The On-Prem WAF is Dead. Long Live the Cloud WAF


For ages, web application firewalls (WAFs) have been synonymous with application protection. For many application security teams, the best option to protect their applications — especially if they are deployed on-prem (or in their private cloud) — is a top-notch WAF solution. But the environment in which applications are developed, deployed and used has radically changed since the WAF was introduced. It’s about time we take a deep look into application environment changes and examine whether a WAF is the best solution for protecting applications. 

What’s Leading To The Death Of The On-Prem WAF — Today’s Application Threat Landscape

According to Radware’s threat analysis hub, in 2022 there was a year-over-year (YOY) increase of 392% in the number of blocked malicious events by Radware’s Cloud WAF service. In the same period, there was a 105% increase in bad bot transactions. And over 50% of organizations reported that they experienced multiple vectors of attacks and at a higher frequency (see below).

It’s clear that protecting applications requires different solutions to cover all attack vectors, including WAFs (protecting application vulnerabilities), API protection, bot management and DDoS protection (with layer 7 DDoS protection abilities). It’s important to note that these solutions are only as good as the application protection experts managing them.

In 2022 alone, we saw an array of organizations subject to application-level attacks. It can be assumed that many of the organizations, like large service providers, big e-commerce brands and large software vendors, have top-notch application protection solutions in place. Still, it is clear that attack sophistication is on the rise and challenging CISO teams, regardless of industry or the size of the organization.

Other Issues and Events Leading to the On-Prem WAF’s Demise

Application Development And Deployment

Historically, applications were monolithic and deployed only in private data centers. Today, they are deployed across multiple environments — traditional data centers, the cloud (public or private), or both. The application architectures are certainly changing, as well. For decades, the majority were based on a single, monolithic application code base. Today, applications use microservices architectures with many integrated 3rd party services that rely extensively on APIs to communicate between the microservices and 3rd party services. Also, many applications rely on running code in the client-side browser, which makes clients’ devices part of the application.

With this evolving architecture, protecting applications requires a different approach than simply relying on a traditional on-prem WAF, even if it can be deployed throughout an organization’s cloud environment(s).

Shortage In Security Experts And Skills

The recent 2022 (ISC) Cybersecurity Workforce Study & Survey by Gaper ISSA/ESG showed that 70% of organizations are facing skills shortages in their cybersecurity teams. One of the reasons for the shortage is that there is a high burnout rate in existing teams due to heavy workloads. The same survey revealed that there are over 3 million open cybersecurity positions worldwide (400,000 openings in the United States alone).

Challenges And Requirements In Managing Application Protection

Given the above, you’ve probably gathered that you must carefully consider whether a self-managed on-prem WAF can provide adequate application protection. To help you evaluate, consider the following challenges facing an on-prem WAF given today’s application and threat landscapes.

Management overhead: With an increasing number of applications to protect — and considering that they are deployed in more environments than ever — the management overhead of protecting them is becoming nothing short of impossible.

Shortage in cyber experts: With the growth of threat vectors and the increase in attack sophistication, the level of expertise required to manage all aspects of cyber security has grown exponentially. Here’s the thing: the number of application protection experts can’t keep up. This has created tremendous challenges for many organizations that need to protect their applications and architectures.

Quality of protection: A WAF is only as good as the security policies with which it is configured. An on-prem WAF only generates security policies based on the local application it protects; this can be extremely limiting. Also, optimizing and maximizing protection while covering bot and API domains requires ML/AI-based algorithms that aren’t available with on-prem WAF devices.

Protecting all application surfaces: As application architectures change, protecting just one environment (the application server) isn’t enough. The new application architecture introduces many locations through which it can be accessed, all needing protection (e.g., server, cloud, 3rd party APIs and the client). Old school, on-prem WAFs can’t provide protection for all these application access points.

Agility and scalability: Rolling out a new application service is a labor-intensive task. Ensuring that service doesn’t break the application (and yet effectively protects it) consumes even more resources. This impacts an organization’s overall agility. Remember, application protection is a compute-intensive function; scaling it poses additional challenges that limit agility.

Conclusion — the On-Prem WAF Eulogy

Hopefully, it’s now evident that protecting applications with a self-managed on-prem WAF is no longer a valid option. The management overhead associated with it, when combined with global shortages of cyber security experts, has created bottlenecks that are simply unacceptable, not to mention they compromise application protection and security. With today’s rapidly evolving application architecture, on-prem WAFs are simply incapable of providing a single, consistent solution for securing applications, regardless of the environment in which they are deployed.

It’s why Radware’s Cloud WAF Service needs to be a part of your application protection arsenal. And don’t hesitate to contact Radware’s talented and tenured cybersecurity professionals. They combine expertise and years of empirical experience keeping customers safe and their applications protected. Reach out to them here. They would love to hear from you.

If you’ll be attending the RSA Conference in San Francisco on April 24-27, make sure to stop by the Radware booth (#2139). Meet with our team of experts and take your cybersecurity to the next level. Better yet, you can set up an appointment with them here.

Yaron Azerual

Yaron Azerual is a senior product marketing manager at Radware, bringing 27 years of engineering, product management and product marketing experience from large corporations such as Lucent and Avaya, as well as from smaller companies and startups such as Alvarion and Wavion. Yaron brings a deep understanding of both the development aspects of communication and security products and the customer challenges those products should solve. He holds a bachelor's in electrical engineering from Tel Aviv University.
