WHITE PAPER ENSURING APPLICATION AVAILABILITY AND SECURITY IN THE CLOUD

Transcription

1 WHITE PAPER ENSURING APPLICATION AVAILABILITY AND SECURITY IN THE CLOUD

2 CONTENTS EXECUTIVE SUMMARY 3 THE LIFEBLOOD OF MANY BUSINESSES IS UNDER ATTACK 3 IT LEADERS FACE A DIFFICULT BALANCING ACT 3 Companies are Exposed in the Cloud 5 Threat Challenge: Seeing and Connecting Threats across All Environments 6 HARNESSING CLOUD-BASED PROTECTION FOR BETTER BALANCE 6 CONCLUSION: ADOPTING A HYBRID SECURITY APPROACH IS KEY TO APPLICATION RESILIENCY 7 ABOUT VERISIGN 7 2 Verisign Public Ensuring Application Availability and Security in the Cloud

3 EXECUTIVE SUMMARY Organizations relying on online applications to deliver services to customers and generate revenues for the business must contend with an increasingly hostile and complex threat environment. The challenge is complicated when IT leaders move these applications to a public, private or hybrid cloud. Without communications and interactions between on-premise security and hosted applications, organizations lose visibility and control over application security and availability. As organizations move to the cloud for agility, efficiency and cost savings, they need to align their security approach accordingly, and adopt a novel yet proven approach for striking a balance between availability and security of applications in the cloud. THE LIFEBLOOD OF MANY BUSINESSES IS UNDER ATTACK Today s enterprises increasingly rely on Web-based services and applications to power their businesses, including those fueling online commerce, service delivery, support, communication, collaboration and more. These applications and services drive significant revenue and profit, making them the lifeblood of these organizations. Yet, it s no small matter ensuring these diverse and complex services and applications are always available and working without fail. This is especially true in a world characterized by a growing range of sophisticated security threats and massive distributed denial of service (DDoS) attacks. It s no wonder TechTarget s 2014 IT Priorities Survey indicates that 45 percent of respondents will be adding new capacity in network security and 35 percent plan on adding threat detection and management. 1 The mandate for today s CIOs and CSOs is to prevent outages, reduce the risk of and thwart any and all attacks, and minimize network exposures. Doing so is vital to securing non-stop business operations, protecting brand reputation, and satisfying customer and employee expectations. IT LEADERS FACE A DIFFICULT BALANCING ACT One could argue that this is a balance long required of those in charge of IT infrastructure. However, they now face a much more difficult challenge and delicate balancing act. Because of the need to support large and computeintensive databases and a huge volume of users, applications have grown very large and complex. Fewer than 30 percent of organizations are prepared for a DDoS attack against their extended network infrastructure.2 To handle this explosion of large, complex applications in the midst of significant budget constraints, tech leaders have been driven to leverage a variety of environments to host and deliver these applications. These include various cloud environments including public, private and hybrid often interconnected to ensure an always-on operating environment. 1 Sales, Francesca. Top enterprise IT spending trends and priorities of April 29, SearchCIO.com. Top-enterprise-IT-spending-trends-and-priorities-of-2014/1/Investments-in-technology-reveal-IT-priorities-across-the-enterprise#contentCompress 2 Forrester Research. DDoS Mitigation and DNS Availability Should Be Key Components of Your Resiliency Strategy. December Verisign Public Ensuring Application Availability and Security in the Cloud 3

