How Do You Ensure Operational Security Across a Multicloud Environment?
Security considerations around confidentiality, integrity and availability when building a multicloud environment.
Organizations are racing towards digital transformation in efforts to differentiate themselves from their competition. Yet one thing remains constant across each of these efforts — the need to consider security throughout the entire process.
If building and running applications that fully exploited cloud services increased risk, would cloud-native services still be a priority? Or would you step back, assess the risk and make an informed decision?
The answer should seem obvious. Deploying applications without security is a risky business. It's like building a car without brakes — drive at your own risk.
This is the first of a two-part series in which we identify ways to best protect your applications and data from threats. In a future post, we will compare the level of protection provided by F5's Advanced WAF versus AWS WAF and Azure WAF.
For now, let’s discuss best practices organizations can deploy to protect their assets in a multicloud environment.
Consider the CIA triad
Organizations need to balance the three components of the CIA triad — confidentiality, integrity and availability — in order to create safe and efficient access to their applications. In a perfect world, everything would be equal, but that’s not realistic. In order to create balanced operations, we must consider solutions that minimize impact while maximizing the overall security posture. Often, when functionality and usability are improved, security suffers. It is essential to ask yourself the following questions:
- How balanced is our organization today?
- Where do we want to be in six, 12, 24, 36 months?
- How can we improve day by day?
- What will it take to get there?
- Do we have the right people in place and the time to do this on our own?
Weighing impact, effort and risk
If you were to choose speed to market over operational efficiency, and a deployment causes an outage or breach, what’s the real cost? It might be faster to market, but many times, the operational cost and burden aren't worth the investment because they don't improve the overall security posture and the impact on availability is too great.
There's a significant upside to cloud adoption, such as reduced operational expenditures (opex) and capital expenditures (capex), and increased efficiencies through inter-connectivity. However, evaluating the challenges of cloud adoption is beneficial when assessing the risk and creating a change-management plan. It’s important to consider the following:
- Security: The fluidity of data can expose sensitive information to malware and other cybersecurity threats.
- Data loss: Outages can occur and risks become more prevalent as the attack surface expands. Data loss occurs due to system malfunction, misconfiguration, data mapping and human error.
- Compatibility/scalability: Legacy environments supporting applications are most likely incompatible with native cloud services. IT decision-makers need to do the necessary research to evaluate the various cloud computing technologies to see what application security platforms work best for their organization.
When it comes to cybersecurity, what's the real cost of mediocrity?
It is essential to consider security throughout the project lifecycle, where the tools you use are just as important as the code you deploy. You need tools that automatically adapt to changes and are the same across all environments, and can be customized quickly and easily to meet the changing demands of your applications. Having an application architecture that’s similar across all environments will also decrease operational burden and cost while decreasing risk.
Firewalls have always been considered the preferred edge security device, and today’s next-generation firewalls (NGFWs) are more advanced than ever.
But there’s one problem. Applications are the new edge, and they are the path to your data. With modern architectures, you must take a layered approach to security. I know, I know. You’ve heard it before, but if organizations were actually doing this, I’m sure we’d see fewer breaches.
Historically, security operations have focused on the edge of the network, but that is no longer enough. Application security is essential in today's digital market. It starts with code, but it doesn’t end there, and WWT is here to help make the journey to securing your applications simpler for you.
Fact-based, data-driven decisions
As a solutions integrator, we recommend customers make their buying decisions based on facts to drive the right business outcomes. In this case, we're talking about improving customer experience, securing customer data and providing a level of visibility that decreases risk.
Having been in IT for 15 years, I know firsthand what it's like to have manufacturers trying to sell the “best” solution for your problems. Unfortunately, every manufacturer has the “best” solution. As a trusted advisor, WWT uses our Advanced Technology Center (ATC) to help you determine which solution is best for you and your organization. Dealing with individual manufacturers can be very one-sided, and you have to take everything at face value, which is very difficult to do with cloud-native services.
The OEM struggle is real. It's something I dealt with throughout my career, and quite frankly, I was never 100 percent sure about a decision until I found Silicon Valley in St. Louis. In my own words, I tell customers that the ATC can quickly turn a data sheet into a fact sheet.
Using the ATC, we can show the level of protection provided by F5's Advanced WAF versus AWS WAF and Azure WAF.
At first glance, the results are surprising. But they don't tell the whole story. To understand our customers’ experiences better, we wanted to know the operational complexities and management of each environment. After all, there is a lot to be considered when choosing cloud-native services over other proven technologies you may be using today.
Things to consider when moving to the cloud
Are cloud-native application services right for all of your applications? Probably not, but they definitely have a purpose and place. Our customers have better business outcomes when they take a holistic approach to securing their data and applications, using toolsets that make sense for individual applications instead of blanketing a tool across all applications just because it’s the easy thing to do.
Would you consider it more efficient to manually customize and build a WAF policy with every code update, or would it make more sense to have a system that learns automatically and evolves into a policy over time? This is where F5 makes sense, because it can adapt to application traffic and the policy can evolve over time to maximize security while minimizing false positives.
Does it make sense to have point solutions across multiple environments, or would it be better to have consistency? When securing applications, both on-prem and in the cloud, you should favor consistency for a number of reasons. Having the same security standards and policies across all environments results in consistent logging and management practices. It simplifies audits, but more importantly it decreases risk and complexity. This can also lead you towards a conversation around DevSecOps, so you can make security everyone's responsibility.
A lot of people are considering cloud, but why? Are you considering the many risks associated with adopting a multicloud strategy?
Cloud adoption: Where do we even start?
- Change management: Create a solid CMP (Change Management Plan). There are risks associated with every change, but our goal is to minimize risk and ensure availability throughout migrations or deployments.
- Testing: Create and carry out documented test plans. Some tests may be more general, while others may be more specific. Regardless, they need to be carried out with every change or deployment to ensure availability.
- Adoption strategy: How will we effectively communicate cloud wins to our internal teams? There needs to be an advocate for cloud adoption, which includes training and implementation plans that help set everyone up for success. Think about ways to make a cloud-friendly culture, where security is everyone's responsibility.
- Standardization: Understand how to mitigate risk and deploy a solution that aligns with the organization's policies and goals. Work to standardize on a platform that is used across the organization, regardless of where the application lives. Standards decrease risk and increase operational efficiency. By doing this, you save the time and resources otherwise spent trying tools that don't work or don't meet organizational requirements.
What risks am I facing?
Understanding the risks associated with having disparate technologies protecting applications across multiple environments is essential. As I mentioned before, we wanted to test some cloud-native WAF solutions against F5’s Advanced WAF.
We'll dive into those results and solution comparisons in a future blog. For now, I want to point out some potential business impacts of not protecting your web applications.
- Add, delete, edit or read content in databases.
- Read source code from files on a database server.
- Write files to the database server.
- Steal credentials.
- Exfiltrate sensitive data (personally identifiable information or cardholder data).
- Drop a drive-by download onto a corporate website.
- Launch port scans of an internal network.
The list goes on, which makes securing your applications more critical than ever before.
Digital: Modern applications demand smart business decisions
It cannot be stressed enough: Security must remain at the forefront of all technical and business conversations.
With digital transformation top-of-mind for many organizations, applications are inherently the leading cause for change. As web content and services are decentralized, the risks associated with high-value data go up. Similarly, visibility can be decreased, making it harder to identify threats or data breaches.
You must do everything you can to protect your applications and data from malicious actors, regardless of where your applications and data live.