Dark Reading

The Role of Visibility in Securing Cloud Applications

By Praveen Patnala

Traditional data center approaches aren't built for securing modern cloud applications.

We are living through an application development renaissance. Organizations are changing both where applications live and how they are built.

Apps Live in the Public Cloud
Apps are being built on public cloud platforms at a rapid pace as enterprises accelerate their cloud migrations. Public clouds offer developers enormous flexibility in how apps are built and deployed. This has resulted in architectures that consist of one or more of the following:

  • Virtual machine or instance-based apps
  • Container-based apps
  • Serverless apps

Apps Are Services-Based
At the same time, another tectonic shift is taking place in how apps are built, namely the move to a services-based approach. Increasingly, apps are built as microservices communicating over well-defined APIs. Often, these APIs are remote or external, so an app can call several outside services to accomplish a task, for example:

  • Twilio to send text messages
  • AWS S3 to store and retrieve images
  • Mailchimp to send emails
  • Snowflake to store and retrieve rows of data
  • Datadog to log events

A New Category of Traffic
This collision of where apps live (public cloud) and how they are built (services-based) is creating a massive new category of traffic: app-initiated connections to software-as-a-service (SaaS), platform-as-a-service (PaaS), and the wide-open Internet. Typically, the service endpoints that apps are connecting to (e.g., https://api.datadoghq.com for Datadog) are identified by a fully qualified domain name (FQDN) or URL, which can translate to hundreds or thousands of Internet Protocol (IP) addresses during resolution. Those IP address lists are dynamic. At the same time, cloud service providers' native security controls, such as access control lists (ACLs), security groups, and route tables, are all IP-address-based.

Thus, to reliably enable these kinds of connections in public clouds, security controls must be relaxed to allow communication to any IP address. This produces a significantly larger exposed attack surface than what enterprises really want opened.

Before enterprises relaxed these controls, communications to external destinations were restricted to safe-listed IP addresses and ranges. So, if an application or a compute resource was compromised, its communication graph was limited to the safe-listed destinations. Now, if those egress security controls are relaxed to allow communications to any IP address, a compromised instance could result in:

  • Connecting to a command-and-control (C2) server and carrying out nefarious activities on the attacker's behalf, such as malware distribution, cryptocurrency mining, disrupting operations, DDoS attacks, etc.
  • Exfiltrating data out of the virtual private cloud (VPC)

Needless to say, enterprises need better management and control of egress traffic to allow these kinds of app- and machine-initiated connections. To put it simply, they must be able to enable a full spectrum of security policies that can be directly used by app and DevOps teams without making it too complicated or requiring constant back-and-forth with security teams for every app and situation.
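As an added example (not code from the article or from Valtix), the script below contrasts the three egress stances described above: a static IP allowlist, the relaxed "allow any IP" fallback, and a policy keyed on the FQDN the app actually requested. All addresses come from documentation ranges and the DNS log and flow records are constructed; `fqdn_policy` and its DNS-log correlation are a simplification for illustration.

```python
"""Egress policy comparison: static IP allowlist vs. relaxed vs. FQDN-aware.
Added example, not the article's or Valtix's code. Every address, DNS answer
and flow record here is constructed sample data from documentation ranges."""
import ipaddress

# Security-group style allowlist: the IPs api.datadoghq.com resolved to when
# the rule was written (constructed). The real FQDN maps to many changing IPs.
IP_ALLOWLIST = [ipaddress.ip_network(c) for c in ("192.0.2.0/28", "198.51.100.0/28")]

# The destinations the app is allowed to use, expressed the way the app does.
FQDN_ALLOWLIST = {"api.datadoghq.com", "api.twilio.com"}

# Constructed resolver log: the answers observed when the app connected today.
DNS_LOG = {
    "192.0.2.5": "api.datadoghq.com",
    "203.0.113.7": "api.datadoghq.com",    # endpoint moved outside the old ranges
    "198.51.100.9": "api.twilio.com",
    "203.0.113.200": "files.example.net",  # destination nobody approved
}

# Constructed egress flow records: (source instance, destination IP, port).
FLOWS = [
    ("app-1", "192.0.2.5", 443),
    ("app-1", "203.0.113.7", 443),
    ("app-1", "198.51.100.9", 443),
    ("app-1", "203.0.113.200", 443),
]


def ip_policy(dst_ip: str) -> bool:
    """Static IP allowlist, as a security group or ACL enforces it."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in IP_ALLOWLIST)


def relaxed_policy(dst_ip: str) -> bool:
    """What teams fall back to when the IP list keeps breaking: allow 0.0.0.0/0."""
    return True


def fqdn_policy(dst_ip: str, dns_log=DNS_LOG) -> bool:
    """Allow only if this IP was returned for an allowlisted FQDN (simplified)."""
    return dns_log.get(dst_ip) in FQDN_ALLOWLIST


def evaluate(flows=FLOWS) -> dict:
    """Decision per destination under each policy; True means the flow is allowed."""
    return {dst: {"ip": ip_policy(dst), "relaxed": relaxed_policy(dst),
                  "fqdn": fqdn_policy(dst)} for _, dst, _ in flows}
```

Running `evaluate()` shows the trade-off: the static list blocks the legitimate Datadog connection to 203.0.113.7 (so the app breaks), the relaxed rule lets the unknown destination through, and only the FQDN-keyed policy gets both right. That policy depends on seeing the app's DNS answers at the enforcement point, which is exactly the visibility gap the article goes on to describe.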

Want to Secure? Start with Visibility
Given that you cannot secure what you cannot see, how can you gain visibility into egress traffic in public clouds? In the old data center world, there was a clear perimeter at which to deploy a network security solution. Those architectures usually offered a well-defined way to achieve both visibility and enforcement: sit in the network path of all traffic.

Public clouds, on the other hand, don't have a defined perimeter. Every single resource can be exposed to the Internet with a single click — an open security group rule or an ACL, an open route table entry, a public IP address attached to an interface, or some combination of these.

Being in the network path of all traffic in public cloud resources is not only non-trivial — in certain cases, it's impossible. For example, when an app initiates a connection to an external destination, the first step is to resolve the destination's DNS name. In public clouds, no other resource can be in the path of that traffic because the cloud provider always handles that DNS resolution. Thus, any solution designed to operate and excel in the traditional data center will be ineffective for visibility in a public cloud. This is why traditional network monitoring and security vendors can't provide a coherent solution consisting of both visibility and enforcement in public clouds.
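The "single click" exposure described above is a combination of conditions rather than one setting. As an added example (not the article's or any provider's code), this provider-neutral check evaluates the four conditions the text names, public IP, default route to an Internet gateway, open security-group rule and open ACL entry, against a constructed instance description; the field names and sample values are assumptions for illustration, and the ACL model ignores rule ordering and explicit denies.

```python
"""Internet-exposure check for a cloud instance. Added example, not code from
the article or from any cloud provider. The instance dict, its field names and
all addresses are constructed; the ACL model keeps only allow rules."""
import ipaddress

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def _open_to_internet(rules, port):
    """True if an allow rule admits `port` from a source covering all of IPv4.
    Rules are dicts of the form {"cidr": str, "from": int, "to": int}."""
    return any(ipaddress.ip_network(r["cidr"]) == ANY_IPV4
               and r["from"] <= port <= r["to"] for r in rules)


def _routes_to_internet_gateway(route_table):
    """True if the subnet's default route points at an Internet gateway."""
    return any(r["dest"] == "0.0.0.0/0" and r["target"] == "internet-gateway"
               for r in route_table)


def exposure_reasons(instance, port=22):
    """List which of the four exposure conditions hold for `port`.
    The port is reachable from the Internet only when all four are present."""
    reasons = []
    if instance.get("public_ip"):
        reasons.append("public IP attached to the interface")
    if _routes_to_internet_gateway(instance["route_table"]):
        reasons.append("route table sends 0.0.0.0/0 to an Internet gateway")
    if _open_to_internet(instance["security_group"], port):
        reasons.append(f"security group allows 0.0.0.0/0 on port {port}")
    if _open_to_internet(instance["nacl"], port):
        reasons.append(f"network ACL allows 0.0.0.0/0 on port {port}")
    return reasons


def is_exposed(instance, port=22):
    """True when every condition holds, i.e. the port is open to the Internet."""
    return len(exposure_reasons(instance, port)) == 4


# Constructed sample: an instance opened to the world for SSH with one click.
SAMPLE_INSTANCE = {
    "public_ip": "203.0.113.10",
    "route_table": [{"dest": "10.0.0.0/16", "target": "local"},
                    {"dest": "0.0.0.0/0", "target": "internet-gateway"}],
    "security_group": [{"cidr": "0.0.0.0/0", "from": 22, "to": 22}],
    "nacl": [{"cidr": "0.0.0.0/0", "from": 0, "to": 65535}],
}
```

Removing any one condition (detaching the public IP, for instance) drops `is_exposed` to false while `exposure_reasons` still names the remaining three, which is the list a reviewer wants when deciding which control to tighten.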

Solving Visibility and Control Problems With the Right Assumptions
The future of application development and infrastructure is in public clouds — and for many organizations, it's not just the future; it's today. Securing data, apps, and services in this new environment is critical for enterprises to defend against breaches, data exfiltration, and the resulting economic losses. Old data center approaches, based on too many assumptions that are no longer true, can't achieve these goals in public clouds. Enterprises must adopt and develop solutions that are born in the cloud and for the cloud with the correct assumptions for the public cloud era.

Praveen Patnala is co-founder at Valtix, a cloud security company. Before that, he was an engineer for Google Cloud Platform. He previously worked at Andiamo before joining BloomReach as an early employee, and then LaserLike. Praveen focuses on infrastructure, security, ...