Are your cloud applications safe from hackers?

There is no magic bullet to obviate the need for cybersecurity. One of the tenets of the Internet is freedom – to publish (mostly), to express oneself, to represent oneself online without private details being learned by others, and to do business.

The Internet was invented not necessarily in gentler times, but certainly with motives that didn’t foresee the rise of Internet crime, hacking, data compromise and unpleasant personal and monetary blackmail. Reality prevails, of course, and today’s Internet security issues arise, largely, for three types of reason:

  1. Roguishness: so-called ‘grey hats’, mischievous types working not for any particular aim or profit, but to make trouble for whatever reason, be that experimentation or mere childishness.
  2. Ideology: hacker groups such as Anonymous and the Syrian Electronic Army have specific motives. These are sometimes political, or socio-economic, or even anarchic. Ideologies with similar aims are promoted online by governmental or quasi-governmental bodies trying to exploit systems for political or power gain. Rogue states such as North Korea or global players like Russia (allegedly) and China (allegedly) are known to be active online, as is every government in one form or another – the USA’s National Security Agency (NSA) being a case in point.
  3. Profit: well-funded and well-resourced, organized groups or individuals have found that crime for profit is monetarily worthwhile. The returns (such as those derived from the recent WannaCry attacks) represent considerable sums to an individual, and will always be there for the taking unless every data instance online is sufficiently protected.

Pranks will always exist in the world as part of human nature – we have adolescence (and adolescents) to thank for that at least in part, but problems caused by such mischief are usually low-level irritations.

Those attackers funded by governments, however covertly, or ideologically-driven organizations, are probably instigating some of the most effective attacks, but while these sometimes affect the private sector, most business organizations are not at too much risk – unless they happen to be private TV production companies making a documentary about North Korea, for example.

Criminal hacking, extortion (by DDoS, ransomware etc.) or exploitation remain the enterprise’s biggest threats, and it is here that most organizations focus their remediation activities.

While many exploits can be mitigated easily by simple software upgrades, OS upgrades or basic firewalling and antivirus, new exploits come to light every day. Of late, WPA2’s inherent insecurity has become known, and even the systems designed to protect us, such as SSL, have been found to be lacking.

Security analysts learn and develop exploits as quickly as their foes on ‘the other side’, in a never-ending ballet of intellectual brinksmanship, backed by powerful computing systems that can distribute attack or defensive mechanisms to new attack vectors within seconds.

No silver bullets for this werewolf

While backbone-level data scrubbing may remove many threats before they reach end-nodes, the privacy concerns of many will ensure that third parties of whatever color, even with the best intentions in the world, will never be allowed to rake through the world’s data.

Implementation of tech such as IPv6 will make some types of attack more difficult (man-in-the-middle attacks, for instance), but the protocol was not created for reasons of online protection – rather, to cure the problem of our finite IP address pool. In some ways, IPv6 will make cybercrime easier, not more difficult: the IP address blacklist as a first line of defense will be useless overnight after the protocol’s mass adoption, should that ever come to pass, for instance.

Some point to ISPs as being useful to help clean up rogue traffic at the data layer. But, as this type of action will come with a potentially high cost, who will pay? Additionally, the same data privacy issues are present at any level of the Internet’s structure, from backbone down. Who will police the police force?

The nature of the Internet ensures there is no overarching organizational body overseeing it to ensure we are safe. The system was designed to be a structurally egalitarian multiplicity for reasons that were practical, not ideological. It’s a dog-eat-dog world online as a result, like it or loathe it.

Keeping us safe from harm

Many articles on this site and elsewhere have covered the rise of the cloud and cloud-based services in today’s business world.

Gone are the days of app installs across every workstation in an organization. Rather, we are all now in the habit of buying into the software-as-a-service (SaaS) model, effectively renting others’ computing cycles, storage, and code skills in order to achieve our ends, be that email, scheduling, business transformation or grid-computing to crunch trillions of bytes of data a second.

