State of Application Delivery 2018: Security in the cloud, yes! Confidence, not so much.

F5 Ecosystem | February 20, 2018

Digital transformation is a forcing function, encouraging automation and orchestration across IT and driving organizations to the decision to deliver apps from the public cloud.

In fact, digital transformation permeates so thoroughly across IT that just about every aspect of our State of Application Delivery 2018 data showed signs of being impacted. Including security.

That impact is clear when we start looking at the relationship between confidence and cloud, and the drive to deploy the application services that keep apps safe – no matter where they might be.

Now to be fair, in general, confidence has been trending downward over the four years we’ve conducted this survey.


In 2015, nearly half of organizations (49%) had high confidence in their organization’s ability to withstand an application layer attack.

This year we saw that drop to 41%. Conversely, the relatively minor percentage of respondents with low confidence in 2015 – a mere 8% – has more than doubled to 17% in 2018.

The “we’re neither confident nor lack confidence” crowd has remained largely static.

What makes this statistic even more disconcerting is the breakdown of confidence when public cloud is introduced into the picture.


There is a significant difference in the share of respondents with high confidence in their security fu when protecting apps on-premises (59%) versus in the public cloud (37%). Low confidence shows the same relationship – fewer respondents have low confidence with respect to on-premises (14%) than with respect to public cloud (25%).

Now, it would be easy to blame the difference on cloud, but fundamentally the majority of public cloud environments have little to no impact on application security. Certainly infrastructure and network security is a factor that can lead to the compromise of an application, but for the most part the protection of an application - regardless of location - lies squarely on the shoulders of its owner. So we looked at other factors such as the technologies and application services organizations deploy in both environments to protect and defend applications. Perhaps it wasn’t the location but a difference in approach to protecting them.

We found that the majority use three different application services to protect and defend applications: network firewall (83%), application access control (75%), and web application firewall (57%). Just over one in four (26%) also use user-behavioral analysis.


It’s a good mix of application services – watching the network, controlling access, and filtering/scrubbing for malicious content. So perhaps the use (or lack thereof) of these services was contributing to waning confidence levels.

What we discovered is that yes, the application services you rely on to protect applications against attack do have a positive impact on confidence to withstand an attack.

In the case of the top three, there were dramatically positive gains in confidence by those who employed the service. Then we looked at the impact of those same service deployments in the context of public cloud versus on-premises.


Two things stand out in this comparison: clearly, those using application services are far more confident than their counterparts that eschew their valuable protections.

The second is the slight difference – about 3% consistently – in confidence between on-premises and public cloud, which is not enough to explain the significant gap between general confidence levels to protect apps in the different environments. One concludes, then, that the environment (cloud) is a contributing factor to decreasing confidence with respect to withstanding application layer attacks.

The reason why may be found in the resurgence of complexity of security solutions as a top security challenge for 2018. The challenge had been decreasing – dropping out of the top three in 2017 with only 30% tagging it as a top challenge – but reared back up this year with 34% to reclaim its spot. Cloud necessarily introduces some of that complexity, with a dizzying array of foreign services and APIs. Cloud is not a traditional environment, and adapting to new architectures and new services contributes to complexity. Atop that is the reality that application services in the cloud may or may not achieve parity with the protection offered by on-premises services.

For example, a basic web application firewall service from a cloud provider may not provide the same robustness of protections as a web application firewall service on-premises. The difference in capabilities could be a contributing factor to confidence. As we did not dive into whether the application services on-premises were the same as those in the public cloud, we can’t definitively point to differences in capabilities as a source of declining confidence, but it seems one of several likely culprits.

Security is definitely moving to the cloud along with the applications it strives to protect, but the confidence to do so is not.

And with this, we wrap up our initial series on the State of Application Delivery 2018. For more insights on digital transformation, multi-cloud, application services, security, automation, and the continuing NetOps transformation, feel free to grab your own copy of our 2018 State of Application Delivery report and follow along on the Twitters with @f5networks and/or the hashtag #soad18.


About the Author

Lori Mac Vittie, Distinguished Engineer and Chief Evangelist
