|By Don MacVittie||
|May 5, 2011 04:42 PM EDT||
There is a theory in traditional military strategy that goes something along the lines of “take land, consolidate your gains, take more land…” von Moltke the Elder found this theory so profound that he suggested a defender could trade land for time – advice that Russia managed pretty well in The Great Patriotic War (known in the west as World War II), and German General Kesselring practiced against the allies in Italy during the same war. By giving up land, the enemy is forced to occupy it before they can begin forward movement again, buying you time to build your defenses at a new location, and often forcing them to change their tactics and strategic goals.
There are a lot of reasons why comparisons between warfare and security exist, and I’m going to continue the long-standing tradition here. We are ready to move into the cloud… But there’s a problem. We have to change some of our tactics before we can take overall advantage of cloud infrastructure. At least in the short-term.
People like myself, some with more experience in the space than others, have been recommending that developers leave large swaths of security implementations to firewalls and web application firewalls. This was sound advice, I’ve been a developer, I know the way that code is crafted, I know that it doesn’t take much to leave a gaping hole in one little tiny bit of code. Web application firewalls offer a layer of protection in case you missed something, and can be expanded to lighten the amount of code required to do many mundane tasks.
And there’s the problem. We’ve been telling developers to largely remove themselves from the security business, but now we’re moving to the cloud, where the infrastructure of the corporate datacenter is not necessarily available. Which means the weight of all that redundant security coding falls right back onto developers’ shoulders for the short term. Companies like F5 are moving an increasing amount of high-caliber infrastructure to VMs that can be deployed to the cloud and restore access to the datacenter infrastructure either with manual separate configuration or by slaving the VM appliances to your corporate appliances, which will then put us back where we are today.
von Moltke the Elder
But until your organization has web application firewalls and other security devices on-par in the cloud with what is in the datacenter, I’m afraid there’s going to be a return to the good old “is field all alphanumeric?” “Is field < 8 characters” type checking all over your source code. But it really is a temporary situation, before you know it, you will be able to say “my datacenter device has all the information for this application, share it with my cloud VM appliance”, and you’ll be off and running.
So dig out the security books from a few years back, study up on web application security, schedule extra time for writing and testing your application… And then be prepared to put things back under the umbrella of web application firewalls.
You still won’t be completely out of the security business. No one knows your application and its most glaring security weaknesses better than the developer that wrote it, but that’s the status quo for in-datacenter applications today – developers in shops making use of all of the great network-based security products on the market are able to focus their security efforts on the one or two areas that must have extra protection instead of all possible security vulnerability points.
The bigger problem is deploying purchased applications to the cloud, where you can’t lock it down without tools to help, and those tools have to run in VMs. This is an aspect that I’m not certain has gotten all the attention it deserves yet, but is definitely going to be a problem in the near-term.
I’d say “you could delay deploying to the cloud…” I could also say “You could wait for the sun not to come up tomorrow…” because generally speaking, developers do not get to choose deployment methodology, only influence it, and cloud has taken on a life (or a hype) all its own.
So be careful, have a plan for how to address application-specific security in the cloud, check out VM security offerings as they become available, and keep rocking the apps. Consolidate, reconsider tactics, move to a new attack.
|Connect with Don:||Connect with F5:|
Related Articles and Blogs:
- BIG-IP ASM v.10 Application Ready Security Policy Templates
- v.10 – Application Security Manager (ASM) From iControl
- ASM Layer 7 DoS And Brute Force Protection
- F5 Networks Delivers Comprehensive Application Security Solution ...
- Web Application Security at the Edge is More Efficient Than In the ...
- 4 Reasons We Must Redefine Web Application Security
- Would you risk $31000 for milliseconds of application response time?
- When Is More Important Than Where in Web Application Security
- PCI DSS Deadline Looming Large While Debate Continues - WAF vs VA
- Web Application Security: Where do we go from here?
- What's the difference between a web application and a blog?
- Remember when…you had to choose between security and speed?
- 3 reasons you need a WAF even if your code is (you think) secure
- The Application Delivery Spell Book: Detect Invisible (Application ...
Early adopters of IoT viewed it mainly as a different term for machine-to-machine connectivity or M2M. This is understandable since a prerequisite for any IoT solution is the ability to collect and aggregate device data, which is most often presented in a dashboard. The problem is that viewing data in a dashboard requires a human to interpret the results and take manual action, which doesn’t scale to the needs of IoT.
Jul. 25, 2016 01:00 PM EDT Reads: 1,920
SYS-CON Events announced today that 910Telecom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and ...
Jul. 25, 2016 12:15 PM EDT Reads: 400
CenturyLink has announced that application server solutions from GENBAND are now available as part of CenturyLink’s Networx contracts. The General Services Administration (GSA)’s Networx program includes the largest telecommunications contract vehicles ever awarded by the federal government. CenturyLink recently secured an extension through spring 2020 of its offerings available to federal government agencies via GSA’s Networx Universal and Enterprise contracts. GENBAND’s EXPERiUS™ Application...
Jul. 25, 2016 12:00 PM EDT Reads: 1,812
IoT generates lots of temporal data. But how do you unlock its value? You need to discover patterns that are repeatable in vast quantities of data, understand their meaning, and implement scalable monitoring across multiple data streams in order to monetize the discoveries and insights. Motif discovery and deep learning platforms are emerging to visualize sensor data, to search for patterns and to build application that can monitor real time streams efficiently. In his session at @ThingsExpo, ...
