So you’ve finally made the move and deployed one of your business applications in the cloud. You picked a leading public cloud provider (Amazon Web Services or Microsoft Azure) thinking this would buy you the peace of mind you were looking for. Well, that’s almost too good to be true. While there are many advantages to hosting applications in the cloud to improve overall efficiency and expand business opportunities, securing those applications is more complicated. As you migrate or deploy more and more applications in the cloud, you face an increasingly distributed network that is split across multiple cloud providers and your organization’s private network.
The primary challenge for securing cloud-based applications comes from the loss of control over your applications and the lack of visibility you have into its overall behavior and performance. This introduces a number of security challenges:
- You cannot protect if you cannot detect: When your application is hosted in the cloud, you no longer own the network edge in front of it, which limits your ability to monitor its traffic and detect the anomalies that signal an attack in progress. You may think that your application is protected simply because it sits on a public cloud, but cloud-based applications, including those hosted on AWS and Azure, get hit by DDoS attacks regularly. Lately, with the growth in Internet of Things (IoT)-enabled devices, attackers have been launching massive DDoS attacks, including application-layer (HTTP) floods, that can either bring down Web applications hosted on public clouds or create prohibitive costs for them.
- Your protection is only as good as what your cloud provider gives you: Relying on your cloud provider for protection is the most intuitive thing to do, but does it give you the protection you need? Not necessarily. The DDoS protection public cloud providers include by default (for example AWS Shield Standard, or Azure’s basic DDoS protection) is limited and focuses on network- and transport-layer floods. It does not address application-layer and SSL/TLS-based DDoS attacks, leaving you exposed to the kind of traffic IoT botnets such as Mirai generate.
- Protection without borders: Say your application hosted on AWS is attacked. You are able to detect the attack and block it, so that specific application is now protected. But what happens to your other applications? How do you now protect the applications hosted in your own data center from the same attack? These questions simply cannot be answered if you are using different solutions to protect your on-premises and cloud-based applications.
- Hidden costs of attack traffic: If you can’t protect your applications when you are under attack, not only does your business suffer, but you also pay your cloud provider for all the extra traffic that reaches your application: data transfer, request charges and any compute your application auto-scales to absorb the load. That adds up to a lot!
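The detection point above is concrete enough to show in code. The following is an added example written for this page, not code from the original post and not Radware’s product logic: a sliding-window rate detector run over Web-server access logs, with one check per source IP (catching a single noisy client) and one check on the global request rate (catching a distributed botnet whose members each stay below the per-source limit), plus a running total of the bytes served to flagged sources, which is the traffic a cloud bill keeps charging for. It assumes the Apache/NGINX "combined" log format; the thresholds, the IP addresses (from the documentation ranges) and the sample log lines are all constructed for the example.

```python
"""Sliding-window HTTP flood detection over web-server access logs.

Added example for this page, not Radware's code. Assumes the Apache/NGINX
"combined" access-log format; thresholds and sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


class FloodDetector:
    """Two sliding-window rate checks: per source IP and across all sources.

    per_source   - requests from one IP inside `window` before that IP is flagged
    global_limit - requests from all IPs inside `window` before a global alert
                   (a botnet of many hosts can stay under per_source each)
    Threshold values here are illustrative assumptions, not recommendations.
    """

    def __init__(self, window=timedelta(seconds=10), per_source=50, global_limit=500):
        self.window, self.per_source, self.global_limit = window, per_source, global_limit
        self.per_ip = defaultdict(deque)   # ip -> timestamps still inside window
        self.all = deque()                 # every timestamp still inside window
        self.flagged = {}                  # ip -> time it crossed per_source
        self.global_alert_at = None        # time the global rate crossed global_limit

    @staticmethod
    def _trim(q, cutoff):
        while q and q[0] < cutoff:         # drop timestamps that fell out of the window
            q.popleft()

    def observe(self, rec):
        """Feed one record (records must arrive in timestamp order); True if its IP is flagged."""
        ts = rec["ts"]
        cutoff = ts - self.window
        q = self.per_ip[rec["ip"]]
        q.append(ts)
        self._trim(q, cutoff)
        self.all.append(ts)
        self._trim(self.all, cutoff)
        if len(q) > self.per_source and rec["ip"] not in self.flagged:
            self.flagged[rec["ip"]] = ts
        if len(self.all) > self.global_limit and self.global_alert_at is None:
            self.global_alert_at = ts
        return rec["ip"] in self.flagged


def analyze(lines, **kw):
    """Run the detector over log lines and total the bytes served after a source was flagged."""
    det = FloodDetector(**kw)
    total_bytes = attack_bytes = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # unparseable line: skip rather than crash
        total_bytes += rec["bytes"]
        if det.observe(rec):
            attack_bytes += rec["bytes"]
    return {"flagged": sorted(det.flagged), "global_alert_at": det.global_alert_at,
            "total_bytes": total_bytes, "attack_bytes": attack_bytes}


def make_sample():
    """Constructed log: one normal client, one single-host flood, one 30-host botnet."""
    base = datetime(2017, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    recs = []
    for k in range(5):                     # normal client: one request every 12 s
        recs.append((base + timedelta(seconds=12 * k), "192.0.2.10", "/", 200, 512))
    for i in range(120):                   # one host: 120 hits on /search within 6 s
        recs.append((base + timedelta(seconds=5 + 0.05 * i), "198.51.100.7", "/search?q=a", 200, 2048))
    for h in range(1, 31):                 # 30 hosts x 20 hits = 600 requests within 5 s
        for j in range(20):
            recs.append((base + timedelta(seconds=30 + 0.25 * j), f"203.0.113.{h}", "/search?q=b", 200, 1024))
    recs.sort()                            # the detector expects timestamp order
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {st} {nb} "-" "Mozilla/5.0"'
            for ts, ip, path, st, nb in recs]


if __name__ == "__main__":
    print(analyze(make_sample()))
```

Running it flags only 198.51.100.7 on the per-source check, raises the global alert while the 30-host botnet is active even though no botnet member exceeds the per-source limit, and shows that most of the bytes served went to a source already known to be attacking. A real deployment would add path concentration and distinct-source counts and would act on the alert (rate limit, challenge, or divert to scrubbing) rather than just report it.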
Before you give up, there is a solution for all of this. When thinking about DDoS protection for your applications, look for a unified “single pane-of-glass” solution that can protect your applications anywhere and everywhere. Keep in mind you will likely need different protection types (hybrid, on-demand or always-on) depending on where your applications are hosted.
For your applications hosted on public clouds, such as AWS or Azure, most vendors will offer you an always-on DDoS protection service. In this case all traffic going towards your application is routed first through the security vendor’s scrubbing center before it reaches your application, all the time. While this provides real-time detection and mitigation, it comes at the cost of added latency on every request, even in peacetime, and a higher price for the service (always-on costs more!).
Instead, choose an on-demand cloud DDoS protection service that does not add latency to your traffic in peacetime. Keep in mind how on-demand works: traffic flows directly to your application until an attack is detected, and only then is it diverted (typically via a DNS or BGP change) to the scrubbing center, so there is a window between detection and mitigation. You should therefore go for an on-demand service that still provides automatic detection of attacks and real-time mitigation, and ask the vendor how long diversion takes. It does exist! In addition, you should choose a solution that offers the widest protection and is not limited to network-layer attacks.
Finally, remember that it’s not a one-size-fits-all approach. The appropriate solution – hybrid, on-demand or always-on cloud protection – will vary for each of your applications depending on where the application is hosted (data center, public cloud, etc.) and its sensitivity to delays and latency. Finding the right deployment for each application as part of a single-vendor, holistic solution will introduce efficiencies while still keeping consistency across your DDoS protection.
Do not compromise on DDoS protection for your applications. Check out Radware’s fully managed Cloud DDoS Protection Services to protect your applications everywhere with integrated, unified protection across data centers and public cloud environments.
Read “Myth vs. Reality: DDoS Protection for Applications Hosted on Public Clouds” to learn how to safeguard AWS and Azure-based applications from cyber-attacks.
Shira Sagiv is the Director of Security Product Marketing at Radware. She is responsible for the positioning and messaging, launches, and all inbound/outbound product collateral for all security products. Prior to Radware, Shira spent 10 years at Microsoft HQ, in various senior product marketing positions including building Microsoft’s Security Response process and managing executive communications around the company’s security efforts. Before that, Shira was a senior software engineer team leader at Avaya. Shira holds a BSc. in Computer Science & Economics from Tel Aviv University and an MBA from the Kellogg School of Management at Northwestern University.