4 The benefits of this distributed approach seem clear. David Floyer, CTO of tech community site Wikibon, states, Wikibon forecasts that the total worldwide value created by the industrial Internet alone will be $1,279 billion in 2020, with an IT spend of $514 billion Our initial finding is 90 percent of the value comes from the business, through faster time-to-deploy and change, and increased availability of resources to develop new applications. About 10 percent of value comes from lower IT costs and in some cases lower IT budgets, particularly from lower OPEX costs for supporting applications. 3 CYBER CRIMINALS CYBER SPIES ZERO-DAY VULNERABILITIES Application Environments and Online Threats are Diversifying (Source: VeriSign, Inc.) At the same time, CIOs and CSOs are facing an increasingly complex threat landscape, spanning cyber crime, new system and application vulnerabilities, hacktivism and espionage. With applications hosted in the cloud, tech leaders must contend with a bigger attack surface and threats that are so large, sophisticated and malicious, they have reached Internet scale. In just one example, Verisign s Quarterly DDoS Trends Report showed that the number of DDoS attacks exceeding 10 gigabits per second (Gbps) grew substantially between the second and third quarters of The issue is complicated by all the ways online applications are accessed. In addition to connecting via corporate networks, employees, customers, partners and others often access online services via mobile devices from anywhere. Each of these end points can serve as conduits for potential security threats. It s no wonder IT and security staff struggle to stay abreast of and maintain knowledge and understanding of the ever-changing scope of threats. More importantly, these attacks are beyond the control of organizations using reactive strategies. 3 Floyer, David. Beyond Virtualization: From Consolidation to Orchestration and Automation. Wikibon. Oct. 12, Verisign. Verisign DDoS Trends Report: Q November VerisignInc.com. 4 Verisign Public Ensuring Application Availability and Security in the Cloud

5 As the average attack size increases and networks are flooded, it is more difficult sometimes impossible for organizations to mitigate DDoS attacks using traditional security devices. In fact, attacks that saturate an organization s network pipes render on-premise security devices ineffective, leaving applications vulnerable. Companies are Exposed in the Cloud Consider these two examples: A global media company with 20,000 employees maintains many private data centers around the world. The company s CIO faces significant cost pressures as he or she expands the organization s network to support a global customer and employee base. At the same time, the CIO must support new online applications and services, including traditional websites, e-commerce in many markets, and applications in many languages. He or she chooses to move many of those applications and services into a new public-cloud environment for cost savings. However, the tools the organization has relied on for years to proactively manage security in its data centers don t integrate with the new cloud environment. This leaves the CIO s security approach out of balance and exposes the organization to problems. There is growing recognition that there is no silver bullet. Firewalls and antivirus software alone cannot keep hackers out, so corporations are beginning to take a more layered approach to data protection. 5 -Nicole Perlroth, The New York Times Or consider the case of a quickly growing niche software-as-a-service (SaaS) company with 300 employees. The company s hugely popular and proprietary application is hosted by a very large public-cloud services firm in the U.S. To support the company s global expansion, its CIO recently signed hosting agreements to offer localized versions of the application in numerous markets around the world. For legal reasons, the data generated by the application must also be hosted in many of the local markets, including Germany, the U.K. and others. The CIO is worried about load balancing across all those locations. Perhaps more concerning is that the traditional flow-based monitoring tools the organization had used to proactively address security are not available from all of the new hosting providers. In these different cloud environments, this organization is now exposed to new threats. In short, while many organizations are compelled to host their applications in the cloud, they are bumping up against shortcomings when it comes to extending their traditional security tools and approaches into these new environments. Simply put, what worked in more contained environments and in a simpler threat landscape doesn t provide the threat awareness, visibility or control needed to cover the size of the new attack surface and the scale of today s threats. In fact, because today s attacks can completely overwhelm any on-premise security solution, industry experts and analysts recommend a hybrid approach to mitigating the impact of DDoS attacks. 5 Perlroth, Nicole. hacked vs. Hackers: Game On. Dec. 2, The New York Times (nytimes.com) Verisign Public Ensuring Application Availability and Security in the Cloud 5

