Although some organizations have fully migrated to the cloud today, many have not. They retain some, or even all, of their infrastructure on-prem. This often includes their web security solution.
While there may be some advantages to retaining servers (for sites, apps, and APIs) on-prem, web security is a different matter. Organizations still running their WAF and other security measures on-prem should carefully consider the implications of doing so.
In this article, we’ll discuss:
- The perceived advantages of on-premise web security
- The substantial disadvantages it includes
- A better approach: how to maintain the benefits of on-prem traffic filtering, while avoiding the drawbacks.
Perceived Advantages of On-Premises Web Security
There are a number of reasons why many organizations continue to maintain substantial infrastructure, including their web security solution, on-prem rather than moving to the cloud.
Legacy Hardware and Software
Until recently, on-prem was the default architecture for enterprises. Many organizations still have not migrated to the cloud, either partially or fully, simply to avoid the time and expense required to do so.
Control and Customization
When your organization owns the physical infrastructure, you can control all of its components, who has access to them, and how they operate.
When data is processed and stored completely on-premises, no other entity has access to it (at least in theory), which can make privacy and regulatory compliance easier.
Most third-party cloud security solutions filter traffic in the vendor’s external environment. This means that traffic must be routed there first, and then after processing, continue on to the customer. Many organizations (correctly) perceive this to be a problem, and they would rather avoid this routing latency, so they host their own security solution in their data center.
When a cloud security vendor filters traffic within external infrastructure, it means that private traffic data is being decrypted and processed outside of the customer’s perimeter. Again, many organizations want to avoid this, so they keep their web security on-prem. (This also avoids the additional latency introduced by the vendor’s decryption and re-encryption of the traffic.)
Hybrid architectures (combining on-prem and on-cloud) are common today. Many third-party vendors have difficulty supporting these, so many organizations keep their web security in-house and take care of it themselves.
The Disadvantages of On-Prem Web Security
Despite the benefits listed above, filtering incoming traffic on-premises comes with a significant number of drawbacks. Here are some of them.
On-prem security solutions are usually sold as dedicated appliances, which can be very costly.
Proper management of on-prem IT assets, including security appliances, can require significant technical and financial resources, along with a team that’s skilled in administration, networking, and security.
A physical data center is subject to certain risks. Most of them are not likely to occur (fires, floods, earthquakes, etc.), while others are more likely but can be mitigated (e.g., local power outages can be made irrelevant with backup generators). Nevertheless, they must be anticipated, and appropriate measures taken.
Data Backup & Recovery
Data loss is a significant risk for on-prem IT infrastructure. Backup and recovery measures must be in place and regularly tested (!), which adds to the workload on IT staff and management.
Challenges in Leveraging DevOps
DevOps can be applied to any SDLC—not just cloud-based but on-premises too. However, there are a few challenges when it comes to implementing DevOps on-premises. These include version dependencies among various software packages and operating systems, difficulties in using IaC (infrastructure as code), and difficulties in trying to use immutable infrastructure. And when DevOps can’t be used, neither can DevSecOps. This often means that organizations can’t shift security left in their SDLC.
Most organizations see significant variability in the magnitude of their IT workloads. To accommodate peak demand, staff must purchase and maintain a much larger amount of assets (including web security hardware and software) than is typically required on a day-to-day basis. Many organizations understandably try to save money here; however, this means that later, they can find themselves in situations where their resources are inadequate.
On-prem infrastructure is, by definition, limited. If something happens to affect its availability, many organizations don’t have the ability to shift workloads elsewhere. This can result in downtime, which means lost opportunities and lost revenue.
Today’s threat environment is complex. Maintaining on-prem web security means that IT staff have to create and maintain security policies and rulesets, defend against attacks as they occur, and keep up to date with a constantly evolving threat environment (by monitoring CVE databases, following security professionals on social media, attending live events, checking risk-advisory feeds, etc.). They must also apply hardware and software patches whenever they are issued, and so on.
This can all be very difficult (not to mention time-consuming), and the price of failure is high. An incorrect or incomplete configuration can leave security gaps in the system.
All things considered, when organizations manage their own on-prem security, it can be very difficult to consistently maintain a strong security posture.
Vulnerability to Attack
Ironically, maintaining web security in the same data center as other assets actually introduces a vulnerability to DDoS attacks.
When your traffic filtering occurs in your data center, all the incoming requests (including the malicious ones) must pass through your Internet pipe first. Therefore, when a DDoS occurs, it can overwhelm your upstream ISP. In these situations, the ISP will frequently defend itself by blackholing all the traffic. An unintended, but inevitable, side effect is that your sites and applications become unavailable to web users, which is exactly what the attacker was hoping to achieve.
How to maintain the benefits of on-prem web security, while avoiding the drawbacks
Fortunately, on-prem and on-cloud are not a strict dichotomy. Reblaze offers the benefits of both.
Reblaze is a cloud-native web security platform that can also protect on-prem assets. Incoming requests are filtered in the cloud, before they arrive at the destination environment, whether the protected assets are on-cloud or on-prem.
This preserves the advantages of maintaining web security in your data center:
- There’s no expense to migrate legacy hardware and software to the cloud. Once Reblaze is deployed (which can be done in minutes), a simple DNS change is all that’s required to start routing traffic through Reblaze.
- Control and customization: if desired, you can deploy Reblaze within your own cloud account, and maintain full control over it.
- Compliance: Since Reblaze is deployed in your cloud, you maintain full control over all data processing and storage.
- Performance: Unlike other security solutions, Reblaze filters traffic in your cloud environment, and it can be deployed and geolocated in front of your data center. This avoids the routing latency that other solutions introduce.
- Privacy: Unlike other security solutions, Reblaze does not decrypt any requests outside of your cloud.
- Flexibility: Reblaze supports on-prem, hybrid, single-cloud, and multi-cloud architectures.
And it does all this while also avoiding the disadvantages of on-prem web security:
- Low expense: To use Reblaze, no hardware or software has to be purchased. Web security becomes opex instead of capex.
- Minimal risks and maintenance: Reblaze is fully integrated with, and runs natively on, the top-tier cloud providers. Whether you want web security for AWS, a cloud-native WAF for Azure, or turnkey security for web apps and APIs on Google Cloud Platform, your security solution will run on infrastructure that is maintained for you by the cloud provider, with guarantees for availability and uptime.
- Full management: Reblaze is a fully managed security solution, maintained by a team of security professionals. Along with a robust set of policies and rulesets out of the box, during the onboarding process your Reblaze deployment(s) will also be configured and customized to your unique requirements, with minimal security expertise required from your team. And as new threats emerge, Reblaze is hardened against them automatically, so your web security is always up to date.
- DevOps and DevSecOps: Reblaze supports them both.
- Scalability and redundancy: Reblaze autoscales and responds to changes in incoming traffic as necessary, leveraging the near-infinite resources of the cloud automatically.
- DDoS resilience: Your incoming Internet pipe will be unaffected by even massive volumetric assaults, because Reblaze filters traffic in the cloud.
Reblaze is a comprehensive web security solution, including next-generation web application firewall (WAF), enhanced DDoS protection, advanced bot detection and management, API security, ATO (account takeover) prevention, and much more.