Web Application Firewalls Adjust to Secure the Cloud

Cloud-based WAFs protect applications without the costs and complexity of on-prem hardware. Here's what to keep in mind as you browse the growing market.

As the application landscape changes, so do the tools we use to protect corporate systems and the data they process. The evolution of the Web Application Firewall (WAF) is a prime example of adjusting old security systems to protect a modern enterprise.

Most, if not all, businesses have reason to fear online compromise. Hackers aren't only targeting websites; they're also seeking holes in Web applications used among employees, customers, and partners. Enterprise apps are packed with personal and corporate data, and they demand higher levels of protection.

"Web applications have proven to be the leakiest attack vectors when it comes to hacking," says John Maddison, senior vice president for products and solutions at Fortinet. Nearly half of data breaches were related to attackers targeting Web application vulnerabilities, the latest Verizon Data Breach Investigations Report found, and the Equifax breach is often cited as the kind of attack a WAF with a current signature set might have blocked, even though the root cause was an unpatched application flaw.

The Demand for Cloud WAFs

WAFs have traditionally been installed as physical, on-premises appliances that inspect HTTP traffic for exploit attempts and block attacks such as SQL injection, application-layer denial-of-service, and oversized or malformed requests aimed at buffer overflows in the back-end application.

"If you imagine your network as a fortress that is protected by a wall (your firewall), Web applications are like adding a screen door - it doesn’t matter how many layers of security you may have, an improperly secured web application could potentially cut through all that," says Maddison.

As businesses move to the cloud, applications are no longer hosted on their own infrastructure, and they lose visibility into how an application is being used, who is accessing it, and what traffic flows in and out. Cloud-based WAFs simplify management with more frequent security updates, on-demand capacity, and monthly or annual subscription pricing.

People have long used WAFs in detection mode, but it took a while to enable threat blocking, explains Gartner research director Adam Hils. WAFs provided a wealth of information but also generated enough false positives to make security teams nervous. According to a new survey from Imperva, 27% of security teams receive more than a million security alerts each day, leaving 53% of IT pros struggling to separate critical incidents from false positives.

In the past four to five years, more companies have wanted better Web application support but lacked expertise, says Ajay Uggirala, director of product management at Imperva. They have turned to the growing market of cloud-based WAFs, which share threat data and provide similar support with easier deployment and management for businesses.

Cloud-Based vs. On-Prem WAFs: Differences and Deployment

There are a few key differences between on-premises and cloud-based WAFs, and the biggest is in how they're deployed. On-prem WAFs run in the data center, or as a virtual machine on an IaaS platform. Cloud WAFs are sold as software-as-a-service (SaaS) and managed through a Web interface or mobile app. On-prem WAFs require you to handle capacity planning, patching, and rule maintenance yourself; with cloud WAFs, the provider handles these.

While on-prem WAFs come with policies out of the box, admins have full control over their company's rules, says Uggirala. On-prem systems are more customizable and more complex, giving admins the power to adjust how applications interact with the WAF. However, this also makes the enterprise responsible for monitoring and controlling the traffic and logs the WAF handles, and for keeping that data from unauthorized access.

Cloud-based WAFs are different. Their security policies are pre-defined by the WAF provider based on its view of the threat landscape. "We will create these policies and we tune them so [clients] don't get too many false positives," Uggirala continues. Cloud WAFs typically come with features like load balancing, APIs, application delivery rules, and DDoS protection. However, customers typically don't get the granular control they would have over an on-prem WAF. The software is hosted in the provider's data centers, and the provider is responsible for securing them.
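The two points above, running a WAF in detection mode to measure false positives before switching to blocking (Hils), and tuning a pre-defined policy so customers "don't get too many false positives" (Uggirala), are easier to see with a small rule engine. The following is an added example written for this page; it is not code from Imperva, Fortinet, Gartner, or any WAF product. The rule IDs, regular expressions, URL paths, and request lines are all constructed for illustration, and the patterns are deliberately simplistic compared with a real signature set.

```python
"""Toy WAF rule engine: detection mode vs. blocking mode, and per-path
policy tuning to remove a false positive.  Added example, not vendor code.
Rule IDs, patterns, paths and sample traffic are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: "re.Pattern[str]"
    # Paths on which this rule is suppressed (policy tuning).  Constructed.
    excluded_paths: Set[str] = field(default_factory=set)


@dataclass
class Verdict:
    matched_rules: List[str]
    blocked: bool


# Constructed "vendor default" policy.  Real signature sets are far larger
# and normalise input (double decoding, case folding, comments) first.
RULES = [
    Rule("900100", "SQL injection: tautology, trailing comment, UNION SELECT",
         re.compile(r"(?i)('\s*or\s+\S+\s*=\s*\S+)|(--\s*$)|(\bunion\b\s+\bselect\b)")),
    Rule("900200", "Oversized parameter (buffer-overflow style payload)",
         re.compile(r"^.{1024,}$", re.S)),
    Rule("900300", "Path traversal",
         re.compile(r"(\.\./|\.\.\\)")),
]


def inspect(request: str, rules: List[Rule] = RULES, blocking: bool = False) -> Verdict:
    """Inspect one request line of the form 'METHOD /path?query'.

    blocking=False is detection mode: matches are reported, nothing is
    blocked.  blocking=True blocks any request that matches a rule that is
    not excluded for its path."""
    _method, _, target = request.partition(" ")
    parts = urlsplit(target)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    values = [v for vs in params.values() for v in vs] + [path]
    hits = []
    for rule in rules:
        if path in rule.excluded_paths:
            continue
        if any(rule.pattern.search(v) for v in values):
            hits.append(rule.rule_id)
    return Verdict(matched_rules=hits, blocked=blocking and bool(hits))


# Constructed, labelled sample traffic: (request line, is_attack).
TRAFFIC = [
    ("GET /login?user=admin&pass=secret", False),
    ("GET /search?q=cloud+waf", False),
    ("GET /search?q=%27%20OR%201%3D1%20--", True),                     # ' OR 1=1 --
    ("GET /products?id=1%20UNION%20SELECT%20password%20FROM%20users", True),
    ("GET /download?file=..%2F..%2Fetc%2Fpasswd", True),
    ("GET /upload?data=" + "A" * 2048, True),
    # Legitimate post on a database forum that quotes SQL: a classic false positive.
    ("GET /forum/post?body=why+does+WHERE+x%3D%27a%27+OR+1%3D1+return+everything", False),
]


def evaluate(traffic=TRAFFIC, rules: List[Rule] = RULES) -> Dict[str, int]:
    """Run the policy in detection mode over labelled traffic and count true
    positives, false positives and misses: the numbers a team wants before
    flipping a policy to blocking mode."""
    counts = {"true_positives": 0, "false_positives": 0, "missed": 0}
    for request, is_attack in traffic:
        flagged = bool(inspect(request, rules).matched_rules)
        if flagged and is_attack:
            counts["true_positives"] += 1
        elif flagged:
            counts["false_positives"] += 1
        elif is_attack:
            counts["missed"] += 1
    return counts


def tuned_rules(rules: List[Rule] = RULES) -> List[Rule]:
    """Policy tuning: suppress the SQLi rule only on the forum path whose
    users legitimately quote SQL, rather than weakening it everywhere."""
    tuned = []
    for r in rules:
        excluded = set(r.excluded_paths)
        if r.rule_id == "900100":
            excluded.add("/forum/post")
        tuned.append(Rule(r.rule_id, r.description, r.pattern, excluded))
    return tuned


if __name__ == "__main__":
    print("detection mode, default policy:", evaluate())
    print("detection mode, tuned policy:  ", evaluate(rules=tuned_rules()))
    for req, _ in TRAFFIC:
        v = inspect(req, tuned_rules(), blocking=True)
        print("BLOCK" if v.blocked else "allow", v.matched_rules, req[:60])
```

Run in detection mode, the default policy catches all four constructed attacks but also flags the forum post; after the per-path exclusion the false positive disappears with no loss of detections, and only then is the policy switched to blocking. This is the same workflow the article describes, whether the tuning is done by in-house admins on an on-prem appliance or by the provider on a cloud WAF.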

Which you choose, on-prem or cloud WAF, will depend on your business and the sensitivity of its apps and data. Some organizations use a hybrid model, says Hils, with a physical WAF on-prem and WAF-as-a-service in the public cloud. For example, a cloud-based WAF could sit at the edge of your network while an on-prem WAF analyzes complex internal threats.

"The security person will want to get with the business and figure out if things are moving to the cloud, and how quickly," says Hils. "Once they understand the road map from there, they can decide what form factor they want - if they want a virtual WAF or cloud-delivered WAF."

Maddison says cloud-based WAFs are better-suited for smaller applications; mission-critical Web-based applications require a dedicated or hardware type of appliance. "Since it's not a one-size-fits-all situation, organizations should use a broad array of form factors that can support diverse network environments to provide maximum flexibility and security," he says.

You need to have someone on the team who knows security and the application, as well as how to use the cloud of choice and move information to the cloud effectively and efficiently, says Hils. The combination of infrastructure and security skills "is pretty rare," he notes.

Major Cloud Providers Shift the Market

Early deployments of WAFs in the public cloud had to be third-party solutions, says Hils, because public cloud vendors did not offer any. Now that the major cloud providers offer basic WAFs of their own, application teams are gravitating toward the native options from Amazon and Microsoft.

"It depends on the nature of the application and the use case," says Hils of choosing one over the other. If an app is highly vulnerable, he recommends using a third-party virtual WAF or WAF-as-a-Service tool, which he says currently provide better protection for Web applications.

"If it's less critical and the customer trusts that the cloud vendor will advance their WAF then it's fine to go with those cloud-native tools," he continues. The security of WAFs from major cloud providers isn't yet on par with third-party systems, but it is improving. Amazon Web Services, for example, is already enhancing its capabilities. The first AWS WAF had no signatures, Hils explains, but now it's building a signature database. Amazon's WAF is also less expensive: pricing is usage-based, per rule and per request processed, as with other AWS services, rather than a fixed appliance or license fee.

"Over time, as more critical workloads move and security is more involved, there will be tension between cloud IaaS vendors improving their WAFs," Hils anticipates. "They're still not as good as a third party, but they will cost a lot less."

As major providers like Microsoft and Amazon move into the WAF space, established WAF vendors are adding capabilities to their tools. Imperva recently debuted Attack Analytics, which aims to automate the correlation and analysis of attack events and prioritize the most severe threats. Threat data can be pulled from applications on-prem or in the cloud.

The coming year will likely bring more calls and questions from security managers at odds with their development teams about native cloud protections versus third-party services, Hils predicts.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
