Analyst & Research Reports

O'Reilly Modern Defense in Depth

Issue link: https://hub.dyn.com/i/1077963

CHAPTER 3

Cloud-Based Lines of Defense for Web Application Security

In this chapter, you learn what lines of defense I highly recommend to fully protect web applications deployed in cloud environments. This discussion begins with the very outside edge of the cloud, which is where traffic enters the cloud environment from the internet. You can think of this as a boundary between the internet and the cloud resources deployed downstream. This discussion ends with the very inside edge, which you can think of as the very last line of defense before a web application is actually accessed by a user or attacker on the internet. All of the technologies discussed in this section make up the lines of defense in what I call the modern cloud edge.

Defensive Line 1: Edge Routers

Edge routers can often act as the first line of defense because they are fully capable of discarding unwanted traffic, given that they are processing it anyway. Organizations that either implement Border Gateway Protocol (BGP) FlowSpec on their own edge routers or work with cloud providers (who do the same to offload other downstream lines of defense) have discovered the best approach to defend against various attacks using this line of defense.

Although not always thought of in terms of security (because edge routers are often managed by network teams and not security teams), as already mentioned, edge routers are fully capable of acting as the first line of defense to defend networks, websites, and
