It is widely believed that medieval castles fell out of favor because of gunpowder, which could force a cannonball through stone walls. This isn’t quite true. Fortifications could protect castles from cannon fire, but changing political structures and populations spreading to more remote areas made castles impractical to defend, given the way people wanted to live and rule. Application security is going through a similar change now. The driver isn’t a new threat, but new ways of working that require security strategies to change.
Accelerated migration to the public cloud has put many enterprises in hybrid or multi-cloud configurations that expose a weak spot in their legacy security strategies. It is simply not practical to protect every instance of every application component as if it were a discrete application running in the data center. Retrofitting traditional application security for heterogeneous environments degrades application performance, security and flexibility. That defeats many of the benefits of employing the cloud in the first place.
In the words of Gartner’s Neil MacDonald, “simply running agents designed for on-premise servers and hoping these will work in IaaS is not sufficient.” It’s time to look at the current state of application security and establish the requirements for a modern approach.
- First, and most intuitively, public cloud server workload interactions are far more visible than their counterparts inside private data centers. Workload interaction patterns are well known or can be discovered quickly, which makes it easier to map security rules to policies and to map new policies to discovered inter-server communication requests.
- Threat models are also changing. Advanced threats bypass traditional perimeter and signature-based protection. Application control is the basis of a cloud workload protection strategy: restrict what applications can do to a set of predetermined policies so that all other code, malicious or not, is blocked by default.
- Finally, more modern cloud-native workloads scale up and down elastically, putting similar scaling demands on their protection mechanisms. The right security model needs to be both infrastructure and scale independent because workloads span both public clouds and private data centers, and because of the potentially elastic nature of cloud workloads.
Given the requirements above, rather than hardening servers and the paths between them, it makes better sense to understand how these computational components communicate and allow each to restrict incoming calls to those that fit policies. Policies based on application intent and observed permissible activity allow encrypted communication to occur while all other traffic is simply ignored.
This approach allows limitless scale, application and policy changes, which mirror the benefits of using the cloud rather than fighting them. Deployment is as easy as developing policies and pushing them to the endpoints, which is especially useful in microservices environments where the rate of change is further accelerated.
In practice, the benefits are quite clear. We work with a prominent financial services firm that merged its existing private data center infrastructure with new cloud-native capabilities operating in three different availability zones for redundancy and product resilience. A traditional approach would prescribe a mix of networking overlays, firewalls, VPN tunnels, access control lists, and so forth. The system complexity of this strategy would add significant transaction latency, reduce scalability and impede application innovation.
Instead, the firm replaced all of that complexity with a model designed for the demands of hybrid computing, one that builds security policy into the application components. It is operating on flat L3 networks with no overlay networks, east-west firewalls, or VPN tunnels. Furthermore, north-south firewall rules and access control lists are radically simplified. This model’s simplicity is possible because of default-deny application logic that is controlled centrally by predetermined or discovered policies.
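The default-deny application logic described above (each component accepts only the calls that fit a policy, and policies are either predetermined or discovered from observed inter-server traffic, as the earlier bullets put it) can be shown as a small policy engine. The following is an added illustration, not code from the original post or from any vendor's product; the application names (`web`, `api`, `db`, `cache`, `bastion`), ports and observed flows are constructed for the example, and the rule shape (source role, destination role, port, protocol) is an assumption chosen to keep rules tied to workload identity rather than to IP addresses.

```python
"""Default-deny workload policy engine (constructed illustration).

Every call between workloads is denied unless an explicit allow rule matches.
Rules are either predetermined (written by hand) or discovered: proposed from
flows repeatedly observed during a learning window, then reviewed by a person
before being enabled. Keying rules on workload role rather than IP address is
what lets the policy survive elastic scaling and hybrid placement.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_app: str          # calling workload role, e.g. "web" (constructed name)
    dst_app: str          # called workload role, e.g. "api" (constructed name)
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    src_app: str
    dst_app: str
    port: int
    proto: str = "tcp"

    def as_rule(self) -> Rule:
        return Rule(self.src_app, self.dst_app, self.port, self.proto)


class PolicyEngine:
    """Central policy store; endpoints evaluate flows against it."""

    def __init__(self, rules=()):
        self.rules = set(rules)

    def allows(self, flow: Flow) -> bool:
        # Default deny: only an exact rule match permits the call.
        return flow.as_rule() in self.rules

    def evaluate(self, flows):
        """Split flows into allowed and denied; denied ones are the audit trail."""
        allowed = [f for f in flows if self.allows(f)]
        denied = [f for f in flows if not self.allows(f)]
        return allowed, denied

    def pending_review(self, proposed) -> set:
        """Discovered rules not yet enabled; these need a human decision."""
        return set(proposed) - self.rules


def discover_rules(observed, min_count: int = 2) -> set:
    """Propose rules for flows seen at least min_count times in a learning window.

    The threshold filters out one-off connections so that a single stray or
    malicious call does not become policy just because it was observed.
    """
    counts = Counter(f.as_rule() for f in observed)
    return {rule for rule, n in counts.items() if n >= min_count}


# Predetermined policy, written from application intent (constructed).
PREDETERMINED_RULES = {
    Rule("web", "api", 8443),
    Rule("api", "db", 5432),
}

# Flows captured during a learning window (constructed sample).
OBSERVED_FLOWS = [
    Flow("web", "api", 8443), Flow("web", "api", 8443), Flow("web", "api", 8443),
    Flow("api", "db", 5432), Flow("api", "db", 5432),
    Flow("web", "cache", 6379), Flow("web", "cache", 6379),  # legitimate, not yet in policy
    Flow("web", "db", 5432),                                 # tier bypass: should stay denied
    Flow("api", "bastion", 22),                              # one-off, never becomes policy
]


def run_demo():
    engine = PolicyEngine(PREDETERMINED_RULES)
    allowed, denied = engine.evaluate(OBSERVED_FLOWS)
    proposed = discover_rules(OBSERVED_FLOWS)
    review = engine.pending_review(proposed)
    return {
        "allowed": len(allowed),
        "denied": len(denied),
        "proposed": proposed,
        "pending_review": review,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The engine never enables a discovered rule on its own: `discover_rules` only proposes, and `pending_review` shows what still has to be approved. That keeps the "observed permissible activity" path from silently whitelisting a flow that happened to occur during the learning window, while the denied list doubles as the detection feed for calls that do not fit the application's intent.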
In simpler terms, another customer said he could replace the workload of two full-time staff with five lines of code, because simply worded policy instantly becomes part of the security posture. These are the costs saved by not carrying outdated data center security strategies into the cloud. People didn’t buy horses to pull the first cars.
As with open-field warfare replacing castle walls, the right strategy for cloud, multi-cloud and hybrid system security isn’t doubling down on traditional protection. The era of fortification is over. It’s time to understand security as a natural part of how applications should perform, regardless of where those applications run.