If you’re like many businesses, you’re moving applications into public and private cloud infrastructures. You’ve seen how the cloud’s agility, resiliency, and scalability drives business growth. Fortunately, rolling out new apps in the cloud is easy when you have containers, microservices, and DevOps supporting your efforts. But what’s not always as easy to figure out is application security—especially if you’re in the midst of migration and need to keep apps secure both on-premises and in the cloud.
Make no mistake: your apps will be attacked. According to the 2017 Verizon Data Breach Investigations Report, web app attacks are by far the number one cause of data breaches—with denial of service attacks the most common of these security incidents.
The good news? You can secure your apps as easily as you can roll them out when you have a flexible, scalable security solution in place.
In this article, we’ll discuss what you need to take into consideration to securely migrate apps to the cloud, and how Imperva FlexProtect can keep your applications secure wherever they live.
Security Model in the Public Cloud
Leading cloud vendors introduced a shared responsibility model for security in the cloud. Amazon states that AWS has “responsibility for security of the cloud,” while customers have “responsibility for security in the cloud.” Microsoft Azure, Google Cloud and other vendors also adopted this model. What does it mean for you? Cloud vendors provide the tools and services to secure the infrastructure (such as networking and compute machines), while you are responsible for things like network traffic protection and application security.
For example, cloud vendors help to restrict access to the compute instances (AWS EC2/Azure VM/Google CE) on which the web server is deployed (by using security groups/firewalls and other methods); they also deny web traffic from accessing restricted ports by setting only the needed HTTP or HTTPS listeners in the public endpoints (usually the load balancer).
But public cloud vendors do not provide the necessary tools to fully protect against application attacks such as the OWASP Top 10 risks or automated attacks. It’s your responsibility to establish security measures that allow only authorized web traffic to enter your cloud-based data center—just as with a physical data center. Securing web traffic in physical data centers is typically done by a web application firewall (WAF) and fortunately, a WAF can be deployed in the public cloud as well.
Choose Flexible Application Security for the Cloud
When choosing solutions to mitigate different web application threats, it’s important to make sure that they offer flexibility to choose the tools you need. The first mitigation layer is usually common for all attackers, it denies access from badly-reputed sources (“malicious IPs”) and blocks requests based on predefined signatures. This solution could be useful against generic types of attacks, like a botnet attack looking for known vulnerabilities. The more targeted the attack is though, the more fine-grained the tools required to mitigate it—and the higher the level of control your security team needs. When an attacker tries to launch an attack tailored to a specific web service, you need customizable tools to block it.
An ideal solution would offer both generic and customizable tools with the flexibility to be deployed within the private network and public cloud while giving your security administrator full control, including deployment topology and security configuration. An application security solution that is deployed in the public cloud should support several key attributes:
Burst capacity: Automatically spawn new security instances which then register with the existing cluster of gateways.
Multi-cloud security: A security solution should support all the major public cloud infrastructures (AWS, Azure or Google Cloud Platform) and your own data center so you can secure applications wherever they live—now and in the future.
DevOps ready: Security solutions should employ machine learning to automatically understand application behavior.
Automation: Dynamic cloud environments require automation to launch, scale, tune policies and handle maintenance operations.
High availability: Business continuity demands that your security solution be highly available.
Centralized management for hybrid deployment: A security solution should have a centralized management solution that can control hybrid deployments in both the physical data center and in the cloud.
Pricing for Applications
Applications are moving to a more automated architecture and they’re being developed and rolled out faster than ever. If any of the following apply to you, then you need a flexible licensing solution for security:
- Moving to a microservices architecture
- Planning to use serverless computing such as AWS Lambda
- Deploying containers instead of traditional virtual machines
- Have a dedicated application DevOps team in your organization
- Concerned about your API security
- Moving your applications from on-premises to public cloud infrastructure like AWS, Azure or Google Cloud Platform
- Need to keep certain applications on-premises and need security for both cloud and on-premises
Imperva FlexProtect offers a single subscription with the flexibility to mix and match application security tools so you can secure applications wherever they live. FlexProtect security tools protect in-the-cloud and on-premises application portfolios, and keep your applications safe while you navigate the uncertainties of moving to a virtual, cloud-centric architecture.
Imperva application security solutions are available in a flexible, hybrid model that combines cloud-based services with virtual appliances to deliver application security and DDoS defense for the cloud. With FlexProtect, you can choose from the following Imperva security solutions:
- Imperva Incapsula combines security with performance optimization and load balancing to provide complete cloud-based protection for your business.
- Imperva SecureSphere Web Application Firewall (WAF) protects business critical applications from sophisticated cyberattacks.
- Imperva ThreatRadar is an advance-warning system that stops emerging threats before they impact your business.
Your organization needs a simple and flexible solution to facilitate a smooth transition from on-premises to the cloud. Imperva offers a solution that scales with your business while allowing you to choose tools based on your application security requirements. With FlexProtect, Imperva removes the dilemma associated with cloud migration planning and future proofs application security investments.
Contact us today to find out how the FlexProtect licensing model can help you keep your apps safe wherever they live, now and in the future.