Consistent Security in the Cloud Requires Consistency
For the past four years running, we've asked global respondents about the challenges faced on their journey to a modern, multi-cloud operating model.
For the past three years, we've consistently been told the top challenge is "consistent security across all applications". Now certainly part of that challenge is due to way in which organizations have come to operate in a multi-cloud reality - accidentally. Most have fallen into it by way of developers and business units that adopted cloud to 'get around the inefficiencies of traditional IT'. Today, multi-cloud is a conscious decision, driven primarily by the type of application being deployed.
But the challenge of consistent security across all those applications remains. One of the culprits appears to be that application services aren't always moving with the applications they protect. Consider these points from our State of Application Services 2019:
Disparity between on-premises and public cloud app services deployments leads to security concerns. While the average number of application services in use overall is 14, that drops by half for public cloud deployments. This means that organizations are deploying apps in the public cloud, but they are not matching application services deployments at the same rate.
While 66% of respondents deploy a WAF, only 33% indicate that they use a WAF for production applications deployed in a public cloud. Other security-related application services suffer the same decline in use in the public cloud, which is troubling, because it is nearly impossible to achieve security policy parity without the application services that enforce it.
Nearly half of organizations (48%) with a digital transformation initiative are troubled by the difficulty of achieving consistent security for applications distributed among multiple cloud platforms—while 45% say that protecting their apps from existing and emerging threats is their greatest challenge.
There are three things to note here. First, there is a lack of deployment of security-related application services with the applications they are designed to protect in the public cloud. That makes an answer to the 45% of respondents challenged by the ability to protect apps from existing and emerging threats fairly easy: start with deploying security application services to protect those apps. While they aren't foolproof - modern application services like advanced web application firewalls, behavioral DDoS protection, and bot defenses can dramatically decrease the risk of being caught off guard by an emerging threat. Given the rates at which such services are deployed today, it seems that a good approach to addressing to the challenge of consistent security is to be consistent about the application services you're deploying to protect apps in every environment.
Second - and perhaps less obvious - is that consistency goes beyond the application service. There are many web application firewalls, after all, but their capabilities are not necessarily equal. Even assuming consistency of capabilities, it's a fairly monumental task to try to take policies from ON-PREM WAF A and convert them to something usable by OFF-PREM WAF B. It's like handing someone a "how to" document written in a language they don't understand. So it has to be translated, first, and that takes time - and expertise in both languages. So yes, it will be easier to apply security policy consistently across all applications if you standardize on a single provider for that application service. One service, one language, one policy.
It's somewhat ironic that the number one application service respondents won't deploy an application without is security, and yet digging into the deployment details shows that perhaps that's not entirely true. In the cloud, at least, it seems security is being shoved to the side more often than it should be.
Lastly - and least obvious - let's not ignore the operational burden of manually managing application services across multiple clouds and data centers. It is significantly more challenging to manage anything manually - even the same things - when dispersed in multiple locations. Treating policies like code artifacts and approaching deployment of the services and associated policies with an eye toward automation can reduce mistakes, errors, and omissions that might otherwise occur. Automation and orchestration achieve consistency by the very nature of scripts and code that is able to replicate the same result over and over again. As the ancient Greek philosopher Aristotle noted, "We are what we repeatedly do. Excellence, then, is not an act, but a habit." Automation and orchestration, then, should be considered an important habit (practice) to acquire in the quest for multi-cloud consistency.
To achieve consistent security across all applications in a multi-cloud world requires consistency:
- Consistency in deploying the application services that protect and defend applications
- Consistency in the application service capabilities across all environments
- The use of automation and orchestration to facilitate fast, frequent, and consistent deployment of application services and security policies
Consistent security requires consistent behavior, practices, and tooling. By combining all three organizations can achieve consistency in security practices by getting into the habit of protecting applications as well as the business and consumers that rely on them.