For the past four years running, we've asked global respondents about the challenges faced on their journey to a modern, multi-cloud operating model.
For the past three years, we've consistently been told the top challenge is "consistent security across all applications". Now certainly part of that challenge is due to way in which organizations have come to operate in a multi-cloud reality - accidentally. Most have fallen into it by way of developers and business units that adopted cloud to 'get around the inefficiencies of traditional IT'. Today, multi-cloud is a conscious decision, driven primarily by the type of application being deployed.
But the challenge of consistent security across all those applications remains. One of the culprits appears to be that application services aren't always moving with the applications they protect. Consider these points from our State of Application Services 2019:
Disparity between on-premises and public cloud app services deployments leads to security concerns. While the average number of application services in use overall is 14, that drops by half for public cloud deployments. This means that organizations are deploying apps in the public cloud, but they are not matching application services deployments at the same rate.
While 66% of respondents deploy a WAF, only 33% indicate that they use a WAF for production applications deployed in a public cloud. Other security-related application services suffer the same decline in use in the public cloud, which is troubling, because it is nearly impossible to achieve security policy parity without the application services that enforce it.
Nearly half of organizations (48%) with a digital transformation initiative are troubled by the difficulty of achieving consistent security for applications distributed among multiple cloud platforms—while 45% say that protecting their apps from existing and emerging threats is their greatest challenge.
There are three things to note here. First, there is a lack of deployment of security-related application services with the applications they are designed to protect in the public cloud. That makes an answer to the 45% of respondents challenged by the ability to protect apps from existing and emerging threats fairly easy: start with deploying security application services to protect those apps. While they aren't foolproof - modern application services like advanced web application firewalls, behavioral DDoS protection, and bot defenses can dramatically decrease the risk of being caught off guard by an emerging threat. Given the rates at which such services are deployed today, it seems that a good approach to addressing to the challenge of consistent security is to be consistent about the application services you're deploying to protect apps in every environment.
Second - and perhaps less obvious - is that consistency goes beyond the application service. There are many web application firewalls, after all, but their capabilities are not necessarily equal. Even assuming consistency of capabilities, it's a fairly monumental task to try to take policies from ON-PREM WAF A and convert them to something usable by OFF-PREM WAF B. It's like handing someone a "how to" document written in a language they don't understand. So it has to be translated, first, and that takes time - and expertise in both languages. So yes, it will be easier to apply security policy consistently across all applications if you standardize on a single provider for that application service. One service, one language, one policy.
It's somewhat ironic that the number one application service respondents won't deploy an application without is security, and yet digging into the deployment details shows that perhaps that's not entirely true. In the cloud, at least, it seems security is being shoved to the side more often than it should be.
Lastly - and least obvious - let's not ignore the operational burden of manually managing application services across multiple clouds and data centers. It is significantly more challenging to manage anything manually - even the same things - when dispersed in multiple locations. Treating policies like code artifacts and approaching deployment of the services and associated policies with an eye toward automation can reduce mistakes, errors, and omissions that might otherwise occur. Automation and orchestration achieve consistency by the very nature of scripts and code that is able to replicate the same result over and over again. As the ancient Greek philosopher Aristotle noted, "We are what we repeatedly do. Excellence, then, is not an act, but a habit." Automation and orchestration, then, should be considered an important habit (practice) to acquire in the quest for multi-cloud consistency.
To achieve consistent security across all applications in a multi-cloud world requires consistency:
- Consistency in deploying the application services that protect and defend applications
- Consistency in the application service capabilities across all environments
- The use of automation and orchestration to facilitate fast, frequent, and consistent deployment of application services and security policies
Consistent security requires consistent behavior, practices, and tooling. By combining all three organizations can achieve consistency in security practices by getting into the habit of protecting applications as well as the business and consumers that rely on them.
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...