Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Praveen Patnala
Praveen Patnala
Connect Directly
E-Mail vvv

The Role of Visibility in Securing Cloud Applications

Traditional data center approaches aren't built for securing modern cloud applications.

We are living through an application development renaissance. Organizations are changing both where applications live and how they are built.

Apps Live in the Public Cloud
Apps are being built on public cloud platforms at a rapid pace as enterprises accelerate their cloud migrations. Public clouds offer developers enormous flexibility in how apps are built and deployed. This has resulted in architectures that consist of one or more of the following:

Related Content:

Cloud-Native Apps Make Software Supply Chain Security More Important Than Ever

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

  • Virtual machine or instance-based apps
  • Container-based apps
  • Serverless apps

Apps Are Services-Based
Coincidentally, another tectonic shift is taking place in how apps are built, namely via a services-based approach. Increasingly, apps are built as microservices communicating over well-defined APIs. Often, these APIs are remote or external. This means an app can use several methods to accomplish a task, including:

  • Twilio to send text messages
  • AWS S3 to store and retrieve images
  • Mailchimp to send emails
  • Snowflake to store and retrieve rows of data
  • Datadog to log events

A New Category of Traffic
This collision of where apps live (public cloud) and how they are built (services-based) is creating a massive new category of traffic: app-initiated connections to software-as-a-service (SaaS), platform-as-a-service (PaaS), and the wide-open Internet. Typically, the service endpoints that apps are connecting to (e.g., https://api.datadoghq.com for Datadog) are identified by a fully qualified domain name (FQDN) or URL, which can translate to hundreds or thousands of Internet Protocol (IP) addresses during resolution. Those IP address lists are dynamic. At the same time, cloud service providers' native security controls, such as access control lists (ACLs), security groups, and route tables, are all IP-address-based.

Thus, to reliably enable these kinds of connections in public clouds, security controls must be relaxed to allow communication to any IP address. This produces a significantly larger exposed attack surface than what enterprises really want opened.

Before enterprises relaxed these controls, communications to external destinations were restricted to safe-listed IP addresses and ranges. So, if an application or a compute resource was compromised, its communication graph was limited to the safe-listed destinations. Now, if those egress security controls are relaxed to allow communications to any IP address, a compromised instance could result in:

  • Being part of a command-and-control (C2) server and carrying out nefarious activities, such as malware distribution, cryptocurrency mining, disrupting operations, DDoS attacks, etc.
  • Exfiltrating data out of the virtual private cloud (VPC)

Needless to say, enterprises need better management and control of egress traffic to allow these kinds of app- and machine-initiated connections. To put it simply, they must be able to enable a full spectrum of security policies that can be directly used by app and DevOps teams without making it too complicated or requiring constant back-and-forth with security teams for every app and situation.

Want to Secure? Start with Visibility
Given that you cannot secure what you cannot see, how can you gain visibility into egress traffic in public clouds? In the old data center world, there is a clear perimeter for deploying a network security solution. These architectures usually offer a well-defined solution that achieves visibility and enforcement by being in the network path of all traffic.

Public clouds, on the other hand, don't have a defined perimeter. Every single resource can be exposed to the Internet with a single click — an open security group rule or an ACL, an open route table entry, a public IP address attached to an interface, or some combination of these.

Being in the network path of all traffic in public cloud resources is not only non-trivial — in certain cases, it's impossible. For example, when apps initiate connections to external destinations, the first step is to resolve the destination's DNS. In public clouds, no other resource can be in the path of that traffic because the cloud provider always handles that DNS resolution. Thus, any solution that was designed to operate and excel in the traditional data center will be ineffective in a public cloud for visibility. This is why the traditional network monitoring and security vendors can't provide a coherent solution consisting of both visibility and enforcement in public clouds.

Solving Visibility and Control Problems With the Right Assumptions
The future of application development and infrastructure is in public clouds — and for many organizations, it's not just the future; it's today. Securing data, apps, and services in this new environment is critical for enterprises to defend against breaches, data exfiltration, and the resulting economic losses. Old data center approaches, based on too many assumptions that are no longer true, can't achieve these goals in public clouds. Enterprises must adopt and develop solutions that are born in the cloud and for the cloud with the correct assumptions for the public cloud era.

Praveen Patnala is co-founder at Valtix, a cloud security company. Prior, he was an engineer for Google Cloud Platform. He previously worked at Andiamo before joining as an early employee at BloomReach and then LaserLike. Praveen focuses on infrastructure, security, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-02-01
Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.
PUBLISHED: 2023-02-01
Dell BIOS contains a heap buffer overflow vulnerability. A local attacker with admin privileges could potentially exploit this vulnerability to perform an arbitrary write to SMRAM during SMM.
PUBLISHED: 2023-02-01
Dell Rugged Control Center, versions prior to 4.5, contain an Improper Input Validation in the Service EndPoint. A Local Low Privilege attacker could potentially exploit this vulnerability, leading to an Escalation of privileges.
PUBLISHED: 2023-02-01
Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in download operation component. A local malicious user could potentially exploit this vulnerability leading to the disclo...
PUBLISHED: 2023-02-01
Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a improper verification of cryptographic signature in get applicable driver component. A local malicious user could potentially exploit this vulnerability leading to malicious payload execution.