The challenges of protecting the hybrid cloud [Q&A]

With more and more companies storing apps in the cloud and others remaining in-house, security can become something of a headache. On-site security tools are ineffective against web attacks leaving organizations with multiple protection solutions in place.

The launch of hybrid cloud solutions such as Radware's WAF (Web Application Firewall) means it’s possible to protect all systems with just one application but what implications does this have for the enterprise? We spoke to Carl Herberger, VP of Security Solutions at application delivery and security specialist Radware to find out more about the benefits of hybrid WAF solutions and how they can be implemented.

BN: With the rapid rise of cloud use is it fair to say that many companies have taken the leap to the cloud first and only thought about security later?

CH: It sometimes seems that security has become almost an afterthought. IT managers have left a secure, premise-based operating environment in search of agile and cheaper alternatives, but leave with hopes that security would somehow also improve. The overall responsibility of network security for today’s cloud delivered services is still left to those who write the checks for the services and hold those delivering the services accountable. Unfortunately, those security practitioners often fall behind the evolving threat landscape.

BN: Why don't the security practices applied to in-house solutions work for the cloud?

CH: There are three basic principles which help illustrate why an enterprise-security solution will not work easily or at all in the cloud. First, enterprises don’t often concern themselves with tenants. Cloud and managed service environments must isolate an operating environment from other customers, and in-house environments drive feature sets, which are not available in most security tools, such as tenanted reporting, self-service provisioning and various configurations per tenant. Second, Enterprises benefit by having predictable routing and an ability to see 'state' and 'symmetry' on traffic patterns. This provides enterprises with knowledge of their networks, and thus, security. Many Cloud companies don't always have these luxuries, and in as such are at a disadvantage with their ability to learn baselines and take actions. Lastly, enterprises know how to distinguish their legitimate traffic and block the rest. Cloud companies need to be much more tolerant on the types of traffic they allow into their environments, as they have to take into account network traffic patterns of their entire customer base.

BN: Do public and private clouds need a different approach?

CH: It is generally accepted that private and public clouds are different and the intimacy of a private cloud affords the opportunity for better security. It is also generally agreed that as time marches on, the lines between these two environments will blur as new technologies are adopted and the rise of automation and orchestration between various cloud providers becomes paramount.

BN: What are the main challenges of introducing a WAF in hybrid environments?

CH: Generally speaking, there have been two main problems with WAF introductions to environments: introducing network and application disruption (e.g. breaking something which wasn't broken) and the introduction of latency (e.g. slowing the application down). This has been a perennial problem which is now being solved by many powerful out-of-path solutions, however the basic WAFs are still wrought with these 'security' problems. Managing and maintaining the solution has also been a problem. Typically the best WAFs required heavy 'hand-holding' and expert knowledge and don't integrate with solutions in the cloud.

BN: How can companies ensure their systems remain protected during the transition to the cloud?

CH: When transitioning to the cloud, a hybrid approach is the way to go to remain protected. Most businesses simply aren’t positioned to move all legacy applications to the cloud, and starting a hybrid cloud approach does not require a complete migration of traditional IT infrastructure to a public or private cloud. Most companies will retain some internal application delivery infrastructure. Dedicated infrastructures are a luxury and will make most companies uncompetitive vis-à-vis hybrid competitors. The verdict is in about the merits of virtualization and cloud. It unleashes hidden efficiencies that have been elusive to the traditional datacenters of the past. At its core, cloud was designed to take the complexity of virtualization away from the end user and fully enable self-provisioning and speed to service delivery.

BN: What additional challenges do the rise of mobile devices and BYOD present?

CH: Mobile devices, BYOD and the Internet-of-Things will forever extend the attack landscape and operating environments. Soon enough, these devices will soon become centers of processing themselves and they will be conscripted (often without knowledge) to be part of future 'botted' armies. This movement to 'things' which process IT and are connected/interconnected will increase the threat level of the attack landscape and require an immeasurable amount of new security controls.

Photo credit: allepu / Shutterstock