The cloud web application and API protection market is growing rapidly. This Magic Quadrant will help you identify cloud WAAP providers that offer easy-to-use controls and specialized protections against advanced bots and evolving API attacks.

Strategic Planning Assumptions

By 2024, 70% of organizations implementing multicloud strategies for web applications in production environments will favor cloud web application and API protection platform (WAAP) services over WAAP appliances and IaaS-native WAAP.

By 2026, 40% of organizations will select a WAAP provider on the basis of its advanced API protections and web application security features — up from less than 15% in 2022.

By 2026, more than 40% of organizations with consumer-facing applications that initially relied only on a WAAP for bot mitigation will seek additional anomaly detection technology from specialized providers — up from less than 10% in 2022.

Market Definition/Description

Cloud web application and API protection platforms (WAAPs) mitigate a broad range of runtime attacks, notably the Open Web Application Security Project (OWASP) top 10 for web application threats, automated threats and specialized attacks on APIs. Cloud WAAPs are cloud-delivered services that primarily protect public-facing web applications and APIs.

Core capabilities of cloud WAAPs include:

• Web application firewall (WAF): A WAF combines positive security models, signatures, heuristics and anomaly detection to detect and prevent exploitation of application vulnerabilities.
• Distributed denial-of-service (DDoS) protection: This can mitigate volumetric and “low and slow” attacks by offering sufficient bandwidth, rate limits and anomaly detection. It also offers distributed points of presence (POPs) to mitigate attacks closer to their sources.
• Bot management: This detects malicious behavior from automated sources through reputation-based, fingerprinting, heuristic and machine learning techniques. It also provides assurance that authorized bots can get through.
• API protection: This discovers, categorizes and applies specialized controls to API traffic. It can also extract policies from API schemes.

Optional capabilities of cloud WAAPs include:

• Client-side protection.
• Protection against web defacement.
• Vulnerability scanning.
• Mobile app security.
• DNS services and DNS security.
• Content delivery network (CDN), load balancing, access management and other features.

Cloud WAAPs may integrate with infrastructure providers, security operation tools, and continuous integration/continuous delivery (CI/CD) pipelines.

The Context section of this Magic Quadrant explains the change in the scope of this edition and the impact of this change, especially on vendors that offer WAAP appliances in addition to cloud WAAP services.

The Market Overview section later in this document highlights some of the recent trends in the WAAP market.

Magic Quadrant

Figure 1: Magic Quadrant for Web Application and API Protection

Source: Gartner (August 2022)

Vendor Strengths and Cautions

Akamai

Akamai is a Leader in this Magic Quadrant. It is well-suited to appear on the cloud WAAP service shortlists of organizations that want to protect business-critical, web-scale applications. This is especially the case for organizations that have a broad and diverse portfolio of web applications and APIs.

Akamai is a global cloud and security provider with almost 10,000 employees. It is headquartered in Cambridge, Massachusetts, U.S. Akamai’s primary offerings include a CDN and application and application security services. It has continued to expand its security portfolio, notably with the acquisition of the microsegmentation vendor Guardicore in October 2021.

In November 2021, Akamai updated its offering by merging Web Application Protector (WAP), its simplified offering for midsize enterprises, with Kona Site Defender. The new product, App & API Protector, includes some basic bot mitigation. Multiple add-ons are available, including an advanced security management subscription.

Since the 2021 edition of this Magic Quadrant, the most significant change in Akamai’s WAAP has been this repackaging of capabilities. Akamai also released Account Protector to protect against account takeover, an updated version of its Adaptive Security Engine (ASE), and support for Terraform deployments.

Strengths

• Platform advantage: By combining and integrating a broad range of web application and web application security features, Akamai’s global platform appeals to large organizations looking to make a comprehensive set of features available in front of all their web applications.
• Advanced capabilities: Akamai offers leading threat intelligence capabilities with its client reputation feature, and often releases new controls before the rest of the market. This is apparent in terms of Akamai’s API threat protection capabilities, as it is improving on its existing discovery and classification capabilities at a time when many other vendors have not even released API discovery features.
• Feedback about support: Akamai’s customers continue to rate its support highly, which is a notable achievement for a large platform provider. Consistently strong customer support creates trust and drives adoption for Akamai when prospective customers ask for references from their peers.
• DDoS: Akamai gets high marks for its DDoS feature evaluation. Although it is relatively rare for prospective customers to consider DDoS protection a differentiator, spikes in DDoS activity, especially against APIs, still require strong application and volumetric defenses, which Akamai provides.

