If you have HTTP applications in the cloud—any cloud—there is a reasonable chance they will be vulnerable. Applications and the protocols they run remain prime targets for application attacks like SQL injection or TLS protocol exploits. In fact, in a recent report from WhiteHat Security, applications across a range of industry verticals were “Regularly Vulnerable 151–270 days a year” in more than 50 percent of cases. That means for the majority of organizations, over half your applications are regularly vulnerable half the time.
Cloud providers understand this. They have invested considerable time and money into securing theirinfrastructure and networks. They recognize the need for robust security and, in general, they have delivered on their end of the bargain, working hard to secure hypervisors, networks, the control plane, and physical security.
However, securing the application is a more difficult problem. The web application firewall, or WAF, has become the solution of choice to protect applications from application-layer attacks. Cloud vendors—engaged in their ongoing mission to provide better security for their customers—have started to offer WAF services. Application-layer security, however, has to strike a delicate balance between effective protection and operational simplicity, which makes it difficult for a generalized cloud service to offer anything other than simple and, frankly, easily defeated protection.
The thing is, running a WAF—any kind of WAF—is a complicated, high-value operation. It takes people, knowledge, and ongoing maintenance. If you don’t use the right technology, all that effort is wasted. Basic layer 7 protection tools usually rely on simple pattern matching. While this can be a valuable defense against some routine attacks, it does not constitute comprehensive protection for your applications.
Using a full-featured WAF—one that takes you beyond basic pattern matching into the realms of client identification, machine learning, and response inspection—is your best choice. You can choose the level of protection that each of your applications or services requires, and then implement appropriate controls. And while more comprehensive protection does demand more administration, feature-rich WAF solutions do come with better tools for centralized policy management and distribution.
If your application needs protection, then you might as well protect it effectively. Make sure you have the right technology in place to not only meet a corporate or regulatory requirement, but to proactively defend your application—and the business it supports.