Ring of fire

But George Hess, CEO and co-founder of application security specialist Art of Defence and a prominent member of the Open Web Application Security Project, doesn’t agree that the issues lie with the user. “Users can only exploit cloud applications to the extent that the applications themselves allow,” he says. Hess suggests that proactive security features such as secure session management, form-field protection, user rights and encrypted data traffic all come into play. “My answer is, integrate a distributed Web Application Firewall [dWAF] that can handle all this.”

Firewalls as a ring fence around a hardwired network have had to adapt as everything becomes virtualized, so think of a dWAF as consisting of three modules: a decider, an enforcer and an administrator, each individually scalable as necessary.

The enforcer has two tasks: to take the security-relevant parts of the web traffic out of the web stream and hand them off to the decider, and to put the resulting decision into action. It is typically a plugin for firewalls, reverse proxies, load balancers or web and application servers.

The decider consists of the security policy framework and is responsible for analyzing the inbound and outbound web traffic of an application and deciding what will be done with the individual requests or responses.

Finally, the administrator allows for the management of the dWAF itself and is configurable based on applications under protection, rather than host-based. This frees up the dWAF to provide true multi-tenancy for cloud usage.
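To make the three-module split concrete, here is an added toy model of it in Python. It is not Art of Defence's product or any real dWAF code; the module names follow the text, but the policy shape, the request dictionaries and the applications ("shop", "blog") are constructed for illustration. The enforcer extracts only the security-relevant parts of a request (method, path, form fields, cookies) and acts on the decider's verdict; the decider applies a policy that the administrator keeps keyed by application rather than by host, which is what lets two tenants share one enforcer.

```python
"""Toy decider / enforcer / administrator split for a distributed WAF.

Added example, not the page's or any vendor's code. Policies, requests and
application ids below are constructed sample data.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Per-application policy held by the administrator (assumed shape)."""
    form_fields: dict = field(default_factory=dict)  # field name -> compiled regex
    protected_paths: tuple = ()                      # paths needing a session cookie
    session_cookie: str = "session"
    max_field_length: int = 256


@dataclass
class Decision:
    action: str   # "allow" or "block"
    reason: str


class Administrator:
    """Registry of policies keyed by application id, not by host (multi-tenancy)."""
    def __init__(self):
        self._policies = {}

    def register(self, app_id, policy):
        self._policies[app_id] = policy

    def policy_for(self, app_id):
        return self._policies[app_id]


class Decider:
    """Security policy framework: judges the extract the enforcer hands over."""
    def __init__(self, admin):
        self.admin = admin

    def decide(self, app_id, extract):
        policy = self.admin.policy_for(app_id)
        # Secure session management: protected paths need the session cookie.
        if extract["path"] in policy.protected_paths and \
                policy.session_cookie not in extract["cookies"]:
            return Decision("block", "missing session cookie on protected path")
        # Form-field protection: only known fields, bounded length, validated shape.
        for name, value in extract["form"].items():
            pattern = policy.form_fields.get(name)
            if pattern is None:
                return Decision("block", f"unexpected form field {name!r}")
            if len(value) > policy.max_field_length:
                return Decision("block", f"field {name!r} exceeds length limit")
            if not pattern.fullmatch(value):
                return Decision("block", f"field {name!r} fails validation")
        return Decision("allow", "policy satisfied")


class Enforcer:
    """Proxy/server plugin: extract, ask the decider, then act on the answer."""
    def __init__(self, decider, upstream):
        self.decider = decider
        self.upstream = upstream  # callable that serves an allowed request

    @staticmethod
    def extract(request):
        """Pull only the security-relevant parts out of the web stream."""
        cookies = {}
        for part in request.get("headers", {}).get("Cookie", "").split(";"):
            if "=" in part:
                k, v = part.strip().split("=", 1)
                cookies[k] = v
        return {"method": request["method"], "path": request["path"],
                "form": dict(request.get("form", {})), "cookies": cookies}

    def handle(self, app_id, request):
        decision = self.decider.decide(app_id, self.extract(request))
        if decision.action == "block":
            return 403, decision.reason
        return self.upstream(request)


def demo():
    """Two tenants behind one enforcer; returns (status, body) per sample request."""
    admin = Administrator()
    admin.register("shop", Policy(
        form_fields={"user": re.compile(r"[a-z0-9_]{1,32}"),
                     "password": re.compile(r"[^\r\n]{8,128}")},
        protected_paths=("/account",)))
    admin.register("blog", Policy(form_fields={"comment": re.compile(r"[^<>]{1,500}")}))
    enforcer = Enforcer(Decider(admin), upstream=lambda req: (200, "ok"))
    return {
        "shop_login_ok": enforcer.handle("shop", {"method": "POST", "path": "/login",
            "form": {"user": "alice", "password": "correct horse"}}),
        "shop_extra_field": enforcer.handle("shop", {"method": "POST", "path": "/login",
            "form": {"user": "alice", "password": "correct horse", "role": "admin"}}),
        "shop_no_session": enforcer.handle("shop", {"method": "GET", "path": "/account"}),
        "shop_with_session": enforcer.handle("shop", {"method": "GET", "path": "/account",
            "headers": {"Cookie": "theme=dark; session=abc123"}}),
        "blog_comment_html": enforcer.handle("blog", {"method": "POST", "path": "/post/1",
            "form": {"comment": "<script>x</script>"}}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the decider only ever sees the extract, it can run in a separate process or host from the enforcer and be scaled independently, and because the administrator indexes policies by application id, adding a tenant is a new policy entry rather than a new host configuration.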