Cautions

• Price: Gartner continues to hear from prospective customers for whom the high overall price charged by Akamai is a key reason for expanding their shortlists of vendors or reducing the scope of Akamai deployments. Midmarket enterprises often prefer a less expensive alternative.
• Confusion about portfolio transition: Gartner has received feedback from clients that Akamai is not always clear about whether App & API Protector replaces or complements Kona Site Defender. Some perceive the subscription reshuffle as a way to make them pay more or to subscribe to more options.
• False positives: Akamai has invested in false-positive reduction with its improved ASE, but clients continue to note a high rate of false positives, especially for bot detections.
• UI complexity: Akamai has simplified its onboarding process, but still faces the difficulty of combining many features and modules — for a variety of WAAP use cases, deployment should be simpler. Users have welcomed the improvement in Terraform support, but they remain more likely to use the UI, and report that Akamai’s ASE and traditional policy management could be more integrated.

Amazon Web Services

Amazon Web Services (AWS) is a Challenger in this Magic Quadrant. AWS WAAP is suitable for clients looking for native controls, a platform approach and vendor consolidation. Premium professional services for developers and integration with DevOps tools make it a popular shortlist candidate for application teams.

AWS is a cloud service provider (CSP) subsidiary of Amazon. It is headquartered in Seattle, Washington, U.S. It offers several application and API security products, including a network firewall (AWS Network Firewall), managed DDoS and WAF (AWS Shield Advanced). AWS’s WAF is primarily available on the top of Application Load Balancer (ALB) or Amazon CloudFront (AWS CDN).

Since the 2021 edition of this Magic Quadrant, AWS has made feature enhancements to its WAAP offering and expanded its CDN and WAAP infrastructure in Asia/Pacific. The feature updates related to WAAP include enhancements to application layer DDoS mitigation and bot mitigation, the addition of versioning and roll-back capability for managed rules.

Strengths

• Infrastructure: AWS focuses on increasing its infrastructure’s global availability. AWS’s WAF is deployed on all CloudFront POPs. It is available in 25 AWS Regions (general availability) and more than 310 CloudFront edge nodes with over 310 POPs. In 2021, AWS added over 80 POPs, including in Asia/Pacific.
• DDoS mitigation: AWS has a comprehensive DDoS mitigation offering through AWS Shield and the AWS WAF service. AWS offers mitigation for very high volumes of traffic, including attacks from bots. AWS Shield protects against layer 3, 4, and 7 volumetric and application-based DDoS attacks. AWS Shield DDoS protection is available in Standard and Advanced forms. Shield Standard protection is included at no additional cost for all AWS customers.
• Pricing: AWS uses a transparent, consumption-based pricing model that is easy to understand and manage; it is published clearly on its website. AWS offers optional security features, such as bot control, CAPTCHA, and account takeover prevention as chargeable add-ons to the base WAF service. It also offers a Free Tier for bot control and account takeover prevention, with usage cap. Shield Standard is also offered to all AWS customers as a basic DDoS mitigation service.
• Managed ruleset: AWS Managed Rules (AMR) is a strong WAAP feature. New feature enhancements, such as account takeover protection and WAF CAPTCHA configuration based on rate, attributes and labels from AMR, improve the product’s administration and deployment. A JavaScript/mobile SDK enables the AMR feature to protect the application’s login page against credential-stuffing attacks and other anomalous login activities.

Cautions

• API security: AWS lags behind in terms of API threat protection, compared with many WAAP vendors. It offers only direct support to JSON payloads, and supports GraphQL through AWS AppSync integration. It also lacks machine learning (ML) features for API threat protection and ML-based autodiscovery to categorize API endpoints.
• Insufficient customization: Some AWS customers find the lack of ability to customize WAF rules a drawback. They also regret the relative lack of detailed logging and monitoring alerts on the dashboard.
• Catchup strategy: AWS’s WAAP lacks innovation. To close feature gaps, AWS continues to regularly add features that are already offered by leading competitors. As a result, clients for whom best-of-breed bot mitigation and API threat protection are key criteria often select other vendors.
• Single cloud use case: AWS’s WAAP is a suitable candidate for application teams looking for native controls, but it lacks visibility to network security teams and enterprises with hybrid and multicloud environments, compared with offerings from many other WAAP vendors.

Barracuda

Barracuda is a Niche Player in this Magic Quadrant. It has headquarters in Campbell, California, U.S. It performs well for existing Barracuda customers and relatively small enterprises, but faces strong competition for larger enterprise pure-play cloud WAAP deals.

