According to the Cloud Security Alliance, the average large enterprise has 946 custom applications deployed. Traditionally, organizations deployed Web Application Firewalls (WAF), which provide visibility and enforce security controls on external traffic that passes through them, at the perimeter to protect these applications against external attacks.
However, WAF-secured container-based applications are likely to be breached, as the concept of a perimeter does not exist in these architectures. A new approach is needed to address both external threats and threats from lateral movement inside the cluster. In a world where successful exploits may be inevitable, relying on a perimeter WAF for application security leaves your entire environment vulnerable unless adequate security tools and policies are implemented at the workload level.
WAF’s Weak Security
Security techniques for traditional container-based application architectures are analogous to medieval castles, where everything important to running an application is consolidated within castle walls. In this analogy, WAF played the role of the wall and gate, only letting in friendly traffic.
WAF provides additional capabilities in these traditional architectures. It actively parses through valid requests and threats and provides alerts when it receives suspicious log requests. These alerts keep the security team apprised of threats on the border. WAF also offers virtual patching capabilities to close off attack vectors for known vulnerabilities. Further, many companies must utilize WAF through various regulatory requirements, making it crucial for maintaining compliance in specific industries.
These capabilities, however, also feed into the downsides of WAF. For example, because WAF sits at the front gate, it requires complex rule-making that causes substantial false positives if implemented improperly. The effort required to tune alert configurations and rule sets to minimize those false positives significantly drains security team resources. WAF also does not prevent threats from malicious insiders, as these attacks circumvent the perimeter and enable easy access into the rest of the unprotected environment. Teams managing security using WAF can therefore be lulled into a false sense of security by assuming their whole architecture is secure just because of their perimeter.
Working Down Into Workloads
As mentioned, the perimeter-based approach to security is no longer efficient. And, when it comes to protecting cloud-native workloads, WAF as the sole security mechanism is not a viable approach.
Cloud-native environments present a challenge because there is no well-defined perimeter to secure. This architecture is built on containerized workloads that are highly ephemeral and communicate extensively with other containers and internet-connected resources outside the environment. These interconnections and elasticity make containerized applications more efficient — and make infiltrations and lateral movement far easier if proper security controls are not in place.
To avoid the shortcomings of WAF for cloud-native architectures, security teams must bring application-layer security down into the workloads themselves. Unlike traditional firewalls that rely on fixed network addresses, workload-based security controls apply security policies as code to ensure consistent, deep, and granular container-level protection across multi-cloud and hybrid environments.
These security controls are provided as declarative policies, ensuring that every workload has the same level of protection regardless of the environment. This approach enables granular visibility into what is happening across an architecture so that rapid mitigation can occur in the event of a compromised asset.
Securing individual workloads also has the advantage of simplifying rule-making and reducing the security team’s burden. To return to our castle analogy, if you do everything at the gate, you’re forced to prepare for countless types of attacks — both known and unknown. However, establishing hardened checkpoints at every street corner will make any army’s advance significantly more difficult. This is the hallmark of a defense-in-depth (layered) strategy that has become a best practice for security practitioners.
Despite even the best efforts, it is always a best practice to assume bad actors will breach your environment at some point. Protecting cloud-native architectures, therefore, requires implementing a zero-trust architecture. In practice, this means allowing specific workloads to communicate with other resources only when and where necessary. Limiting this communication prevents bad actors from gaining a foothold and moving laterally through the environment to compromise additional assets.
Is WAF a Waste?
The increasing complexity of container-based application architectures and attacks requires a new approach to security. Teams relying only on traditional WAF for cloud-native architectures will experience significant problems, but it still has a role. For example, WAF provides effective protection against Distributed Denial of Service (DDoS) attacks. That said, WAF is not dead — it’s just insufficient on its own.
By implementing a defense-in-depth approach to security, teams can utilize WAF where it excels, while complementing it where it needs support. Coupling this layered approach with zero-trust protocols creates a security apparatus that reduces false positives, minimizes the attack surface and increases efficiency across the board. This is the most sustainable solution that will future-proof the environment against known and unknown vulnerabilities to ensure business services remain online and secure.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.