November 15, 2022

Last Updated on January 15, 2024

Public cloud environments are architected for robust security and offer a wealth of services to help users implement security best practices. Yet it remains dauntingly easy for application code and/or users’ operational and management processes to introduce unforeseen vulnerabilities and risks that threaten critical cloud-based workloads and the sensitive data they process.

Why is cloud application security so challenging and potentially hazardous? What can orgs do to avoid costly mistakes and know their applications are secure in the public cloud?

To share a comprehensive, “full-stack” understanding of how to build, deploy, and manage highly secure applications in the public cloud, the latest episode of The Virtual CISO Podcast features Jeff Schlauder, Founder at Catalina Worldwide LLC.

No Easy Button

With all the sophistication of public cloud infrastructure, you’d think there would be simple DIY templates or wizards to get newbies up and running safely. But as Jeff explains, there are too many dependencies to consider in each specific context.

“Simple is the key word there,” Jeff jokes. “There are multiple ways to deploy applications securely to the cloud. But when you’re designing a solution there’s not a lot of out-of-the-box, Easy Button, just follow these two or three steps and you’re going to be all set. That’s typically not what we see, and it certainly wasn’t how we got there. There is a lot of ‘it depends’ that comes into play.”

Who is responsible for security?

A major question in any public cloud deployment is who will be managing the infrastructure and what is their skill set?

“There are a lot of really great tools and capabilities within AWS,” Jeff states. “But they’re not necessarily simple. It takes time to build knowledge in each of those areas.”

If the team that’s supporting the application environment doesn’t have the skills necessary to manage it the way it was architected, that can introduce huge security risks.

“We’ve seen it happen where you can design a really great, secure solution—but it’s so complex that a mistake or not understanding how everything interrelates can cause unnecessary risk and security issues,” warns Jeff.

Factoring management into design

A best practice at Catalina Worldwide is to factor application management choices in from the start.

“There’s a common misconception that just having somebody build it and then you’ll run it will somehow end up with a more secure application or less cost,” offers Jeff. “Typically, in our experience that isn’t the case.”

Outsourcing the complete application lifecycle allows the vendor to leverage what Jeff calls the paved road approach: “If we’re going to build this and we’re going to manage it, we’re going to build it using the technologies we’re comfortable with, which are industry best practices.”

Going “off-pavement” with customizations introduces risk as well as cost.

Yes to containers

As AWS specialists, Jeff’s team is quick to leverage EC2 containers as part of nearly every app deployment. Containers offer uniformity and ease of maintenance through greater automation; ECR versus Kubernetes offers simplicity at the expense of portability to other public clouds.
