How to Secure Applications in Hybrid Cloud Environments

The explosive growth of applications hosted in the cloud creates a world of opportunities—and a multitude of challenges for federal agencies that must now deploy and manage a vast portfolio of applications in multi-cloud environments.

Government agencies are becoming savvier about moving to the cloud. Rather than viewing it as a one-size-fits-all approach, agencies have come to understand that different kinds of clouds are appropriate for different kinds of applications.

This is a primary reason for the growth of hybrid cloud deployments. A combination of public and private clouds affords agencies the best of both worlds. They can keep their most sensitive data and mission-critical applications in private clouds while moving applications such as public-facing websites that do not gather citizen information to public clouds, thereby benefitting from the cost savings offered by hosted providers.

Agencies view hybrid cloud deployments as a highly strategic way to connect their networks and data, and survey data shows they are carefully considering this strategy. F5 Networks’ fourth annual State of Application Delivery revealed that 42 percent of public-sector respondents indicate they are moving to deliver more applications from the public cloud, while 57 percent said their cloud decisions are made on a case-by-case, application-by-application basis.

More Cloud Means More Challenges

Clearly, agencies are becoming more sophisticated in their understanding of the value of the cloud and working to use the right environments for hosting their applications. With these new choices, as so often happens, arise new challenges, such as applications that must be managed, monitored, secured against intrusion, and protected against attack in multiple locations and environments.

Something as simple as authenticating to the cloud can be challenging without the right tools and policies in place. For example, the use of stolen credentials has consistently been one of the top attack vectors over the last three years. Ensuring that the users and software-as-a-service applications connecting to the cloud are who they say they are is critical, especially for federal agencies.

Implementing a solid multi-factor authentication strategy mitigates this risk because it requires users to present something—such as an RSA Token, common access card, biometrics information, or password—prior to accessing an application This in-house strategy can alleviate much of the pain associated with cloud security, but it does not abdicate cloud providers from having to share some of the burden.

The 'Shared Responsibility' model

The duty protecting these environments is not borne alone by federal agencies. There is a shared responsibility model emerging; cloud providers tend to be responsible for infrastructure security while agencies focus on securing their applications and data.

This can be seen most clearly in the distinction between SaaS and infrastructure as a service. In SaaS, the vendor is responsible for the security of the software; the customer agency has to accept the loss of control over security, and trust the vendor will meet all government standards, regulations and reporting requirements.

Understanding the distinction gives the agency the ability to focus on security—whether provided by the agency or a vendor—and assess the tools that are available and appropriate for each environment. For instance, agencies can use security automation tools to simplify and speed up changes, patches, and upgrades to applications, or assess which tools the vendor is using to accomplish those tasks.

The Emergence of WAFs

Getting security right is critical. Across all governments globally, 51 percent of survey respondents find applying consistent security policies across all clouds challenging. Another 46 percent of government respondents ranked protecting applications in a multi-cloud environment, from both existing and emerging threats, a challenge. Fifty-three percent are concerned about the growing sophistication of attacks.

One way these concerns are being addressed is through the increasing deployment of web application firewalls, or  WAFs. A properly configured WAF can protect against zero-day vulnerabilities, the top 10 Open Web Application Security Project (OWASP) attacks, and advanced web-based credential attacks. Sixty-five percent of government respondents have deployed a WAF, and 62 percent said that more than a quarter of their applications are now protected by a WAF.

Organizations with applications deployed in the cloud—or the clouds, given the predominance of hybrid solutions—are beginning to move from network-focused security to application-centric solutions, as shown in this emergence of WAFs. By leveraging a WAF, which can operate in the cloud and on-premises with the same protection and automation, organizations are able to increase security while creating the standardization of environments, through the automation and orchestration of security.

Greater Peace of Mind

Standardizing and automating security policies and procedures will streamline the adoption of hybrid cloud solutions while maintaining or even improving an agency’s security postures. Enforcing multi-factor authentication to applications wherever they reside and using a properly configured WAF are two approaches that can be used to automate, orchestrate and standardize security measures across these hybrid cloud environments. Both provide administrators and users with greater peace of mind about the security of their applications, regardless of where they reside.

Pete Kersten is a vice president for F5 Networks.