Software is taking over the world. Have you heard that one before? The rise of public clouds like AWS and vCloud Air moves your data out of your protected data center and into someone else’s domain. It’s one thing to protect your infrastructure if you own it, but what if you don’t? Cloud security requires a change in thinking.
Traditional security protects the infrastructure.
Remember the good old days before “cloud”? I’m not going to say it was easy, but it was definitely easier. Your data center was your castle and you were the king. Pass a decree, and all the gates were barred and the drawbridges were raised. Let no one in or out without an executive decree, and you were safe.
This method worked then, but it places all of the focus on protecting the hardware. How strong are the firewalls? Did we get all of the servers inside? Is the important data all stored in our safe databases? The infrastructure steals the attention, and all focus is placed on how to protect it. This works if all of your users use only your infrastructure, but what happens when they venture outside of your protected castle?
The cloud delivers applications to users.
In the public cloud, no one cares what servers you have, how high your firewalls are or the brand of your databases. You probably don’t own the firewall anyway. Applications can be served from anywhere on the globe at any time, and they are expected to be available 24 x 7 with no performance degradation. Users know which services they want to reach, and they request access directly to the applications that provide those services. The infrastructure plays second fiddle. ITIL v3 reorganized our delivery into a service-oriented model, but what about our security?
Change your thinking with F5 cloud security.
Stop thinking about what a user should be able to do with your infrastructure and start thinking about what makes sense for the specific users of your application. Sure, a user might need to upload files, but should they be uploading to this application? What about this page? Do you even trust this user enough to upload things? Cloud security requires getting trusted users into and out of your applications safely. Cloud security isn’t about barring the gates against the enemy; it’s about meeting each user at the gate and guiding him or her safely to and from the destination. This requires a change in thinking away from guarded infrastructure and towards contextual user policy. Who has access to What? Where? When? How?
But in public cloud environments, we don’t own the walls or gates—we must introduce our own guides. F5 Networks introduced Access Policy Manager Virtual Edition (APM VE) for just this purpose. The APM VE can also work in conjunction with your Application Security Manager Virtual Edition (ASM VE) to make sure that your public cloud remains a safe place to visit. All of these virtual editions live directly in the public cloud and help you stay in control. If the APM VEs are your guides, the ASM VEs are the guards on the wall, keeping watch across all users on a macro level and making sure that nothing is amiss. Lesson? If you can’t own the castle, at least own the guards.