By Shira Sagiv, VP of Product at Radware
As employees increasingly worked remotely during the pandemic, businesses quickened their pace toward the cloud. Already, the need for application agility was driving cloud adoption. As such, according to Radware’s The State of Web Application and API Protection report, 70% of production web applications now run in cloud environments. Keeping these hybrid environments safe from cyber threats requires a new way of thinking about application and cloud security.
Complexity is the Enemy of Security
Application development and deployment are becoming increasingly diverse, resulting in the majority of organizations dealing with hybrid, heterogenous environments that span public clouds, private cloud and on-premise data centers. According to the Radware report, some 71% of application development occurs either on-premise or in private clouds, while the remaining balance is mostly housed in single public cloud environments.
When it comes to applications released to production, nearly half of organizations that deploy applications in public clouds deploy them across multiple environments. The remainder of companies deploy them across private clouds or on-premise data centers.
To complicate matters, most organizations do not trust the security offered by their public cloud providers. According to Radware’s C-Suite Perspectives: Accelerated Cloud Migration but Lagging Security report, 73% of organizations “do not completely trust” the security provided by their cloud vendors.
And no wonder. A recent IDC technology spotlight noted that complexity “is the enemy of security—every cloud has its own capabilities, APIs, management and reporting.” Moreover, relying on the native tools of each individual cloud environment “can result in security silos, with each cloud platform having its own security bubble, with disparate security tools, varying levels of protection, and inconsistent reporting.” As a result, maintaining control, consistency and security of these hybrid environments has never been more challenging.
Five Critical Challenges to Securing Hybrid Environments
Emerging attack vectors, agile software development/DevOps and multi-cloud deployments have conspired to create an environment that leaves data vulnerable, and the digital experience undermined.
Organizations now face five key challenges for securing hybrid environments.
- Emerging threat vectors: Hackers are continuously refining existing and developing new attack vectors that circumvent existing protections. This exposes applications and cloud environments to attacks and data breaches.
- Broader threat surface: In the past, organizations had direct control over the backend infrastructure of the application; only the customer-facing side of the application was exposed externally. In a cloud environment, both the application surface and the application infrastructure are exposed. Both require protection.
- Agile software development and DevOps culture: The primary driver of cloud migration is the need for increased application development agility. The catalyst for this is agile development and DevOps processes that speed the development and enhancement of applications, but often leaves security as a secondary priority. Applications might be changing more frequently but must be kept secure.
- Multi-cloud deployments: Companies now deploy applications across on-premise, hybrid and public clouds. This broadens the threat surface, convolutes the implementation of coherent security policies, and further complicates the task of cloud security because organizations are now required to protect multiple cloud platforms, each with its own capabilities, APIs, management, and reporting.
- Ownership by non-security stakeholders: Although security staff are commonly tasked with protecting cloud environments, they frequently have no authority over the choice or management of cloud environments. According to C-Suite Perspectives: Accelerated Cloud Migration but Lagging Security, in 92% of organizations, decisions about cloud platforms are made by stakeholders other than security staff.
A viable security strategy must start with visibility, control, and address application security holistically, consistently, anywhere. However, organizations struggle with gaining control. According to The State of Web Application and API Protection report, 31% of respondents anticipate that their organization’s most significant application security concerns over the next two years will be maintaining a coherent security policy across heterogenous environments. Nearly as many respondents believe that their most significant concern will be gaining visibility into the security events impacting their organization.
These statistics underscore one of the key overarching issues of application security: despite the implementation of new security technologies, organizations continue to struggle maintaining visibility and consistency of security policies across the heterogenous collection of platforms, infrastructures, and technologies. To ensure coherent, comprehensive cybersecurity in an environment that is as diverse as it is evolving, organizations must begin thinking about security differently.
Application and cloud security are converging. Why? Because application protection in the age of hybrid clouds requires a holistic approach that combines protection against both application vulnerabilities and exploits, as well as security of the underlying cloud infrastructure. Moreover, application and cloud environments require frictionless security that can support the pace of innovation organizations now demand. Security needs to be “frictionless” and automated to ensure defenses are up-to-speed and automatically adapt to changes to either the application or cloud environment while not becoming a roadblock to innovation and change.
Securing this “out-of-control” environment requires a security strategy that delivers visibility, control and addresses application and cloud security holistically, consistently, and anywhere.
Six Capabilities to Keep Applications and Hybrid Environments Secure
Here then are the six key security capabilities needed to keep applications and hybrid environments secure:
- Holistic, agnostic application protection: Security must span all environments – providing 360-degree application protection for both the application surface and the cloud application infrastructure.
- Adaptive and automated: Security must leverage behavioral-based and machine-learning algorithms to proactively manage frequent changes to the application, their underlying environments, new security threats and more.
- Frictionless: Security should be integrated as much as possible with the development cycle and not interfere with business processes. It needs to be adaptive so it can change with the frequent changes to applications and the underlying deployment platform. As application development and deployment processes become more agile, security must be tightly integrated with the application development process. This seamless integration must rely on automated algorithms that can identify changes to the application and automatically adapt security policies.
- Consistency: Security needs to feature uniform, advanced security for applications everywhere to enable the same level of holistic protection agnostic to the application infrastructure, whether private or public clouds.
- Visibility and control via security and development dashboards. These dashboards must provide actionable analytics, automation, and customized controls.
- A broad range of solutions: Security should provide multiple deployment options, including cloud services, software, and hybrid.
Our dependence on hybrid, heterogenous environments that span public clouds, private cloud and on-premise data centers isn’t going away anytime soon. Because of this, organizations must be able to adapt to these complex ecosystems with a solid security strategy that can keep vital applications and hybrid environments secure.