The era of for the cloud WAF is now. While Software as a Service (SaaS) tools may be ubiquitous today, the early model of providing managed business applications as a service had rough beginnings as “Application Service Providers” (ASP) in the late 90s, an era where WiFi was just becoming mainstream and internet speeds were crawling (the standard for “high speed” then was 200Kbps — compare that with the US average of 70.75Mbps today).
Today’s mobile workforce, however, take their mission-critical SaaS apps on the go, collaborating on projects over the cloud without a lost connection or disruption to their workflow. And we know by now that wherever work goes, security’s got to follow.
How Cloud WAFs Entered the Market
Before the advent of the cloud, Web Application Firewall (WAF) capability was mainly delivered through hardware appliances. These WAF appliances were absolutely great for big businesses and enterprises, handling gargantuan volumes of data that required high-throughput (high traffic capacity) solutions. However, such on-premise solutions couldn’t protect enterprise web assets beyond their data centers, such as in virtualized infrastructure which had recently become popular. As such, businesses also began to turn to software-based options like virtual WAFs to harden their cloud systems.
But whether a WAF is deployed as a hardware or virtual appliance, the bottom line is this: a company needs to have its own infrastructure to install the WAF locally, which isn’t always a given for many smaller-scale online businesses.
Cloud WAFs on the other hand, like other security services delivered through the cloud, became the trend only because cloud migration as a whole started making business sense — for users and vendors alike. Migrating web applications and storage to the cloud allows businesses to cut down on infrastructure setup and operational costs while they accelerate application testing and development. The intense demand for a low-cost, scalable security solution to match this flexibility has made cloud WAFs a hit, especially among small and medium-sized businesses (SMBs).
How A Cloud WAF Makes Website Security Better
1. Seamless Updates
Scalability issues arise with a purely hardware approach to WAF deployment as hardware needs to be added whenever new data assets need to be protected. However, the process is complicated when the original hardware is hosted in another physical location. Protecting additional applications may also require reconfiguring of the network and protocols. If installing enterprise-level technology sounds like a difficult task, imagine the complex job of keeping it updated.
With a cloud WAF service, a single instance of the web application firewall software serves multiple users and businesses (this is known as “multi-tenancy architecture”), such that all receive centralized upgrades to the newest software version the moment updates are released. This revolutionizes the way major upgrades take place. Rather than depending on customer resources to apply new updates on an often delayed schedule, new features can be enjoyed instantly as implementation becomes vendor-managed.
2. Low Technology Barrier
Expanding upon the previous point, the vendor-managed aspect of a cloud-based security delivery model ensures minimal configuration burden on the customer’s end. This means that enterprises with dedicated network security administrators or technical teams are not the only ones able to utilize WAF protection for their web assets. SMBs in particular stand to benefit as they often do not operate at a scale that requires deep customization of WAF beyond basic controls. While WAF services remain highly customizable, default settings meet the needs of most users, and the web-based access to the service ensures an intuitive interface is of high-priority.
3. Coverage for Highly Distributed Environments
While cloud service providers (CSP) may guarantee infrastructure security, data security is the responsibility of each organization. Today’s world consists of users and employees whose work and corporate data are no longer centrally located or all locally protected. To truly thrive at the forefront of cloud technology, businesses need operational agility complemented by reliable security that cloud infrastructure providers may not be able to supply. Third-party SECaaS options are therefore crucial in mitigating risks associated with cloud migration.
As software is increasingly developed to run in the cloud rather than locally and 80% of enterprise IT organizations are predicted to commit to hybrid cloud architecture within this year, hybrid cloud security tools will be critical for any effective cloud deployment strategy. Businesses will have a mix of both applications that should be retained in corporate data centers, and those prioritized for the cloud. This is why cloud-based security providers need to be able to deliver both on-premises and SECaaS options for WAF deployment.
As for SMBs, cloud adoption is not slowing down either, making the low-cost, scalability aspect of a cloud WAF a great enabler. From Internet celebrities to non-profits and multinational enterprises, the web has become a critical space for people to engage with any brand.
Elite Guards for Today’s Shopfronts
Just like security gates for a physical shopfront, cloud WAFs make defending web assets a lot simpler to implement, for a lot more people — except hiring the equivalent of an elite security service protecting websites, 24/7, now comes at a fraction of what it would have used to cost enterprises.
If you’re considering deploying a cloud WAF or any other kind of web-based security solutions, read about what to look out for in our Newbie’s Guide to SECaaS.
Editor’s Note: This post was originally published in June 2016 and has been updated for relevance and comprehensiveness.