Using the Cloud to Enhance Your Web Security

By Tzury Bar Yochay

AllCloud Blog: Cloud Insights and Innovation

How secure is the cloud?

Often, people assume that the cloud makes you more vulnerable to mishaps such as data theft. But cloud-related security incidents (such as recent reports of unsecured S3 buckets) are usually the result of poor IT practices—and they aren’t from intrinsic vulnerabilities of the cloud.

The cloud is not inherently insecure. In fact, the opposite is true. When used properly, the cloud can improve your organization’s security profile.

Here are five ways you can use cloud technologies to enhance your security posture.

1. Use the cloud to replace your WAF

WAFs (Web Application Firewalls) are typically hardware appliances, filtering traffic before it reaches the protected data center.

But there are numerous problems with these WAFs: high expense, complicated administration and configuration, the frequent need for installing patches and upgrades… the list goes on.

Now consider the benefits of moving your WAF functionality to the cloud. Web security solutions are available which provide full WAF/IPS functionality, but they run in the cloud instead of an appliance or bare-metal server.

Cloud platforms can be fully managed and always kept up-to-date. This eliminates the time and expertise required for IT staff to maintain and patch your security solutions.

And since most cloud solutions are provided as SaaS, they’re far less expensive than appliances—some such as  Reblaze are available via a month-to-month subscription.

2. Use the cloud to mitigate vulnerabilities

The Equifax breach is perhaps the most notorious recent security incident. The company utterly failed to protect the very personal data of over 145 million people.

But how was Equifax breached? Through a flaw in Apache Struts, for which a patch was released (but not applied by Equifax) several months before the breach occurred.

We can rightfully point fingers at the incompetent management that allowed this vulnerability to remain open. But here’s a question: how diligent is your organization about installing updates?

Are patches always applied immediately upon release? Or are they sometimes delayed, because of product release schedules, insufficient IT resources, internal political issues, human error, or other factors?

Perhaps your organization would never let a serious vulnerability remain unpatched for months, as Equifax did. Yet hackers don’t need months to take advantage of an exploit.

If your organization sometimes, for whatever reason, does not apply important security updates immediately—if there are even occasional short delays, maybe only for a few days, or just a week or two—then an ‘Equifax event’ could easily be in your future too.

Now consider how this situation changes if you have moved your web security to the cloud. Now all incoming traffic is routed through the cloud platform for scrubbing, before it can reach your network.

This greatly mitigates the risk associated with unpatched vulnerabilities. Of course, you should still apply all security updates upon release, or at least ASAP. But nevertheless, hackers will not have direct access to your servers, and reputable cloud security solutions are updated immediately whenever new vulnerabilities become known. So you will always have the latest protection, and attackers will be thwarted, whether or not the downstream servers have been updated.

In fact, this can also be true even before the vulnerabilities themselves are formally recognized. Let’s discuss that next.

3. Use the cloud to leverage new technologies

The most advanced cloud security providers have heavily invested in integrating Machine Learning and Big Data into their solutions. This gives you tremendous power.

For example, Big Data can be used to store massive amounts of traffic data. (In the case of Reblaze, we receive and store 3.5 billion HTTP/S requests per day.) Then Machine Learning can analyze this data to identify new attack patterns. As new threats are identified, the cloud allows updates to be rolled out immediately, to protect against them.

In other words, the cloud can allow you to be protected from an exploit even before the vulnerability is formally recognized and reported. Your security profile can be hardened against a new attack almost from the moment that our platform first discovers it occurring, anywhere in the world.

4. Use the cloud for better DDoS protection

By their nature, legacy security appliances have great difficulty defending against DDoS.

Even if they are effective at identifying and filtering out attack packets, by the time the traffic reaches an appliance it has already passed through the incoming Internet pipe. So a volumetric DDoS can overwhelm a network’s incoming connection, making it partially or completely unresponsive to legitimate traffic—in other words, the DDoS can be successful—even if the appliance itself correctly recognizes and processes the attack.

