Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

// // //
4/1/2021
10:00 AM
Praveen Patnala
Praveen Patnala
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv

The Role of Visibility in Securing Cloud Applications

Traditional data center approaches aren't built for securing modern cloud applications.

We are living through an application development renaissance. Organizations are changing both where applications live and how they are built.

Apps Live in the Public Cloud
Apps are being built on public cloud platforms at a rapid pace as enterprises accelerate their cloud migrations. Public clouds offer developers enormous flexibility in how apps are built and deployed. This has resulted in architectures that consist of one or more of the following:

Related Content:

Cloud-Native Apps Make Software Supply Chain Security More Important Than Ever

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

  • Virtual machine or instance-based apps
  • Container-based apps
  • Serverless apps

Apps Are Services-Based
Coincidentally, another tectonic shift is taking place in how apps are built, namely via a services-based approach. Increasingly, apps are built as microservices communicating over well-defined APIs. Often, these APIs are remote or external. This means an app can use several methods to accomplish a task, including:

  • Twilio to send text messages
  • AWS S3 to store and retrieve images
  • Mailchimp to send emails
  • Snowflake to store and retrieve rows of data
  • Datadog to log events

A New Category of Traffic
This collision of where apps live (public cloud) and how they are built (services-based) is creating a massive new category of traffic: app-initiated connections to software-as-a-service (SaaS), platform-as-a-service (PaaS), and the wide-open Internet. Typically, the service endpoints that apps are connecting to (e.g., https://api.datadoghq.com for Datadog) are identified by a fully qualified domain name (FQDN) or URL, which can translate to hundreds or thousands of Internet Protocol (IP) addresses during resolution. Those IP address lists are dynamic. At the same time, cloud service providers' native security controls, such as access control lists (ACLs), security groups, and route tables, are all IP-address-based.

Thus, to reliably enable these kinds of connections in public clouds, security controls must be relaxed to allow communication to any IP address. This produces a significantly larger exposed attack surface than what enterprises really want opened.

Before enterprises relaxed these controls, communications to external destinations were restricted to safe-listed IP addresses and ranges. So, if an application or a compute resource was compromised, its communication graph was limited to the safe-listed destinations. Now, if those egress security controls are relaxed to allow communications to any IP address, a compromised instance could result in:

  • Being part of a command-and-control (C2) server and carrying out nefarious activities, such as malware distribution, cryptocurrency mining, disrupting operations, DDoS attacks, etc.
  • Exfiltrating data out of the virtual private cloud (VPC)

Needless to say, enterprises need better management and control of egress traffic to allow these kinds of app- and machine-initiated connections. To put it simply, they must be able to enable a full spectrum of security policies that can be directly used by app and DevOps teams without making it too complicated or requiring constant back-and-forth with security teams for every app and situation.

Want to Secure? Start with Visibility
Given that you cannot secure what you cannot see, how can you gain visibility into egress traffic in public clouds? In the old data center world, there is a clear perimeter for deploying a network security solution. These architectures usually offer a well-defined solution that achieves visibility and enforcement by being in the network path of all traffic.

Public clouds, on the other hand, don't have a defined perimeter. Every single resource can be exposed to the Internet with a single click — an open security group rule or an ACL, an open route table entry, a public IP address attached to an interface, or some combination of these.

Being in the network path of all traffic in public cloud resources is not only non-trivial — in certain cases, it's impossible. For example, when apps initiate connections to external destinations, the first step is to resolve the destination's DNS. In public clouds, no other resource can be in the path of that traffic because the cloud provider always handles that DNS resolution. Thus, any solution that was designed to operate and excel in the traditional data center will be ineffective in a public cloud for visibility. This is why the traditional network monitoring and security vendors can't provide a coherent solution consisting of both visibility and enforcement in public clouds.

Solving Visibility and Control Problems With the Right Assumptions
The future of application development and infrastructure is in public clouds — and for many organizations, it's not just the future; it's today. Securing data, apps, and services in this new environment is critical for enterprises to defend against breaches, data exfiltration, and the resulting economic losses. Old data center approaches, based on too many assumptions that are no longer true, can't achieve these goals in public clouds. Enterprises must adopt and develop solutions that are born in the cloud and for the cloud with the correct assumptions for the public cloud era.

Praveen Patnala is co-founder at Valtix, a cloud security company. Prior, he was an engineer for Google Cloud Platform. He previously worked at Andiamo before joining as an early employee at BloomReach and then LaserLike. Praveen focuses on infrastructure, security, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-3074
PUBLISHED: 2022-09-26
The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks.
CVE-2022-3076
PUBLISHED: 2022-09-26
The CM Download Manager WordPress plugin before 2.8.6 allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP files for example.
CVE-2022-3098
PUBLISHED: 2022-09-26
The Login Block IPs WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVE-2022-3119
PUBLISHED: 2022-09-26
The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they controls, allowing them to then be authenticated as admin if they know...
CVE-2022-3135
PUBLISHED: 2022-09-26
The SEO Smart Links WordPress plugin through 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)