6 Threat Challenge: Seeing and Connecting Threats across All Environments CIOs are embracing more open environments to deliver key applications and services, but these moves leave their security counterparts feeling nervous. In fact, according to Laurie Wurster, research director at Gartner, Data loss, data breaches, unsecure application programming interfaces (APIs) and shared technology in a multi-tenant environment are just a few of the concerns expressed by respondents [to a 2014 Gartner survey] tackling the option of using public cloud. 6 After all, visibility of threats in these cloud environments is a key challenge. Can an on-premise device provide threat data to applications in the cloud? Will information about threats to hosted data in the cloud be shared with devices in the traditional data center? Protecting against DDoS attacks increasingly requires communication and coordination between many components from networking equipment to specialized appliances and cloud-based services. Today s IT leaders need a solution that provides a single pane of glass to integrated threat intelligence for any environment. Only open protocols can consolidate all the information available to identify and mitigate attacks in today s complex environments. The Verisign OpenHybrid architecture enables this through a standards-based, vendor-agnostic approach to DDoS protection and application availability. Verisign OpenHybrid makes it possible for on-premise security devices and diverse application environments to signal to upstream cloud-service providers, such as when an application is under DDoS attack. These threat-intelligence signals can enable faster detection and mitigation of attacks across private and public-cloud environments and data centers, along with a vendor-agnostic security approach. Most importantly, it allows organizations running applications in leading public clouds to better protect themselves against DDoS attacks. HARNESSING CLOUD-BASED PROTECTION FOR BETTER BALANCE Relying solely on traditional premise-based or discrete threat solutions is insufficient and won t provide balanced protection across more complex environments. CIOs and CSOs need to consider an approach that complements their existing security strategies while enabling interoperability between environments and protection against DDoS and other threats. Leveraging a comprehensive, interoperable approach will enable proactive threat intelligence 6 Press Release. Gartner Survey Reveals That SaaS Deployments Are Now Mission-Critical. Gartner.com. Nov. 25, Verisign Public Ensuring Application Availability and Security in the Cloud

7 and make applications more available and secure. With CIOs and CSOs more prepared to protect applications and data across different environments, CIOs can deliver on their promise to the business of uptime and always-on services. Cloud-based DDoS protection services divert and filter attack traffic before it reaches an organization s network. Besides mitigating the entire attack outside the organization s environment, these protection services complement onpremise solutions so businesses can cost-effectively address a range of threats. CONCLUSION: ADOPTING A HYBRID SECURITY APPROACH IS KEY TO APPLICATION RESILIENCY A growing reliance on Web-based applications, an evolving threat landscape and fragmented security has yielded new IT challenges. Businesses increasingly rely on network availability as applications and systems that support businesscritical applications move to cloud environments. As more companies shift their workloads onto public, private and hybrid cloud infrastructure, they are exposed to new security risks and the potential for application downtime. The challenge of balancing availability and security is complicated by the fact that attacks are growing in size, complexity and frequency and that traditional tools often prove inoperable or ineffective in cloud environments. A hybrid approach that calls upon open standards helps ensure interoperability between diverse environments and addresses the new operating and threat landscape. A combination of on-premise security devices communicating with cloud service providers, augmented by cloud-based DDoS protection and actionable threat intelligence is paving the way for non-stop availability and secure applications. Combining on-premise security devices with cloud-based DDoS monitoring and mitigation provides a powerful foundation for application and service availability. By taking advantage of this opportunity, organizations can effectively defend against today s increasingly massive and complex DDoS threats, and help ensure the uninterrupted flow of their lifeblood. To learn more about ensuring application availability and security in the cloud, visit today. ABOUT VERISIGN Verisign, a global leader in domain names and Internet security, enables Internet navigation for many of the world s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key Internet infrastructure and services, including the.com and.net domains and two of the Internet s root servers, as well as performs the root-zone maintainer functions for the core of the Internet s Domain Name System (DNS). Verisign s Network Intelligence and Availability services include intelligence-driven Distributed Denial of Service Protection, idefense Security Intelligence and Managed DNS. To learn more about what it means to be Powered by Verisign, please visit VerisignInc.com. Verisign Public Ensuring Application Availability and Security in the Cloud 7

8 VerisignInc.com 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners. Verisign Public VRSN_EAAS-Cloud_WP_201504