On-prem WAF is dead – long live cloud WAF

For ages, web application firewalls (WAFs) have been synonymous with application protection. In fact, many application security teams believe the best option to protect their applications is a top-notch on-prem WAF solution, especially if those applications are deployed on-prem or in a private cloud.

But Radware executive Yaron Azerual says the environment in which applications are developed, deployed and used has changed radically since the on-prem WAF was introduced. It’s about time we examined whether an on-prem WAF is still the best solution for application protection—or is it time for something new?

Let’s consider today’s application threat landscape.

According to my company’s latest research, the total number of web application transactions blocked by our Cloud WAF service grew 128% between 2021 and 2022, significantly outpacing the 88% increase in attacks between 2020 and 2021.

Given the unconventional shifts in the threat landscape, it’s clear that protecting applications requires more than a traditional on-prem WAF. Defending against a growing number of attacks across multiple vectors requires not only WAFs (protecting application vulnerabilities), but also API protection, bot management and DDoS protection (with layer 7 DDoS protection abilities).

It’s important to note that these solutions are only as good as the application protection experts managing them.

The escalation in the threat landscape, however, isn’t the only change leading to the demise of the on-prem WAF. Historically, applications were monolithic and deployed only in private data centres. Today, they are deployed across multiple environments: traditional data centres, the cloud (public or private), or both.

The application architectures are changing, too.

For decades, the majority were based on a single, monolithic application code base. Today, applications use microservices architectures with many integrated third-party services that rely extensively on APIs for communication.

To complicate the situation even more, many applications rely on running code in the client-side browser, which makes clients’ devices part of the application too.

Protecting applications in this evolving architecture is just one more reason why simply relying on a traditional on-prem WAF, even if it can be deployed throughout an organisation’s cloud environment, is no longer adequate.

There are even more challenges facing self-managed on-prem WAFs given today’s application and threat landscapes.

Management overhead: The management overhead involved in protecting an increasing number of applications across a growing number of environments is becoming nothing short of impossible.

Shortage in cyber experts: As the list of threat vectors grows and attacks get more sophisticated, the level of expertise required to manage all aspects of cyber security is increasing exponentially.

Here’s the crux: security experts can’t keep up. The recent 2022 (ISC)² Cybersecurity Workforce Study showed that 70% of organisations are facing skills shortages in their cybersecurity teams.

One of the reasons for the shortage is a high burnout rate in existing teams due to heavy workloads. This is creating tremendous challenges for many organisations that need to protect their applications and architectures.

Quality of protection: A WAF is only as good as the security policies with which it is configured. An on-prem WAF only generates security policies based on the local application it protects; this can be extremely limiting.

Also, optimising and maximising application protection while covering bot and API domains requires machine learning and artificial intelligence-based algorithms that aren’t available with on-prem WAF devices.

Protecting all application surfaces: As application architectures evolve, protecting just one environment, the application server, is no longer enough. The new application architecture can be accessed from multiple entry points, all of which need protection. This includes the server, the cloud, third-party APIs and the client. Old-school on-prem WAFs can’t provide protection for all these access points.

Agility and scalability: Rolling out a new application protection service is a labour-intensive task. Ensuring that the service doesn’t break the application and yet effectively protects it consumes even more resources.

This impacts an organisation’s overall agility. Remember, application protection is a compute-intensive function, while scaling it poses additional challenges that limit agility.

Hopefully, it’s now evident that protecting applications with a self-managed on-prem WAF is no longer a valid option. The management overhead associated with it, when combined with the global shortage of cyber security experts, has created bottlenecks that are simply unacceptable for most companies, not to mention that they compromise application protection and security.

With today’s rapidly evolving application architecture, on-prem WAFs are simply incapable of providing a single, consistent solution for securing applications, regardless of the environment in which they are deployed.

Today’s application environments and the businesses they support require a new arsenal of protection solutions. The cloud application protection services that offer the best attack coverage include:

  • An advanced cloud WAF engine, with auto-policy generation, both positive and negative.
  • An API protection module with automatic endpoints discovery.
  • A bot management module.
  • An application DDoS protection service.
  • A client-side protection service.

But even these tools are only effective if they are provisioned correctly. That’s why the top cloud WAF services come with not only AI-based algorithms to automate operations, but also a team of experts to oversee those operations. Maintaining full control and visibility over the application protection service is also a must-have to ensure success.

At the end of the day, there are two important considerations that will enable organisations to judge whether it’s time to switch to a cloud WAF service.

First, does the cloud WAF service provide better and more comprehensive application protection? And second, does the cloud WAF service reduce the total cost of ownership of the application protection solution? The answer to both questions for most organisations today is a resounding ‘Yes!’