Information security professionals can hardly be blamed for a recent over-emphasis on looking to cloud-based solutions for protection for both network and application protection. It’s a natural reaction to the seemingly endless stream of news about large volumetric attacks. Add to that the natural migration of many applications to the cloud and the cloud momentum really gets rolling.
Certainly, cloud-based resources should play an important part in a sound cyber-attack protection strategy. But those falling into a belief they are the be-all-end-all for protection will leave themselves exposed to a number of threats and risks based on the limitations of cloud-only protection.
It is important to be aware of the shortcomings of many cloud-only solutions and consider them when planning for attack protection. There are inherent challenges of putting all of your faith in the cloud versus a balanced architecture, one that leverages cloud strengths but adds support through on premise components.
We’ve Come Quite a Ways
Before getting into some of the specific challenges posed by cloud-only protection, let’s take a step back and recognize how far we’ve come. It wasn’t long ago that many were learning about the challenges of using firewalls and IDS/IPS to protect from advanced cyber-attacks. Now, it would be untrue to say we never see or hear this anymore… there are still segments of the information security audience that still want to look at a firewall or IPS as a panacea from all malicious threats.
By and large, the notion that a stateful device can protect from large floods or even more sophisticated application attacks that require visibility into request-and-response had dwindled significantly over the past 2-3 years. Certainly, the benefits of purpose-built protections from advanced cyber-attacks such as DDoS got a big vote of confidence when Cisco recently announced the OEM’ing of Radware’s DDoS protection into the Firepower 9300 series. The technology is meant to compliment separate FW/IPS capabilities also on the product.
Why So Cloud-Centric?
Let’s examine a few of the reasons why so many organizations are thinking (or maybe just hoping) cloud-based solutions hold the answer to their security challenges.
First, the news headlines… this is not to suggest that information security professionals are a bunch of mindless drones following the tome of what they see in the news. But the overwhelming volume of news related to the “mega-attacks”(many hundreds of Gbps) are impossible to ignore or even keep from seeping into our psyche. To give you a sense of just how dominant this topic has been of late, I took a look through the last 45 days of “DDoS” keyword-triggered (non-vendor) news in my various news feeds and discovered that nearly two-thirds of these stories relate directly to volumetric threats or specific attacks.
This impact arguably has an even greater effect on executive management. The panicked reaction to hearing about yet another peer or competitor falling in the face of these threats generates a lot of “don’t let that happen to us” pressure down onto the security and networking teams.
Add to this the undeniable dynamic that information security teams and professionals have an overwhelming number of threats to monitor, detect and defend against. The sense of having to keep up with the rapidly evolving and advanced tool sets of malicious actors causes many to turn attention towards outside solutions that at first glance would seem to put the least burden on internal resources for management and maintenance. Fortunately, there are many good outsourced managed services offerings that don’t expose the organization to the shortcomings of cloud-only architectures.
Cloud-Only Protection Challenge #1: Redirecting traffic in peacetime
There is a saying that articulates a philosophy on cyber-attack protection… “detect where you can, mitigate where you should.”
There are many benefits to a distributed attack mitigation system, including the situation of mitigating large volumetric attacks near major peering points. Or alternatively, mitigating application threats close to the application itself.
What is clear, however, is that the decision made by some to redirect all application or website traffic to third-party cloud security service providers is driven by something other than optimal security architecture. Rather, it seems to stem from a basic desire to make the attacks someone else’s problem to mitigate. Ironic when you consider that for some the exploration of cloud-based solutions stems from the bias against “putting yet another device in the network.” So the response is to pass all traffic over to a third party?
This, however, can introduce often non-trivial latency into the application’s performance. I think we can agree that in some cases small amounts of latency are not deal-breakers. These can be good candidates for cloud based protection for both network layer and application layer attacks. However, many applications (often those an organization determines it cannot host in the cloud) require the minimal latency that comes from full management of the application infrastructure.
Another often overlooked shortcoming of the cloud-only approach to cyber-attack protection is that what can be called the “collateral damage” risk. For providers delivering an always-on cloud option to customers, you quickly can see how a collection of attacks targeting a growing customer base creates a threat against all customers. Alternatively, organizations that leverage cloud resources in conjunction with on-premises components incur none of this risk when they are at peacetime, and generally are able to get better detection of attacks that can be mitigated without having to swing traffic. In fact, Radware customers, representing many of the world’s largest organizations across what you might call core cyber-attack prone industries see 85% of attacks are able to be mitigated fully by the on-premises components.
I’m not here to propose cloud-based attack protection has no place in sound security architecture. But the tendencies of organizations to overreact to the headlines and jump to the conclusion that cyber-attack protection equals only volumetric attack protection warrants correction. So too does the notion that all application layer threats are best mitigated in the existing flow of traffic through cloud resources. Over the coming weeks, we’ll take a deeper look at some of the other challenges the cloud-only approach brings into play for both volumetric network threats and application layer attacks.
If you’d like to learn more about a balanced attack mitigation solution that leverages the benefits of cloud, but still offers optimal protection, download our white paper “Cyber Security Just Got Easier”.