Application Evolution … And its Security Impact

As applications have evolved from legacy, monolithic designs to modern, microservices-based ones, they have become increasingly disaggregated into smaller and more numerous components that run on a variety of workloads (VMs, containers, serverless, etc.), are distributed across multiple clouds and heterogeneous, hybrid environments, and are dynamic and ephemeral in nature.

The exponential increase in the number of workloads per application has also resulted in an explosion in the number of inter- and intra-application API traffic flows.

The unintended consequence of all of this is that applications have become much more vulnerable to threats, as their attack surface has opened up to become much larger and more dynamic. Applications have also become more susceptible to higher-layer (i.e. API-layer) attacks, as is evident from the recent spate of application and API exploits (recall the IRS hack, the Equifax attack, the Facebook hack and the USPS hack, just to name a few).

So what do Enterprises do today to secure their applications and data? Well, they deploy a plethora of perimeter-based security solutions such as network firewalls and/or web application firewalls (WAFs). In many Enterprises, unfortunately, that is the only application security solution they have in place, and in the event that the perimeter is breached, which happens quite often, they have no way to prevent sensitive data from falling into the wrong hands. Several other Enterprises have a network-based micro-segmentation solution deployed to contain east-west threats, which again does nothing to stop application-layer attacks. And then there are others who have put together 'Appsec teams' that manually (or by running tests) look for vulnerabilities within the application code. All these solutions are either inefficient or ineffective in defending against ever more sophisticated application-layer attacks. And with increasing multi-cloud and multi-environment deployments, applications are essentially perimeter-less, leaving them wide open to east-west attacks at the API layer.

What Enterprises really need, therefore, is a comprehensive and application-centric approach to security that is distributed and moves along with the application workloads. In other words, they need a security solution where every microservice is responsible for its own security, where each service interaction is protected at the API layer in a distributed and zero-trust manner, and where application-level access controls and fine-grained segmentation provide intelligent defense against sophisticated application-layer and API attacks. Furthermore, security practitioners should be able to implement security without manual application inspection or any application code change, i.e. security should be added transparently to existing applications.
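As an added illustration (not code from the original post), the check below contrasts what a network-only micro-segmentation rule sees with the identity-based, deny-by-default API-layer check that a per-service sidecar or proxy would enforce; the service names, SPIFFE-style identities, paths and the 10.1.0.0/16 segment are constructed for the example.

```python
"""Constructed example: network-level vs. API-layer authorization for one service."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from posixpath import normpath
from typing import Optional


@dataclass(frozen=True)
class Request:
    peer_identity: Optional[str]  # workload identity from the mTLS peer cert; None if no mTLS
    src_ip: str
    method: str
    path: str


# Hypothetical per-service policy: (caller identity, allowed methods, path prefix).
# Anything not listed is denied (zero-trust, deny by default).
API_POLICY = {
    "orders-svc": [
        ("spiffe://example.internal/checkout-svc", {"GET", "POST"}, "/orders/"),
        ("spiffe://example.internal/reporting-svc", {"GET"}, "/orders/stats"),
    ],
}
APP_SEGMENT = ip_network("10.1.0.0/16")  # constructed "application tier" segment


def network_segmentation_allows(req: Request) -> bool:
    """A network micro-segmentation rule only sees the source address."""
    return ip_address(req.src_ip) in APP_SEGMENT


def _path_matches(path: str, prefix: str) -> bool:
    # Normalise both sides so "/orders/../admin" cannot slip past a prefix rule and
    # "/orders/stats" does not accidentally cover "/orders/statsdump".
    path, prefix = normpath(path), normpath(prefix)
    return path == prefix or path.startswith(prefix + "/")


def api_layer_allows(service: str, req: Request) -> bool:
    """Identity from mTLS, then method and path checked against the service's rules."""
    if req.peer_identity is None:  # unauthenticated peer: never allowed
        return False
    for caller, methods, prefix in API_POLICY.get(service, []):
        if req.peer_identity == caller and req.method in methods and _path_matches(req.path, prefix):
            return True
    return False
```

A request from an authorised peer inside the segment that uses an unlisted method or path is passed by the network rule but refused at the API layer, which is exactly the gap the text describes.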

In a world where attackers are getting ever more sophisticated, leaving a gaping hole in the security posture only makes it that much easier for bad actors to get access to sensitive data. And so to stay ahead in the game, Enterprises need to put in place comprehensive, distributed and intelligent application-security solutions.