How cloud architectures defend against the cyber attack surge

As we look to a post-pandemic world, we can expect to see companies invest in building resilience to destructive-type attacks. 2020 saw a record number of distributed denial-of-service (DDoS) and ransomware attacks, and the numbers are expected to remain high through the rest of this decade.

The cloud — and cloud-native architectures — can help deliver resilience due to three key attributes:

Distributed applications and services: If your applications are leveraging a distributed delivery model, for example leveraging cloud-based services such as content delivery networks (CDNs), then you have to worry less about DDoS attacks, as these attacks work best by concentrating their firepower in one direction.

Immutable data sets: If your applications are leveraging solutions that do not modify records but rather are “append-on-write,” in other words your data set is immutable, then you have to worry less about attacks on the integrity of that data, as it is easier to detect and surface such attacks.

Ephemeral workloads: Finally, if your applications are ephemeral in nature then you may worry less about attackers establishing persistence and moving laterally. And the value of confidential information (such as tokens associated with that application instance) is reduced, as those assets simply get decommissioned and new ones get instantiated within a relatively short frame of time.

By leveraging modern cloud-native architectures that are distributed, immutable and ephemeral, you help address the issues of confidentiality, integrity and availability that have been the foundational triad of cybersecurity.

So how are companies manifesting these attributes in their applications? Modern cloud architectures are moving from monolithic, tiered models to distributed microservices-based architectures, where each microservice can scale independently, within a geographic region or across regions. And each microservice can have its own, optimized storage and database, thereby allowing that service to run stateless (or perhaps more accurately using a shared-state model where the state is shared amongst the running instances via the storage/database layer). This allows those services to become truly ephemeral and distributed.

Pets vs. cattle

This brings us to a concept that has seen quite a bit of discussion already in the context of the cloud — pets vs. cattle.

Pets have a cute name and can be recognized individually. If a pet falls ill, the owner takes it to the vet. Owners give their pets a lifetime of caring and make sure they live healthy lives for as long as possible. Traditional applications are like pets. Each instance is unique. If the application gets infected, it is taken to the cyber vet. “Patch in place” is common with traditional applications, which make these instances unique. IT’s job is to keep the applications up and running for as long as possible.

Cattle on the other hand, don’t have names, they have numbers. You generally cannot distinguish the cattle in the herd, and you don’t build relationships with them. If cattle fall ill or get infected, you cull the herd. Modern cloud applications are like cattle. You create many running instances of the services, and each instance is indistinguishable from the other. They are all manifested from a golden repository. You never patch-in-place, i.e. you never make the instances bespoke. Your job is to make the instances ephemeral, killing them quickly and creating new ones. In doing so, you build resilient systems rather than fragile ones.

Benefits of the cloud

The cloud offers many tools to help build systems that follow this paradigm. For example, Amazon recently announced “chaos engineering” as-a-service, which allows organizations to introduce elements of chaos into their production workloads, such as taking down running instances, to ensure that the overall performance isn’t impacted and the workloads over time become resilient in the face of these types of operational setbacks.

Getting to this point is a journey, and companies may need to take multiple steps to get there. For example, if you move your pets from an on-premises world to the cloud world without significantly altering the architecture of the applications, that’s just one step. The common term for this is “lift and shift.” Once your applications are in the cloud and you have started building familiarity with cloud native tools, you can work on re-architecting those pets into modern architectures that are distributed, immutable and ephemeral (i.e. cattle). In other words, you can move from pets-in-the-cloud to cattle-in-the-cloud. When you get to that point, you need to make sure you don’t regress and move back to creating pets again. In other words, don’t patch-in-place or keep instances up and running longer than necessary.

Shehzad Merchant is CTO at Gigamon.