Web Application Firewalls: The TCO Question

Transcription

1 Web Application Firewalls: The TCO Question Ovum looks into total cost of ownership for WAFs Rik Turner

2 Summary Catalyst Ovum has carried out a series of interviews with companies in North America, Europe, and Asia- Pacific (see Methodology) with a view to understanding how the market for web application firewalls (WAFs) is evolving, how wide adoption of the technology is, whether there is a prevalence of onpremise or cloud-based offerings, and what determines companies preferences for either. The survey then went on to pose a series of questions with a view to determining the total cost of ownership (TCO) for on-premise as well as cloud-based WAFs, although this proved difficult. Ovum view Of respondents, 18% have no WAF Application firewalls, of which WAFs are a subset designed specifically to work with the Web, have a long history, dating back to work carried out as long ago as 1991, with the first commercially available application firewall, the Gauntlet, coming to market in Much has changed since that time, of course: the Internet has become a ubiquitous part of doing business around the world, and security exploits against websites are now a daily occurrence. As a result, WAFs have become a key category in their own right. The first data point that jumps out from the survey results is that a significant minority of companies do not have any form of WAF protection. Of respondents, 18% said they had no WAF of any kind in their organization. Because all these companies have websites and Internet connections, this raises the question what form of protection they do have from exploits such as cross-site scripting and SQL injection Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 2

3 What kind of WAF do you have? Source: Ovum They are probably relying on content filtering carried out in other security devices, such as a UTM appliance or a web filtering device. Alternatively, they may simply have no adequate protection from application-layer attacks. Either way, it is clear that application owners need to do more to secure themselves if another year of breaches is to be avoided. Of the companies that are employing WAF technology, the majority, 74% of our respondents, are using on-premise devices, with a further 8% using a cloud-based service. There is considerable variety among on-premise WAFs installed Another interesting aspect of the survey results is that, while there are clear market leaders in the onpremise WAF market, there is considerable variety among the devices in use. The survey asked specifically whether WAFs installed came from F5, Citrix, or Imperva, but all three of these vendors scored only a small percentage of the total, with the vast majority (89% of on-premise respondents) running devices from other manufacturers. Furthermore, in one case, one respondent said it had F5 installed, but then when asked which model, answered Check Point, suggesting some confusion (it has been corrected to be a non-f5 device), while another said they had Imperva, but then added that they also had F5 and Check Point devices in their infrastructure. Meanwhile, alongside these names, were quite a lot of Cisco and Sonicwall devices, as well as ones from Cyberoam, Fortinet, and Check Point Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 3

4 Who is your on-premise WAF provider? Source: Ovum 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 4

5 WAFs and NGFWs are often conflated in customers minds Not all these names are actually associated with WAF technology, and some of them are vendors of so-called next-generation firewalls (NGFWs). A further conclusion from a number of the responses to the questions about vendors and models is that there is a reasonable degree of confusion regarding what constitutes a WAF and how it differs from an NGFW. An NGFW is an evolution of the conventional network firewall, which performs stateful packet inspection. The enhancements that justify the next-generation epithet tend to fall into the category of application awareness (the ability to inspect traffic at Layer 7 of the OSI model). WAFs, like all application firewalls, have the same capability. However, whereas NGFWs application-aware functionality focuses on securing and/or restricting internal clients when accessing the Internet, they do not secure internal web applications from external threats such as cross-site scripting (XSS), cross-site request forgery (XSRF or CSRF), URL access, or SQL injection. This is the preserve of the WAF, and WAFs and NGFWs are therefore distinct and discrete types of functionality. The survey reveals a tendency to conflate and even confuse the two, which is further evidence of the need for a different attitude to web application security. A greater understanding of web application threats, and therefore of the need to implement WAF technology, is urgently required in In its most recent ranking of the top 10 web threats, ranked both by frequency and severity (for 2013), the Open Web Application Security Project (OWASP) rated injection flaws at number 1, XSS at number 3, and XSRF at number Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 5