Barracuda Cloud Application Protection includes web application security products and services, the most important being Barracuda’s cloud WAAP (Barracuda WAF-as-a-Service) and WAAP appliances (Barracuda Web Application Firewall). The vendor also offers bot management (Barracuda Advanced Bot Protection), DDoS and threat intelligence services. In recent months, Barracuda has added an initial version of automated discovery of APIs and support for GraphQL.

In April 2022, investment firm KKR announced its intention to acquire Barracuda. In the past, Barracuda has changed hands several times, without noticeable adverse impacts on its WAAP product portfolio or roadmap.

Strengths

• Modular UI: Barracuda’s modular approach to security enables organizations to advance their WAAP deployment by adding new categories of controls as they make progress.
• Accessible control refinements: Convenient risk-scoring and recommendation engines make it easier to tackle refinements of controls, after an initial deployment.
• API threat protection: Barracuda continues to enhance its API discovery and controls. It has introduced new features such as a “confidence level” when discovering APIs and dedicated configuration for graphQL. Gartner has limited feedback on these new capabilities, however.
• Security for file uploads: Barracuda’s WAAP provides a good combination of malware inspection and form protection for applications that require secure file uploads (for example, applications that receive applicants’ resumes).

Cautions

• Visibility in shortlist: Barracuda’s cloud WAAP struggles for visibility beyond Barracuda’s existing customers in North America. When customers do evaluate Barracuda, Gartner tends to receive feedback that the product is good enough but does not stand out.
• Bot mitigation: Barracuda, which acquired a bot mitigation vendor in 2019, is not innovating advanced bot management features as quickly as its leading competitors in the WAAP market. Tuning of bot mitigation is primarily a back-end activity, which is not transparent to end users. Response options are less flexible than those of leading competitors, and, until recently, dedicated advanced credential protection features were lacking.
• Incident response: Barracuda’s real-time incident response depends too much on external integrations. Native event views are basic and lack some reports that security operations centers (SOCs) use for external communication about their activities.
• Support quality: Feedback from Barracuda customers about its support varies greatly. Many express concern about the time it takes to get a precise answer when an issue concerns more than a basic configuration.

Cloudflare

Cloudflare is a Leader in this Magic Quadrant. It is based in San Francisco, California, U.S. It has quickly become very visible on cloud WAAP shortlists seen by Gartner, and has developed a set of security features to compete with other Leaders.

Cloudflare has more than 3,000 employees, who are building its portfolio of cloud-delivered application and security services. Its application security portfolio includes a cloud WAAP offering (Cloudflare WAF), and DDoS and client-side protection (Cloudflare Page Shield).

In recent months, Cloudflare has continued to expand beyond application protection and delivery. Recent WAAP features include API discovery, scheme ingestion and semiautomated rate limiting. The vendor also improved its bot mitigation module.

Strengths

• Threat intelligence: Cloudflare’s large base of small and midsize business (SMB) and personal customers helps feed its global threat intelligence in order to detect new attacks more quickly. The vendor combines its own analysis with third-party feeds, and recently acquired Area1 Security, which further diversifies its sources.
• Expanding presence in Asia/Pacific: Cloudflare’s infrastructure in Asia/Pacific is already one of the most developed in the WAAP market. The vendor continues to invest in this region, as is shown, for example, by a recent increase in its hiring.
• Pervasive presence: Cloudflare has a strong ecosystem of channel and technical partnerships. These make Cloudflare an extremely common choice by organizations in their infancy. They also mean that its technology is an important one to work with for application platforms.
• Platform advantage: By making security service edge (SSE) features available, Cloudflare has increased the chance of it being selected for enterprise platform and consolidation projects. This has considerably increased its attractiveness to large enterprises.

Cautions

• Lack of hybrid deployment: Cloudflare is a pure-play cloud-delivered WAAP provider. Its offering lacks the option to run as an agent, a Kubernetes sidecar or a containerized WAAP. The lack of these hybrid deployment options might deter organizations deploying API architecture and looking for a way to monitor east-west traffic.
• Support: Although there have been some improvements to Cloudflare’s presales support, Cloudflare’s larger enterprise customers continue to expect more consistent and better postsale support. Gartner observes discrepancies in phone support quality and occasional failures to follow up requests consistently.
• Forensic analysis: Large enterprises with in-house SOCs continue to complain about Cloudflare’s basic reporting capabilities and insufficient embedded features for incident response drill-down, although these have improved recently.
• User interface: Gartner continues to receive comments from users stating that Cloudflare’s management interface can appear cluttered and confusing. Although they like its embedded dashboards, they would like to see easier ways to perform custom security configuration from the UI. Cloudflare has, however, recently updated its WAAP UI, based on customer feedback.

