Under Attack?
Search
Menu

How To Achieve Application Protection Behind AWS/Azure CDN

By Ben ZilbermanJune 29, 2021

Isn’t cloud-native application development exciting? You get to design the perfect CI/CD pipeline with all the latest and greatest tools, optimize resource utilization and time-to-release, and eventually show off to your bosses’ productivity as well as savings. Too awesome!

And then comes the security team. Oh no!
But wait, there are many solutions out there to protect cloud-hosted apps. Aren’t there?

Well, why don’t we put things in order?

The Web Application and API Protection market very much belong to cloud-based services. That sounds great too, doesn’t it? Outsource app-sec to experts, bundling it with CDN…. Wait! What?

Why you should rethink using a cloud WAF with a IAAS provider CDN service

  1. Cost – Using both services is not cost-effective. Also, you would be paying twice.
  2. Latency – Local application protection provides for a better user experience. In return, it provides for a better brand image as well as more revenue. There’s no point in sending each incoming HTTP request outside of the VPC for inspection and then back to the application. It eliminates all the above benefits of agile, continuous deployment.
  3. Data Privacy – Most enterprises today prefer keeping confidential data within the environment.

Suppose you are already using AWS CloudFront or Azure CDN services for traffic accessing your application development and delivery environment. In that case, another CDN/WAF service is less likely to fit your needs.

Local security for cloud-hosted applications

To keep enjoying all the benefits mentioned above and optimize your compute costs, service SLA, scalability, and agile development cycles, you’ll have to look another way.

Unfortunately, there aren’t too many technologies that provide complete application and data protection to these environments. Meaning, solutions that do not disrupt the software development lifecycle (physical or virtual web application firewall appliances come with a lot of tuning and overhead labor).
In other words, a solution that can deliver effective security from a broad set of threats as well as the required local installation, auto-scalability, high availability and did I say effective security?

Here’s something to think about. What do most choose when they feel security requirements overcomplicate everything? The easiest selection. However, those coming after your sensitive data know it won’t be easy and are upping their game time after time.  Defenders shouldn’t be discounting themselves either.

[You may also like: How To Secure Applications At-scale From Code to Cloud]

Limitations of IaaS WAF

The easiest selection in our scenario would be the WAF technology provided by the public cloud vendor itself (AWS/Azure/GCP). All it requires is checking a box. However, they are not specialized application security vendors; analysts talk about the security gaps compared to those of market leaders. See below the image from Gartner’s latest “Critical Capabilities for Web Application and API Protection (WAAP), Nov. 2020”, where these offerings get low scores.

Figure 1: Gartner Critical capabilities for WAAP vendor rankings.

So, appliances out, other cloud services (i.e., not local) are out, and IaaS security is also out. Before talking about solutions, one additional aspect must be covered, which is:

The importance of API protection in cloud-native environments

Cloud-native development and delivery practices rely on synchronization and interoperability of multiple components, from orchestration to provisioning to event-driven apps and functions. All those different tools and open-source code, and third-party services (SaaS is a good example) are interconnected by an array of APIs. These APIs transfer sensitive data that requires protection.

However, many organizations can not tell:

  • How many APIs they have
  • Where all the API endpoints are
  • What kind of data they are processing
  • Their level of security

Once this is sorted out with a complete mapping and visibility, they can advance to evaluate detection and mitigation solutions. However, the whole CI/CD lifecycle depends on these APIs. Any introduction of a security solution is very delicate, at least in the eyes of DevOps/DevSecOps, as there are some risks of interruptions and hiccups in the service delivery.

Figure 2: API Security Challenges

[Like this post? Subscribe now to get the latest Radware content in your inbox weekly plus exclusive access to Radware’s Premium Content. ]

To summarize

Local, scalable application protection behind AWS/Azure CDN can be achieved by deploying a solution that provides provisioning, redundancy, and scale while delivering high quality of application security.

Radware Kubernetes WAF provides the #1 Web Application and API Protection solution for cloud-native applications. Learn more about protecting cloud native application development and delivery environments.

Posted in: Application Protection Public Cloud ProtectionTags:

Ben Zilberman

Ben Zilberman is a director of product-marketing, covering application security at Radware. In this role, Ben specializes in web application and API protection, as well as bot management solutions. In parallel, Ben drives some of Radware’s thought leadership and research programs. Ben has over 10 years of diverse experience in the industry, leading marketing programs for network and application security solutions, including firewalls, threat prevention, web security and DDoS protection technologies. Prior to joining Radware, Ben served as a trusted advisor at Check Point Software Technologies, where he led channel partnerships and sales operations. Ben holds a BA in Economics and a MBA from Tel Aviv University.

Related Articles

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Contact Us Now

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

CyberPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

CyberPedia
What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
Close

What are you looking for?