As the application landscape changes, so do the tools we use to protect corporate systems and the data they process. The evolution of the Web Application Firewall (WAF) is a prime example of adjusting old security systems to protect a modern enterprise.
Most, if not all, businesses have reason to fear online compromise. Hackers aren't only targeting websites; they're also seeking holes in Web applications used among employees, customers, and partners. Enterprise apps are packed with personal and corporate data, and they demand higher levels of protection.
"Web applications have proven to be the leakiest attack vectors when it comes to hacking," says John Maddison, senior vice president for products and solutions at Fortinet. Nearly half of data breaches were related to hackers targeting Web app vulnerabilities, the latest Verizon Data Breach Investigations Report found, and the Equifax breach is an example of what could be prevented with a WAF deployed.
The Demand for Cloud WAFs
WAFs have traditionally been installed as physical, on-premise tools designed to process and analyze Web traffic for exploits and block threats like SQL injection, distributed denial-of-service (DDoS) attacks, and buffer overflows. If malicious activity was detected, it was blocked.
"If you imagine your network as a fortress that is protected by a wall (your firewall), Web applications are like adding a screen door - it doesn’t matter how many layers of security you may have, an improperly secured web application could potentially cut through all that," says Maddison.
As businesses move to the cloud, applications are no longer hosted on their infrastructure. They lack visibility into how the application is being used, who is accessing it, and what traffic is flowing in and out. Cloud-based WAFs simplify management with more regular security updates, scalability for added capacity, and monthly or annual subscription pricing.
People have long used WAFs in detection mode, but it took a while to enable threat blocking, explains Gartner research director Adam Hils. WAFs provided a wealth of information but also generated enough false positives to make security teams nervous. According to a new survey from Imperva, 27% of security teams receive more than a million security alerts each day, leaving 53% of IT pros struggling to separate critical incidents from false positives.
In the past four to five years, more companies have wanted better Web application support but lacked expertise, says Ajay Uggirala, director of product management at Imperva. They have turned to the growing market of cloud-based WAFs, which share threat data and provide similar support with easier deployment and management for businesses.
Cloud-Based vs. On-Prem WAFs: Differences and Deployment
There are a few key differences between on-premise and cloud-based WAFs, and the biggest is in how they're deployed. On-prem WAFs run in the data center, or as a virtual machine through an IaaS service. Cloud WAFs are sold as software-as-a-service (SaaS) and managed through a Web interface or mobile app. On-prem WAFs require you to handle capacity planning and complexities; with cloud WAFs, these are handled by the WAF provider.
While on-prem WAFs come with policies out of the box, admins have full control over their company's rules, says Uggirala. On-prem systems are more customizable and complex, giving admins the power to adjust how applications interact with the WAF. However, this also demands the enterprise monitor and control that data, ensuring it can't be accessed.
Cloud-based WAFs are different. Their security policies are pre-defined by the WAF provider based on their view of the threat landscape. "We will create these policies and we tune them so [clients] don't get too many false positives," Uggirala continues. Cloud WAFs typically come with features like load balancing, APIs, application delivery rules, and DDoS protection. However, customers typically don't have the granular access they would have for on-prem WAFs. Software is hosted in data centers by the provider, which is responsible for securing them.
Whether you choose on-prem or cloud WAFs will vary based on your business and the sensitivity of its apps and data. Some organizations use a hybrid model, says Hils, with physical WAF on-prem and WAF-as-a-service in the public cloud. For example, a cloud-based WAF could be placed at the edge of your network as an on-prem WAF analyzes complex internal threats.
"The security person will want to get with the business and figure out if things are moving to the cloud, and how quickly," says Hils. "Once they understand the road map from there, they can decide what form factor they want - if they want a virtual WAF or cloud-delivered WAF."
Maddison says cloud-based WAFs are better-suited for smaller applications; mission-critical Web-based applications require a dedicated or hardware type of appliance. "Since it's not a one-size-fits-all situation, organizations should use a broad array of form factors that can support diverse network environments to provide maximum flexibility and security," he says.
You need to have someone on the team who knows security and the application, as well as how to use the cloud of choice and move information to the cloud effectively and efficiently, says Hils. The combination of infrastructure and security skills "is pretty rare," he notes.
Major Cloud Providers Shift the Market
Early deployments of WAFs in the public cloud had to be third-party solutions, says Hils, because public cloud vendors did not offer any. Now that major cloud providers have basic, rudimentary WAFs, application teams are gravitating toward solutions from Amazon and AWS.
"It depends on the nature of the application and the use case," says Hils of choosing one over the other. If an app is highly vulnerable, he recommends using a third-party virtual WAF or WAF-as-a-Service tool, which he says currently provide better protection for Web applications.
"If it's less critical and the customer trusts that the cloud vendor will advance their WAF then it's fine to go with those cloud-native tools," he continues. The security of WAFs from major cloud providers isn't yet on par with third-party systems, but it is improving. Amazon Web Services, for example, is already enhancing its capabilities. The first AWS WAF had no signatures, Hils explains, but now it's building a signature database. Amazon's WAF is also less expensive: you pay for the amount of bandwidth as you do for every AWS function.
"Over time, as more critical workloads move and security is more involved, there will be tension between cloud IaaS vendors improving their WAFs," Hils anticipates. "They're still not as good as a third party, but they will cost a lot less."
As major providers like Microsoft and Amazon explore the WAF space, existing vendors focus on adding more capabilities to existing tools. Imperva recently debuted Attack Analytics, which aims to automate the process of correlating and analyzing attack events and prioritize the most severe threats. Threat data can be pulled from applications on-prem or in the cloud.
The coming year will likely bring more calls and questions from security managers at odds with their development teams about native cloud protections versus third-party services, he predicts.