|By Don MacVittie||
|May 5, 2011 04:42 PM EDT||
There is a theory in traditional military strategy that goes something along the lines of “take land, consolidate your gains, take more land…” von Moltke the Elder found this theory so profound that he suggested a defender could trade land for time – advice that Russia managed pretty well in The Great Patriotic War (known in the west as World War II), and German General Kesselring practiced against the allies in Italy during the same war. By giving up land, the enemy is forced to occupy it before they can begin forward movement again, buying you time to build your defenses at a new location, and often forcing them to change their tactics and strategic goals.
There are a lot of reasons why comparisons between warfare and security exist, and I’m going to continue the long-standing tradition here. We are ready to move into the cloud… But there’s a problem. We have to change some of our tactics before we can take overall advantage of cloud infrastructure. At least in the short-term.
People like myself, some with more experience in the space than others, have been recommending that developers leave large swaths of security implementations to firewalls and web application firewalls. This was sound advice, I’ve been a developer, I know the way that code is crafted, I know that it doesn’t take much to leave a gaping hole in one little tiny bit of code. Web application firewalls offer a layer of protection in case you missed something, and can be expanded to lighten the amount of code required to do many mundane tasks.
And there’s the problem. We’ve been telling developers to largely remove themselves from the security business, but now we’re moving to the cloud, where the infrastructure of the corporate datacenter is not necessarily available. Which means the weight of all that redundant security coding falls right back onto developers’ shoulders for the short term. Companies like F5 are moving an increasing amount of high-caliber infrastructure to VMs that can be deployed to the cloud and restore access to the datacenter infrastructure either with manual separate configuration or by slaving the VM appliances to your corporate appliances, which will then put us back where we are today.
von Moltke the Elder
But until your organization has web application firewalls and other security devices on-par in the cloud with what is in the datacenter, I’m afraid there’s going to be a return to the good old “is field all alphanumeric?” “Is field < 8 characters” type checking all over your source code. But it really is a temporary situation, before you know it, you will be able to say “my datacenter device has all the information for this application, share it with my cloud VM appliance”, and you’ll be off and running.
So dig out the security books from a few years back, study up on web application security, schedule extra time for writing and testing your application… And then be prepared to put things back under the umbrella of web application firewalls.
You still won’t be completely out of the security business. No one knows your application and its most glaring security weaknesses better than the developer that wrote it, but that’s the status quo for in-datacenter applications today – developers in shops making use of all of the great network-based security products on the market are able to focus their security efforts on the one or two areas that must have extra protection instead of all possible security vulnerability points.
The bigger problem is deploying purchased applications to the cloud, where you can’t lock it down without tools to help, and those tools have to run in VMs. This is an aspect that I’m not certain has gotten all the attention it deserves yet, but is definitely going to be a problem in the near-term.
I’d say “you could delay deploying to the cloud…” I could also say “You could wait for the sun not to come up tomorrow…” because generally speaking, developers do not get to choose deployment methodology, only influence it, and cloud has taken on a life (or a hype) all its own.
So be careful, have a plan for how to address application-specific security in the cloud, check out VM security offerings as they become available, and keep rocking the apps. Consolidate, reconsider tactics, move to a new attack.
|Connect with Don:||Connect with F5:|
Related Articles and Blogs:
- BIG-IP ASM v.10 Application Ready Security Policy Templates
- v.10 – Application Security Manager (ASM) From iControl
- ASM Layer 7 DoS And Brute Force Protection
- F5 Networks Delivers Comprehensive Application Security Solution ...
- Web Application Security at the Edge is More Efficient Than In the ...
- 4 Reasons We Must Redefine Web Application Security
- Would you risk $31000 for milliseconds of application response time?
- When Is More Important Than Where in Web Application Security
- PCI DSS Deadline Looming Large While Debate Continues - WAF vs VA
- Web Application Security: Where do we go from here?
- What's the difference between a web application and a blog?
- Remember when…you had to choose between security and speed?
- 3 reasons you need a WAF even if your code is (you think) secure
- The Application Delivery Spell Book: Detect Invisible (Application ...
The IoTs will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, will demonstrate how to move beyond today's coding paradigm and share the must-have mindsets for removing complexity from the development proc...
May. 2, 2016 03:00 PM EDT Reads: 265
SYS-CON Events announced today that Ericsson has been named “Gold Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. Ericsson is a world leader in the rapidly changing environment of communications technology – providing equipment, software and services to enable transformation through mobility. Some 40 percent of global mobile traffic runs through networks we have supplied. More than 1 billion subscribers around the world re...
May. 2, 2016 02:45 PM EDT Reads: 1,042
You think you know what’s in your data. But do you? Most organizations are now aware of the business intelligence represented by their data. Data science stands to take this to a level you never thought of – literally. The techniques of data science, when used with the capabilities of Big Data technologies, can make connections you had not yet imagined, helping you discover new insights and ask new questions of your data. In his session at @ThingsExpo, Sarbjit Sarkaria, data science team lead ...
May. 2, 2016 02:00 PM EDT Reads: 906
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus inter...
May. 2, 2016 12:30 PM EDT Reads: 1,258
You deployed your app with the Bluemix PaaS and it's gaining some serious traction, so it's time to make some tweaks. Did you design your application in a way that it can scale in the cloud? Were you even thinking about the cloud when you built the app? If not, chances are your app is going to break. Check out this webcast to learn various techniques for designing applications that will scale successfully in Bluemix, for the confidence you need to take your apps to the next level and beyond.
