There has been a lot of talk about cloud security and how to monitor SaaS and IaaS access and usage, both sanctioned and unsanctioned. One thing that needs to be talked about more, however, is how applications that are already known, tracked and managed are being deployed in the cloud via IaaS.
When deploying applications on premises, whether in a datacenter or in a DMZ, firewalls, network monitoring and other security controls are already known and in place before an application even enters the discussion. When an application moves to the cloud via IaaS, none of those controls exist by default, despite what customers might believe. This applies in particular to the application-hosting front end, the ADC/WAF.
Unfortunately, many cloud hosting deployments are managed by development teams rather than network or security teams. Development teams are professionals who know what they are doing, but they are often not aware of what the network and security teams had in place before their applications were deployed. One example is how many development teams simply deploy the default application delivery controller offered by the IaaS provider. These ADCs appear to be point-and-click and cheap. And they are.
The problem is that they lack the performance and security that typical enterprise ADC/WAF appliances, virtual or physical, offer. Some of the clearest examples are features such as DAST integration, which allows an application to be scanned and the resulting vulnerabilities to be virtually patched at the WAF, in front of the application, while the code fix is scheduled. Another is the ability to automate security controls and requirements through industry-standard DevOps tools such as Ansible, Puppet and Chef, as well as classic scripting languages such as Python and PowerShell. Further, a product like F5 ASM, which has broad industry support, can deploy application templates with little or no customization, and for custom applications a security policy can be built with little or no user interaction through its Rapid Deployment Policy interface.
The final value, and probably the most critical, is a must-have for any government agency: a true enterprise virtual ADC/WAF offers FIPS-validated encryption for application data in flight. Without integration with FIPS-hardened hardware (an HSM), the private keys used to terminate SSL/TLS for data in transit cannot be stored and protected properly. The default ADC/WAFs supplied by the major IaaS providers do not have the ability to do this, so an enterprise software version is required.
Besides the added functionality, using an enterprise software ADC/WAF such as F5's also provides consistency across on-premises physical, on-premises virtual and cloud application hosting. First and foremost, no new learning is required to ensure that the ADC/WAFs in the cloud are meeting security policy and are configured correctly. Any security issue can be resolved in the same manner that is used today, and will likely still be used, for on-premises applications in the many agencies that will remain hybrid for some time. A single management plane can be used for all of them, and no additional training or risk of misconfiguration is introduced into the application life-cycle.
This consistency can be the difference between resolving a security issue with a few clicks at the proxy of an enterprise solution and scrambling to figure out how to patch or fix code in a production application that suddenly has a major vulnerability. Heartbleed is a common example. When it hit, applications fronted by F5 could all be covered, in some cases hundreds at once, by pushing a single mitigation to the proxy and then mapping out the patching and code fixes of the applications with more time and planning. The mitigation works because the proxy terminates TLS: it inspects the heartbeat records itself and the servers behind it never see the malicious request, so the proxy's own TLS stack is the only one that has to be patched or protected immediately.
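To make the proxy-level mitigation concrete, here is the kind of heartbeat-record check a TLS-terminating proxy can apply so that a Heartbleed request is dropped before any server behind it sees it. This is example code added for this page, not F5's iRule or product code. The TLS record layout follows RFC 5246 and the heartbeat message layout follows RFC 6520; the sample records at the bottom are constructed inline, not captured traffic.

```python
"""Heartbeat-record check of the kind a TLS-terminating proxy can apply to
block Heartbleed on behalf of every server behind it.

Added example, not F5 code. Record layout: RFC 5246; heartbeat layout:
RFC 6520. Sample records below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

TLS_HEARTBEAT = 24          # content type of a heartbeat record (RFC 6520)
TLS_APPLICATION_DATA = 23
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16            # RFC 6520: padding MUST be at least 16 bytes
HEADER_LEN = 3              # type (1) + payload_length (2)
RECORD_HEADER_LEN = 5       # content_type (1) + version (2) + length (2)
TLS_1_2 = 0x0303


@dataclass
class Verdict:
    action: str   # "pass" or "drop"
    reason: str


def parse_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Split a byte stream into complete TLS records: (content_type, version, fragment)."""
    off = 0
    while off + RECORD_HEADER_LEN <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + RECORD_HEADER_LEN])
        start = off + RECORD_HEADER_LEN
        fragment = data[start:start + length]
        if len(fragment) < length:
            break          # incomplete record; a real proxy waits for more bytes
        yield ctype, version, fragment
        off = start + length


def check_heartbeat(fragment: bytes) -> Verdict:
    """Enforce the RFC 6520 length rule: the declared payload plus the minimum
    padding must fit inside the record. Vulnerable OpenSSL skipped this check
    and echoed payload_length bytes of heap memory back to the client."""
    if len(fragment) < HEADER_LEN:
        return Verdict("drop", "heartbeat shorter than its 3-byte header")
    htype = fragment[0]
    (payload_len,) = struct.unpack("!H", fragment[1:3])
    if htype not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return Verdict("drop", f"unknown heartbeat type {htype}")
    needed = HEADER_LEN + payload_len + MIN_PADDING
    if needed > len(fragment):
        return Verdict(
            "drop",
            f"declared payload {payload_len} bytes but record holds "
            f"{len(fragment)} bytes (Heartbleed pattern)",
        )
    return Verdict("pass", f"well-formed heartbeat, payload {payload_len} bytes")


def inspect_stream(data: bytes) -> List[Verdict]:
    """One verdict per complete record; non-heartbeat records pass through untouched."""
    verdicts = []
    for ctype, _version, fragment in parse_records(data):
        if ctype == TLS_HEARTBEAT:
            verdicts.append(check_heartbeat(fragment))
        else:
            verdicts.append(Verdict("pass", f"content type {ctype} not inspected"))
    return verdicts


# --- constructed sample traffic (not captured from a real host) ---------------
def build_record(ctype: int, fragment: bytes, version: int = TLS_1_2) -> bytes:
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None,
                    padding: int = MIN_PADDING, htype: int = HEARTBEAT_REQUEST) -> bytes:
    """declared_len lets a sample lie about its payload size, as the exploit does."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", htype, declared_len) + payload + b"\x00" * padding


BENIGN = build_record(TLS_HEARTBEAT, build_heartbeat(b"ping"))
HEARTBLEED = build_record(TLS_HEARTBEAT, build_heartbeat(b"", declared_len=0xFFFF))
APPDATA = build_record(TLS_APPLICATION_DATA, b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for v in inspect_stream(BENIGN + HEARTBLEED + APPDATA):
        print(v.action, "-", v.reason)
```

The check is deliberately stricter than "drop anything with a huge length": it also rejects a heartbeat whose padding is short of the 16 bytes the RFC requires, since that is the same class of malformed message. Applied on the decrypted side of a terminating proxy, one rule like this covers every application behind it, which is the point the paragraph above makes about patching at the proxy first and the applications afterwards.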
For a deeper dive into the differences between default IaaS ADC/WAFs, HSM integration to secure application traffic in flight, and how to securely move applications to the cloud, join GuidePoint Security, F5 and Thales Security on Feb 27th for our live webinar.
About the Author
Jean-Paul Bergeaux, Federal CTO, GuidePoint Security
With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP's career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData. Jean-Paul focuses on identifying customers' challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT managers, such as cybersecurity, VDI, big data, and backup and recovery.