With strategic security investments, you can maximize your budget and secure applications when using multiple cloud providers. Although many organizations still view application security as a cost sink, implementing solutions such as Advanced WAF actually reduces costs by cutting the time and effort spent keeping pace with fluid cloud deployments and changes in cloud providers.
Application security is challenging—and throwing more money at the problem doesn’t necessarily keep your apps and your data safer. Building a strong security posture wherever your applications live isn’t about spending more; it’s about investing in the right places. A multi-cloud application strategy is cost-effective and enables architectural flexibility, if you have a security posture that keeps your apps protected wherever they’re deployed.
Application security is commonly regarded as a necessary evil: managing risk often comes at significant cost without adding any obvious business value. So, if this investment must be made for your company to continue to operate, why not stretch that investment as far as you can? From an operating perspective, managing the minutiae of application security is time-consuming and tedious. It’s probably not one of your core competencies, nor is it boosting your revenue.
While your business may need the operating flexibility and commodity pricing the cloud provides, you shouldn’t accept commodity security controls if that means those controls are only relevant to that single cloud provider. This is where errors are commonly introduced. Securing apps becomes even more difficult when you are trying to keep pace with the fluidity of modern cloud deployments and changes in cloud providers.
The cultivation of strong, effective application security controls requires time and energy; and no matter how diligent you are, your adversaries will continue to find gaps in your application’s armor. For years, OWASP Top 10 has listed “Security Misconfiguration” as one of the most critical application security risks. If you are constantly rebuilding and re-engineering your security controls as you move apps from cloud to cloud, how can you possibly refine said controls and reduce the likelihood of error? What about variances in the efficacy of the actual controls themselves from cloud to cloud?
One of the striking things about security solutions in the cloud (such as a web application firewall, or WAF) is that they don’t have to be cost sinks—they can actually improve operational ROI. When you are paying for every inbound request, and a significant portion of your traffic consists of scanners, bots, denial of service, and fraud, it actually pays to be diligent about implementing security controls.
Why? Because you probably don’t want to absorb the costs incurred when controls can’t be made uniform from one cloud provider to the next. Building and rebuilding your defenses over and over again is itself a costly and error-prone process. It’s the same reason cross-site scripting (XSS) and SQL injection are still effective attack vectors: managing mitigations for constantly changing threats takes time and energy and requires specialized expertise that can be hard to come by. By building apps with cloud-agnostic security infrastructure once, you reap the benefits of integrated, flexible, and portable security controls that follow your apps wherever they are deployed.
The cloud has matured from the hype cycle and the “Wild West” stages into what is now called the Shared Responsibility Model. Now, cloud providers are responsible for security of the cloud, whereas the cloud customer is responsible for security in the cloud. Essentially, the tenant is always (regardless of service model) responsible for data security. The challenge with this model is that the security provided by each cloud provider differs. Organizations that adopt cloud services might find it difficult to keep up with those nuances, which gives bad actors an attack vector.
The burden on organizations to digitally transform and create compelling business value through applications is high. Adding to that burden by requiring expert knowledge of the differing security provided by multiple cloud providers is simply impractical.
A better approach is to partner with a security vendor that can provide consistent application security in a multi-cloud world.