How to make sure cloud deployments are secure
The global forecast is cloudy. In fact, rather than a forecast, it's a reality - practically everyone, everywhere uses cloud technology today.
Whether an organisation runs Office365 for email or virtualisation on-premises (private cloud), a public cloud provider such as AWS, Azure or GCP, or a combination of these in a hybrid setup, the cloud is ever present and pervasive.
Today the hybrid pattern is the most widely used. There is an implied promise of lower risk and more security in the hybrid model since it allows technology managers to adopt the public cloud to their own level of comfort. Another plus for hybrid cloud adoption is regulatory compliance.
To maximise the benefits from migrating to cloud-based solutions, consider that only an end-to-end, unified, holistic strategy can protect an organisation. Anything less will leave gaps, and cybercriminals will discover them. So a security plan must be adaptable and agile to defend against the evolving threat landscape. And no security strategy is complete without data recovery.
Often security represents the most complex aspect of deployments that span one or more of the cloud types. So let's take a look at the issues clouding public and hybrid deployments.
Most organisations follow a typical approach. First, they run productivity applications such as Office365. Then they move to new application deployments on platforms such as AWS or Azure. These are optimised for the cloud: they are containerised, capable of autoscaling and more. Finally, existing applications are moved to the cloud after extensive testing.
Most public cloud deployments involve moving an existing in-office application to the cloud. Organisations need only make minimal changes to have it cloud-ready - and most of these applications are hybrid deployments.
Hybrid setups have part of their application, typically the front-end, in the cloud, while the rest of the application sits in the business' data centres.
With the public cloud, users have a significant learning curve to identify the requirements. People tend to think that they only need to move their application to the cloud - everything else can be secured by default. How wrong they are!
A platform provider is responsible for securing the underlying infrastructure that it provides. Anything the user deploys on top of this is the user's responsibility. Organisations should carefully consider the services they choose, since their responsibilities vary depending on those services, their integration into the IT environment, and applicable laws and regulations. This shared responsibility also provides the flexibility and organisational control that permits the deployment.
Any application or database deployed is the responsibility of the user. When the user fails to understand this, their data gets exposed and stolen.
In April this year, Thailand's True Corp had to fix a data leak involving the exposure of identity records of up to around 45,000 customers. A 32GB data cache included 45,736 files, consisting mainly of JPG and PDF scans of identity documents including scanned ID cards, driver licences and possibly passports.
In July 2017, six million Verizon records were compromised by Nice Systems, a Verizon partner that facilitates customer service calls. The records, which held logs from residential customers who had called Verizon customer service, were accessed via an unprotected Amazon S3 storage server controlled by an employee of Nice Systems. The cause was a misconfigured security setting on the server. As a result, anyone who knew the web address could download the files.
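The class of misconfiguration described above can be checked before deployment. The following is an added example, not part of the original article: it reviews a bucket policy, a bucket ACL and the Public Access Block settings for anonymous access. The bucket name, Sid and sample documents are constructed; the field names follow the S3 policy, ACL and Public Access Block formats.

```python
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean "anyone, no credentials needed".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _allows_get(actions):
    # Policy actions may be wildcards such as "s3:*" or "s3:Get*".
    return any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))

def public_exposure_findings(policy, acl_grants, block):
    """Return the reasons a bucket is exposed to anonymous users."""
    findings = []
    # RestrictPublicBuckets neutralises a public policy that is already attached.
    if not block.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement", [])):
            # Simplification: statements with a Condition are not flagged here.
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _is_anonymous(stmt.get("Principal"))
                    and _allows_get(stmt.get("Action", []))):
                findings.append("policy:" + stmt.get("Sid", "<no Sid>"))
    # IgnorePublicAcls neutralises public ACL grants that already exist.
    if not block.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if (grant.get("Grantee", {}).get("URI") == ALL_USERS
                    and grant.get("Permission") in ("READ", "FULL_CONTROL")):
                findings.append("acl:" + grant["Permission"])
    return findings

# Constructed sample documents for a hypothetical bucket "example-bucket".
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
BLOCK_OFF = {"RestrictPublicBuckets": False, "IgnorePublicAcls": False}
BLOCK_ON = {"RestrictPublicBuckets": True, "IgnorePublicAcls": True}

if __name__ == "__main__":
    print(public_exposure_findings(SAMPLE_POLICY, SAMPLE_ACL, BLOCK_OFF))
```

A bucket-level READ grant to AllUsers permits anonymous listing, while the policy statement permits anonymous downloads; either one is enough to expose the data.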
Clearly, hybrid applications need additional security and reliability. It is essential to secure the flow of information between an organisation's data centre and the cloud. Full visibility into the flow of traffic is vital, and so is resiliency in case there is an internet outage. To avoid issues when customers access the application, traffic should have lower latency.
So what can be done to secure your hybrid cloud? The first step is to understand the cloud platform and plan for security right from the outset.
To secure application access from the outside, IT must consider whether or not a virtual private network (VPN) is required to protect their web or API-based applications from attacks. To protect against hackers hopping between various parts of the applications, access restrictions must be enforced between each of these areas.
With so many security rules in place, an organisation needs visibility into what traffic is flowing between the various layers to identify anomalies quickly. This is where they need help.
A survey of IT professionals responsible for cloud showed that 83 per cent have concerns about new generation firewalls (NGFs) in the cloud. Other concerns included pricing and licensing, lack of integration, and increased overheads due to a lack of centralised management. Yet 99 per cent saw value in cloud-specific firewall capabilities.
The cloud providers include some basic security capabilities for securing their deployments, but these tools lack significant security and visibility capabilities, and are complex to architect and deploy.
The Barracuda CloudGen Firewall and Barracuda Web Application Firewall fit perfectly into this gap. Easy to use and deploy, they provide complete protection against all threats and make it easy to deploy securely in the cloud. The Barracuda CloudGen Firewall has complete network protection and segmentation capabilities with unrivalled visibility. It protects applications against attacks and offers advanced VPN capabilities.
Inside the cloud, the firewall allows a business to segment its network easily and enforces access restrictions between each part of the application. It provides full visibility into all the traffic flowing between each layer. The Barracuda Web Application Firewall protects web, mobile and API-based applications against all application layer attacks. Together, they deliver complete security for cloud deployments.
For hybrid applications, the Barracuda CloudGen Firewall provides highly resilient VPN technology with intelligent traffic management and network optimisation capabilities. This reduces line costs, increases overall network availability, improves site-to-site connectivity, and ensures uninterrupted access to applications hosted in the cloud.
Moving to the cloud can be daunting. It takes time to understand and use the cloud effectively and efficiently. Barracuda's cloud generation solutions provide best-in-breed security, while maintaining ease of use to ensure complete security and peace of mind.
- The writer is vice president for the Asia-Pacific at Barracuda Networks.