“The Times They Are a Changin’”, Bob Dylan knew it in 1964 and what was true then is even move true today. There continues to be ongoing debate on web application firewalls (WAFs), specifically which is better for the enterprise—on-premises solutions or those in the ever-changing cloud.
When searching for a WAF for your business, you will find dozens of products to select from. As you evaluate your options, one of the key decisions you will need to make is whether to select a cloud or on-premises solution. However, don’t consider this an “either-or” decision. It’s not necessarily a matter of choosing only one—cloud or on-prem. In many cases, it makes sense to utilize both in a hybrid deployment.
In this post we’ll share the benefits of a hybrid WAF deployment and review the advantages and disadvantages of both cloud and on-prem WAFs.
Typically, as part of their transition to the cloud we see customers move workloads to the cloud over time, or move only specific workloads to the cloud and leave others on-prem. In this case you need adequate app security in both locations and a hybrid WAF deployment is best.
To eliminate the threat closest to the threat origin, deploying a cloud-based WAF at the edges of your network and regionally to clean and scrub connections prior to entering your network makes sense. This ensures bad actors and cyber threats are eliminated before they breach your outer perimeter. The added benefit includes reducing threat-related network traffic that may negatively impact your network while additionally driving down network related expenses. Your on-premises WAF then processes and focuses on more complex business related and internal threats.
When moving to the cloud, flexible licensing is important. Trying to estimate exactly the right amount of app protection you’ll need in the cloud versus on-prem at any one time can be challenging – and potentially expensive as you might over-invest out of caution. Look for a single license that offers you the ability to deploy products how, when and where you need them. Imperva FlexProtect lets customers move applications among Imperva on-prem and cloud solutions without incurring additional costs.
The fundamental difference between the two options is how they’re deployed. An on-prem WAF runs either in your data center, or potentially as a virtual machine within your infrastructure-as-a-service (IaaS) cloud presence—and is then managed by your internal technical staff, accessed through LAN and VPN when outside the local area network. A cloud WAF is provided as software as a service (SaaS) and accessed through a web interface or mobile app.
Let’s review how they compare on a number of key factors.
With a cloud WAF, complexities and cost of capacity planning are fully managed by your cloud provider, but with an on-premises solution you’re responsible for these activities. This usually means that on-premises solutions are more expensive in terms of hardware, maintenance and administration. But not always. In some cases, depending upon data center topology and amount of app traffic, on-prem can be less expensive.
Here are a few things to consider when it comes to infrastructure:
Hardware: With an on-prem WAF, purchasing hardware to support peak traffic calculations commonly results in excess security capacity. The other side of the equation is no better. If you get capacity planning wrong and your solution can’t handle the traffic most WAF solutions are designed to “fail open” (WAF fails and allows all traffic good and bad through) which then leaves your organization exposed. At a minimum you will need to consider the following expenses:
Maintenance: Updates within cloud environments tend to occur more regularly than on-prem due in large part to the service provider needing to align to a common maintenance schedule, resource availability and solution standards. Additionally, with an on-prem WAF your in-house technical team is responsible for making timely updates to the WAF, whereas updates to a cloud WAF solution are completely managed by the cloud provider.
> A cloud WAF replaces the upfront and ongoing costs associated with maintaining an on-premises system, with simple usage-based and pay as you go pricing. You pay a regular fee based on the bandwidth utilized.
Cloud-based solutions were designed to leverage efficiency via scalability. Cloud WAFs have compute capacity that far exceeds any on-premises solution, so functionality like bot detection, account take over and fraud prevention become far more effective. Consider six months down the road your capacity needs to double. With a cloud WAF it’s literally point and click on demand. With an on-prem WAF it requires hardware procurement, installation and configuration.
> The ability to scale seamlessly and without consideration of additional hardware and infrastructure changes i*s* key to cloud offerings.
Cloud WAF solutions are generally priced as a monthly or annual subscription, with additional cost for training and support. The advantage of this pricing model is your expenditure can be categorized as OPEX instead of CAPEX. There’s minimal initial investment and it’s easy to forecast. You avoid hardware and unforeseen maintenance costs. All the hardware, backups and maintenance are managed by the vendor.
Traditional, appliance-based on-prem WAF licensing usually at a minimum a one-time investment for the license (perpetual license), which is usually based on appliance capacity and/or throughput. Generally, on-prem WAF solutions will be CAPEX. You will also need to identify an implementation partner and account for those implementation costs.
Again, if you’re looking at a hybrid WAF deployment, you might want to consider a flexible, subscription-based licensing model that spans both on-prem and cloud deployments.
Typically cloud-based WAF implementations are considerably faster than on-prem WAF solutions. The average time for cloud deployment will be calculated in weeks whereas on-premises WAF implementation can take weeks or months depending on the company size, number of users, locations, and required customizations.
Maintaining data security is critical regardless of which option you go with. With a cloud WAF, software is hosted within highly secured data centers and the cloud services provider is responsible for data security.
An on-prem WAF is only as good as the company’s ability to secure access to that data. Within many organizations data security is not their primary focus which in turn creates data vulnerabilities, exposure and increased risk. The server and software are installed locally on the company’s premises, access can be closely monitored and controlled as long as data security and physical security is taken seriously and reviewed regularly.
Cloud WAF solutions come with standard features, such as DDoS protection, content delivery acceleration (CDN), load balancing, APIs, application delivery rules and standard rule sets. Minimal customization is possible because as a customer you will have less access to the source code. However, most enterprise-level on-prem WAF providers will offer access to deep policy development and delivery rules to customize your experience effectively. They give customers the ability to control behavior at a granular level.
On-prem WAF solutions tend to be more customizable, allowing you to customize the interaction between the applications and the WAF at a more detailed level. For instance, let’s say you have built special functionality on top of your HR system to extract data, compile that data, enrich it and then move it for later consumption. This custom internal process falls outside of the “typical” product behavior. On-prem solutions are going to be able to drill down and have the flexibility to capture this new process easily. The cloud WAF solution may have difficulty as the products don’t typically allow for unique process development.
Both on-prem and cloud WAFs have their own advantages and disadvantages, which often drive the decision for a hybrid WAF deployment. Selecting the right deployment for your organization’s architecture is dependent on your company’s management and stakeholder preferences, security policy and priorities, budget, and vision.
For more information on WAF requirements and solutions, download Gartner’s 2017 Magic Quadrant for Web Application Firewalls.