F5

F5 is a Niche Player in this Magic Quadrant. Headquartered in Seattle, Washington, U.S., F5 is a large vendor, with roots in the application delivery controller market, that now provides a portfolio of application delivery and security products. It employs more than 6,500 staff, including a large web application security team. F5’s WAAP portfolio includes multiple solutions. Its main cloud-based WAAP offering is Distributed Cloud WAAP, built by combining its BIG-IP Advanced WAF, Volterra and Shape Security acquisitions. It also offers managed services (Silverline Web Application Firewall), Silverline DDoS Protection, Silverline Shape Defense, and a new cloud-managed Distributed Cloud Account Protection service for fraud prevention. F5 also offers an appliance-based WAF (BIG-IP Advanced WAF) and a lightweight module for NGINX called App Protect.

F5 launched its Distributed Cloud WAAP product in February 2022, combining Shape, Volterra and F5 WAAP technology into a single cloud-based WAAP platform. This is an important milestone in F5’s strategic transition to a cloud-native platform. F5 has also acquired Threat Stack to improve its ability to provide cloud security and compliance for infrastructure and applications.

Strengths

• Ease of reporting: Distributed Cloud WAAP’s management console includes useful reporting features out of the box. These include the ability to view the health of microservices through a service mesh view and transactions of APIs through a service graph and API endpoint reports.
• Flexibility of pricing model: F5 offers a free tier to enable organizations to get started with load balancing and very basic WAF policies for its Distributed Cloud WAAP, which appeals to small and midsize organizations.
• Managed-service and support team investment: F5 invests heavily in its support capability and keeps a good number of personnel in both its managed service and support teams. Customer feedback about Distributed Cloud WAAP is limited because of this offering’s recent release, but F5 has a strong reputation for support.
• Product strategy: Consolidating into a distributed cloud platform backed by many modules shows good vision from F5 in responding to the market trend for consolidation of WAAP features.

Cautions

• Distributed WAAP is new and maturing: Early feedback from clients indicates that F5’s new Distributed Cloud WAAP is still a work in progress and does not have feature parity with Silverline at the time of writing. F5 has, however, announced progress in reaching feature parity with the June 2022 version of Distributed Cloud WAAP.
• Disjointedness of WAAP portfolio: F5 continues to invest in separate WAAP products, which leads to feature disparities. For example, the iRules feature is not carried over into the Distributed Cloud WAAP offering (it is replaced by Service Policies). Organizations that adopt multiple F5 WAAP products for hybrid WAAP scenarios need to evaluate the operational complexity of managing different WAAP policies.
• Complexity of configuration: Within Distributed Cloud WAAP, every origin pool and WAAP instance is tied to a load balancer configuration and requires configuration for load balancers in addition to WAAP policies.
• Roadmap execution: The shift from on-premises WAF appliance vendor to cloud WAAP provider is proving challenging for F5. Distributed Cloud WAAP remains a work in progress, and the UI reproduces configuration workflows that sometimes mimic an appliance form factor. F5 has made slower progress than its leading competitors in terms of key capabilities such as bot mitigation, application security and API threat protection, as it has focused its efforts on rebuilding features for its new platform.

Fastly

Fastly is a Challenger in this Magic Quadrant. Headquartered in San Francisco, California, U.S., Fastly is a CDN and DDoS provider that offers a cloud-based WAAP through integration of its Signal Sciences acquisition. The Fastly Next-Gen WAF solution can be deployed as a runtime agent on top of an NGINX proxy and as a WAAP service. The foundation of Fastly’s technology places minimal focus on traditional signatures. It relies on its proprietary SmartParse engine, which uses a proprietary mix of rules to parse requests: vendor rules; templated rules, with some customization; and custom rules (“power rules”).

Since the 2021 edition of this Magic Quadrant, Fastly has introduced edge rate limiting and a managed service called Response Security Service (RSS). It has also added support for GraphQL inspection and HTTP/3.

