How to Secure Your Apps and APIs in the Cloud Without Compromising Speed
In a digital world, attackers exploit vulnerabilities in apps and APIs to perpetrate increasingly sophisticated breaches and fraud. The only way to fully protect your organization is to have comprehensive, consistent security that covers all of your digital assets and works with all your apps and APIs, whether they are modern or legacy, and wherever they are in the cloud. WWT and F5 can help you do just that—without sacrificing speed or any other business outcomes.
The growth of multicloud—running applications on-premises, at the edge, in the cloud, and in SaaS—creates significant complexity and much larger attack surfaces, which present greater challenges for organizations trying to secure apps and APIs. In a 2020 study, 70% of companies said they were tied to one cloud service provider, according to Bain; but by 2023, reports show that 84% of mid-to-large companies and 90% of large enterprises have adopted a multicloud strategy.
While the multicloud offers significant opportunities and benefits, it brings many risks and cyber threats. In fact, Gartner predicts that the cloud security posture management market will increase from $1.06 billion in revenue in 2022 to $3.32 billion in 2027.
One of the major challenges is that every cloud, platform, or environment that your applications run on has security controls that may be widely divergent. If you're using AWS and Azure, you must understand how both cloud platforms work, how they are configured, their reporting methods, and their security needs—resulting in an untenable cognitive load on your developers, security people, and cloud engineers. You may not have the consistency and deep knowledge you need for all the native controls you are using. That makes it very difficult to have a homogeneous security posture across these clouds.
When it comes to apps and APIs, you need consistent policy control no matter where your applications are located, and regardless of whether they are legacy or modern. This means having consistent application delivery and security that provide visibility and control to application traffic across the multicloud. You can integrate existing approaches and solutions, such as F5's platform and solutions.
F5's fundamental approach involves a distributed platform topped off with the necessary tools that enable you to be secure everywhere your applications and APIs are. Think of the F5 Distributed Cloud as the largest managed Kubernetes cluster in the world; you can deploy F5 Distributed Cloud for any environment you have. It's a SaaS platform that can be extended into managing your private and public clouds, and it functions seamlessly. This is important for agility because it provides a single centralized control point for solutions running in different tech ecosystems, providing the consistency you need.
To successfully secure your apps and APIs in the multicloud, consider the following principles:
Companies today must respond to heightened customer demand and to a market that has become hyper-aligned to differentiation. In a digital-first world, the first to market typically comes out strong and sets the stage, with followers trailing behind. The pace of innovation is now driving overall digital transformation—and the business is outpacing security in many ways.
Enforcing a strong security posture requires an understanding of where data rests and how it is transmitted. To keep pace with the business, teams responsible for securing data are now focusing on data transmission through APIs to manage risk to data at scale. A key component of data transmission is visibility to ensure that approved APIs are maintained and that rogue or zombie APIs—old, forgotten APIs that are still running—are discovered and closed.
Expanding attack surfaces upon applications and APIs attract more data breach attempts and attacks. Organizations must include data as a core metric in their cloud posture assessments. All formats, methods, and services in support of transmitting data must be accounted for, including APIs and the authentication and authorization of API requests.
Security has traditionally been considered from the outside in. We're finally seeing a transition in the market with greater awareness of app and API security, code-to-cloud security, and cloud-native security. In some markets, the shift is happening quickly, while others are slower to adapt. Overall, the focus is now on the nucleus of the business, and security is considered by design, starting at the applications and data and propagating outward.
This shift in security focus is impacting the role of security practitioners. While their mandate is still to protect the organization, their traditional function as a gatekeeper has been dramatically eroded. In the past, security practitioners could embargo risky actions others wanted to take by refusing to open firewalls or whatever tools they had.
Today, with the agility that is needed in a multicloud world, two things have changed. First, organizations no longer have an appetite for that type of gatekeeper function. Secondly, in purely technical terms, that role may no longer be entirely within the security team's control. The result—exacerbated by the explosion of APIs that comes with modernization efforts—is that security teams now must perform an investigative function to discover the risks their organizations face. That includes discovering what the organization is doing in terms of which APIs and applications they are publishing, how often they are being updated, and which new code frameworks, API protocols, or languages are being used.
This approach of identifying the risks in their organization is a real challenge because it's extremely labor-intensive. As a result, security professionals need tools that can inform them specifically about APIs, answering questions like:
- What APIs do I have?
- Where are they?
- Are they well-formed?
- Are they well-structured?
- Are the specifications accurate and hardened?
Most security professionals don't have this information readily available, so they need tools to discover and contextualize it efficiently.
If you decide to take a fresh look at securing your apps and APIs in the cloud, you should start by developing a point of view shared by the major groups involved.
With multicloud, you can potentially have discrete architecture groups for each cloud, which may not share a singular view of how you should holistically handle security. To develop a shared perspective, the best place to start is with discovery and communication, asking essential questions to determine commonality:
- Do you have a cloud operations and governance model?
- Do you have a cloud center of excellence?
- Do you have a consistent security posture for the cloud, applications, and data?
- Do you have standards and a framework that you follow?
Once you have that point of view, you can identify gaps in the unified view. Consider where you currently are compared with where you need to be, and any particular challenges your organization may face in that journey. A Cloud Center of Excellence (CCoE) is essential in ensuring alignment across your organization and an important organizational step in securing your apps and APIs in the multicloud.
