Andrew Senior, Customer Success Manager, Nutanix, on what organisations can do to prevent cloud application attacks.
Cloud has become the first choice for modernised applications, which we now term cloud-native applications. These applications are designed for high scalability and elasticity to meet the demands of a highly competitive and digitally transforming world. With ever-improving ease of access to cloud services and a low barrier to entry, it is easy to deploy an application and then overlook its security.
Designing cloud-native applications with security in mind is essential, and that begins with a clear understanding of every endpoint you expose. Containerisation and the move to microservices architectures have added complexity to the application security landscape. A clear understanding of, and visibility into, these applications is vital, because cloud-native implies a dispersed and dynamic architecture, which in turn means more fronts on which an attack can arrive. Visibility can be provided by application monitoring, network monitoring, Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) tools.
The ability to react to and contain an attack is equally important, so understanding in advance which mechanisms and contingencies you can activate matters too. Given the risk that an entire cloud platform could be compromised, it is wise to mitigate this by spreading workloads across multiple clouds, both private and public. A significant cloud attack could constitute a disaster and should be treated as a trigger for the disaster recovery (DR) plan.
Cloud providers give you a platform on which to deliver your applications; hardening those applications remains your responsibility. Each provider offers services and features within its platform to secure your applications, and several third-party tools can measure security and policy compliance for your deployments against regimes such as Sarbanes-Oxley (SOX) and PCI DSS. Whilst the clouds and tools provide this functionality, it is again your responsibility to make sense of their recommendations and then use these services and features to implement the measures required to secure your applications.
Traditional network security skills and understanding remain an absolute necessity, but there are also security skills specific to the application space that must be learned. Organisations are not only practising DevOps now, but DevSecOps, to ensure that applications are built with security top of mind. Best practices are documented and available for all of the well-known technologies used by modern cloud-native applications, but making sense of them, and then implementing and governing them, will require skills and expertise which may be in short supply.