Cloud

3/22/2018
07:00 PM
50%
50%

New Survey Illustrates Real-World Difficulties in Cloud Security

Depending on traditional models makes cloud security more challenging for organizations, according to a Barracuda Networks report.

Cloud security is not as simple as picking up traditional network perimeter appliances and converting them into cloud services, a new study shows. But security may ultimately be better for the change.

Barracuda Networks surveyed 608 participants from organizations around the world. A majority (57%) say that their on-premises security is superior to cloud security, with the percentage answering that way growing in lock-step with the size of their organization.

That's a problem for many organizations when they begin planning for security in the cloud. 83% say they have concerns about deploying traditional firewalls in the cloud, with 39% naming "pricing and licensing not appropriate for the cloud," and 34% citing "lack of integration prevents cloud automation" as their primary concerns.

The report is based on a survey conducted by Dimensional Research on behalf of Barracuda. 

Tim Jefferson, vice president of public cloud at Barracuda, says these organizations have reason to be concerned. "Companies that are trying to cut and paste into the public cloud are having trouble. Security has always been around the network and a lot of appliances are built around architectures centralized in the data center," he says. "Firewalls tend to scale vertically and that's an anti-pattern for the cloud, where best practice is to keep everything federated and elastic. The tools don't fit."

The bigger issue, Jefferson says, is that many of the tools that companies struggle to place into the cloud aren't really needed for cloud security. "In a public cloud you don't need a lot of those functions," he says. "A next-generation firewall isn't required in the cloud - you don't have to match the user to the function and filter on that because a properly architected cloud application will do that for you."

APIs Over Firewalls

Relying on the cloud applications - and to put a finer point on it, the cloud application APIs with their controls and logging capabilities - allows forward-thinking security professionals to have better security in the cloud than they have in their traditional data center architecture, Jefferson says. According to the report, 74% of respondents cite "Integration with cloud management, monitoring, and automation capabilities" as the most beneficial cloud-specific firewall capability.

Integration is key, but organizations are finding it difficult to fully integrate cloud security into their DevOps or DevSecOps, with 93% saying they have faced challenges integrating security into those practices. Jefferson is blunt when he talks about the changes needed for organizations to move past the current difficulties: "All the visibility that's so difficult to instrument in the data center is built in with the public cloud. It's all done by API and that can be instrumented to police and monitor security."

He says it all depends on perspective. "It's really the lens you look through," he says. "The traditional enterprise architect has thought of visibility as the instrumentation to see into ports and packets."

But the problem is that public cloud "can't provide span ports and access to layer 2. So they see public cloud and say there's no visibility," he says.

The public cloud, however, provides a better management tool. The management plane of the cloud can allow a security professional to track every interface and every record - every query, every response. The hard part is that the security professionals must re-think the means to the end of infrastructure security.

Security Hurdles

There are two huge hurdles standing between organizations and security in the cloud. The first is a human component that lies between security professionals' ears. "It makes the professional uncomfortable," Jefferson says, referring to security using APIs. "They want the tools they've always used."

The second hurdle may be higher because it involves money. Jefferson says that the traditional licensing model for firewalls and other network security appliances just doesn't work in a cloud environment where best practice is to spin up many federated instances rather than a handful of highly vertical compute centers.

"Now that things are federated and people may want to deploy hundreds of firewalls, vendors can't charge vast sums per license," Jefferson says. If they do, they "end up deploying bad things because they feel they can't afford the licenses."

Ultimately, in order to move security to a point where companies feel that cloud security is on a par with or better than on-premises security, both the deployment model and the licensing structure must be based on what works best for the application - not just what the licenses force a company to do.

Following genuine best practices in the cloud provides better security for an organization than pure on-premise environments, he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14373
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. In TIFFFindField in tif_dirinfo.c, the structure tif is being dereferenced without first checking that the structure is not empty and has the requested fields (tif_foundfield). In the call sequences following from the affected library functions (TIFFVGetFiel...
CVE-2018-14374
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an empty fmt argument to unixErrorHandler in tif_unix.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFClientOpen, TIFFFdOpen, TIFFRawStripSize, TIFFCheckTile, TIFFComputeStrip,...
CVE-2018-14375
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow vulnerability can occur via an invalid or empty tif argument to TIFFRGBAImageOK in tif_getimage.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFReadRGBAImage, TIFFRGBAImageOK, and TIFFRGBAIm...
CVE-2018-14378
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an invalid or empty tif argument to TIFFWriteBufferSetup in tif_write.c, and it can be exploited (at a minimum) via the following high-level library API function: TIFFWriteTile.
CVE-2018-14363
PUBLISHED: 2018-07-17
An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames.