Barracuda Networks has made its web application firewall (WAF) available on the Google Cloud Platform (GCP).
Tim Jefferson, vice president of public cloud for Barracuda Networks, said the availability of CloudGen WAF on GCP means organizations can now deploy a common approach to manage a WAF across all three of the major cloud services.
Each cloud service provider has built a unique set of cloud infrastructure that requires software vendors to build separate hooks into each platform. Now that GCP is gaining more traction among developers, Jefferson said there’s more demand for a WAF that is optimized for GCP.
As multi-cloud computing becomes the new normal, developers are looking for a means to broadly apply DevSecOps processes that leverage REST application programming interfaces (APIs), he said. Within those scenarios, the WAF is emerging as a control point through which cybersecurity policies are defined by cybersecurity professionals, but implemented by developers. That approach should help alleviate the pressure on hard-pressed cybersecurity teams that are finding it difficult to hire and retain staff at a time when application deployment has never been more distributed, he added.
Ultimately, the WAF increasingly will be the means through which most policy enforcement relating to the egress and ingress of data will be automated via REST APIs, Jefferson said, adding those APIs are critical because developers will not embrace cybersecurity tools that require them to master a graphical user interface (GUI).
The next big issue that needs to be addressed in the cloud, he noted, is billing, as developers want to be able to consume cybersecurity resources in the same way they consume compute and storage. That requires cybersecurity vendors to be able to integrate their offerings with the billing services provided by the cloud service provider.
In general, Jefferson said it’s simply not practical to lift and shift existing cybersecurity frameworks into the cloud because so many on-premises environments are built around a specific virtual machine through which the firewall is trying to secure both the host and the application. In the cloud, the hosts are secured by the service provider, while the IT organization is held responsible for securing the applications that run on those hosts. The biggest issue is that many cybersecurity teams often are unaware of where applications are deployed in the first place—line-of-business units today enjoy unprecedented levels of flexibility that make it easy for many of them to bypass cybersecurity controls, either out of ignorance or occasional willful disobedience.
It may take a while for cybersecurity teams to get their arms around the implications of cloud-native applications. Not only are the core underlying technologies different, but there’s also an emerging separation of cybersecurity duties and responsibilities that requires significant cultural changes to be made across the IT organization.
The good news is that as products and processes continue to evolve, applications should become more secure—which hopefully will reduce the current level of cybersecurity stress for all concerned.