The Importance of Unified Application Security for Your Multi-cloud Strategy

Andrea Swaney

Andrea Swaney is the Director of Strategic Partnerships. She has spent the last 10 years with security startups in leadership roles including Sales, Business Development and Alliances. When not working to secure the web, Andrea is likely to be found reading about or drinking wine, or on a vineyard somewhere in California or France.

A word from the product marketing and alliances team today!


Public, private, hybrid--you’ve got choices when it comes to cloud, and for good reason. Diversifying can be smart from a licensing perspective, or even given your organization’s size or technical priorities. According to Gartner, “a multi-cloud strategy will become the common strategy for 70% of enterprises by 2019, up from less than 10% in 2017.” (source)


As we see more customers adopting different platforms, our strategy remains the same--support them all! As you create more customer-facing (or even internal) web applications and services, you should have a unified view of how they’re being attacked, much like you already know how they’re performing. At Signal Sciences, we’re all about protecting any app, from any attack, and integrating into any DevOps toolchain for unparalleled visibility.


On this front, we’re announcing that customers can easily deploy Signal Sciences across Amazon Web Services, Google Compute Engine and Microsoft Azure infrastructure as a service (IaaS) providers. We’re available in all three marketplaces for easy access to immediate blocking against OWASP vulnerabilities, like SQLi and XSS attacks, without tuning any rules, wherever your apps are deployed. In addition to our marketplace presence, we fully support installing our software directly in the instances you’re running on these platforms. It’s up to you - and like a lot of our customers, you’ll probably have a bunch of different apps on different infrastructure.


Here are some reasons it’s important to have a unified solution across your applications, wherever they are deployed.


“I Love Managing Different Rulesets for Each Cloud’s own WAF!” Said No One Ever.

All these cloud providers have some version of their own web application firewall (WAF)...which comes with different rules to configure and test for OWASP injection attacks...for each application that you have. With point solutions and legacy WAFs running in front of cloud infrastructure, rules have to be tuned for each application that sits behind the cloud WAF instance, resulting in hundreds of rules to gain basic OWASP protection. Ooof. That sounds like an FTE (or three or four) to me! Plus, for your on-prem and internal apps, you might have yet another WAF...with another ruleset to manage. How do you get a clear picture of what’s going on across all your apps?


With Signal Sciences, you have one SaaS console to use for all your apps. Install our software on any app (wherever and however you run it), and the software sends relevant data up to our cloud where you see aggregate metrics and decisions collected from all of your web properties. With a single product, you can view everything that’s happening to your applications on an aggregate basis in real time, plus reporting that allows you to see trends over time. It’s like one big hub and spoke system, where the hub is the brain behind the operation (our cloud console), and the spokes reach out to collect and bring back data on all of your applications to make dynamic decisions (in apps, PaaS, containers— wherever).


A Note on Rules.

We just talked about the pain of different rulesets. But for rules themselves, remember-- Signal Sciences doesn’t require you to configure or write any rules for core OWASP vulnerabilities. And we’re in blocking mode, in production, for 95% of our customers--including top-ranked Alexa websites. Based on our lexical analysis of request parameters along with thresholds that we developed using big data and statistical analysis, you gain the benefits of being able to use blocking right out of the box. So to reiterate, you get immediate protection and visibility with no rules writing and no learning mode. For those who want protection that just works, Signal Sciences can really help you.


WAF rules (and RASP rules and logic) that aren’t configured properly mean sad user experiences. Yeah--that cat poster they were trying to buy, or that comment on a wall they wanted to post, that 2-factor authentication they were depending on to get their work done, or that really critical dataset they were trying to upload for a drug trial--gets blocked. And you don’t want that. You want great user experiences--and data to back it up.


TCO Is a Real Thing.

Not only is it difficult to write rules for tack-on WAF solutions for your cloud deployments, but imagine the costs associated with operationalizing and maintaining different products. Think of how much time you’d lose managing inconsistencies across the products. Even if you could ingest some kind of meaningful log data into a SIEM, you’d have a tangled mess of data that would have different contexts based on where the data originated. I think it’s fair to say most security teams would rather put that time towards other projects--such as using the data they get to make decisions, instead of writing rules and configuring logs and alerts on yet another system.


So, if you have mix-and-match environments--and Gartner said 70% of enterprises are going to by next year--think about the cost savings associated with a product that works out of the box and covers all of your apps.


So What?

We’re excited that you have infrastructure options. These provide unparalleled flexibility as you develop and scale out web apps to provide new and engaging experiences for your customers and employees. We want you to be able to ensure the same level of security across all these experiences - without impacting the customer experience.


Go forth and be awesome with all the clouds!