Strengths

• Flexibility of deployment model: Fastly’s deployment model lets customers deploy its WAAP in multiple environments, such as the Fastly edge cloud. They can also deploy it in various ways, such as within a traditional application, as a reverse proxy, or integrated with containers and platform as a service (PaaS) environments.
• Sales and support experience: Customers give Fastly high scores for its lower-than-expected false-positive rates, after tuning. Clients rate Fastly highly for overall sales and support, praising both the timeliness of its responses and the quality of its support team.
• Native DevOps support: Fastly supports native integration with containers. It also offers support for Terraform, as well as a variety of other DevOps tools for integration, such as Ansible. Additionally, there is integration with Slack for alerting. Customers praise Fastly’s capabilities, with integration for DevOps teams being the reason that many choose Fastly over other WAAP vendors.
• Ease of onboarding: Fastly customers frequently identify ease of onboarding in blocking mode as a strength of Fastly’s product, especially when they are migrating from a legacy WAF that required a large number of tuning policies.

Cautions

• Slowness of roadmap execution: Fastly introduces new features more slowly than many vendors in this market. This results in a widening capability gap between Fastly and its competitors in areas such as API and application security features.
• International presence: Although Fastly has invested in expanding its sales staff outside North America, it still derives most of its revenue from U.S. customers. Clients outside North America looking to utilize Fastly’s edge should verify how it is supported in their country.
• Bot management features: Fastly continues to lag behind its main competitors in terms of bot mitigation capabilities, and client feedback indicates that its bot reporting is weak. Fastly lacks a curated credential-stuffing database and still offers only basic blocking techniques, such as blocking based on velocity.
• Native reporting: Fastly customers frequently complain that integration with a third party is required for richer and more flexible reporting capabilities.

Fortinet

Fortinet is a Niche Player in this Magic Quadrant. Fortinet sells a WAAP service called FortiWeb Cloud. It also offers a WAAP appliance product line called FortiWeb, which is shortlisted mainly by existing network firewall customers who want to consolidate on a single vendor.

Headquartered in Sunnyvale, California, U.S., Fortinet is an established infrastructure and security vendor with over 10,000 employees. Its primary product line remains its range of FortiGate firewall appliances, but it has developed a large portfolio of security products and is slowly expanding into cloud services.

During the evaluation period for this Magic Quadrant, Fortinet acquired Sken.ai, a DevSecOps application security vendor, which could enhance the ability of Fortinet’s WAAP to integrate with dynamic DevSecOps teams or pipelines and processes. Feature updates to Fortinet’s WAAP service include a new threat analytics service, ML for anomaly detection updates, and ML-based API discovery and protection.

Strengths

• Market dynamics: FortiWeb Cloud’s presence is growing faster than the average for offerings in this market, albeit from a small base. Fortinet is able to benefit from its large global customer base by adding its cloud WAAP offering to existing deployments of Fortinet solutions.
• Geographic presence: Fortinet has an established global presence and a large sales channel. Its strong direct presence in EMEA and high number of local support centers helps with initial presale and postsale interactions.
• Investment in machine learning techniques: Fortinet has advanced its ML techniques over the past few years. It provides clear ML dashboards with detailed explanations of the use of ML.
• Threat intelligence: FortiWeb’s risk-scoring view includes a trend-level history view that enables users to compare their organization’s threat level with the average threat level within Fortinet’s customer base.

Cautions

• Hybrid deployment: Fortinet’s cloud WAAP cannot be managed from FortiManager, Fortinet’s central management platform. Fortinet customers with hybrid deployments (appliances and cloud WAAP) must manage their appliances using FortiManager and FortiWeb Cloud from a portal. This limits Fortinet’s supposed advantage for central management of hybrid WAAP deployments.
• Architectural limits: When competing with CDN-based WAAP providers, Fortinet’s architectural limitations, such as the lack of a tunnel mode, the absence of remote hardware security module (HSM) support and inability to run custom code at the edge, reduce its appeal.
• Bot mitigation: Despite recent improvements, FortiWeb Cloud’s bot mitigation features are not yet on a par with those of many of its competitors. This is especially true for advanced response capabilities and when managing authorized bots. Prospective customers should seek peer feedback on this feature, as most improvements are recent.
• Customer experience: Clients often express dissatisfaction with the basic logging features of FortiWeb Cloud. Although the number of FortiWeb cloud POPs has increased, customers continue to request more POPs for FortiWeb Cloud, especially outside the Americas.

Imperva

Imperva is a Leader in this Magic Quadrant. It is headquartered in San Mateo, California, U.S. Imperva has a long history in application security, and is well known for making advanced features available in a cloud WAAP form factor. Imperva is a privately held application and data security vendor, part of Thoma Bravo’s portfolio of security vendor equity investments.

