Welcome!

SDN Journal Authors: Elizabeth White, Yeshim Deniz, Liz McMillan, Pat Romanski, TJ Randall

Blog Feed Post

Security in the Cloud. Developers, About Face!

image There is a theory in traditional military strategy that goes something along the lines of “take land, consolidate your gains, take more land…” von Moltke the Elder found this theory so profound that he suggested a defender could trade land for time – advice that Russia managed pretty well in The Great Patriotic War (known in the west as World War II), and German General Kesselring practiced against the allies in Italy during the same war. By giving up land, the enemy is forced to occupy it before they can begin forward movement again, buying you time to build your defenses at a new location, and often forcing them to change their tactics and strategic goals.

There are a lot of reasons why comparisons between warfare and security exist, and I’m going to continue the long-standing tradition here. We are ready to move into the cloud… But there’s a problem. We have to change some of our tactics before we can take overall advantage of cloud infrastructure. At least in the short-term.

People like myself, some with more experience in the space than others, have been recommending that developers leave large swaths of security implementations to firewalls and web application firewalls. This was sound advice, I’ve been a developer, I know the way that code is crafted, I know that it doesn’t take much to leave a gaping hole in one little tiny bit of code. Web application firewalls offer a layer of protection in case you missed something, and can be expanded to lighten the amount of code required to do many mundane tasks.

And there’s the problem. We’ve been telling developers to largely remove themselves from the security business, but now we’re moving to the cloud, where the infrastructure of the corporate datacenter is not necessarily available. Which means the weight of all that redundant security coding falls right back  onto developers’ shoulders for  the short term. Companies like F5 are moving an increasing amount of high-caliber infrastructure to VMs that can be deployed to the cloud and restore access to the datacenter infrastructure either with manual separate configuration or by slaving the VM appliances to your corporate appliances, which will then put us back where we are today.

von Moltke the Elder

But until your organization has web application firewalls and other security devices on-par in the cloud with what is in the datacenter, I’m afraid there’s going to be a return to the good old “is field all alphanumeric?” “Is field < 8 characters” type checking all over your source code. But it really is a temporary situation, before you know it, you will be able to  say “my datacenter device has all the information for this application, share it with my cloud VM appliance”, and you’ll be off and running.

So dig out the security books from a few years back, study up on web application security, schedule extra time for writing and testing your application… And then be prepared to put things back under the umbrella of web application firewalls.

You still won’t be completely out of the security business. No one knows your application and its most glaring security weaknesses better than the developer that wrote it, but that’s the status quo for in-datacenter applications today – developers in shops making use of all of the great network-based security products on the market are able to focus their security efforts on the one or two areas that must have extra protection instead of all possible security vulnerability points.

The bigger problem is deploying purchased applications to the cloud, where you can’t lock it down without tools to help, and those tools have to run in VMs. This is an aspect that I’m not certain has gotten all the attention it deserves yet, but is definitely going to be a problem in the near-term.

I’d say “you could delay deploying to the cloud…” I could also say “You could wait for the sun not to come up tomorrow…” because generally speaking, developers do not get to choose deployment methodology, only influence it, and cloud has taken on a life (or a hype) all its own.

So be careful, have a plan for how to address application-specific security in the cloud, check out VM security offerings as they become available, and keep rocking the apps. Consolidate, reconsider tactics, move to a new attack.


Connect with Don: Connect with F5:
linkedin rss facebook twitter   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Related Articles and Blogs:

Read the original blog entry...

More Stories By Don MacVittie

Don MacVittie is founder of Ingrained Technology, A technical advocacy and software development consultancy. He has experience in application development, architecture, infrastructure, technical writing,DevOps, and IT management. MacVittie holds a B.S. in Computer Science from Northern Michigan University, and an M.S. in Computer Science from Nova Southeastern University.

CloudEXPO Stories
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like "How is my application doing" but no idea how to get a proper answer.
DXWorldEXPO LLC announced today that Big Data Federation to Exhibit at the 22nd International CloudEXPO, colocated with DevOpsSUMMIT and DXWorldEXPO, November 12-13, 2018 in New York City. Big Data Federation, Inc. develops and applies artificial intelligence to predict financial and economic events that matter. The company uncovers patterns and precise drivers of performance and outcomes with the aid of machine-learning algorithms, big data, and fundamental analysis. Their products are deployed by some of the world's largest financial institutions. The company develops and applies innovative machine-learning technologies to big data to predict financial, economic, and world events. The team is a group of passionate technologists, mathematicians, data scientists and programmers in Silicon Valley with over 100 patents to their names. Big Data Federation was incorporated in 2015 and is ...
All in Mobile is a place where we continually maximize their impact by fostering understanding, empathy, insights, creativity and joy. They believe that a truly useful and desirable mobile app doesn't need the brightest idea or the most advanced technology. A great product begins with understanding people. It's easy to think that customers will love your app, but can you justify it? They make sure your final app is something that users truly want and need. The only way to do this is by researching target group and involving users in the designing process.
Whenever a new technology hits the high points of hype, everyone starts talking about it like it will solve all their business problems. Blockchain is one of those technologies. According to Gartner's latest report on the hype cycle of emerging technologies, blockchain has just passed the peak of their hype cycle curve. If you read the news articles about it, one would think it has taken over the technology world. No disruptive technology is without its challenges and potential impediments that frequently get lost in the hype. The panel will discuss their perspective on what they see as they key challenges and/or impediments to adoption, and how they see those issues could be resolved or mitigated.
CloudEXPO New York 2018, colocated with DevOpsSUMMIT and DXWorldEXPO New York 2018 will be held November 12-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI and Machine Learning to one location.