A vast majority of large enterprises don't yet have a well-defined security posture for the cloud; it's still evolving. This is mainly because organizations, especially very large enterprises, still have a sizable on-premises environment and most likely will continue to have it for many years. As a result, they handle on-premises security exceptionally well but may not have thought about how that will carry over to their cloud operating model.
If your organization doesn't have a unified point of view, you may craft a journey to the cloud that is not as careful and deliberate from the onset as it should be. As an example, you may end up deploying things that are attributes of legacy applications that are difficult to secure in terms of controls or reporting requirements. In fact, lacking a unified point of view may ultimately require you to stop your initiative or repatriate the application back to the private cloud—which can be a blow to your cloud efforts.
What are your main challenges in terms of time, cost, or features? Once you determine the primary issue, you can drill down and figure out possible solutions. Determine which workloads or use cases apply to this issue. One of those workloads can be used as a POC for the more extensive approach and solution. To provide developers with the path of least resistance, the POC can be done in a lab, such as WWT's unparalleled Advanced Technology Center (ATC).
APIs, applications, and cloud all require a multi-layered approach to security that starts well before runtime. When developing or standing up an application, focus on the business outcome you're driving for from the beginning, whether it is an API with a first or third party. The process includes scanning for misconfigurations, developing a layer of network access with role-based access controls for authorization, assessing and testing vulnerabilities, and many other things that come into play in these real-time applications before you even get to runtime.
Developers and their workstations are heavily under attack, given that all an attacker needs is the source code of an application. You need to protect development as well as production environments.
Developers are closely aligned with the business so they are focused on delivering services to customers as quickly as possible. Their only requirement is to know the parameters they have to work within. Security teams are responsible for providing developers with a secure application environment, while operations is in charge of making it repeatable.
For developers, speed is the name of the game, along with as much self-service as possible. They expect provisioning within hours not weeks or months. Documentation is crucial and must be easy to consume with little friction. Microservices are a huge push in architectures, requiring APIs to function. Environments must be agnostic with few (if any) dependencies and friendly to open-source tools.
When implementing security for apps and APIs, it's essential to prove to your developers that the process is fast and that whatever is introduced will have low latency and will not introduce headaches for customers. The right tool and approach can make this possible. The F5 Distributed Cloud is perfectly designed to work within this mindset, providing extremely easy-to-use, easy-to-consume, low-friction solutions that enable developers to be more efficient and move more quickly.
Make sure the tools or platforms you choose are accessible, flexible, and consumable for the entire organization, not just developers. Using F5 solutions simplifies the process by:
- Streamlining operations by uniformly defending your digital fabric
- Enabling you to deliver secure digital experiences at scale in the architecture you have today and will have in the future
- Incorporating AI and machine learning techniques in their tools to take over tedious manual tasks
- Helping you move much more quickly and with fewer people because you have simple tools to assist you
- Allowing you to start getting insights and begin working on the level of your specific application and business needs simply by pressing a button, instead of spending valuable time on configuration
Today's organizations need a bewildering array of tools to develop, validate, publish, and secure APIs. The key to simplifying the complexity in this space is to publish services to your developers that are secure out of the box. This typically requires a large tool and service integration effort.
WWT has helped many customers identify and integrate the tools that fit their needs and integrate with their existing infrastructure. Our goal is to provide a seamless integration experience between developers and the infrastructure you present to them.
With API Security, you need solutions that require minimal configuration. Moving from familiar legacy security controls to a new control mechanism or adding new capabilities requires significant configuration and new skill sets for your analysts to learn—which could compromise speed or security. F5 solutions help you avoid that. F5 has automated the process of deploying an app into production, considering security upfront, and is inclusive of all cloud environments.
WWT has the deep and broad experience and vast OEM relationships to help clients from strategy to execution. Application delivery is a whole ecosystem, and while F5 can play a significant part, WWT can integrate their offering with other tools that meet different needs within that ecosystem.
WWT can assess your needs from end to end, with both a short-term and long-horizon perspective, and help you understand how and where the most appropriate solutions fit and then integrate them into an overall solution that best meets your needs.
WWT's ATC gives you the ability to try before you buy, test, and compare F5 solutions in environments built like yours, so you can reach the best decision faster and with more confidence that you are picking the right technology for your organization. Our engineers have deep F5 expertise, as well as expertise with everything it needs to integrate with.
Our teams of consultants and post-sales resources can help you implement and get the most value out of the solutions you select.
A very large global retail enterprise needed the flexibility and agility to securely scale a deployment into the public cloud domain during its busiest time of year—the holiday season.
WWT built a solution that included automating with Terraform the provisioning of numerous F5 appliances in the public cloud. WWT used Ansible to sync all of the retailer's existing on-premises security policies within the customer's Web App Firewall across its data centers and into the public cloud.
The retailer was able to scale so fast that it immediately exceeded its initial goal of sending 5% of the holiday internet traffic through the public cloud. It ultimately moved over 33%—and then shrank right back when the season ended, a true demonstration of elastic scale.
Since that time, other business units have also leveraged the solution to securely scale when they need it, and the relationship continues to expand.
About the Authors
- Clint Huffaker, Practice Manager, WWT
- Anthony Glackmeyer, Principal Security Architect, WWT
- Todd Barron, Technical Solution Architect, WWT
- David Remington, Director of Product Management, F5