Apps are Increasingly Distributed. Your WAF Technology Needs to Adapt.

Applications, which are at the core of our digital experiences, continue to be deployed across diverse environments, including private and public clouds, on-premises, in data centers, and at the edge. Similarly, application security technologies are increasingly deployed in different locations from the applications they are serving. They are no longer necessarily tethered to the applications they serve but are deployed in different environments and may support multiple applications. For instance, 92% of organizations still deploy some applications on-premises, but only 53% of them host app security technology there. Modern app development, deployment, creation processes, and support services have converged and become modular. They are all critical to the digital experience customers demand.

This digital expansion means an explosion in the number of applications, integrations, and environments, making it increasingly challenging for DevOps, DevSecOps, and SecOps to define and implement a robust multi-cloud expansion and security strategy. A typical organization can manage between 200 and 1,000 applications—in addition to using several third party-as-a-Service offerings. Complexity is now the norm:

• Applications are built using many languages in multiple integrated development environments (IDEs).
• Applications are deployed on various infrastructure platforms using different toolsets and deployment modalities across cloud, data centers, containers, microservices, and serverless.

Of course, we can try to standardize as much as practical to minimize complexity. Over time, traditional application development had become slow, inflexible, and unmanageable, unable to address the fast-changing needs of customers while also blurring the lines between application development roles. You could argue that you gain economies of scale using the same IDE for applications because you maintain and build code on a single system. You can also standardize on a common deployment framework, like Ansible and Terraform, or choose to deploy on a single cloud provider. However, the risks of using a single type of infrastructure and ecosystem generally far outweigh the benefits. You risk vendor lock-in, a single point of failure, and an inability to control costs.

In contrast, you can achieve scale and efficiency when you deploy in diverse environments. For example, moving from deploying physical servers to virtual machines to optimize and abstract the underlying hardware dependencies makes it easier and faster to scale compute. Similarly, the benefit of virtual machines is quickly outweighed when you consider containers, a portable piece of virtual compute that is deployable across any infrastructure.

So, why do we accept being tied into infrastructure-specific security when our deployments are very diverse? If you deploy compute in AWS using a mix of virtual machines and containers, you can end up using security tools from AWS and different tools on-premises that are incompatible. Staff are needed to manage each tool, requiring additional resources and training. Also, because our controls are different, can you be sure what the risk exposure is? And if expanding to another cloud provider, you'll need to learn about new tools. Accordingly, it has become table stakes to decouple applications from their web application firewalls (WAFs), with widespread cloud adoption, the emergence of the edge, and the resulting distributed nature of applications. The best deployment location for a given WAF depends not only on where the application is located but also on other factors such as the nature and location of the apps’ users, the nature of the WAF itself, etc.

F5’s WAF portfolio, based on its BIG-IP Advanced WAF engine, adapts to the unique requirements of today’s modern applications and deployments. It offers flexible deployment and operational choices to match your organization’s infrastructure, architecture, application location, and expertise across fully managed, self-service, hybrid SaaS, and web environments, without sacrificing efficacy or risk. Organizations can employ:

1. BIG-IP Advanced WAF, available for on-premises / data center and public or private cloud (virtual edition) deployment, for robust, high-performance web application and API security with granular, self-managed controls.
2. F5 NGINX App Protect WAF for a lightweight software security solution that provides high-performance, low-latency, and platform-agnostic deployments for modern, microservices-based applications and containers.
3. F5 Distributed Cloud WAF for SaaS-based deployments in a distributed environment that reduces operational overhead with an optional fully managed service.

Overall, these security solutions are best-in-class and continue to be at the leading edge of security innovation to enable organizations to secure all their applications, wherever they are deployed—public or private clouds, on-premises data centers, or at the edge—and regardless of their architectures: monolithic / legacy, microservices, service mesh, or serverless.

As workload deployments proliferate across diverse environments and app architectures, organizations want to be able to enforce consistent security controls across all applications, anywhere. At F5, our vision is a unified suite of market-leading web application firewall tools, enabling organizations to deploy the correct WAF for their use case while sharing policies, telemetry, and insights. This removes the complexity of managing inconsistent and dissimilar security policies and enforcement in heterogeneous and hybrid cloud environments, enabling organizations to neutralize the next generation of bad actors and attacks efficiently. See below for a visual of how it all comes together.

To learn more, visit:

• BIG-IP Advanced WAF product page: Advanced Web Application Firewall (WAF)
• F5 NGINX App Protect WAF product page: F5 NGINX App Protect WAF
• F5 Distributed Cloud WAF page: Web Application Firewall | F5 Distributed Cloud Services