Web Application Firewalls Adjust to Secure the Cloud

Cloud-based WAFs protect applications without the costs and complexity of on-prem hardware. Heres what to keep in mind as you browse the growing market.

As the application landscape changes, so do the tools we use to protect corporate systems and the data they process. The evolution of the Web Application Firewall (WAF) is a prime example of adjusting old security systems to protect a modern enterprise.
Most, if not all, businesses have reason to fear online compromise. Hackers arent only targeting websites; theyre also seeking holes in Web applications used among employees, customers, and partners. Enterprise apps are packed with personal and corporate data, and they demand higher levels of protection.
Web applications have proven to be the leakiest attack vectors when it comes to hacking, says John Maddison, senior vice president for products and solutions at Fortinet. Nearly half of data breaches were related to hackers targeting Web app vulnerability, the latest Verizon Data Breach Investigations Report found, and the Equifax breach is an example of what could be prevented with a WAF deployed.
The Demand for Cloud WAFs
WAFs have traditionally been installed as physical, on-premise tools designed to process and analyze Web traffic for exploits and block threats like SQL injection, distributed denial-of-service (DDoS) attacks, and buffer overflows. If malicious activity was detected, it was blocked.
If you imagine your network as a fortress that is protected by a wall (your firewall), Web applications are like adding a screen door - it doesn’t matter how many layers of security you may have, an improperly secured web application could potentially cut through all that, says Maddison.
As businesses move to the cloud, applications are no longer hosted on their infrastructure. They lack visibility into how the application is being used, who is accessing it, and what traffic is flowing in and out. Cloud-based WAFs simplify management with more regular security updates, scalability for added capacity, and monthly or annual subscription pricing.
People have long used WAFs in detection mode, but it took a while to enable threat blocking, explains Gartner research director Adam Hils. WAFs provided a wealth of information but also generated enough false positives to make security teams nervous. According to a new survey from Imperva, 27% of security teams
receive
more than a million security alerts each day, leaving 53% of IT pros struggling to separate critical incidents from false positives.
In the past four to five years, more companies have wanted better Web application support but lacked expertise, says Ajay Uggirala, director of product management at Imperva. They have turned to the growing market of cloud-based WAFs, which share threat data and provide similar support with easier deployment and management for businesses.
Cloud-Based vs. On-Prem WAFs: Differences and Deployment
There are a few key differences between on-premise and cloud-based WAFs, and the biggest is in how theyre deployed. On-prem WAFs run in the data center, or as a virtual machine through a IaaS service. Cloud WAFs are sold as software-as-a-service (SaaS) and managed through a Web interface or mobile app. On-prem WAFs require you to handle capacity planning and complexities; with cloud WAFs, these are handled by the WAF provider.
While on-prem WAFs come with policies out of the box, admins have full control over their companys rules, says Uggirala. On-prem systems are more customizable and complex, giving admins the power to adjust how applications interact with the WAF. However, this also demands the enterprise monitor and control that data, ensuring it cant be accessed.
Cloud-based WAFs are different. Their security policies are pre-defined by the WAF provider based on their view of the threat landscape. We will create these policies and we tune them so [clients] dont get too many false positive, Uggirala continues. Cloud WAFs typically come with features like load balancing, APIs, application delivery rules, and DDoS protection. However, customers typically dont have the granular access they would have for on-prem WAFs. Software is hosted in data centers by the provider, which is responsible for securing them.
Whether you choose on-prem or cloud WAFs will vary based on your business and the sensitivity of its apps and data. Some organizations use a hybrid model, says Hils, with physical WAF on-prem and WAF-as-a-service in the public cloud. For example, a cloud-based WAF could be placed at the edge of your network as an on-prem WAF analyzes complex internal threats.
The security person will want to get with the business and figure out if things are moving to the cloud, and how quickly, says Hils. Once they understand the road map from there, they can decide what form factor they want - if they want a virtual WAF or cloud-delivered WAF.
Maddison says cloud-based WAFs are better-suited for smaller applications; mission-critical Web-based applications require a dedicated or hardware type of appliance. Since its not a one-size-fits-all situation, organizations should use a broad array of form factors that can support diverse network environments to provide maximum flexibility and security, he says.
You need to have someone on the team who knows security and the application, as well as how to use the cloud of choice and move information to the cloud effectively and efficiently says Hils. The combination of infrastructure and security skills is pretty rare, he notes.
Major Cloud Providers Shift the Market
Early deployments of WAFs in the public cloud had to be third-party solutions, says Hils, because public cloud vendors did not offer any. Now that major cloud providers have basic rudimentary WAFs, application teams are gravitating toward solutions from Amazon and AWS.

It depends on the nature of the application and the use case, says Hils of choosing one over the other. If an app is highly vulnerable, he recommends using a third-party virtual WAF or WAF-as-a-Service tool, which he says currently provide better protection for Web applications.
If its less critical and the customer trusts that the cloud vendor will advance their WAF then its fine to go with those cloud-native tools, he continues. The security of WAFs from major cloud providers isnt yet on-par with third-party systems, but it is improving. Amazon Web Services, for example, is already enhancing its capabilities. The first AWS WAF had no signatures, Hils explains, but now its building a signature database. Amazons WAF is also less expensive: you pay for the amount of bandwidth as you do for every AWS function.
Over time, as more critical workloads move and security is more involved, there will be tension between cloud IaaS vendors improving their WAFs, Hils anticipates. Theyre still not as good as a third party, but they will cost a lot less.
As major providers like Microsoft and Amazon explore the WAF space, existing vendors focus on adding more capabilities to existing tools. Imperva recently debuted Attack Analytics, which aims to automate the process of correlating and analyzing attack events and prioritize the most severe threats. Threat data can be pulled from applications on-prem or in the cloud.
The coming year will likely bring more calls and questions from security managers at odds with their development teams about native cloud protections versus third-party services, he predicts.
Related Content:
10 Free DevOps Security Tools Developers Will Love
Windows Double Kill Attack Code Found in RIG Exploit Kit
6 Security Investments You May Be Wasting
Building Blocks for a Threat Hunting Program

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Web Application Firewalls Adjust to Secure the Cloud