New Survey Illustrates Real-World Difficulties in Cloud Security

Cloud security is not as simple as picking up traditional network perimeter appliances and converting them into cloud services, a new study shows. But security may ultimately be better for the change.

Barracuda Networks surveyed 608 participants from organizations around the world. A majority (57%) say that their on-premises security is superior to cloud security, with the percentage answering that way growing in lock-step with the size of their organization.

That's a problem for many organizations when they begin planning for security in the cloud. 83% say they have concerns about deploying traditional firewalls in the cloud, with 39% naming "pricing and licensing not appropriate for the cloud," and 34% citing "lack of integration prevents cloud automation" as their primary concerns.

The report is based on a survey conducted by Dimensional Research on behalf of Barracuda. 

Tim Jefferson, vice president of public cloud at Barracuda, says these organizations have reason to be concerned. "Companies that are trying to cut and paste into the public cloud are having trouble. Security has always been around the network and a lot of appliances are built around architectures centralized in the data center," he says. "Firewalls tend to scale vertically and that's an anti-pattern for the cloud, where best practice is to keep everything federated and elastic. The tools don't fit."

The bigger issue, Jefferson says, is that many of the tools that companies struggle to place into the cloud aren't really needed for cloud security. "In a public cloud you don't need a lot of those functions," he says. "A next-generation firewall isn't required in the cloud - you don't have to match the user to the function and filter on that because a properly architected cloud application will do that for you."

APIs Over Firewalls

Relying on the cloud applications - and to put a finer point on it, the cloud application APIs with their controls and logging capabilities - allows forward-thinking security professionals to have better security in the cloud than they have in their traditional data center architecture, Jefferson says. According to the report, 74% of respondents cite "Integration with cloud management, monitoring, and automation capabilities" as the most beneficial cloud-specific firewall capability.

Integration is key, but organizations are finding it difficult to fully integrate cloud security into their DevOps or DevSecOps, with 93% saying they have faced challenges integrating security into those practices. Jefferson is blunt when he talks about the changes needed for organizations to move past the current difficulties: "All the visibility that's so difficult to instrument in the data center is built in with the public cloud. It's all done by API and that can be instrumented to police and monitor security."

He says it all depends on perspective. "It's really the lens you look through," he says. "The traditional enterprise architect has thought of visibility as the instrumentation to see into ports and packets."

But the problem is that public cloud "can't provide span ports and access to layer 2. So they see public cloud and say there's no visibility," he says.

The public cloud, however, provides a better management tool. The management plane of the cloud can allow a security professional to track every interface and every record - every query, every response. The hard part is that the security professionals must re-think the means to the end of infrastructure security.

Security Hurdles

There are two huge hurdles standing between organizations and security in the cloud. The first is a human component that lies between security professionals' ears. "It makes the professional uncomfortable," Jefferson says, referring to security using APIs. "They want the tools they've always used."

The second hurdle may be higher because it involves money. Jefferson says that the traditional licensing model for firewalls and other network security appliances just doesn't work in a cloud environment where best practice is to spin up many federated instances rather than a handful of highly vertical compute centers.

"Now that things are federated and people may want to deploy hundreds of firewalls, vendors can't charge vast sums per license," Jefferson says. If they do, they "end up deploying bad things because they feel they can't afford the licenses."

Ultimately, in order to move security to a point where companies feel that cloud security is on a par with or better than on-premises security, both the deployment model and the licensing structure must be based on what works best for the application - not just what the licenses force a company to do.

Following genuine best practices in the cloud provides better security for an organization than pure on-premise environments, he says.

Related Content:

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.