Security Oct 21, 2022

Why a Web Application Firewall (WAF) is a critical defence layer against web-based attacks

We know this first-hand. Only recently, we carried out an experiment in our labs where we set up a website and monitored what happened.

Almost immediately, a steady stream of untargeted attacks poured in – and this is what your website’s up against.

Plus, like so many organisations, you’re probably moving your applications and workloads to the cloud right now. This definitely changes the risks, and can even increase them.

How confident are you that your websites are secure in the cloud?  

Take your security assessment back to basics

First of all, consider your priorities. Most security professionals will have heard of the ‘CIA triad’, and will be using it to guide their information security policy. The key principles are:

  • confidentiality - protecting sensitive information from unauthorised access
  • integrity - preserving information so that it can’t be altered by anyone unauthorised
  • availability - making sure information is always available to authorised parties such as employees or customers.

Different organisations will have different orders of priority. For example, availability may well be key if your website is business critical and you rely on it for transactions or for hosting essential applications. Alternatively, if your biggest threat is compromised or lost sensitive data, then confidentiality is the most critical. And for others, integrity comes first: everything else is secondary to protecting data from unauthorised change.

Imagine what would happen if you couldn’t collaborate with partners, customers and suppliers. Or if a breach of PCI-DSS compliance meant you couldn’t take payments any more. Or if you lost customers because they didn’t trust you with their information.

How do you prevent this?

Layer your security using WAFs

Web application development teams primarily focus on making sure the current release of an application is secure. This leaves a gap when a critical vulnerability is suddenly disclosed in the in-house software or in an external component it depends on.

The software would have to be rebuilt, and this can take days, weeks or even months.

In the meantime, you need to decide whether you’re going to run the risk and carry on operating or take down an application and lose the functionality.

A Web Application Firewall (WAF) placed in front of your website can detect and block both known and unknown threats, protecting applications that are already live: it is an extra layer of defence. A WAF combines up-to-the-minute threat signatures with machine learning to flag behaviour that looks like an attack but matches no known signature. It gives you control over how traffic reaches your applications and stops application-layer attacks before they turn into breaches.
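To make the "known and unknown threats" split concrete, here is a small added example (not BT's product or any vendor's code) of the inspection logic a WAF applies to each request: signature rules for known patterns, including a constructed "virtual patch" rule that fences off a hypothetical `/api/export` endpoint until the code fix ships, followed by two cheap anomaly heuristics standing in for the machine-learning stage. Rule patterns, thresholds, endpoint names and source addresses are all assumptions constructed for the example.

```python
"""Minimal WAF-style request inspector: signature rules plus a simple anomaly
score. Stand-in for a product: real WAFs use vendor signature feeds and ML."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed signature rules (not a vendor feed). The last rule is a 'virtual
# patch': it allowlists one hypothetical endpoint's parameter until the fix ships.
SIGNATURES = [
    ("traversal",      re.compile(r"(\.\./|\.\.\\)")),
    ("html_injection", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("vpatch_export",  re.compile(r"^/api/export\?.*\bformat=(?!csv\b|json\b)")),
]
ANOMALY_THRESHOLD = 0.35          # max fraction of unusual punctuation; assumption
RATE_WINDOW, RATE_LIMIT = 10.0, 20  # seconds, requests per source per window; assumption

@dataclass
class Verdict:
    allowed: bool
    reason: str
    source: str   # kept so blocked requests can be reported by origin

@dataclass
class Inspector:
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def inspect(self, source: str, target: str, now: float) -> Verdict:
        decoded = unquote_plus(target)   # match on the decoded form, not raw bytes
        # 1. Known threats: signature match on the decoded request line.
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                return Verdict(False, f"signature:{name}", source)
        # 2. Unknown threats: cheap heuristics where an ML model would sit.
        punct = sum(1 for c in decoded if not c.isalnum() and c not in "/?=&.-_ ")
        if decoded and punct / len(decoded) > ANOMALY_THRESHOLD:
            return Verdict(False, "anomaly:punctuation_ratio", source)
        window = self.history[source]          # sliding window of request times
        window.append(now)
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) > RATE_LIMIT:
            return Verdict(False, "anomaly:request_rate", source)
        return Verdict(True, "allowed", source)
```

Because every verdict carries the source address and the rule that fired, the same records give the "where attacks appear to be coming from" view discussed later on this page.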

WAF protects availability

Some organisations worry that putting something around their website that could restrict access to their core business could break or stop that very business. They wonder if their application availability could be adversely affected by a security misconfiguration, reduced web speed or a lack of global availability.

Fortunately, the strong cloud focus and technical expertise of today’s security vendors neutralises these concerns – and brings additional benefits.

A cloud WAF typically offers global availability and content caching, so you get complete coverage from one vendor. It’s a flexible solution, with elastic scaling, a pay-as-you-use OpEx set-up and a SaaS shared service model. You can also choose between a self-service option or consuming it as part of a managed security service overlay. Plus, importantly, it separates security duties from the remit of website developers.

If you choose an on-premises WAF deployment, you could also benefit from lower latency and enjoy full control over your data at rest. Your event logs can stay on site or be stored in BT data centres in the UK.

Greater security visibility

The clear result of putting a cloud WAF in place is greater security and peace of mind. It’s a fast way to get protection from newly disclosed vulnerabilities without any disruption to your applications, as well as protection from vulnerabilities in your own bespoke code.

You’ll be able to see where attacks against you appear to be coming from, boosting your security visibility. And a cloud WAF will generally improve your security compliance, too. For example, WAF is specifically mentioned in the PCI-DSS compliance standards.

Potentially, you’ll see improvements in performance, because WAF vendors can cache your content at locations across the globe, serving it from a point closer to each user.

Start protecting your web applications

Our managed WAF solution protects against the top 10 security risks, application-layer DoS and zero-day attacks. It uses AI-based, dual-layer machine learning engines, enabling you to deploy and access internal and external web applications without overburdening security teams.

It keeps your applications available and increases compliance with critical security standards.