The Dawn of Hybrid Web Application Firewall-Why it will define security for the foreseeable future

By Carl Herberger, VP-Security Solutions, Radware

Carl Herberger, VP-Security Solutions, Radware

As the threat landscape transforms as quickly as advances in network protection, a sea of change is occurring in how organizations secure their networks. Dramatically different visions of how to effectively protect a network presents a juxtaposition—forcing pause and deep thought before executing a strategy.

The Web Application Firewall or WAF has undergone a shift in approach, as a result of changing business conditions as concepts of security perimeter protection have eroded. This confluence, a result of the growing cloud technology, is no longer manageable with today’s standard application security approaches. Out of necessity, a new hybrid approach that combines technologies to protect both cloud-based and on premise applications has evolved.

Why is a Hybrid Approach so Compelling?

Like two raging rivers that join together, the migration of business applications from on premise data centers to off premise cloud providers has erupted in a sprawl of security solutions. The result is an unmanageable and untenable security environment. Many suggest that you can no longer think of the cloud and premise-based technologies as disparate and isolated, but rather consider and manage them as one, in order to provide unified protection with no security gaps between on-premise and cloud-based devices.

The likes of IBM and others robustly declared at this year’s InterConnect Conference that the cloud can no longer be categorized as private or public—but instead has shifted to a hybrid state. To remain competitive and relevant, every business must transform and adapt. There are three major reasons behind the idea of cloud being synonymous with “hybrid”:

1. Most companies will retain some internal application delivery infrastructure

Most businesses simply aren’t positioned to move all legacy applications to the cloud. Starting a hybrid cloud approach does not require a complete migration of traditional IT infrastructure to a public or private cloud.

2. Dedicated infrastructures are a luxury

This will make most companies uncompetitive vis-à-vis hybrid competitors. The verdict is in about the merits of virtualization and cloud in that it unleashes hidden efficiencies which were elusive to classic data centers in the past.

At its core, the cloud was designed to take the complexity of virtualization away from the end user and fully enable self-provisioning and speed to service delivery.

3. Information Security and Compliance

From the inception of cloud delivery models, security has provided the anchor to adoption because of concerns of inadequacies. In the end, most companies who are “cloud-ifying” applications from more traditional deployments found themselves with fewer options and features in which to secure applications in the cloud. Also, cloud companies needs to be in lock-step with stringent compliance requirements of client companies such as PCI-DSS, HIPPA, and Patriot Act and Sarbanes-Oxley Act.

The task of keeping a business up and available while orchestrating cloud delivery service models is not trivial. Similar to the change of just-in-time inventory in manufacturing models, the cloud, with all its cost and agility benefits, ushered in a whole new era of requiring a high degree of uptime. The issue of uptime is multi-faceted. There is a need to cover numerous categories of security threats such as volumetric vs. non-volumetric attacks, bots vs. humans, multi-vector attack campaigns and web exhaustion techniques.

“The need to secure applications on-premise, in the cloud, and during the transition period from on-premise to the cloud, requires a hybrid solution”

Current technology shifts have changed business leaders' expectations of IT and disrupted many of the security models we’ve come to expect. These changes have resulted in complications for security professionals dealing with different operating environments and also a loss of visibility to the overall 'business' picture. Businesses are now looking for IT to respond in hours or even minutes compared to what used to be days or weeks. Organizations need to have the ability to detect threats with high quality in one location and react to those revelations in all operating environments in real time, and then orchestrate changes to the affected systems quickly and universally.

Until recently, no single web application firewall technology existed which addressed these problems. Solutions offered by security vendors did not include a web application firewall that integrated seamless on premise and cloud protection. This lack of integration led to limited visibility, a lack of policy orchestration, and muted attack responses. Organizations could also not differentiate attacks that occurred in the cloud from those on premise in a timely fashion. Was it the same vulnerability? Was it the same perpetrator in both attacks? Those questions could not be answered because the quality of detection was limited. The need was established that organizations needed to be able to mitigate a security problem both on-premise and in the cloud.

So, what needs to be coordinated and integrated between the cloud and premise-based applications to provide seamless protection? One needs to mitigate attacks in all environments, including behind a Content Delivery Network (CDN) or multiple CDNs. Powerful considerations need to be made for network latency and disruption as coordinating disaggregated devices will require high network fidelity and response. Moreover, compliance, and role-based-access-controls (RBAC) will be a key attribute to honing panoramic visibility.

In conclusion, the need to secure applications on-premise, in the cloud, and during the transition period from on-premise to the cloud, requires a hybrid solution. That will allow simple policy migration from the premise to the cloud while supporting a seamless migration without exposing the newly migrated applications to web attacks. The need for quick panoramic visibility to the entire delivered application infrastructure no matter where it is served is paramount. Quick and coordinated control and mitigation are essential to bring the balance of defense back into the defender’s court. The current path is clear—a hybrid solution is a must. The faster this architecture is migrated, the least amount of damage and harm will occur.