Jul. 25, 2016 11:00 AM EDT Reads: 897
Verizon Communications Inc. (NYSE, Nasdaq: VZ) and Yahoo! Inc. (Nasdaq: YHOO) have entered into a definitive agreement under which Verizon will acquire Yahoo's operating business for approximately $4.83 billion in cash, subject to customary closing adjustments. Yahoo informs, connects and entertains a global audience of more than 1 billion monthly active users** -- including 600 million monthly active mobile users*** through its search, communications and digital content products. Yahoo also co...
Jul. 25, 2016 10:30 AM EDT Reads: 288
"There's a growing demand from users for things to be faster. When you think about all the transactions or interactions users will have with your product and everything that is between those transactions and interactions - what drives us at Catchpoint Systems is the idea to measure that and to analyze it," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York Ci...
Jul. 25, 2016 10:30 AM EDT Reads: 1,937
"Tintri was started in 2008 with the express purpose of building a storage appliance that is ideal for virtualized environments. We support a lot of different hypervisor platforms from VMware to OpenStack to Hyper-V," explained Dan Florea, Director of Product Management at Tintri, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 25, 2016 10:15 AM EDT Reads: 1,864
The best-practices for building IoT applications with Go Code that attendees can use to build their own IoT applications. In his session at @ThingsExpo, Indraneel Mitra, Senior Solutions Architect & Technology Evangelist at Cognizant, provided valuable information and resources for both novice and experienced developers on how to get started with IoT and Golang in a day. He also provided information on how to use Intel Arduino Kit, Go Robotics API and AWS IoT stack to build an application tha...
Jul. 25, 2016 10:00 AM EDT Reads: 983
SYS-CON Events announced today that LeaseWeb USA, a cloud Infrastructure-as-a-Service (IaaS) provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LeaseWeb is one of the world's largest hosting brands. The company helps customers define, develop and deploy IT infrastructure tailored to their exact business needs, by combining various kinds cloud solutions.
Jul. 25, 2016 09:45 AM EDT Reads: 1,127
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Jul. 25, 2016 09:30 AM EDT Reads: 2,102
The cloud market growth today is largely in public clouds. While there is a lot of spend in IT departments in virtualization, these aren’t yet translating into a true “cloud” experience within the enterprise. What is stopping the growth of the “private cloud” market? In his general session at 18th Cloud Expo, Nara Rajagopalan, CEO of Accelerite, explored the challenges in deploying, managing, and getting adoption for a private cloud within an enterprise. What are the key differences between wh...
Jul. 25, 2016 09:15 AM EDT Reads: 2,002
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
Jul. 25, 2016 08:30 AM EDT Reads: 1,275
Large scale deployments present unique planning challenges, system commissioning hurdles between IT and OT and demand careful system hand-off orchestration. In his session at @ThingsExpo, Jeff Smith, Senior Director and a founding member of Incenergy, will discuss some of the key tactics to ensure delivery success based on his experience of the last two years deploying Industrial IoT systems across four continents.
Jul. 25, 2016 06:00 AM EDT Reads: 1,499
There will be new vendors providing applications, middleware, and connected devices to support the thriving IoT ecosystem. This essentially means that electronic device manufacturers will also be in the software business. Many will be new to building embedded software or robust software. This creates an increased importance on software quality, particularly within the Industrial Internet of Things where business-critical applications are becoming dependent on products controlled by software. Qua...
Jul. 25, 2016 05:45 AM EDT Reads: 1,377
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2016 Silicon Valley. The 19th Cloud Expo and 6th @ThingsExpo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Interne...
Jul. 25, 2016 05:00 AM EDT Reads: 2,020
Machine Learning helps make complex systems more efficient. By applying advanced Machine Learning techniques such as Cognitive Fingerprinting, wind project operators can utilize these tools to learn from collected data, detect regular patterns, and optimize their own operations. In his session at 18th Cloud Expo, Stuart Gillen, Director of Business Development at SparkCognition, discussed how research has demonstrated the value of Machine Learning in delivering next generation analytics to imp...
Jul. 25, 2016 04:15 AM EDT Reads: 2,410
In addition to all the benefits, IoT is also bringing new kind of customer experience challenges - cars that unlock themselves, thermostats turning houses into saunas and baby video monitors broadcasting over the internet. This list can only increase because while IoT services should be intuitive and simple to use, the delivery ecosystem is a myriad of potential problems as IoT explodes complexity. So finding a performance issue is like finding the proverbial needle in the haystack.
Jul. 25, 2016 03:45 AM EDT Reads: 2,198
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develo...
Jul. 25, 2016 01:45 AM EDT Reads: 1,262
SYS-CON Events announced today that MangoApps will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device.
Jul. 25, 2016 01:30 AM EDT Reads: 1,270
Basho Technologies has announced the latest release of Basho Riak TS, version 1.3. Riak TS is an enterprise-grade NoSQL database optimized for Internet of Things (IoT). The open source version enables developers to download the software for free and use it in production as well as make contributions to the code and develop applications around Riak TS. Enhancements to Riak TS make it quick, easy and cost-effective to spin up an instance to test new ideas and build IoT applications. In addition to...
Jul. 25, 2016 12:30 AM EDT Reads: 1,896