3. Information Security and Compliance

From the inception of cloud delivery models, security has provided the anchor to adoption because of concerns of inadequacies. In the end, most companies who are “cloud-ifying” applications from more traditional deployments found themselves with fewer options and features in which to secure applications in the cloud. Also, cloud companies needs to be in lock-step with stringent compliance requirements of client companies such as PCI-DSS, HIPPA, and Patriot Act and Sarbanes-Oxley Act.

The task of keeping a business up and available while orchestrating cloud delivery service models is not trivial. Similar to the change of just-in-time inventory in manufacturing models, the cloud, with all its cost and agility benefits, ushered in a whole new era of requiring a high degree of uptime. The issue of uptime is multi-faceted. There is a need to cover numerous categories of security threats such as volumetric vs. non-volumetric attacks, bots vs. humans, multi-vector attack campaigns and web exhaustion techniques.

“The need to secure applications on-premise, in the cloud, and during the transition period from on-premise to the cloud, requires a hybrid solution”

Current technology shifts have changed business leaders' expectations of IT and disrupted many of the security models we’ve come to expect. These changes have resulted in complications for security professionals dealing with different operating environments and also a loss of visibility to the overall 'business' picture. Businesses are now looking for IT to respond in hours or even minutes compared to what used to be days or weeks. Organizations need to have the ability to detect threats with high quality in one location and react to those revelations in all operating environments in real time, and then orchestrate changes to the affected systems quickly and universally.

Until recently, no single web application firewall technology existed which addressed these problems. Solutions offered by security vendors did not include a web application firewall that integrated seamless on premise and cloud protection. This lack of integration led to limited visibility, a lack of policy orchestration, and muted attack responses. Organizations could also not differentiate attacks that occurred in the cloud from those on premise in a timely fashion. Was it the same vulnerability? Was it the same perpetrator in both attacks? Those questions could not be answered because the quality of detection was limited. The need was established that organizations needed to be able to mitigate a security problem both on-premise and in the cloud.

So, what needs to be coordinated and integrated between the cloud and premise-based applications to provide seamless protection? One needs to mitigate attacks in all environments, including behind a Content Delivery Network (CDN) or multiple CDNs. Powerful considerations need to be made for network latency and disruption as coordinating disaggregated devices will require high network fidelity and response. Moreover, compliance, and role-based-access-controls (RBAC) will be a key attribute to honing panoramic visibility.

In conclusion, the need to secure applications on-premise, in the cloud, and during the transition period from on-premise to the cloud, requires a hybrid solution. That will allow simple policy migration from the premise to the cloud while supporting a seamless migration without exposing the newly migrated applications to web attacks. The need for quick panoramic visibility to the entire delivered application infrastructure no matter where it is served is paramount. Quick and coordinated control and mitigation are essential to bring the balance of defense back into the defender’s court. The current path is clear—a hybrid solution is a must. The faster this architecture is migrated, the least amount of damage and harm will occur.