6 Capabilities of NGFW and WAF XSS = Cross-site scripting XSRF = Cross-sire request forgery Source: Ovum Incumbency is an issue when companies consider switching to cloud-based WAF While 8% of respondents said they were taking a cloud-based WAF service rather than running an onpremise device, a further 9% that do have on-premise said they had considered a cloud-based service offering. Asked why they had opted instead for on-premise, one answered that their organization had done so to have a better control over things, without specifying the particular controls to which this referred. Another group (4% of total respondents) said they already had an onpremise device when they looked at a cloud service. They therefore decided to stick with it, either because they still needed to amortize their investment, or because they felt more comfortable with what they already knew. These answers represent a challenge to providers of cloud-based WAF, which need to demonstrate not only that their services can give customers an equivalent level of control to what on-premise devices can deliver, but also that there can be commercial advantages to switching to them, even if a customer is currently running an on-premise device and has yet to fully depreciate its cost Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 6

7 TCO is simpler to calculate, and frequently lower, for cloud The survey also set out for insight into the total cost of ownership (TCO) of a WAF, be it on-premise or in the cloud. We asked those with on-premise devices what they are paying (generally calculated on a monthly basis for a pre-agreed volume of throughput), as well as what they are paying for maintenance. There was a variety of answers to the question regarding how many WAF boxes those with on-premise solutions were running, ranging from one all the way to 17, but because all respondents are paying on a per-month basis for a given level of throughput, Ovum did not factor these answers into any calculations. For those running on-premise devices, the survey asked whether a load-balancing capability was included in the purchase price, since clearly, if it wasn t, it would bring the overall price down but would mean that the customer would probably need to make other arrangements for load balancing, with the concomitant extra cost that that would imply. Just over half of those with on-premise WAFs said they did buy load balancing as part of the package. The survey also asked whether they employ a full-time member of staff dedicated to managing the WAF, updating its rules, and so on. If they did, we further asked them how much they are paying that person, because this must also be factored into the TCO calculation. Another question for the on-premise WAF customers was what their policy was regarding depreciation of the asset, and over what time period they carried out the depreciation in their financial reporting. The answers here varied considerably, from three months at one end of the spectrum to seven years at the other, but most respondents depreciate over somewhere between two and five years. For cloud-based WAF users, we asked what they were paying monthly for the service, as well as the questions about a staffer dedicated to WAF management. Monthly salaries varied greatly from one country to another, but the average across all those who answered (36% of respondents) was $3,382 a month. Calculating an average TCO proved challenging. On the on-premise side, very few of the respondents knew both the monthly throughput and the monetary consideration their company was paying for it, making it hard to compare them, or to come up with an average figure. For those that did know both figures, Ovum calculated an average cost of $3,754 for a throughput of 2.25Gbps. Not surprisingly, the monthly remuneration at the companies that had a full-time employee looking after their WAF also varied hugely. At one extreme, an Indian company said it was paying its staffer just over $160 a month on a WAF handling an undisclosed volume of traffic. At the other, a German respondent is paying someone 5,000 a month on a WAF handling some 4Mbps of traffic. Turning to the respondents with cloud-based WAFs, they all said they have a staff member dedicated to managing the service. While half of them declined to reveal the salary involved, Ovum calculated an average for those that did reply of $6,019 a month. What all the cloud-based respondents have in common is that they do not pay their WAF provider for maintenance, which among the on-premise WAF users varied from $100 a month to $2,500 a month, with both these respondents based in the US Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 7

8 The cost of on-premise and cloud-based WAF Source: Ovum and industry sources Appendix Methodology Ovum conducted 50 interviews with IT decision-makers across North America, Europe, and Asia- Pacific. The survey was run in December 2014 via a telephone interview methodology. Of the 300 respondents approached, 50 qualified to be interviewed. Qualification criteria was based on a representative spread of geography and industry. Geographically, the interviews were split 20 North America, 20 Europe, and 10 Asia-Pacific. While no industry quotas were imposed, no single sector accounts for more than 20% of the total number of respondents. Author Rik Turner, Senior Analyst, Infrastructure Solutions [email protected] 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 8

9 Ovum Consulting We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum s consulting team may be able to help you. For more information about Ovum s consulting capabilities, please contact us directly at [email protected]. Copyright notice and disclaimer The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited. Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard - readers assume full responsibility and risk accordingly for their use of such information and content. Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 9

10 CONTACT US INTERNATIONAL OFFICES Beijing Dubai Hong Kong Hyderabad Johannesburg London Melbourne New York San Francisco Sao Paulo Tokyo 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 10