Click here to close now.





















Welcome!

Microservices Expo Authors: Carmen Gonzalez, Liz McMillan, Pat Romanski, Jason Bloomberg, Elizabeth White

Related Topics: Java IoT, Microservices Expo, @CloudExpo

Java IoT: Article

App Attack Surface in the Cloud | @CloudExpo #Cloud #AWS #Microservices

Is the App Attack Surface in the Cloud Really Different Than On-Premises?

Is the App Attack Surface in the Cloud Really Different Than On-Premises?

No.

Still here? Okay then, let me explain further. This whole thing started because I was reading the Internet the other day and happened upon a claim that stated: “the attack surface for cloud applications is dramatically different than for highly controlled data centers”.

And that made me frustrated because it isn’t true at all.

The attack surface for applications deployed in the cloud is the same as that of applications deployed on-premises. It doesn’t matter if we’re talking about SaaS or IaaS. An application’s attack surface is always the same.

app security basicsAn application may be attacked at the application layer, at the platform layer and sometimes* at the operating system layer.

The vast majority of threats against applications in the past 15 years have targeted protocols (HTTP, TCP, or SSL/TLS) that are the responsibility of the platform (app or web server) or at the application itself (SQLi, XSS, CSRF, etc…). Both of these layers of the application stack are the same irrespective of where that application might be deployed.

top breach stats

The attack surface for cloud applications remains the same. Let’s say you had an app, in the cloud, that was vulnerable to SQLi. Which shouldn’t be too much of a stretch cause there are a whole lot of apps that are today. Just saying.

Let’s say you decided to move that app on-premises. In that “highly controlled data center.”

Did the SQLi vulnerability go away?

Of course not. It’s still there and it’s still just as exploitable. We can reverse that process and guess what, the app is vulnerable (and exploitable) regardless of whether it’s “in the cloud” or “on-premises.”

If it was vulnerable to Heartbleed or Shellshock or Apache Killer on-premises, it’s still vulnerable in the cloud. And vice versa. The attack surface of an application does not change with its deployment location.

What changes when you move from on-premises to the cloud is what you are responsible for securing.

For example, the only thing you really have control over with SaaS (and are ultimately responsible for managing) is who is authorized access. That’s why ID federation is becoming such a big deal; it’s the best technological solution we have to providing the level of corporate governance over access to SaaS applications.

In IaaS, your responsibility goes deeper into the stack – down to the guest operating system. You may recall this statement from AWS head of global security programs Bill Murray:

“Customers are responsible for protecting everything from the guest operating system they run on AWS up through the applications they are running, ” he told El Reg. We are responsible for the host OS and the VM and everything down to the concrete of the data centre floor.”

Which means the OS, platform, and application layers of the application stack are your responsibility in IaaS. Interestingly enough, they’re also your responsibility in the data center. And those layers – those attack surfaces – don’t magically disappear when you put an app into the cloud.

That’s important to remember when you start evaluating what services you need in the cloud for apps you may be deploying “out there.” DDoS. WAF. Data leak prevention. Access control. These are all app security services that remain as critical in the cloud as they are in the data center, on-premises – because the attack surface of an application doesn’t change with its deployment location.

* I say sometimes because while the rate at which malware/trojans are deposited during volumetric attacks is increasing, the thing is that the deposits are generally happening via the application layer. They aren’t directly targeting the operating system layer.

