Many businesses are scrambling to refocus security strategies around cloud applications and workloads over which they have little or no control.
Their previous network-based security approach, based on hosting and securing applications from a single data centre, is outdated.
That should be a concern to business and IT leaders, considering the rise in distributed denial-of-service (DDoS) attacks Radware has recorded. It observed a 44 percent increase year-on-year in the number of blocked DDoS events in the first three quarters of 2021.
Such attacks can overwhelm corporate data centres, which are limited by the capacity of their network connections.
“It doesn’t matter if you are a bank and have a channel of 1Gbps,” explains Yaniv Hoffman, Radware vice president of APJ. “If a DDoS attack is 2Gbps, it doesn’t matter that you have the best security in the world; your line will be saturated, and you will be done.”
Cybercriminals have shifted their attention to the cloud-based applications scattered across cloud platforms. Radware found that attacks on web applications doubled every quarter this year, with banking and finance companies by far the most often-attacked – accounting for nearly 23 percent of blocked web application security events. Also in attackers’ sights were government (16 percent), technology (15 percent) and retail (12 percent) organisations.
Predictable resource location and injection attacks dominate cybercriminals’ attack methods. This has exposed weaknesses in conventional telemetry, which is often blind to new attacks targeted at applications, services, and data spread across different environments and running under different processes.
“In the past, because [applications, workloads and data] were in your data centre, you had access to everything,” Hoffman explains. “But when you move to the cloud, you don’t control anything,” he says, referring to IT resources and data.
Regaining control
IDC has argued that rapid transformation has created a “strategic opportunity to realign security tools and practices”.
With publicly available APIs making cloud applications more interconnected, companies need fine-grained security they can enforce close to core applications, and they must protect those APIs from abuse by cybercriminals.
Network monitoring tools used to provide key security control points, but those control points are being moved out of the data centre to the application and cloud workloads.
IDC notes the evolution from conventional web application firewall (WAF) platforms – which meet the specific security needs of web-exposed applications – to web application and API protection (WAAP), which provides more granular control at the application and API level.
WAAP may better suit cloud environments, but CIOs must ensure that it doesn’t interfere with the smooth operation of heavily-integrated cloud application environments – and that security doesn’t slow down application development and deployment.
This need for “frictionless” security, Hoffman notes, has driven the creation of holistic, agnostic application protection that spans all kinds of cloud applications and the clouds themselves.
“We have uniform security for applications everywhere,” Hoffman explains, “to enable the same level of protection whether it’s for software, for microservices, or the cloud.”
“On top of that, we provide visibility and control across environments with a single pane of glass.”
Automating for frictionless security
To deal with large volumes and highly diverse network traffic, frictionless security uses machine learning-based security automation.
Adaptive security tools continually scan the WAAP environment for threats and behavioural anomalies, immediately blocking or neutralising threats as they are detected and saving security staff from trying to keep up with a flood of security alerts.
This approach can rapidly and effectively respond to changes in applications, code, or the underlying operating environment – securing customers’ environments in a way that complements cloud operators’ security architectures.
Businesses “are changing their risk management and building incident response plans to have procedures in case of an attack,” Hoffman says. “They understand that security is a multi-layered approach, and that manual protection is not enough.”
The key, he says, is to build holistic protections combining application protection, protection of cloud infrastructure, cross-cloud coverage, and frictionless security.
Architected properly, such security architectures can help CIOs regain control of their multi-cloud environments – and support continued business growth in the cloud without the compromises of legacy security frameworks.
“Business continuity is mandatory these days,” says Hoffman, “and it’s not a question of if you will face an attack, but when.”
“As companies look on next-generation threats that are coming in, there is much more awareness today about what’s going on, and how frictionless security can help them protect themselves against it.”
Learn more by downloading the IDC Technology Spotlight: “Understanding the next security control points: applications and workloads”.