F5 Blog

 
Archive Search Articles

Spotlighting Security when Deploying Apps in the Cloud

Everyone wants to say, “I don’t worry about that because it’s in the cloud.”

Today’s enterprises are rapidly adopting a “cloud first” strategy when it comes to their web applications. Apps are being developed to work seamlessly in the cloud. Workloads are being transferred to public IaaS cloud providers. Furthermore, organizations are rethinking their strategy for existing apps, and deciding whether to move them to the cloud, or leave them in the data center.

Given all the benefits cloud services offer, the decision to move to the cloud should be a no brainer, right? Hmm...well, on second thought, perhaps this decision should not be taken so lightly.

Moving apps to the cloud requires and in-depth understanding of how to maintain compliance, provide effective security, and ensure availability and delivery with acceptable performance for each application. Before you move apps to cloud (public or private), make sure you think through all the critical measures first and understand the impact on security, IT, development and operations teams.

Where Security Comes In

Many shine a light on security when it comes to moving applications to the cloud, and rightfully so. According to the 2014 Cloud Security Report, attacks on cloud environments have almost reached the same level as traditional IT. DDoS, brute force attacks, and vulnerability scans are becoming just as significant in the cloud as with traditional IT infrastructure. Even in the cloud, bad actors are looking for weaknesses in applications, protocols, and services that they can exploit. New hybrid environments must take into account on-premises infrastructure, IaaS providers (such as Amazon, Azure, or vCloud Air), PaaS services, and SaaS business applications—all of which have particular areas security effectiveness.

Many current security approaches and mechanisms used by cloud providers—network firewalls, advanced encryption, and other network security tools—do not adequately protect against sophisticated app vulnerability exploits, browser-based credential theft, and malware disguised as legitimate traffic. Enterprises are advised to be proactive at ensuring cloud security, make every effort to transition proven policies from the data center to the cloud, and not leave security up to cloud app and service providers.

Another area of concern with migrating to the cloud is compliance, regardless of where the app lives. Administrators and managers must have visibility into compliance status and ability to update protections in accordance with guidelines. This requires a fully up-to-date understanding of the compliance requirements for each app and related data assets, including standards for PCI DSS, HIPAA, and various ISO certifications. Maintaining compliance is resource-intensive. Failure to do so can result in hefty fines/penalties. For cloud services, organizations are advised to maintain compliance using effective, proven solutions and audit methodologies they already have in place for the data center. This enables efficiency and accuracy in maintaining adequate knowledge of compliance status, and remediation of deficiencies in a reasonable timeframe.   

App Development Practices Play a Role

DevOps is a critical piece to the puzzle as well. Despite higher awareness of common vulnerability exploits, DevOps teams are focusing more on getting business services running in production than they are on security. Their priorities are typically driving revenue, then competitive advantage, and improving customer and employee productivity. In-depth protection appears to be an afterthought and even assumed to be in place by many as they roll out cloud apps.

However, deploying a cloud app that is secure is a complex undertaking that requires consideration for security as part of the infrastructure and early on. New agile methods and the streamlined DevOps-driven approaches being adopted often do little to address this. Tools being leveraged can be poorly integrated with back-end systems or confusing in terms of how they actually play with apps. DevOps teams need a way to effectively ensure that agile development methodologies have a more comprehensive security focus from the onset, and that they work together to create policies for applications during development and throughout the application lifecycle.

So… When enterprises adopt a “cloud first” strategy, maybe there should be a “security first” strategy alongside that enforces consistent and proven corporate security practices and policies to bridge the gap in protecting and aligning with DevOp practices for effective app security— regardless of whether the app lives in a traditional, hosted, or cloud environment.

Recommendations for Cloud Protection

Defending applications in cloud is not always as difficult as you’d think. With F5 security solutions, organizations can implement protection for all critical business web-facing apps, wherever apps reside. Whether in the data center or a public/private cloud (Azure, AWS, etc.), IT can protect applications and the data they sit in front of with the highest level of security effectiveness and performance.  

F5 app protection solutions include a web application firewall (BIG-IP Application Security Manager – ASM), which is recognized as a leading WAF solution. ASM enables organizations to build policies, increase the speed with which new policies are deployed, and keep policies consistent for applications moving to—or from—the cloud. NSS Labs recommends BIG-IP ASM as a web application firewall based on high marks received in rigorous testing.

ASM is built on F5's TMOS architecture, which provides the flexibility, scalability, and agility needed to respond to new attacks in real-time. It includes tools like iRules datapath scripts, iControl REST API, and iApps deployment templates that allow organizations to expand protection capabilities, streamline policy enforcement, simplify deployment, and automate configuration management on the fly remotely across all cloud services. These tools have proven benefits for DevOps, Security, Network and IT teams, and are well-suited to agile deployments. Click to read more about F5 Technologies.

Additionally, F5 offers integrated security services including Web Fraud Protection, IP Intelligence, and DDoS Protection. These services extend ASM capabilities to effectively guard against known malicious actors and multi-channel threats attacking the network, applications and the end-user—stopping fraud, protecting end-users, and guarding against the most sophisticated DDoS attacks on the network and the application layers.  

F5 security solutions are available for Amazon AWS and other leading cloud providers. Deployed via BIG-IP virtual editions and Silverline cloud-based services, F5 enables all types of organizations to protect and deliver applications to anyone, at any time, and from anywhere. Standardizing with F5 solutions enables you to meet the strict demands for corporate security policy and compliance while reducing risks and costs, all without sacrificing control, application portability, or time-to-production when deploying apps to the cloud—wherever that may be.  

More with F5 at AWS re:Invent 2015

Let's continue the conversation. Join us next week in Las Vegas at AWS re:Invent, booth #830. Click here for a preview of what we will be showing to help you take your critical application services with you to the cloud.

Tags: