BIG-IP Cloud Edition: The Security Advantage of Per-App Architectures

This is part two of our three-part series on F5 BIG-IP Cloud Edition. You can find the first blog here.

Application security and mitigating risk are critical for every business. Why? Because modern applications—and the wealth of sensitive data they contain—are the lifeblood of enterprise.

Here are some fun (read: frightening) facts that illustrate what we mean:

• According to National Cyber Security Alliance research, as much as 60% of SMBs go out of business following a hack or security breach
• Over 70% of attacks target SMBs

And, as expected, the costs are even higher for larger enterprises:

• The 2017 Cost of Data Breach Study from the Ponemon Institute estimates the global cost to be $3.72 million or $141 per record
• The average number of records compromised is 24,000

These figures, while sobering in and of themselves, don’t highlight the fact that many applications—especially the mission critical ones—have a number of cascading dependencies and connections to other apps. That means one security shortcoming, one overlooked entry point, one firewall breach, can have serious impact on your entire application catalog—unless you do something about it. Unfortunately, many companies just aren’t.

The Application Existential Dilemma: Simply Being Introduces Risk

In our 2018 State of Application Delivery it was discovered that 36% of the companies we talked to plan on protecting less than a quarter of their apps. I know what you’re thinking: “That’s fine…They only need to protect the high-risk, high-value apps in their catalog.” This is simply not true; all apps introduce security holes and risk simply by existing—this is especially true for the valuable ones.

“All valuable apps introduce risk…the most basic is dependency…All the app has to do is be valuable and unavailable for it to create problems.”

And while user apps introduce risk, the apps that other applications need to function properly and perform optimally (services) introduce even more risk because of the layers of dependencies. This dicey, all-too-common approach provides an ideal breeding ground for:

• East-west network traversal
• Data exfiltration
• “Island hopping” attacks

This impacts everyone (not just security teams), creating headaches for app owners, network teams, operations teams, customer service, helpdesks, incident managers, analysts, etc.

No More Group Therapy: Mitigating Risk Requires an Individualized Approach

We’ve touched on the distinct security advantage that a per-app architecture offers in a previous blog. It’s not unlike a microservices architecture, a way of developing apps which also provides a leg up on the security front. The enhanced security of a per-app approach is exhibited in four key ways:

1. Faster, more frequent distribution of security updates, fixes, and policies. Updating apps 2x to 3x per year simply isn’t good enough. A per-app architecture means app owners (and the SecOps teams supporting them) can apply security updates quickly and not worry about affecting other apps in production.
    
2. Limited blast radius. If/when a threat compromises an app, every other app in your production environment (on-premises, private cloud, public cloud, hybrid) is safe as they are isolated from each other. It’s almost as if every app in your production environment has its own HAZMAT suit—just in case.
    
3. Deeper visibility = Faster “time to innocence.”Because security and the associated analytics are tackled on a per-app basis, it’s much easier to:
   • Identify anomalies with traffic and application behavior
   • Drill down and find root causes
   • Remediate the issue
      
4. Addressing the “candy problem.” You’ve heard it before: Network and application architectures are like a candy bar, “hard and crunchy on the outside, soft and gooey on the inside.” While this is an overused analogy, it’s still very true. A per app architecture (and approach to security services) is like having little fortresses inside your fortress. If the bad guys get past the outer wall, they are then confronted with tens (or hundreds) of smaller walls.
    

What can be done in the current advanced threat landscape?

Beyond a per-app approach, proactive security policies and robust tools are absolutely essential. Unfortunately, the majority of existing security solutions—such as many WAF offerings—are insufficient against the current wave of sophisticated, automated attack vectors and techniques. Bots, botnets, credential stuffing attacks, and app-level DoS attacks (now the top type of security incident) are commonplace and VERY difficult to defend against.

It’s clear that for businesses to survive in today’s app-focused digital economy, they need superior application services—ones that deliver availability, performance, and security. Furthermore, they need a way to deploy these services in a way that helps them be more agile and secure.

F5’s BIG-IP Cloud Edition is an ideal solution to tap into the security benefits of a per-app architecture. BIG-IP Cloud Edition marries the best-of-breed F5 application services (including the most advanced web application firewall) with the deep visibility, ease-of-use, and tight control of BIG-IQ Centralized Management—right-sized and with flexible licensing that promotes business agility. And with its robust automation, your services and security expand and contract based on need, business drivers, and policies you set. Best of all, with its fine-grained RBAC, DevOps, NetOps, and SecOps can work together, not against each other—helping align their (usually very different) priorities.

Be sure to check back for our third and final blog in this Cloud Edition series. We’ll explore BIG-IP Cloud Edition’s automation, analytics, and autoscaling functionality, and how they can help you to better take advantage of your public cloud investments.