sake of mining cryptocurrencies.
Attacks are also more targeted and more successful – more result in a complete outage rather than merely service degradation. According to Radware research, data breaches are expensive, and the costs are only going up. Those reporting attacks that cost 10 million USD/EUR/GBP or more almost doubled last year — from 7% in 2018 to 13% in 2019. Half of the respondents estimated that an attack cost somewhere between 500,001 and 9.9 million USD/EUR/GBP.
Every cloud has a different options, product offering and ways of securing applications. This is one critical area where you MUST standardize profiles and policies for your applications. Application protection is a lot more than just preventing OWASP Top 10 attacks. In addition to protecting applications against XSS, SQL Injection, and others it is also about protecting against API abuse, bad bots, vulnerability exploits and application denial of service.
To ensure secure application delivery the best practices include:
- Applying consistent policies across multiple deployments
- Preventing configuration errors from creeping in during deployment by automating as much as possible
- Addressing issues such as phishing and social engineering that play a large part in human failures
- Ensuring that the applications are accessed by the right users that are authorized and authentic
- Keeping all attacks out of the corporate / virtual private networks
- Gaining actionable visibility
As many of us are now working remotely, organizations have moved many of their applications to the cloud to take advantage of the flexibility. This does address the immediate need to scale access but creates many security challenges that must be addressed to keep both customer data and corporate IP and businesses safe from hacking attempts. Part of the solution is to address the human aspects of security weakness by educating and automating, the other aspects are to adopt best practices and implement multi-layered approach to securing these applications.