Most organisations today either already run workloads in the cloud or plan to experiment with cloud in the very near future. And it’s up to businesses to decide whether they choose cloud infrastructure provided by public cloud providers like AWS, Microsoft Azure and Google Cloud Platform, or cloud infrastructure maintained by their organisation’s IT team.
In compliance-heavy businesses, such as financial institutions, a new trend has emerged: organisations are running an isolated virtual private environment on public cloud infrastructure. Duncan Hughes, Systems Engineering Director, EMEA at A10 Networks, delves into the issue of application security in the cloud and how to solve these challenges.
Securing the App
No matter where an application is hosted, securing the application delivery remains the primary concern. Some believe that applications are secure simply because they’re deployed in the cloud, which would make application security the sole responsibility of the cloud infrastructure provider. Others feel that security is the responsibility of the application owners – and that, as such, applications should not be deployed in the cloud because of the security risks, or at least not unless security is properly baked in.
It is well documented by public cloud providers like AWS and Azure that application security is a shared responsibility between the cloud infrastructure providers and the application owners. However, the lines are blurred and the division of ownership is not clearly defined.
Applications deployed in cloud infrastructure are accessed via the network. In this case, viewing the security responsibility from the network infrastructure point of view makes more sense. Traditionally, application owners have an established set of best practices, and setting up network security is a no-brainer. Because the network is part of the infrastructure, cloud providers supply tools for virtual network security and for implementing it.
Cloud providers, however, have no visibility into what happens at the application layer and have no way to help the application owners in this area. The application security layer is the responsibility of application owners. Before we can evaluate a solution for application security, we need to understand the challenges, including security monitoring, application vulnerabilities, malware and ransomware, and application-layer DDoS attacks (volumetric or protocol exploits).
Solving These Challenges
Fortunately, there are solutions available to overcome the security challenges associated with cloud applications. Web Application Firewalls (WAFs), for example, can handle the common vulnerabilities listed by OWASP. IP reputation and other signature databases have been created to combat malware and bad bots. Many Application Delivery Controllers (ADCs) bundle application security solutions with load balancing and other key application services. Having a complete set of application delivery tools along with security and visibility in a DDoS-resilient architecture can create a complicated deployment architecture. Consider a solution that unifies application traffic management, application security, and traffic and security analytics in a single system, and layers central management and control on top of it. This type of solution will alleviate most of your cloud application security concerns.