What we need to be sure of – and any CIO worth his or her salt will lose sleep over this – is the safety of the services we rent out (if we supply), buy in (if we’re SaaS users), and access on bare metal, in-house.

Data safety is absolutely key in every area of organization and commerce, and it is paramount that the web applications we use and other data silos are properly protected: either from the mischievous ‘pen’ testing (penetration) of the would-be hacker, or full-scale assault by highly skilled experts with financial gain in mind.

Some estimates state bot traffic (automatically-generated traffic, often by compromised computers) makes up around 50 percent of total Internet data traffic. What’s indubitably true is that if a system is placed online, sooner rather than later it will be probed, its systems routinely tested and some form of exploitation will be attempted.

Thankfully, some of those systems placed online are so-called honeypots, installed deliberately by Internet security experts to gather data on the ever-shifting methods used by bot armies and their hacker programmers in order to compromise machines – especially badly-patched and ill-protected systems.

A few years ago, enterprise IT personnel would be relied upon to try to ensure, to the best of their abilities, that the data infrastructure in-house was safe. Today, however, the reliance on SaaS means that the security provision also needs to be based at the point of the application – web application security.

It is in the nature of SaaS suppliers that security is paramount – if their systems go down, the knock-on effects for their clients would be disastrous, both financially and from a PR perspective. We need to be assured that our SaaS suppliers are using the best solutions to protect themselves, and therefore by proxy, us.

Here are two suppliers of web-based application security solutions that we feel will be of interest to our readers:

BARRACUDA

The first line of defense in an array of web application security measures for any business application is, by definition, its front end. This is protected by a web application firewall (WAF).

Barracuda’s WAF solutions are considered highly relevant by CIOs across the globe (the company protects ) as they reflect the current business practice of hybrid cloud deployment.

Possible infrastructure combinations in the hybrid cloud are only limited by the imagination of the systems architect. However, any changes made to the structure of an IT provision have quickly to be followed by an update to the protection systems.

In today’s business world, change needs to come quickly, and it sometimes needs to come often. As provision changes are dictated by strategic direction, the IT department can easily find itself chasing its own tail, trying to hastily keep security intact as data center utilization changes, points of presence move from continent to continent and overall scale moves up or down – all according to business dictates.

What Barracuda offers is effectively the ability to have one security policy that’s applicable whatever changes. The system functions on an AWS deployment in the same way as it functions in a private cloud and also Microsoft Azure. Deployments can be created when required, utilized and then just as quickly scaled, changed or even dropped.

The company also offers a pricing option that’s based on data quantities protected, not the number of application instances.

A10 NETWORKS

The US-based company was founded in 2004. It acquired Appcito in July 2016, enabling much more of a cloud-native solution for A10’s clients.

The company’s headline product is a cloud-native, microservices/container-based controller called the A10 Harmony Controller, but its portfolio also includes the Thunder family of hardware and virtual appliances which cover application delivery, NAT, threat protection, SSL traffic inspection, and firewalling.

Today’s enterprise uses multiple locations to house applications, for example, some SaaS applications as well as apps running in the datacentre. Applications have become more agile, and an IT manager likewise needs to be light on their feet – A10’s product line empowers this ability.

With the Harmony Controller, customers get a uniform management and analytics combination, independent of the infrastructure the technologies are running on. This may be public cloud, bare metal (in-house) or private cloud.

Specific features of the A10 Harmony Controller include:

- SaaS or on-premises deployment
- per-application analytics across A10’s Lightning and Thunder ADC products
- open-source HAProxy load balancing
- web application firewalling

Kamal Anand, vice-president of A10’s cloud business unit, summed up the IT department’s concerns:

“I need infrastructure that’s easily available and can be provisioned on demand; it means applications and code that can be updated on a weekly or daily basis rather than once a year. Digital transformation strategies are evolving because there are so many technology changes, so you have to react fast. DevOps is critical for digital transformation, but I would say as an enabler rather than a definite requirement – it allows you to be more agile, deliver things faster and react to market conditions quicker.”