May. 2, 2016 12:00 PM EDT Reads: 1,531
There is an ever-growing explosion of new devices that are connected to the Internet using “cloud” solutions. This rapid growth is creating a massive new demand for efficient access to data. And it’s not just about connecting to that data anymore. This new demand is bringing new issues and challenges and it is important for companies to scale for the coming growth. And with that scaling comes the need for greater security, gathering and data analysis, storage, connectivity and, of course, the...
May. 2, 2016 11:45 AM EDT Reads: 922
So, you bought into the current machine learning craze and went on to collect millions/billions of records from this promising new data source. Now, what do you do with them? Too often, the abundance of data quickly turns into an abundance of problems. How do you extract that "magic essence" from your data without falling into the common pitfalls? In her session at @ThingsExpo, Natalia Ponomareva, Software Engineer at Google, will provide tips on how to be successful in large scale machine lear...
May. 2, 2016 11:30 AM EDT Reads: 1,310
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry's single source for the cloud. Fusion's advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
May. 2, 2016 10:00 AM EDT Reads: 2,616
In his session at @ThingsExpo, Chris Klein, CEO and Co-founder of Rachio, will discuss next generation communities that are using IoT to create more sustainable, intelligent communities. One example is Sterling Ranch, a 10,000 home development that – with the help of Siemens – will integrate IoT technology into the community to provide residents with energy and water savings as well as intelligent security. Everything from stop lights to sprinkler systems to building infrastructures will run ef...
May. 2, 2016 10:00 AM EDT Reads: 1,014
Digital payments using wearable devices such as smart watches, fitness trackers, and payment wristbands are an increasing area of focus for industry participants, and consumer acceptance from early trials and deployments has encouraged some of the biggest names in technology and banking to continue their push to drive growth in this nascent market. Wearable payment systems may utilize near field communication (NFC), radio frequency identification (RFID), or quick response (QR) codes and barcodes...
May. 2, 2016 09:15 AM EDT Reads: 853
The increasing popularity of the Internet of Things necessitates that our physical and cognitive relationship with wearable technology will change rapidly in the near future. This advent means logging has become a thing of the past. Before, it was on us to track our own data, but now that data is automatically available. What does this mean for mHealth and the "connected" body? In her session at @ThingsExpo, Lisa Calkins, CEO and co-founder of Amadeus Consulting, will discuss the impact of wea...
May. 2, 2016 08:45 AM EDT Reads: 779
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
May. 2, 2016 06:30 AM EDT Reads: 2,532
The IoT has the potential to create a renaissance of manufacturing in the US and elsewhere. In his session at 18th Cloud Expo, Florent Solt, CTO and chief architect of Netvibes, will discuss how the expected exponential increase in the amount of data that will be processed, transported, stored, and accessed means there will be a huge demand for smart technologies to deliver it. Florent Solt is the CTO and chief architect of Netvibes. Prior to joining Netvibes in 2007, he co-founded Rift Technol...
May. 1, 2016 11:00 PM EDT Reads: 1,610
We’ve worked with dozens of early adopters across numerous industries and will debunk common misperceptions, which starts with understanding that many of the connected products we’ll use over the next 5 years are already products, they’re just not yet connected. With an IoT product, time-in-market provides much more essential feedback than ever before. Innovation comes from what you do with the data that the connected product provides in order to enhance the customer experience and optimize busi...
May. 1, 2016 05:00 PM EDT Reads: 1,062
SYS-CON Events announced today that Stratoscale, the software company developing the next generation data center operating system, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Stratoscale is revolutionizing the data center with a zero-to-cloud-in-minutes solution. With Stratoscale’s hardware-agnostic, Software Defined Data Center (SDDC) solution to store everything, run anything and scale everywhere...
May. 1, 2016 01:30 PM EDT Reads: 1,600
Angular 2 is a complete re-write of the popular framework AngularJS. Programming in Angular 2 is greatly simplified – now it's a component-based well-performing framework. This immersive one-day workshop at 18th Cloud Expo, led by Yakov Fain, a Java Champion and a co-founder of the IT consultancy Farata Systems and the product company SuranceBay, will provide you with everything you wanted to know about Angular 2.
May. 1, 2016 01:00 PM EDT Reads: 1,770
SYS-CON Events announced today that Men & Mice, the leading global provider of DNS, DHCP and IP address management overlay solutions, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. The Men & Mice Suite overlay solution is already known for its powerful application in heterogeneous operating environments, enabling enterprises to scale without fuss. Building on a solid range of diverse platform support,...
May. 1, 2016 12:15 PM EDT Reads: 2,352
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
May. 1, 2016 11:00 AM EDT Reads: 1,115
Increasing IoT connectivity is forcing enterprises to find elegant solutions to organize and visualize all incoming data from these connected devices with re-configurable dashboard widgets to effectively allow rapid decision-making for everything from immediate actions in tactical situations to strategic analysis and reporting. In his session at 18th Cloud Expo, Shikhir Singh, Senior Developer Relations Manager at Sencha, will discuss how to create HTML5 dashboards that interact with IoT devic...
May. 1, 2016 09:45 AM EDT Reads: 1,062
Artificial Intelligence has the potential to massively disrupt IoT. In his session at 18th Cloud Expo, AJ Abdallat, CEO of Beyond AI, will discuss what the five main drivers are in Artificial Intelligence that could shape the future of the Internet of Things. AJ Abdallat is CEO of Beyond AI. He has over 20 years of management experience in the fields of artificial intelligence, sensors, instruments, devices and software for telecommunications, life sciences, environmental monitoring, process...
May. 1, 2016 09:45 AM EDT Reads: 954