A common misconception that we see a lot in the marketplace is that hybrid DDoS protection, a combination of on premise and cloud DDoS protection, is prohibitively expensive and difficult to manage.
That’s simply not the case.
And it’s certainly not true for the segment of the market seeking “always-on” protection. Before getting too deep into the specifics, let’s reestablish some basic points about hybrid protection.
It’s essentially a unanimous decision on the part of industry analysts that hybrid protection provides the most complete DDoS solutions for protection from today’s complex cyber-attacks. Since Radware introduced the hybrid model in 2012, we have seen an endless wave of competitors implement their flavor of hybrid, some more true to the concept than others. We still maintain a significant lead on others in terms of delivering a single-vendor hybrid solution, but that’s a blog post for another day.
The major benefits of hybrid DDoS protection, detailed more fully in our recent eBook, include:
- Full, always-on mitigation of ALL attack types; not limited to volumetric and/or what’s detected by Netflow
- Avoids peace-time latency issues inherent in always-on cloud models
- Avoids collateral damage risks of always-on cloud models
- Eliminates burden on the customer for attack detection and traffic redirection
- Speeds time to mitigate and effectiveness of mitigation when volumetric attacks are swung to the cloud
So, this assumption that hybrid solutions are expensive?
Certainly, providers of cloud-only solutions have a vested interest in promulgating this misperception. But in my experience it generally boils down to a lack of research on the part of the buyer. Obviously, the price point for various on premise products is going to vary significantly. That’s not only true when you’re talking vendor-to-vendor, but also model-to-model. Some on premise devices are made to handle extremely high traffic throughput and attack mitigation throughput, and are built largely for large network operators, carriers, etc. However, if you’re working with a provider that offers a wide range of on premise options and flexibility in terms of licensing for clean traffic models or attack models, a very reasonably priced on premise device that can deliver the above benefits is within reach for most.
Another concern often heard from prospects looking at different options is the management of the on premise component of the hybrid DDoS solution. A terrible misconception I’ve run into (including from some analysts) is that managing any on premise device requires someone on the security or network operations team to keep up with the highly dynamic and constantly evolving attack landscape. Again, the level of manual intervention required for effective protection from on premise devices varies from vendor-to-vendor. At Radware, we strongly encourage prospects to look deeply at the automation capabilities of the solutions they explore so they can see this wide variance first hand. It is an accurate statement by analysts that most operations teams will struggle to maintain the more manual solutions on the market. But the automation capabilities of many, such as Radware’s Real-Time Signature technology that provides automated protection from zero-day attacks, largely remove the management responsibilities for these devices.
And finally, for an increasing number of customers the best option is to go with a fully managed service to manage the on premise along with cloud-based elements of the hybrid solution. A growing number of vendors are introducing a fully managed service options around their DDoS solutions. Obviously, the cloud-based component is going to be a managed service. But the management of the on premise device is also an option, often at a price much more effective that putting a percentage of someone’s time against the management. When exploring the managed services options out there, prospects should carefully consider the depth of security and DDoS threat management experience held by the team doing the device management.