Why a traditional Web application firewall will not work
In a cloud, the infrastructure and the services are shared between customers, meaning one set of hardware is used by many business, organizations and even individuals. Each of these cloud operator customers adds a unique layer of policy settings, use-cases and administrative enforcement requirements. For the cloud or service provider, security quickly becomes very complex. The average provider may have 10,000 customers subscribing to its service, each with varied policy settings for individual divisions within the company. The service provider now has to manage an nth degree of application filter settings.
Currently, web application firewalls (WAF) and other security solutions are restricted to hardware appliances, which creates a serious bottleneck for cloud service providers. Dedicated hardware boxes simply don't allow for reasonably scalable levels of multiple administrators duties within a box’s singular security policy mechanism. Ironically, in addition to the traditional network hardware, cloud service providers are forced to have a rack full of dedicated WAF machines – one per customer – that take up space and eat up resources. Security becomes counter to the efficiency promises of a fully virtualized environment. This cost is passed on to customers, increasing adoption barriers to mainstream cloud computing.
In an ideal world, applications would be designed from the ground up to meet the rigors of a virtualized world, integrating security measures directly into the applications and thus solving a core problem with current cloud computing. Until the industry reaches this ideal), traditional web application firewall boxes are preventing the industry from reaching the full potential of a cloud computing.
Defining the distributed Web application firewall (dWAF) for cloud protection
Web application security in a cloud has to be scalable, flexible, virtual and easy to manage. A WAF must escape hardware limitations and be able to dynamically scale across CPU, computer, server rack and datacenter boundaries, customized to the demands of individual customers. Resource consumption of this new distributed WAF must be minimal and remain tied to detection / prevention use instances rather than consuming increasingly high levels of CPU resources. Clouds come in all sizes and shapes, so WAFs must as well.
The dWAF must be able to live in a wide variety of components to be effective without adding undue complexity for cloud service providers. Today’s providers are using a variety of traditional and virtual technologies to operate their clouds, so the ideal dWAF should accommodate this mixed environment and be available as a virtual software appliance, a plug-in, SaaS or be able to integrate with existing hardware. Flexibility with minimal disruption to the existing network is central.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.