3 Reasons Your Public Cloud Provider Won’t Protect You From A DDoS Attack
The use of public clouds, whether by a very small company or a large enterprise, is more popular now than ever. Its popularity is due to the scalability, flexibility and cost-effectiveness public cloud providers deliver. However, it is exactly this popularity that has led them to become attractive targets for cybercriminals looking to launch DDoS attacks. This has made many public cloud providers invest in security measures to mitigate the impact of DDoS attacks on their customers. But are these measures really good enough when you are under attack?
The truth is, no matter how attractive it is to have everything — infrastructure, compute, storage and security — taken care of by a single vendor, the public cloud providers fall short. As a result, the basic security provided by public cloud providers is not sufficient when you’re hit by a sophisticated DDoS attack.
There are a few key reasons why DDoS protection by public cloud providers may not protect you from a DDoS attack.
1. It’s Not Their Focus Area
Ultimately, the core business of public cloud providers is selling their compute and storage services. It’s a straightforward business model where the more cloud services the customer consumes, the more money they make. Security is not their core business, but rather a “side business” that increases their customers’ cloud consumption.
Today, we see DDoS attacks getting more sophisticated with attackers constantly finding new ways to bypass existing security measures. It requires the skills and expertise of a security-first vendor to develop ways to mitigate such attacks and minimize their impact on customers. Given that cloud providers are not specialized security vendors, they lack the expertise that comes from dealing with complex and sophisticated cyberattacks that leave their customers exposed for extended periods of time while they’re under attack.
2. Protection Coverage is Poor, Low Quality
Most public cloud providers today provide some level of protection against DDoS attacks. This may be sufficient to protect against the most basic, frequently-occurring network and transport layer attacks, but it won’t protect against more advanced attacks, such as burst attacks, DNS and encrypted attacks, multi-vector attacks and zero-day attacks.
Cloud providers offer basic protection as part of their standard offering, but the advanced protection is available as an expensive add-on. With large-scale, frequent, complex and advanced multi-vector attacks targeting public clouds on the rise, even the advanced tier DDoS protection they have does not provide the level of protection that customers require. This, of course, leaves them exposed when under attack.
Additionally, the public cloud providers provide DDoS protection that is designed to protect their own infrastructure and not their customer’s applications hosted in their private data center or another cloud infrastructure. This makes relying on DDoS protection from public cloud providers a rather bad option for customers with hybrid- and multi-cloud environments. Doing so means to stay fully protected they will need to manage multiple different solutions with different security policies and inconsistent visibility.
3. Support is Limited and SLAs Have No Guarantees
Any downtime caused by DDoS attacks can cost your organization a fortune. The faster the detection and mitigation time for attacks, the better your bottom line will be. Therefore, it is very important to understand what your provider is willing to commit to.
Public cloud providers offer no commitments for their basic protection at all. However, if you purchase their advanced tier of DDoS protection, they provide “best effort” SLA commitments, but only for uptime. Their SLA does not include attack detection time, mitigation time, alerting, or quality of mitigation. The lack of these metrics should immediately raise a red flag about the quality of protection they’re providing. Moreover, when they do not meet their uptime commitment, they provide remediation in service credits; this amounts to a mere fraction of what they’re due and in no way compensates for any losses that may have been caused by a service disruption. It’s like buying car insurance that only covers the tires.
Managed services and emergency support are applicable only on advanced DDoS protection tiers. So, it’s only possible to have these support services if you are subscribed to the business and enterprise support plans. Of course, you’ll have to pay for these separately.
Cheap Can be Expensive
Contrary to the general perception people have that the public cloud is inexpensive, it is in fact quite expensive when it comes to DDoS protection. As covered earlier, the free tier is extremely basic and if you need better protection you have to purchase the advanced protection tier. This becomes quite expensive because you’ll need to pay a monthly fee for each account or resource. Moreover, if you need more visibility into the traffic and protection measures used, it’s only possible if you turn on and pay for an additional service. The additional charges add up pretty quick.
As you’ve probably guessed by now, support and managed services are also add-ons you will need to pay for on top of this. The sad part is that even after paying for all the add-ons, you still end up getting inferior protection that may not protect against all types of DDoS attacks. It’s a roll of the dice. Gambling shouldn’t be part of your security plan.
It’s very important to understand your specific needs and risk profile before turning to a public cloud provider for DDoS protection. Although some may consider DDoS protection from a public cloud provider as a good starting point, you’ll definitely need to evaluate a security leader like Radware.
There is a reason so many organizations, enterprises and governments rely on Radware to provide industry-leading IT security to remain safe and operating at optimal levels. Our experts have one goal in mind — keep customers secure by detecting and stopping attacks before they overwhelm their infrastructure. Reach out to them HERE. They would love to hear from you. Protection from DDoS and other attacks is just a click away.