Cloud

3/22/2018
07:00 PM
50%
50%

New Survey Illustrates Real-World Difficulties in Cloud Security

Depending on traditional models makes cloud security more challenging for organizations, according to a Barracuda Networks report.

Cloud security is not as simple as picking up traditional network perimeter appliances and converting them into cloud services, a new study shows. But security may ultimately be better for the change.

Barracuda Networks surveyed 608 participants from organizations around the world. A majority (57%) say that their on-premises security is superior to cloud security, with the percentage answering that way growing in lock-step with the size of their organization.

That's a problem for many organizations when they begin planning for security in the cloud. 83% say they have concerns about deploying traditional firewalls in the cloud, with 39% naming "pricing and licensing not appropriate for the cloud," and 34% citing "lack of integration prevents cloud automation" as their primary concerns.

The report is based on a survey conducted by Dimensional Research on behalf of Barracuda. 

Tim Jefferson, vice president of public cloud at Barracuda, says these organizations have reason to be concerned. "Companies that are trying to cut and paste into the public cloud are having trouble. Security has always been around the network and a lot of appliances are built around architectures centralized in the data center," he says. "Firewalls tend to scale vertically and that's an anti-pattern for the cloud, where best practice is to keep everything federated and elastic. The tools don't fit."

The bigger issue, Jefferson says, is that many of the tools that companies struggle to place into the cloud aren't really needed for cloud security. "In a public cloud you don't need a lot of those functions," he says. "A next-generation firewall isn't required in the cloud - you don't have to match the user to the function and filter on that because a properly architected cloud application will do that for you."

APIs Over Firewalls

Relying on the cloud applications - and to put a finer point on it, the cloud application APIs with their controls and logging capabilities - allows forward-thinking security professionals to have better security in the cloud than they have in their traditional data center architecture, Jefferson says. According to the report, 74% of respondents cite "Integration with cloud management, monitoring, and automation capabilities" as the most beneficial cloud-specific firewall capability.

Integration is key, but organizations are finding it difficult to fully integrate cloud security into their DevOps or DevSecOps, with 93% saying they have faced challenges integrating security into those practices. Jefferson is blunt when he talks about the changes needed for organizations to move past the current difficulties: "All the visibility that's so difficult to instrument in the data center is built in with the public cloud. It's all done by API and that can be instrumented to police and monitor security."

He says it all depends on perspective. "It's really the lens you look through," he says. "The traditional enterprise architect has thought of visibility as the instrumentation to see into ports and packets."

But the problem is that public cloud "can't provide span ports and access to layer 2. So they see public cloud and say there's no visibility," he says.

The public cloud, however, provides a better management tool. The management plane of the cloud can allow a security professional to track every interface and every record - every query, every response. The hard part is that the security professionals must re-think the means to the end of infrastructure security.

Security Hurdles

There are two huge hurdles standing between organizations and security in the cloud. The first is a human component that lies between security professionals' ears. "It makes the professional uncomfortable," Jefferson says, referring to security using APIs. "They want the tools they've always used."

The second hurdle may be higher because it involves money. Jefferson says that the traditional licensing model for firewalls and other network security appliances just doesn't work in a cloud environment where best practice is to spin up many federated instances rather than a handful of highly vertical compute centers.

"Now that things are federated and people may want to deploy hundreds of firewalls, vendors can't charge vast sums per license," Jefferson says. If they do, they "end up deploying bad things because they feel they can't afford the licenses."

Ultimately, in order to move security to a point where companies feel that cloud security is on a par with or better than on-premises security, both the deployment model and the licensing structure must be based on what works best for the application - not just what the licenses force a company to do.

Following genuine best practices in the cloud provides better security for an organization than pure on-premise environments, he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19279
PUBLISHED: 2018-11-14
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater.
CVE-2018-19280
PUBLISHED: 2018-11-14
Centreon 3.4.x has XSS via the resource name or macro expression of a poller macro.
CVE-2018-19281
PUBLISHED: 2018-11-14
Centreon 3.4.x allows SNMP trap SQL Injection.
CVE-2018-17960
PUBLISHED: 2018-11-14
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVE-2018-19278
PUBLISHED: 2018-11-14
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed lengt...