
Taking Advantage of the Public Cloud without Compromising Security

30 Jul 2019 6:00am, by

Lior Cohen
Lior Cohen is Senior Director of Products and Solutions for Cloud Security at Fortinet. He has over 20 years of experience working in the information security, data center network and cloud computing spaces. Lior serves as Fortinet’s lead for cloud security solutions with a focus on securing enterprise public cloud-based deployments and private cloud build-outs. Lior previously held a variety of vendor and customer side positions in the cloud security space, including cloud solutions architect, information security consultant and subject matter expert for SDN, virtualization and cloud networking for leading industry vendors.

Public clouds have completely transformed how organizations conduct business. They have expanded compute resources, enabled unprecedented scalability and elasticity, and provided access to growing volumes of data generated by a rapidly expanding army of IoT devices and users. All of this is then integrated into increasingly business-critical web applications designed to increase customer loyalty, enhance worker productivity, and lower overhead.

As a result, migration to the cloud has been one of the fastest and most sweeping business transitions in history. Today, shortly after public cloud services first became widely available, virtually every organization uses them in some way or another. Rightscale’s 2018 State of the Cloud Report also indicates that 81 percent of enterprises now have a multi-cloud strategy in place, with organizations using an average of five clouds.

According to the 2018 Cloud Computing Survey from IDG, 30% of all IT budgets are allocated to cloud computing this year, with the majority being SaaS (48%), IaaS (30%), and PaaS (21%).

However, what is less frequently talked about is the growing concern of cloud security. According to that same IDG survey, respondents said they plan to move 50 percent of their public cloud installed applications to either a private cloud or non-cloud environment over the next two years, primarily due to security concerns.

Cloud Security Is YOUR Responsibility

The challenge is that cloud consumers often have a misconception about the security provided in a public cloud, mistakenly believing that cloud providers deliver security services natively. The reality, however, is that cloud providers are only obligated to secure the underlying cloud infrastructure shared by all customers. Although cloud providers also offer customers security services to attach to their applications, securing corporate data, web applications, and compute resources is the responsibility of the client.

The challenge for those considering expanding to another cloud platform, even a private cloud, is that those same security issues will follow them. Regardless of whether a cloud environment is public, private, or some hybrid, securing a highly scalable and elastic cloud environment — especially a multicloud environment — requires more than what traditional security solutions can provide.

Securing a Public Cloud Deployment

Part of the challenge is that even if an organization has a full cybersecurity staff — according to the 2018 (ISC)2 Cybersecurity Workforce Study, the cybersecurity workforce is approaching a shortfall of nearly 3 million globally — it is unlikely that those individuals can keep up to date with all the issues related to implementing security in the cloud.

And yet, in spite of these challenges, organizations that manage to overcome their cloud security challenges will reap huge benefits for their business. Taking advantage of the public cloud — which usually involves developing and deploying business-critical web applications by utilizing highly flexible and scalable compute resources — without compromising security is a matter of putting all of the right resources together. These include:

  1. Shifting from DevOps to DevSecOps. By adding a cybersecurity specialist to a DevOps team, web application developers leveraging IaaS/PaaS can more quickly come up to speed on the unique needs and challenges of cloud environments, and identify critical areas in an infrastructure deployment or application development where security needs to be implemented.
  2. Providing DevSecOps teams with the right tools. DevSecOps teams need security tools designed specifically for their operating environments, but that don’t require them to become security experts knowing the ins and outs of every tool. Instead, they want to be able to quickly attach security to applications and then let actual security professionals monitor and manage the result.

Speed is another critical component of DevOps efforts. It is what justifies their existence. Any security tool that requires the DevOps team to stop what they are doing to configure and modify it is going to be a problem. Unfortunately, one of the biggest challenges of any cloud-based network virtual appliance (NVA) product, such as a Web Application Firewall (WAF), is the time and skill required to properly integrate it into the infrastructure as well as configure and fine-tune it to weed out false positives and accurately block bad traffic. It also requires time to configure it properly, scale its defenses as websites and applications grow, and adjust configurations as applications change so it doesn’t drop legitimate traffic. This process takes time and skill that most DevOps teams don’t have.

The answer is to re-evaluate the use of network virtual appliances, utilizing them when needed and leveraging SaaS as appropriate. A dynamic SaaS-based WAF solution, by nature of being managed by a team of experts and leveraging the cloud infrastructure, is auto-scalable, and because there are no performance-related issues, it allows web applications to grow as needed. And unlike a traditional or cloud-based solution, a SaaS WAF enables you to place your web application API security gateway as close to your application control as possible, allowing rapid inspection while reducing processing overhead.

A SaaS WAF solution is also pre-deployed and pre-configured, enabling it to be easily stitched into an application transaction with minimal effort because all of the expertise required for deployment, maintenance, scaling, and fine-tuning is already included.

  3. Selecting solutions that work consistently across different cloud and non-cloud environments. Every network environment is different — even between cloud providers. As a result, many security tools don’t work the same when deployed in different environments, which makes implementing and enforcing consistent security policies a real challenge.

Using a SaaS-based security solution enables security to be applied consistently across and between clouds. This also allows policies to be centrally managed and orchestrated by the IT team, which reduces their security overhead and prevents “weakest link” security issues, where inadequate security in one area becomes an attack vector for the rest of the network. It also enables DevOps teams to focus on their primary objectives around application development and improvement.

  4. Identifying and managing security gaps. Even with the right tools in place, however, organizations are likely to encounter challenges with integrating security into their DevOps process. One of those challenges is managing and monitoring security compliance, especially as the scope and scale of cloud environments, applications, and the data they access and share change, along with the resulting failure to understand how existing or new regulations apply to a new cloud capability or service. This and similar challenges can be addressed with a DevOps/IT partnership resulting in a DevSecOps approach to application development.

The Advantages of SaaS Security Services

One of the most effective ways to integrate consistent security across multiple environments is to implement security as a SaaS solution. SaaS means that DevOps teams do not need to stand up their own infrastructure in their own data centers, or have any hardware or software to maintain — virtual or otherwise — which means they can remain focused on their most critical job. Deployment can be done in minutes, with minimal initial configuration, to deliver maximum scalability.

A SaaS-based WAF is especially beneficial because, in a single solution, it removes a wide range of security friction that can slow down the deployment of a new application, allowing your DevSecOps team to focus on delivering business value while ensuring that applications are protected against known and zero-day threats.

Conclusion

Maintaining a cloud infrastructure and an effective web application security strategy is critical for today’s businesses. Consuming a SaaS-based WAF security solution enables your team to take full advantage of the agility of public cloud environments while eliminating routine security maintenance and management tasks and enjoying full-featured security that can be deployed with minimal configuration and management. This unique approach enables you to enjoy the benefits of a cloud-based business environment without ever having to compromise on performance, agility, or security. Deliver faster value with lower operational overhead.

Feature image via Pixabay.
