As usual, RSA is the time of year companies choose for major announcements. Following the general computing trend, this year's WAF announcements focus on cloud computing:
- Art of Defense, a WAF vendor from Germany, has launched its SaaS WAF solution, which targets mostly service providers and SaaS vendors.
- Savvis, a web hosting company turning into a cloud services company, has added a WAF-in-the-cloud offering based on Imperva SecureSphere WAF.
- SecureWorks, a managed security services provider, announced full management for Imperva SecureSphere and monitoring for other WAFs.
Two challenges facing WAFs in the cloud are bandwidth and complexity.
Bandwidth
A pure WAF in the cloud service would require double the bandwidth, as traffic has to go from the client to the WAF and then again over public infrastructure to the web server. For very small web sites this is not an issue, but for medium and large sites it presents a problem, as it increases latency and bandwidth cost.
The three announcements present three different solutions to this issue. Art of Defense builds its own delivery infrastructure around the world, aiming to ensure short routes even when traffic has to go through the WAF. While this is a novel idea, we feel that such a service requires serious infrastructure investment and is more suitable for existing cloud delivery players such as Akamai. Savvis is probably going to focus on its hosting clients, eliminating the second leg the traffic has to travel, while SecureWorks keeps the enforcement point at the organization and moves only management to the cloud.
Complexity
Implementing a WAF has become easier in recent years, but it is still not a plug-and-play experience. Moreover, it requires the involvement of different groups in the organization beyond the security group. This presents a challenge to cloud-based solutions, whose value lies in simple implementation. The three vendors announcing this week all cover this issue by providing a complementary service offering. However, they are also willing to provide the system "as is". For example, Art of Defense offers an "entry level" solution which is essentially signature based. This level of service poses a risk to the WAF market, as it essentially turns a WAF into a web-specific IPS. You can read more about the difference in our article about WAF alternatives.
Other RSA WAF Announcements
Non-cloud WAF announcements this week include:
- NEC said it will start selling its own WAF in the US shortly.
- Silver Tail, an intriguing start-up which develops a logic layer WAF focusing on fraud detection, announced a funding round.
We will cover those very interesting non-cloud announcements in upcoming posts.