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@MicroservicesExpo Stories
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
Most everyone in Cloud IT circles has realized the power of containerization and that companies are adopting Docker containers at a remarkable rate. There are many good reasons for this, such as easily setting up dev/test scenarios (DevOps), and building out sophisticated, distributed computing clusters. But there are some deeper questions this talk will address from the Microsoft perspective. For example, what is the future of Windows in a containerized world? How will Windows and Linux work to...
SYS-CON Events announced today that Ericsson has been named “Silver Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Ericsson strives to connect everyone, wherever they may be. Because by being connected, people can take part in the emerging global collaboration that is the Networked Society – a society in which every person and every industry is empowered to reach their full potential.
Cloud computing delivers on-demand IT resources that provide businesses flexibility. The challenge is the cost and complexity of cloud security compliance (PCI, HIPAA, FFIEC). Raxak Protect automated cloud security enables cloud apps to be deployed quickly and cost-effectively. Get the guide to decreasing your security costs up to 50% through automated cloud security.
Ever since the dawn of the Internet, people have struggled with how to get one computer to talk to another. Early business systems had no provision for such interactions. They were entirely closed— worlds unto themselves. As enterprises set up early networks, the question of how to get applications to interact with each other became a pressing business concern, and led to the introduction of Remote Procedure Calls (RPCs). A client computer might directly interact with the program running on a...
After more than five years of DevOps, definitions are evolving, boundaries are expanding, ‘unicorns’ are no longer rare, enterprises are on board, and pundits are moving on. Can we now look at an evolution of DevOps? Should we? Is the foundation of DevOps ‘done’, or is there still too much left to do? What is mature, and what is still missing? What does the next 5 years of DevOps look like? In this Power Panel at DevOps Summit, moderated by DevOps Summit Conference Chair Andi Mann, panelists w...
Automating AWS environments is important for all businesses as it simplifies creation and setup of cloud resources, facilitates otherwise complex processes, and streamlines management. The benefits of automation are clear: accelerate execution, reduce human error and unwanted consequences, and increase the enterprise’s ability to rapidly adapt, all while reducing the overall cost of IT operations. In his session at 17th Cloud Expo, Patrick McClory, Director of Automation and DevOps at Datapipe...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...
IT is often cast in a dichotomy where things are either viewed as traditional, stable, and safe or innovative, impermanent, and vulnerable. There have been multiple attempts to organize these classifications in a fashion that make IT budget and planning more predictable such as various agile methodologies, DevOps, and the bimodal model. What qualifies as success depends on the customer and producer involved in a project. A survey conducted by Scott Ambler in 2013 suggests that being on schedule...
Most everyone in Cloud IT circles has realized the power of containerization and that companies are adopting Docker containers at a remarkable rate. There are many good reasons for this, such as easily setting up dev/test scenarios (DevOps), and building out sophisticated, distributed computing clusters. But there are some deeper questions this talk will address from the Microsoft perspective. For example, what is the future of Windows in a containerized world? How will Windows and Linux work to...
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in high-performance, high-efficiency server, storage technology and green computing, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology is a premier provider of advanced server Building Block Solutions® for Data ...
The 6th International DevOps Summit, co-located with 18th International Cloud Expo – being held June 7-9, 2016, at the Javits Center in New York City – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterp...
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists will address the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make t...
SYS-CON Events announced today that Colovore, the Bay Area’s leading provider of scalable, high-density colocation solutions, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. With power densities of 20 kW per rack and a pay-by-the-kW pricing model, Colovore is Silicon Valley’s premier provider of flexible, high-density colocation solutions. Our 9 MW facility has the power and cooling your se...
Docker is hot. However, as Docker container use spreads into more mature production pipelines, there can be issues about control of Docker images to ensure they are production-ready. Is a promotion-based model appropriate to control and track the flow of Docker images from development to production? In his session at DevOps Summit, Fred Simon, Co-founder and Chief Architect of JFrog, will demonstrate how to implement a promotion model for Docker images using a binary repository, and then show h...
Overgrown applications have given way to modular applications, driven by the need to break larger problems into smaller problems. Similarly large monolithic development processes have been forced to be broken into smaller agile development cycles. Looking at trends in software development, microservices architectures meet the same demands. Additional benefits of microservices architectures are compartmentalization and a limited impact of service failure versus a complete software malfunction....
Node.js has been in the industry a long time and yet the conversations about it never seem to slow down. So what’s all the fuss about? What makes Node.js different from other programming languages and environments out there? Take a look at the infographic below and discover what! BTW: You should know that Monitis has Node.js monitoring in its suite of application monitoring services. So if you’re building innovative mobile and web applications in the Node.js platform, you’ll certainly appr...
In their session at DevOps Summit, Asaf Yigal, co-founder and the VP of Product at Logz.io, and Tomer Levy, co-founder and CEO of Logz.io, will explore the entire process that they have undergone – through research, benchmarking, implementation, optimization, and customer success – in developing a processing engine that can handle petabytes of data. They will also discuss the requirements of such an engine in terms of scalability, resilience, security, and availability along with how the archi...
This article series has covered a lot of ground: it presented an overview of application performance management (APM), it identified the challenges in implementing an APM strategy, it proposed a top-5 list of important metrics to measure to assess the health of an enterprise PHP application, and it presented AppDynamics’ approach to building an APM solution. In this final installment this article provides some tips-and-tricks to help you implement an optimal APM strategy. Specifically, this arti...
No one should need to be convinced the value of good data. It gives you the confidence to make decisions quickly and with less risk, it allows you to measure your success, and it lets you know when you need to adjust your course. But there’s a difference between knowing the value of data, and creating a culture around it. A data-driven culture is a culture where everyone quantifies their actions as much as possible, and asks themselves how their teams are having a tangible impact on the business...