Building Agile Edge Security Services
By Richard Yew, Senior Product Manager – Security Solutions
Cybersecurity is on the minds of many web content creators and commerce companies nowadays. With each new story about yet another security breach or massive outage from attacks, the hazards of delivering content online seem ever more pervasive. Most content delivery network (CDN) providers claim that their security systems are more than up to the task of protecting sensitive information on customers’ servers and ensuring uptime of their online businesses. However, delivering truly top-flight security requires more than just a strong Web Application Firewall (WAF) and DDoS protection. It requires something much rarer: the agility to respond to threats and implement security updates quickly. Here are three ways to enhance the effectiveness of the edge security services:
1. Speed up deployment
One of the key components of an edge security ecosystem is WAF. WAF acts like a giant filter that detects and defends against any perceived threat, including malicious bots and code injections using predetermined rulesets. The effectiveness of a WAF ruleset is determined by how good they are at identifying bad requests without unintentionally blocking legitimate users that run afoul of rules for innocent reasons – a.k.a. false positives that reveal flaws in the security system and potentially cause denial of service or outages for legitimate users.
While false positives are rare, when they are identified, web content operators need to quickly deploy any necessary changes to the security rulesets to ensure minimal impact to legitimate users. However, it could take some CDN providers up to 45 minutes to release security changes across their networks. By that time, users impacted by false positives may have already written some angry tweets or negative online reviews, damaging the company’s brand image. These sorts of outages also have financial impacts: on a high-volume sales day like Black Friday, a company might lose thousands of dollars in revenue per minute while the rulesets went uncorrected. A best-in-class edge security solutions, by contrast, should deploy such updates in fewer than five minutes, correcting false positives without excessive downtime for users.
2. Security without sacrificing performance
In addition to swift deployment, an agile security service should offer rich defense mechanisms without sacrificing performance. Many large CDN security providers blindly run all of their customers’ traffic through a series of complex security rulesets, potentially creating additional latency and server overhead. A smarter solution is to only run the traffic destined for the origin server (non-cacheable or cache-miss content) through advanced security rulesets to ensure maximum protection of mission-critical data, while taking advantage of the massive CDN capacity for cacheable/static content to maximize performance.
Caching more contents on a CDN makes you less vulnerable to downtime from a DDoS attack. It also makes the cached content less susceptible to application layer attacks, since these hacking attempts will not reach the origin servers. Protecting the origin against security breaches, ensuring origin uptime and maximizing the availability of customer web services to users are what matters most for an edge security service. Running security rulesets only on request that cannot be served from cache helps to achieve that without impacting performance, an important consideration since performance is the main reason for using a CDN in the first place.
3. Accelerate ruleset updates without downtime
Threat landscapes are constantly evolving, so it’s important for web content operators to be able to constantly keep security rulesets updated. When it is time for a WAF ruleset update, some CDN providers put their customers between a rock and a hard place. Here’s a paradox the security operators commonly face: Will the new ruleset, which is supposed to make the origin more resilient unleash a flood of false positives, causing severe outages? There are only two ways to tell.
The first option is for customers to switch their current WAF rulesets to non-blocking mode, replace them with the new ruleset, then keep running that ruleset in non-blocking mode for a brief period of time. This avoids false positives, but also leaves the app or website vulnerable to attacks. Alternatively, they can pay their CDN providers to create a custom version of each new rule and run it alongside their production (blocking) rulesets, which can be costly in both money and time.
Best-in-class CDN security can help customers avoid this dilemma by giving them the option to run two different WAF rulesets in parallel. The first ruleset can be configured to block suspicious activity like normal, while the second only logs such activity, keeping track of the attacks it would block if it were activated. Using the second parallel ruleset, customers can enable and perform quality assurance on a new ruleset without worrying about causing outages from false positives or leaving a security gap from having to put the production ruleset in non-blocking mode. This allows seamless transition between old and new rulesets without the risk of outages or increasing the system’s vulnerability – a key differentiator for best-in-class CDN security.
A good CDN security service can also help users speed up the update process by providing both a portal user interface (UI) and an application programming interface (API) where customers can update rulesets in bulk.
For commerce companies, financial and public service providers, OTT content creators and other CDN customers, every moment counts when their network experiences security incidents. An agile CDN security system helps minimize lost revenue, preserve brand identity and improve the overall speed and performance of web applications. Trust us; we’re worth the investment.