Why Distributed Application Environments Need a Consistent Security Posture
Digital transformation and cloud adoption are rendering the traditional perimeter security strategy ineffective. Gone are the days when simply building a fence around applications delivered from on-premises data centers would suffice.
Distributed application environments require a different mindset when it comes to network security. And because most cyberattacks are directed against applications rather than the network, a multilayer approach to security is essential to protecting applications.
As organizations increasingly adopt hybrid and multicloud strategies for increased agility, redundancy and the flexibility to leverage the unique strengths of individual public cloud providers, their approach to securing applications often becomes fragmented because it is challenging to manage and secure disparate environments.
Despite the challenges, it’s imperative to ensure a consistent security posture for all your applications and APIs to defend against attacks.
The Underlying Causes of a Fragmented Security Posture
The use of hybrid environments — a mix of on-premises data centers and public clouds — creates a problem for security teams, because the traditional network perimeter is expanded and the surface area for potential attacks grows, making it more difficult to achieve comprehensive security, visibility and control. This challenge is compounded as each cloud provider has its own unique security features and protocols. The result is a fragmented security posture.
Adding to the problem, security teams often use one point solution to secure their on-premises workloads and another to secure cloud workloads. According to the Oracle and KPMG Cloud Threat report, 78% of organizations use more than 50 discrete cybersecurity products to address security issues, creating a patchwork of different, uncoordinated security tools. Each tool, operating in isolation, can contribute to overlaps or gaps in an organization’s approach to application and API security.
Ensuring a consistent security posture will help your organization achieve the same level of security no matter where your applications are delivered — whether on-premises, in the public cloud or across both.
How to Ensure a Consistent Security Posture
Choosing an application delivery solution with built-in security capabilities is a key way to ensure a consistent security posture across distributed environments. At the minimum, your application delivery and security solution should provide:
Centralized Application and API Security Management
Using multiple point products from different application and API security vendors creates complexity and unnecessarily increases software and staffing costs. Each security product or service — whether it is a web application firewall (WAF), bot management or API protection — will report threats in isolation, so you will not get a comprehensive picture of the problem.
This lack of holistic visibility means a lack of context. A comprehensive solution includes application security; authentication, authorization and auditing; bot management; and API security, all protected with state-of-the-art TLS and managed from a single pane of glass. Ideally, a consolidated platform with intelligent software design should not have to sacrifice application performance to protect the application adequately; it should also offer other application optimization techniques that accelerate application delivery.
As data traverses multiple environments, not only is maintaining its confidentiality and integrity critical, but it can also be required by regulation. Strong encryption (SSL/TLS) is one of the most effective ways to safeguard transactions and protect against data leakage.
Traditionally, setting up a strong Secure Sockets Layer/Transport Layer Security (SSL/TLS) configuration for a website required manually defining which SSL/TLS protocol versions to accept and which to reject, then setting the cipher suites accordingly. This process is time-consuming and error-prone, and it leads to an inconsistent security posture because it must be repeated on each server individually. SSL certificates also need to be updated every year, and an expired certificate effectively shuts down a website or application. It’s also crucial to manage encryption keys securely and uniformly.
The best way to avoid these issues is to centrally manage a single SSL/TLS profile configured for strong encryption and apply it across the board to all web resources, including public-facing websites, internal web applications, intranet sites and other online services hosted within your organization’s network.
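The drift that a central profile is meant to eliminate is easy to make concrete. The following is an added example, not code from the original post or from NetScaler: it expresses one baseline profile as a Python `ssl.SSLContext` (minimum protocol version plus an OpenSSL cipher string) and then audits a constructed inventory of servers against the same baseline, flagging legacy protocol versions, weak cipher suites and certificates that are expired or due for renewal. The hostnames, dates and the `BASELINE` thresholds are assumptions made for the example.

```python
import ssl
from datetime import datetime, timezone

# One central SSL/TLS profile that every web resource is expected to follow.
# These values are an assumption for this example, not a vendor profile.
BASELINE = {
    "allowed_protocols": {"TLSv1.2", "TLSv1.3"},
    # Substrings that mark a cipher suite as unacceptable when found in its name.
    "forbidden_ciphers": {"RC4", "DES", "NULL", "EXPORT", "MD5"},
    "renew_before_days": 30,
}

# Constructed inventory of what each server currently presents, as a config
# export or inventory tool might report it. Hosts and dates are made up.
INVENTORY = [
    {"host": "www.example.com", "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"], "not_after": "2025-12-01T00:00:00Z"},
    {"host": "intranet.example.internal", "protocols": ["TLSv1.0", "TLSv1.2"],
     "ciphers": ["AES128-SHA", "RC4-SHA"], "not_after": "2025-04-10T00:00:00Z"},
    {"host": "api.example.com", "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["ECDHE-ECDSA-CHACHA20-POLY1305"], "not_after": "2025-03-01T00:00:00Z"},
]

# Fixed reference time so the audit is reproducible; a real run would use now().
AS_OF = datetime(2025, 3, 20, tzinfo=timezone.utc)


def build_baseline_context() -> ssl.SSLContext:
    """Express the central profile as a server-side SSLContext (Python's ssl API)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0 and TLS 1.1
    # OpenSSL cipher string: forward-secret AEAD suites only, with explicit exclusions.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def audit_server(server: dict, baseline: dict, now: datetime) -> list:
    """Return human-readable findings for one server; an empty list means compliant."""
    findings = []
    for proto in server["protocols"]:
        if proto not in baseline["allowed_protocols"]:
            findings.append(f"legacy protocol {proto} enabled")
    for cipher in server["ciphers"]:
        if any(bad in cipher.upper() for bad in baseline["forbidden_ciphers"]):
            findings.append(f"weak cipher suite {cipher} offered")
    not_after = datetime.strptime(server["not_after"], "%Y-%m-%dT%H:%M:%SZ")
    not_after = not_after.replace(tzinfo=timezone.utc)
    if not_after <= now:
        findings.append(f"certificate expired on {not_after.date()}")
    else:
        days_left = (not_after - now).days
        if days_left < baseline["renew_before_days"]:
            findings.append(f"certificate expires in {days_left} days; renew now")
    return findings


def audit_inventory(inventory: list, baseline: dict, now: datetime) -> dict:
    """Map each host to its findings so posture can be compared across environments."""
    return {server["host"]: audit_server(server, baseline, now) for server in inventory}


def is_consistent(report: dict) -> bool:
    """True only when every host matches the baseline with no findings."""
    return all(not findings for findings in report.values())


if __name__ == "__main__":
    report = audit_inventory(INVENTORY, BASELINE, AS_OF)
    for host, findings in report.items():
        print(host, "OK" if not findings else "; ".join(findings))
    print("consistent posture:", is_consistent(report))
```

The point of the comparison is that every host is judged against the same profile object rather than against whatever was typed into each server's configuration, which is exactly what a centrally managed profile enforces.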
Consistent Authentication Experience
With applications and APIs being made available across clouds and on-premises data centers, a comprehensive approach to security must include an authentication platform that is flexible and extensible and that functions with the various clients required to use it. The zero trust security model framework requires per-application authentication instead of a single network-level authentication that gives access to all.
It doesn’t matter whether you choose a third-party identity provider or go the service provider route; what matters is providing a consistent authentication experience. Application end users get confused when they encounter different login experiences across different applications, and that confusion gives attackers an opening to capture credentials from unsuspecting employees and customers.
Many developers build the authentication layer into their applications and APIs themselves, which leads to inconsistencies in security posture because of varying developer skill levels, a lack of standardization and haphazard policy enforcement; it also significantly increases development time and costs. With a single upstream authentication platform, time to delivery is shorter, which reduces costs, and the security team only needs to audit one authentication method instead of many.
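What "a single upstream authentication platform" with per-application authentication looks like in code, as an added example that is not part of the original post and not NetScaler's implementation: an issuer mints a compact HMAC-SHA256 token bound to one application (the `aud` claim), and one gateway function sits in front of every backend, verifying signature, expiry and audience before any application code runs. The backends receive a verified identity and never handle a credential themselves. The shared key, the `APPS` table and the request shape are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Key shared by the token issuer and the gateway; constructed for this example only.
ISSUER_KEY = b"example-gateway-key-not-for-production"


# Applications behind the gateway, keyed by the audience name used in tokens.
# Backends never see a password; they trust the identity the gateway forwards.
def payroll_app(user: str) -> str:
    return f"payroll data for {user}"


def wiki_app(user: str) -> str:
    return f"wiki home for {user}"


APPS = {"payroll": payroll_app, "wiki": wiki_app}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, ttl_seconds: int, now: int,
                key: bytes = ISSUER_KEY) -> str:
    """Issuer side: a signed token bound to one application and one time window."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, expected_audience: str, now: int,
                 key: bytes = ISSUER_KEY) -> dict:
    """Gateway side: return the claims, or raise ValueError with the rejection reason."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Check the signature before trusting anything in the body; constant-time compare.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["aud"] != expected_audience:  # one token does not open every application
        raise ValueError("token not issued for this application")
    return claims


def gateway(request: dict, now: int) -> tuple:
    """Single authentication chokepoint in front of every application.

    request = {"app": <audience>, "authorization": "Bearer <token>"} (constructed shape).
    Returns (status_code, body) the way an HTTP front end would.
    """
    app = APPS.get(request.get("app"))
    if app is None:
        return 404, "unknown application"
    header = request.get("authorization", "")
    if not header.startswith("Bearer "):
        return 401, "missing credentials"
    try:
        claims = verify_token(header[len("Bearer "):], request["app"], now)
    except ValueError as reason:
        return 401, f"rejected: {reason}"
    # Only here does a backend run, and it receives a verified identity, not a credential.
    return 200, app(claims["sub"])


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("alice", "payroll", 300, now)
    print(gateway({"app": "payroll", "authorization": "Bearer " + token}, now))
    print(gateway({"app": "wiki", "authorization": "Bearer " + token}, now))
```

Because `gateway` is the only place that parses credentials, there is one code path to audit, one place to rotate `ISSUER_KEY`, and one login experience regardless of which application or environment the request lands on.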
Security Built into the Software Development Life Cycle
Incorporating security into every phase of the software development life cycle is now a fundamental requirement, not just a best practice. The rationale is clear: Security measures embedded from the start of development significantly reduce vulnerabilities and mitigate risks throughout the application’s life. It’s no longer about detecting vulnerabilities; it’s about creating a culture where security is a part of the design, not an afterthought.
Testing for security flaws can mean looking for problems such as buffer overflows and memory-safety conditions in the source code, scanning the finished product or its external user interface (UI), or both. While static application security testing (SAST) and software composition analysis (SCA) tools are commonly used by organizations for white box testing (testing with access to the source code), it is equally important to perform black box testing on the finished product: the UI and the publicly exposed interfaces of an application.
For black box testing, organizations can use their own or third-party web application security scanners to detect and analyze vulnerabilities in web applications. The scanners systematically probe for potential weaknesses such as SQL injection, cross-site scripting (XSS) and other security threats. If the scanner flags a web vulnerability, you can directly import a signature from the third-party scan report to virtually patch the hole.
You can then decide either to simply leave the virtual patch (aka signature) in place, which is a cheap and effective solution, or to resolve the issue in your source code. Sometimes the source code is no longer available, or the developer has left or the contract has ended, so fixing the issue can take a long time and be costly.
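The scan-to-virtual-patch loop described above, as an added example that is not part of the original post and not the NetScaler WAF's signature format: a constructed scanner report is imported into request-matching signatures, each scoped to the exact endpoint and parameter the scanner flagged, and a small inspection function evaluates incoming requests against them after URL-decoding the parameter so that encoded payloads cannot bypass the match. The report layout, the finding types, the detection patterns and the sample traffic are all assumptions made for the example; production signatures are considerably richer than these illustrative regular expressions.

```python
import re
from typing import NamedTuple
from urllib.parse import unquote_plus

# Constructed third-party scan report. Real reports carry far more detail;
# only the fields a request-matching signature needs are modelled here.
SCAN_REPORT = {
    "findings": [
        {"id": "F-1", "type": "sql_injection", "path": "/search", "parameter": "q", "severity": "high"},
        {"id": "F-2", "type": "reflected_xss", "path": "/comment", "parameter": "text", "severity": "medium"},
        {"id": "F-3", "type": "missing_security_header", "path": "/", "parameter": None, "severity": "low"},
    ]
}

# Detection patterns per finding type. Deliberately simple illustrations of what
# an imported WAF signature looks like; production rule sets are far richer.
PATTERNS = {
    "sql_injection": r"(?i)(\bunion\s+(all\s+)?select\b|'\s*(or|and)\s+)",
    "reflected_xss": r"(?i)(<\s*script\b|\bon[a-z]+\s*=|javascript\s*:)",
}


class Signature(NamedTuple):
    id: str
    path: str
    parameter: str
    pattern: re.Pattern


def import_signatures(report: dict) -> list:
    """Turn each patchable scanner finding into a signature scoped to its endpoint and parameter."""
    signatures = []
    for finding in report["findings"]:
        pattern = PATTERNS.get(finding["type"])
        if pattern is None or finding["parameter"] is None:
            continue  # e.g. a missing header is a server setting, not a request to block
        signatures.append(Signature(finding["id"], finding["path"], finding["parameter"], re.compile(pattern)))
    return signatures


def inspect(request: dict, signatures: list) -> tuple:
    """Return (allowed, signature_id). request = {"path": str, "params": {name: raw_value}}."""
    for sig in signatures:
        if request["path"] != sig.path:
            continue  # narrow scope keeps false positives on unrelated pages low
        raw = request["params"].get(sig.parameter, "")
        value = unquote_plus(raw)  # normalise so URL-encoded payloads cannot slip past the regex
        if sig.pattern.search(value):
            return False, sig.id
    return True, None


def apply_virtual_patches(requests: list, signatures: list) -> list:
    """Decision log for a batch of requests, in the shape a WAF would emit it."""
    log = []
    for req in requests:
        allowed, sig_id = inspect(req, signatures)
        log.append({"path": req["path"], "action": "allow" if allowed else "block", "signature": sig_id})
    return log


# Constructed traffic sample: benign requests plus the kinds of input the scanner flagged.
SAMPLE_REQUESTS = [
    {"path": "/search", "params": {"q": "laptop bags"}},
    {"path": "/search", "params": {"q": "1' OR 1=1 --"}},
    {"path": "/comment", "params": {"text": "Great article, thanks!"}},
    {"path": "/comment", "params": {"text": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"}},
    {"path": "/about", "params": {"q": "1' OR 1=1 --"}},
]

if __name__ == "__main__":
    for entry in apply_virtual_patches(SAMPLE_REQUESTS, import_signatures(SCAN_REPORT)):
        print(entry)
```

Note the deliberate scoping decision: the imported patch blocks the flagged parameter on the flagged endpoint only, so the same string sent to `/about` is allowed. That keeps a virtual patch from breaking unrelated pages, and it is also why the patch is a stopgap: the underlying code path is still vulnerable until the source is fixed, and a second scan of other endpoints is the way to learn whether the same flaw exists elsewhere.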
Alternatively, if your organization does not use third-party web application scanners, you can take advantage of scanning capabilities (if available) in the application delivery solution you already use.
NetScaler is one such application delivery and security solution; it offers advanced scanning capabilities through its WAF. The NetScaler WAF Recommendation Engine auto-detects your application-hosting environment and suggests signatures for known vulnerabilities in your technology stack before the application is deployed.
Once your application is in production, NetScaler WAF Recommendation Engine will simulate a variety of attacks and examine the response data to suggest signatures and bespoke protections that you can review and deploy in a few clicks.
Takeaway: The Platform Approach to Achieving a Consistent Security Posture
The best-of-breed approach to choosing security solutions does not always lead to better security: there is more to manage and less holistic visibility, which can leave gaps in your security posture. An application delivery platform that includes built-in security capabilities such as WAF, bot and API protection adds critical layers of defense to achieve comprehensive security across distributed application environments.
Ideally, you’ll want a platform that works the same in any environment so that the resulting operational consistency minimizes configuration errors that can expose your applications to attack. And to better understand the attack surface, you’ll want a platform with end-to-end observability that goes beyond simple monitoring to not only alert you that something is wrong, but to also tell you exactly where to find the issue — the client, the server or the internet connection in between — so you can fix it faster.