Application and cloud security is a shared responsibility

Cloud environments and application connectivity have become a critical part of many organizations’ digital transformation initiatives. In fact, nearly 40% of North American and European-based enterprises adopted industry-specific cloud platforms in 2022. But why are organizations turning to these solutions now?

These trends are influencing the current state of affairs:

• Low/no code solutions: Thanks to the software development skills gap, we’ve been forced to come up with new ways to develop applications. Citizen development, for instance, encourages non-IT-trained employees to become software developers by using IT-sanctioned low-code/no-code (LCNC) platforms to create business applications.
• Composability: Also referred to as “plug-in-play” architecture, composable enterprises represent the transition from monolithic technology suites and code-based software development to interconnected ecosystems of multiple, interchangeable applications.
• Microservices: This architectural approach to software development takes what was once a very big application (think Microsoft Word) and breaks it down into lots of smaller services (font styling, page formatting, etc.) This allows developers to modify and redeploy these tiny services in a more time-efficient manner.

Despite the growing popularity of these trends, it’s crucial to remember that every time an organization adopts a new environment or works with a particular cloud provider, security risks are bound to ensue – and it’s not always the providers’ responsibility to mitigate them.

What storms will you have to weather in the cloud?

All three of these trends have one thing in common – they all increase connections and drive dependencies among a larger number of applications that could reside anywhere in a cloud. When developers must deal with complex application connections across different clouds and applications that are dependent on other applications or services, they tend to lose sight of security for the sake of speed and convenience.

This simple “slip up” has the power to throw off entire supply chains. At the end of the day, the exploitation of one small link has the power to break the entire chain. But what happens when a link is missing? What if multiple links are missing and they are not limited to the supply chain? What if they include security services?

There is a weakness in many cloud and application security strategies. Enterprises believe that they have a strong chain link fence around their network, but they may be missing critical controls – links in the chain – that allow threat actors to slide right in. Today, most software goes through a five or six step pipeline before it becomes a live application on the web. One way modern applications are working to mitigate these security risks is by automating the tools that scan for flaws and vulnerabilities in applications as they move through the pipeline.

GitLab is a great example of this. GitLab allows you to build software in their environment, but within their pipeline are various types of tests, such as static and dynamic application security tests. This is a great advancement for modern applications, but a lot of legacy applications were built with old systems that are not conducive to the re-engineering needed to accept these new practices.

On the other hand, with the significance of multi-cloud and the sheer complexity of cloud infrastructure, it is difficult to have visibility into all of the different cloud workloads running in your environment, let alone securing them. There are so many cloud and application controls that may be overlooked due to the assumed trust enterprises place in their cloud providers. Enterprises may believe that AWS oversees the handling of identity and access management policies, or that Azure will manage data classification, but for many, that belief leads to a false sense of security. So, who holds the responsibility to ensure production applications are secure?

Cloud and application security is everyone’s responsibility – there isn’t much of a choice

Many enterprise cloud customers make the mistake of believing that they are free from obligation when it comes to application security, and they deploy the apps in the cloud, exposing themselves to security gaps at the seam of enterprise and cloud vendor infrastructures. Comprehensive security has always required the enterprise to be responsible and proactive in their security defenses, but the fact of the matter is that enterprises are really forced to share in the responsibility.

Cloud and application security encompasses the entire ecosystem of people, processes, policies and technology that serve to protect the data that operates within, but security for things like data classification, network controls and physical security need clear owners. The shared responsibility model for cloud security provides a clear breakdown of who should be doing what.

Traditional enterprise CISOs have, in the past, used on-premises data centers, which could be protected with a firewall that monitors traffic. They had total control of their security department, but they lost some of that control once they moved to the cloud. They’re now forced to rely on the security that the cloud provider offers. Yes, these providers offer a lot of built-in security, but they don’t cover everything.

Today’s cloud and application security providers have so many services and figuring out how to configure these services or understanding their security perimeters can be incredibly challenging, as it requires some special skills and training. And that’s just if the enterprises work with one commercial cloud!

I strongly encourage security teams to do their homework: leverage resources to familiarize yourself with the security services your cloud provider might not cover or provide in the way that best works with your enterprise. Research and ask questions or have conversations with your peers. Figure out where your gaps may be, and verify that your architecture plugs them.