Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud

4/1/2021
10:00 AM
Praveen Patnala
Commentary

The Role of Visibility in Securing Cloud Applications

Traditional data center approaches aren't built for securing modern cloud applications.

We are living through an application development renaissance. Organizations are changing both where applications live and how they are built.

Apps Live in the Public Cloud
Apps are being built on public cloud platforms at a rapid pace as enterprises accelerate their cloud migrations. Public clouds offer developers enormous flexibility in how apps are built and deployed. This has resulted in architectures that consist of one or more of the following:

  • Virtual machine or instance-based apps
  • Container-based apps
  • Serverless apps

Apps Are Services-Based
Concurrently, another tectonic shift is taking place in how apps are built, namely a services-based approach. Increasingly, apps are built as microservices communicating over well-defined APIs, and often those APIs are remote or external. This means an app can rely on third-party services to accomplish its tasks, for example:

  • Twilio to send text messages
  • AWS S3 to store and retrieve images
  • Mailchimp to send emails
  • Snowflake to store and retrieve rows of data
  • Datadog to log events

A New Category of Traffic
This collision of where apps live (public cloud) and how they are built (services-based) is creating a massive new category of traffic: app-initiated connections to software-as-a-service (SaaS), platform-as-a-service (PaaS), and the wide-open Internet. Typically, the service endpoints that apps connect to (e.g., https://api.datadoghq.com for Datadog) are identified by a fully qualified domain name (FQDN) or URL. Each individual resolution returns only a handful of IP addresses, but the pool behind a large provider's FQDN can span hundreds or thousands of addresses, and the answers change over time. At the same time, cloud service providers' native network controls, such as access control lists (ACLs), security groups, and route tables, are all IP-address-based.

Thus, to reliably enable these kinds of connections in public clouds, egress controls are typically relaxed to allow communication to any IP address (an egress rule to 0.0.0.0/0). This produces a significantly larger exposed attack surface than what enterprises really want opened.

Before enterprises relaxed these controls, communications to external destinations were restricted to safe-listed IP addresses and ranges. So, if an application or a compute resource was compromised, its communication graph was limited to the safe-listed destinations. Now, if those egress security controls are relaxed to allow communications to any IP address, a compromised instance could result in:

  • Connecting to a command-and-control (C2) server and carrying out nefarious activities on the attacker's behalf, such as malware distribution, cryptocurrency mining, disrupting operations, DDoS attacks, etc.
  • Exfiltrating data out of the virtual private cloud (VPC)

Needless to say, enterprises need better management and control of egress traffic to allow these kinds of app- and machine-initiated connections. To put it simply, they must be able to enable a full spectrum of security policies that can be directly used by app and DevOps teams without making it too complicated or requiring constant back-and-forth with security teams for every app and situation.

Want to Secure? Start with Visibility
Given that you cannot secure what you cannot see, how can you gain visibility into egress traffic in public clouds? In the old data center world, there was a clear perimeter at which to deploy a network security solution, and those architectures usually offered a well-defined way to achieve both visibility and enforcement: sit in the network path of all traffic.

Public clouds, on the other hand, don't have a defined perimeter. Every single resource can be exposed to the Internet with a single click — an open security group rule or an ACL, an open route table entry, a public IP address attached to an interface, or some combination of these.
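The three exposure conditions just listed (a world-open security group rule, a route table entry to an internet gateway, and a public IP on the interface) can be checked mechanically rather than by eye. The following is an added example, not code from the article or from Valtix: it runs a minimal exposure inventory over constructed records whose shape and field names (`public_ip`, `sgs`, `dest`, `target`) are an assumed, simplified stand-in for the EC2 describe-instances, describe-security-groups and describe-route-tables output a real inventory would parse. Network ACLs are left out to keep it short. It reports both the instances reachable from the Internet now and those that are one configuration change away, which is the "single click" case.

```python
"""Minimal Internet-exposure inventory over constructed cloud inventory records.

Added example, not from the article or from Valtix. Record shapes and field
names are an assumption, simplified from EC2 describe-* output.
"""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed sample data; public addresses use the 203.0.113.0/24 documentation range.
INSTANCES = [
    {"id": "i-web1", "subnet": "subnet-pub",  "public_ip": "203.0.113.10", "sgs": ["sg-web"]},
    {"id": "i-app1", "subnet": "subnet-priv", "public_ip": None,           "sgs": ["sg-app"]},
    {"id": "i-jump", "subnet": "subnet-pub",  "public_ip": "203.0.113.11", "sgs": ["sg-app"]},
    {"id": "i-leak", "subnet": "subnet-priv", "public_ip": "203.0.113.12", "sgs": ["sg-web"]},
]
SECURITY_GROUPS = {
    "sg-web": {"ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidrs": ["0.0.0.0/0"]}]},
    "sg-app": {"ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidrs": ["10.0.0.0/8"]}]},
}
ROUTE_TABLES = {  # keyed by the subnet the route table is associated with
    "subnet-pub":  [{"dest": "10.0.0.0/16", "target": "local"}, {"dest": "0.0.0.0/0", "target": "igw-1"}],
    "subnet-priv": [{"dest": "10.0.0.0/16", "target": "local"}, {"dest": "0.0.0.0/0", "target": "nat-1"}],
}


def open_ingress_rules(sg):
    """Ingress rules whose source is the whole Internet (0.0.0.0/0 or ::/0)."""
    return [r for r in sg["ingress"]
            if any(ipaddress.ip_network(c) in (ANY_V4, ANY_V6) for c in r["cidrs"])]


def has_igw_default_route(routes):
    """True if the default route points at an internet gateway (a NAT gateway does not count)."""
    return any(r["dest"] in ("0.0.0.0/0", "::/0") and r["target"].startswith("igw-")
               for r in routes)


def internet_exposed(instances, sgs, route_tables):
    """Classify instances by how many of the three exposure conditions hold.

    All three (public IP, IGW default route, world-open security group rule) are
    needed for inbound reachability; two of three means one change exposes it.
    Returns {"exposed": {id: reasons}, "one_change_away": {id: reasons}}.
    """
    exposed, one_change_away = {}, {}
    for inst in instances:
        reasons = []  # each condition contributes exactly one entry
        if inst["public_ip"]:
            reasons.append(f"public IP {inst['public_ip']}")
        if has_igw_default_route(route_tables.get(inst["subnet"], [])):
            reasons.append("default route to an internet gateway")
        open_rules = [(sg_id, r) for sg_id in inst["sgs"] for r in open_ingress_rules(sgs[sg_id])]
        if open_rules:
            reasons.append("; ".join(f"{sg_id} allows {r['proto']}/{r['from']}-{r['to']} from anywhere"
                                     for sg_id, r in open_rules))
        if len(reasons) == 3:
            exposed[inst["id"]] = reasons
        elif len(reasons) == 2:
            one_change_away[inst["id"]] = reasons
    return {"exposed": exposed, "one_change_away": one_change_away}


if __name__ == "__main__":
    result = internet_exposed(INSTANCES, SECURITY_GROUPS, ROUTE_TABLES)
    for bucket, findings in result.items():
        for inst_id, reasons in findings.items():
            print(f"{bucket}: {inst_id}: " + "; ".join(reasons))
```

On the sample data, i-web1 is reachable today, while i-jump (public IP and IGW route, but a closed security group) and i-leak (public IP and open group, but a NAT-only route) each need only one change to become reachable; i-app1 needs two. The same classification can be fed from live API output once the record shapes are mapped.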

Being in the network path of all traffic in public cloud resources is not only non-trivial; in certain cases, it is impossible. For example, when an app initiates a connection to an external destination, the first step is to resolve the destination's name. By default, that query goes to the cloud provider's own resolver (in AWS, the VPC-local resolver at the VPC CIDR base address plus two), and no customer-deployed appliance sits in the path of that traffic unless the VPC's DNS settings are explicitly pointed at a custom resolver. Visibility into that step therefore has to come from the provider side, for example resolver query logs, rather than from an inline device. A solution designed to operate and excel in the traditional data center, where it could see every packet, will have blind spots of this kind in a public cloud. This is why traditional network monitoring and security vendors struggle to provide a coherent solution consisting of both visibility and enforcement in public clouds.
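The two problems above, FQDN-based endpoints colliding with IP-based egress rules, and DNS resolution that no inline appliance can observe, can both be approached from the resolver's query logs, which the provider can emit even though the query never crosses a customer device. The following is an added example and not the article's or Valtix's code. The log lines are constructed; their field names (`query_name`, `answers`, `srcids`, `rcode`) are an assumption modelled loosely on cloud resolver query-log formats rather than a guaranteed schema. `EGRESS_CIDRS` is an assumed allowlist of the kind a team builds from a one-time resolution, `APPROVED_FQDNS` is an assumed list of sanctioned SaaS endpoints, and all addresses are documentation ranges. The code builds a per-workload inventory of what was resolved, shows which answers an IP-based rule set would silently block (and that only 0.0.0.0/0 covers them all), and flags names outside the approved set.

```python
"""Egress visibility from resolver query logs vs. IP-based egress rules.

Added example, not from the article or from Valtix. Log lines are constructed
and their field names are an assumption, not a guaranteed provider schema.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample: the same FQDN answers with different addresses on a later
# query (a large API front door rotates its pool), plus one unsanctioned name and
# one failed internal lookup.
SAMPLE_LOG = """\
{"query_timestamp":"2021-04-01T10:00:01Z","srcids":{"instance":"i-0a1"},"srcaddr":"10.0.1.10","query_name":"api.datadoghq.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"198.51.100.10","Type":"A"},{"Rdata":"198.51.100.11","Type":"A"}]}
{"query_timestamp":"2021-04-01T10:05:00Z","srcids":{"instance":"i-0a1"},"srcaddr":"10.0.1.10","query_name":"api.datadoghq.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.7","Type":"A"}]}
{"query_timestamp":"2021-04-01T10:05:02Z","srcids":{"instance":"i-0b2"},"srcaddr":"10.0.2.20","query_name":"s3.amazonaws.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"192.0.2.20","Type":"A"}]}
{"query_timestamp":"2021-04-01T10:05:09Z","srcids":{"instance":"i-0b2"},"srcaddr":"10.0.2.20","query_name":"updates.example.net.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.99","Type":"A"}]}
{"query_timestamp":"2021-04-01T10:06:00Z","srcids":{"instance":"i-0c3"},"srcaddr":"10.0.3.30","query_name":"internal-db.corp.local.","query_type":"A","rcode":"NXDOMAIN","answers":[]}
"""

# Assumed egress allowlist built from a one-time resolution, plus the VPC range.
EGRESS_CIDRS = ["10.0.0.0/8", "198.51.100.0/24", "192.0.2.0/24"]
# Assumed set of sanctioned SaaS/PaaS endpoints.
APPROVED_FQDNS = {"api.datadoghq.com", "s3.amazonaws.com"}


def parse_query_log(text):
    """Turn newline-delimited JSON query-log lines into flat records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        answers = [a["Rdata"] for a in entry.get("answers", []) if a.get("Type") in ("A", "AAAA")]
        records.append({
            "instance": entry.get("srcids", {}).get("instance", entry.get("srcaddr")),
            "qname": entry["query_name"].rstrip("."),
            "rcode": entry.get("rcode"),
            "answers": answers,
        })
    return records


def egress_inventory(records):
    """instance -> fqdn -> set of resolved IPs: what each workload actually reaches for."""
    inv = defaultdict(lambda: defaultdict(set))
    for r in records:
        inv[r["instance"]][r["qname"]].update(r["answers"])
    return inv


def uncovered_answers(records, egress_cidrs):
    """Resolved addresses that an IP-based egress rule set would block, in log order."""
    nets = [ipaddress.ip_network(c) for c in egress_cidrs]
    missed = []
    for r in records:
        for ip in r["answers"]:
            addr = ipaddress.ip_address(ip)
            if not any(addr in n for n in nets):
                missed.append((r["instance"], r["qname"], ip))
    return missed


def unexpected_destinations(records, approved_fqdns):
    """Names queried that are neither an approved FQDN nor a subdomain of one."""
    def approved(name):
        return any(name == a or name.endswith("." + a) for a in approved_fqdns)
    out = defaultdict(set)
    for r in records:
        if not approved(r["qname"]):
            out[r["instance"]].add(r["qname"])
    return dict(out)


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    for inst, names in egress_inventory(recs).items():
        for name, ips in names.items():
            print(f"{inst} -> {name}: {sorted(ips)}")
    print("blocked by CIDR allowlist:", uncovered_answers(recs, EGRESS_CIDRS))
    print("blocked with 0.0.0.0/0:", uncovered_answers(recs, ["0.0.0.0/0"]))
    print("unexpected names:", unexpected_destinations(recs, APPROVED_FQDNS))
```

The second api.datadoghq.com answer (203.0.113.7) falls outside the allowlist even though the destination is sanctioned, which is exactly why teams end up opening egress to 0.0.0.0/0; the name-level view, by contrast, immediately separates the sanctioned endpoint from updates.example.net. Over a real log stream the same functions give a continuously updated picture of egress without any device in the DNS path.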

Solving Visibility and Control Problems With the Right Assumptions
The future of application development and infrastructure is in public clouds — and for many organizations, it's not just the future; it's today. Securing data, apps, and services in this new environment is critical for enterprises to defend against breaches, data exfiltration, and the resulting economic losses. Old data center approaches, based on too many assumptions that are no longer true, can't achieve these goals in public clouds. Enterprises must adopt and develop solutions that are born in the cloud and for the cloud with the correct assumptions for the public cloud era.

Praveen Patnala is co-founder at Valtix, a cloud security company. Prior, he was an engineer for Google Cloud Platform. He previously worked at Andiamo before joining as an early employee at BloomReach and then LaserLike. Praveen focuses on infrastructure, security, ...