WAF technology needs to adapt now that apps are increasingly distributed

Applications, which are at the core of our digital experiences, continue to be deployed across diverse environments, including private and public clouds, on-premises, in data centres, and at the edge. Similarly, application security technologies are increasingly deployed in different locations from the applications they are serving. They are no longer necessarily tethered to the applications they serve but are deployed in different environments and may support multiple applications.

According to the F5 State of Application Strategy Report 2022, 92% of organisations still deploy some applications on-premises, but only 53% of them host app security technology there. Modern app development, deployment, creation processes, and support services have converged and become modular. They are all critical to the digital experience customers demand.

This digital expansion means an explosion in the number of applications, integrations, and environments, making it increasingly challenging for DevOps, DevSecOps, and SecOps to define and implement a robust multi-cloud expansion and security strategy. A typical organisation can manage between 200 and 1,000 applications—in addition to using several third-party-as-a-Service offerings. Complexity is now the norm:

• Applications are built using many languages in multiple integrated development environments (IDEs).
• Applications are deployed on various infrastructure platforms using different toolsets and deployment modalities across cloud, data centres, containers, microservices, and serverless.

Application deployment standardisation or diversification?

Of course, we can try to standardise as much as practical to minimise complexity. Over time, traditional application development had become slow, inflexible, and unmanageable, unable to address the fast-changing needs of customers while also blurring the lines between application development roles. You could argue that you gain economies of scale using the same IDE for applications because you maintain and build code on a single system. You can also standardise on a common deployment framework, like Ansible and Terraform, or choose to deploy on a single cloud provider. However, the risks of using a single type of infrastructure and ecosystem generally far outweigh the benefits. You risk vendor lock-in, a single point of failure, and an inability to control costs.

In contrast, you can achieve scale and efficiency when you deploy in diverse environments. For example, moving from deploying physical servers to virtual machines to optimise and abstract the underlying hardware dependencies makes it easier and faster to scale compute. Similarly, the benefit of virtual machines is quickly outweighed when you consider containers, a portable piece of virtual compute that is deployable across any infrastructure.

So, why do we accept being tied into infrastructure-specific security when our deployments are very diverse? If you deploy compute in AWS using a mix of virtual machines and containers, you can end up using security tools from AWS and different tools on-premises that are incompatible. Staff are needed to manage each tool, requiring additional resources and training. Also, because our controls are different, can you be sure what the risk exposure is? And if expanding to another cloud provider, you'll need to learn about new tools. Accordingly, it has become table stakes to decouple applications from their web application firewalls (WAFs), with widespread cloud adoption, the emergence of the edge, and the resulting distributed nature of applications. The best deployment location for a given WAF depends not only on where the application is located but also on other factors such as the nature and location of the apps’ users, the nature of the WAF itself, etc.

F5's WAF portfolio

F5’s WAF portfolio, based on its BIG-IP Advanced WAF engine, adapts to the unique requirements of today’s modern applications and deployments. It offers flexible deployment and operational choices to match your organisation’s infrastructure, architecture, application location, and expertise across fully managed, self-service, hybrid SaaS, and web environments, without sacrificing efficacy or risk. Organisations can employ:

1. BIG-IP Advanced WAF, available for on-premises/data centre and public or private cloud (virtual edition) deployment, for robust, high-performance web application and API security with granular, self-managed controls.
2. F5 NGINX App Protect WAF for a lightweight software security solution that provides high-performance, low-latency, and platform-agnostic deployments for modern, microservices-based applications and containers.
3. F5 Distributed Cloud WAF for SaaS-based deployments in a distributed environment that reduces operational overhead with an optional fully managed service.

Overall, these security solutions are best-in-class and continue to be at the leading edge of security innovation to enable organisations to secure all their applications, wherever they are deployed—public or private clouds, on-premises data centres, or at the edge—and regardless of their architectures: monolithic / legacy, microservices, service mesh, or serverless.

As workload deployments proliferate across diverse environments and app architectures, organisations want to be able to enforce consistent security controls across all applications, anywhere. The vision of F5 is a unified suite of market-leading web application firewall tools, enabling organisations to deploy the correct WAF for their use case while sharing policies, telemetry, and insights. This removes the complexity of managing inconsistent and dissimilar security policies and enforcement in heterogeneous and hybrid cloud environments, enabling organisations to neutralise the next generation of bad actors and attacks efficiently. See below for a visual of how it all comes together.