Cloud solutions can eliminate this problem. Incoming traffic is scrubbed while it’s still in the cloud, so the protected network’s incoming pipe is never affected. And the cloud makes bandwidth a non-issue: load-balancing and autoscaling can bring more resources online as needed, automatically, without user intervention needed.

5. Use the cloud for secure DevOps

DevOps is a major trend within industry today. Its numerous benefits have resulted in an explosive rate of adoption. But it introduces some challenges, especially in the area of security.

Many DevOps teams have come to hate the WAF that is supposed to protect their apps. Too often, legacy WAFs prevent continuous deployment, rather than enabling it.

Often, when a new app (or a change to an existing app) is deployed, new connections are required. A WAF appliance will probably block some, perhaps even all, of these connections. This breaks the traffic, preventing users from using the apps, and preventing your organization from getting whatever revenue the apps were supposed to generate.

And because most WAFs are opaque, they won’t show all the details of the traffic they’re blocking, or why they’re blocking it.

Or sometimes the opposite occurs. Sometimes a legacy WAF will not fully protect the new apps. New connections mean new potential attack surfaces, and an inadequate WAF will leave you exposed to attackers.

The usual remedy to these problems is lots of re-configuring. Every time you deploy a change, the WAF needs to be re-tuned. At best, this is a tedious process.

At worst, it will be difficult to get it right, and so it won’t be right until after weeks (or even months!) of configuring, testing, re-configuring, re-testing, and so on. Meanwhile, your traffic is still broken, or your protection isn’t robust.

What’s the solution to this? As mentioned above, the cloud allows you to ditch your hardware WAF and replace it with something far better.

Some cloud security platforms such as Reblaze are fully DevOps-compatible. Whenever you deploy a new app or service (or change an existing one), you can have them be protected immediately with a full next-generation WAF, DDoS protection, bot mitigation, etc., without having to invest days or even weeks in re-configuring your security profile. The platform is continuously adaptive, so whenever something new is deployed, it quickly recognizes it, adapts to it, and starts protecting it. The platform also has an API for programmatic control.

The cloud makes it possible for security to support DevOps, rather than hindering it.

A current example of the cloud enhancing security

No doubt you’ve heard of the Spectre and Meltdown security flaws—widespread security holes within CPUs.

As I’m writing this article, companies are scrambling to patch their machines. Even worse, some of the OS patches are turning out to have bugs of their own. (Hopefully, this mess will have cleared up by the time you read this.)

But you know who isn’t scrambling? Companies on the cloud.

Of course, using the cloud doesn’t necessarily make an organization immune to a problem like this. When such a fundamental security hole occurs, vulnerabilities are widespread.

But cloud users know that the top-tier cloud providers will throw massive amounts of resources at a problem like this. They will harden their platforms as soon as a fix is possible. So cloud users will be the first to have their infrastructures fixed, without having to do anything about it themselves.

In fact, it often works out far better than this. For example, GCP (Google Cloud Platform) started closing its Spectre and Meltdown vulnerabilities in June 2016—six months before the problems were publicly announced! And by the time the problems came to light, Google was able to announce (as it did on January 3rd) that “All G Suite applications have already been updated to prevent all known attack vectors,” and “GCP has already been updated to prevent all known vulnerabilities.”

This a great example of the benefits of the cloud, playing out right in front of us today.

Conclusion

Frequently, conversations about the cloud focus on additional risks that are introduced. Yet the cloud is no more inherently insecure than onsite hardware. As always, best practices will mitigate the risks, and the occasional horror stories are usually situations that were easily preventable.

Furthermore, modern cloud platforms can significantly enhance an organization’s web security. They not only compensate for the weaknesses of legacy solutions, they have many additional benefits of their own that have not been available before.

If you’d like to learn more about this topic, I can send you a Reblaze white paper called “Using the cloud for web security: What you need to know.” Or, I’d be happy to answer any security-related questions you might have. Just send me an email at tzury@reblaze.com.

Tzury Bar Yochay

Read more posts by Tzury Bar Yochay