Imperva Cloud WAF is the vendor’s cloud WAAP service offering. It is part of the “Imperva Anywhere” portfolio, which also includes a WAAP gateway (the Imperva Web Application Firewall Gateway), database security (Imperva Data Security) and other security services, including DNS security and runtime application self-protection (RASP).

In the past year, noticeable changes have included improved Imperva’s CDN and caching features, support for external HSMs, and numerous improvements to the advanced bot protection service, including a new tarpit action.

Strengths

• Product maturity: Longtime Imperva customers appreciate the stability and incremental improvement of the UI, and the additional security controls. They trust the results of the threat intelligence feeds and consider that the overall product gives good protection out of the box.
• Event analytics: Imperva relies on multiple ML approaches for bot mitigation and for event aggregation that shows promise for simplifying the management and incident response process.
• Account takeover detection: The Imperva Account Takeover Protection module includes several interesting features, such as detection of credential stuffing, and is designed to determine malicious intent from successful logins or impossible logins.
• Application security portfolio: The “Imperva Anywhere” strategy resonates with security teams willing to centrally manage WAAP enforcement points in different form factors and to consider adjacent application security approaches, such as RASP and database security.

Cautions

• Executive churn: Over the past few years, Imperva’s leadership has changed a lot, especially in its sales and distribution channel teams. Although its product strategy remains consistent, Gartner has observed some adverse impact on Imperva’s roadmap execution and overall market presence in the past 12 months.
• DevOps deployment: Imperva’s cloud WAAP offering can be deployed as a sidecar proxy on Envoy, but is not available as a containerized WAAP offering. Imperva lags behind other vendors in supporting this deployment use case.
• Global infrastructure: Imperva often struggles against its CDN competitors due to direct comparisons of distributed infrastructure and presence. Imperva’s presence in Asia/Pacific lags behind that of its direct competitors. Its cloud service does not have local POPs in China and has only two in India.
• Customer experience: Imperva’s customers would like to see it be more responsive when it comes to supporting features regarded as “low-hanging fruit.” They highlight its late support for TLS 1.3 and lack of single sign-on (SSO) for back-end applications, and they expect better certificate management.

Microsoft

Microsoft is a Niche Player in this Magic Quadrant. Its Azure Web Application Firewall (WAF) remains basic, compared with the majority of competing offerings, but the desire to consolidate on fewer vendors remains a key reason why organizations choose it.

Microsoft is a large IT and digital workplace vendor, based in Redmond, Washington, U.S. It has a large product portfolio. Its infrastructure as a service (IaaS) and PaaS offering, Microsoft Azure, includes a WAF (Azure WAF) built on top of its CDN (Azure Front Door), which is also available with its application delivery solution (Azure WAF on Azure Application Gateway). Microsoft also offers other security products, notably DDoS protection, API security and a security information and event management (SIEM) tool (Microsoft Sentinel).

In the past 12 months, Microsoft has added multiple features. These include a new proprietary WAF engine, updated bot classification and Default Rule Set 2.0, based on Microsoft threat intelligence, which adds anomaly-based scoring and support for JSON and XML through Azure Front Door.

Strengths

• Infrastructure: Microsoft is expanding its global Azure infrastructure to increase its presence in different regions of the world. Microsoft Azure now has 179 POPs and over 60 Azure regions. In the past 12 months, Microsoft has added 25 POPs.
• Breadth of security portfolio: Microsoft has a huge product portfolio. In addition to Azure products, it offers multiple security, compliance and identity applications, artificial intelligence and other product lines. Many of its product lines have a huge market share, which makes Microsoft a desirable vendor for organizations seeking to consolidate their technology vendors.
• Customer feedback: Azure WAF customers praise its integration with Azure Front Door CDN and other native Azure tools. Microsoft also offers WAF integration with Microsoft Sentinel, which many customers recommend.
• Volumetric DDoS: Microsoft offers volumetric DDoS protection to mitigate the impact of large numbers of attacks. It has a highly distributed infrastructure to protect against distributed volumetric DDoS attacks. Microsoft also offers a subscription to its DDoS rapid response team for help with configuration or forensic investigation.

Cautions

• Bot mitigation: Azure WAF offers only basic bot mitigation and lacks features offered by the majority of WAAP vendors. It lacks features such as fingerprinting, JavaScript challenges, and ML capabilities to detect good and bad bots. This makes it less desirable for enterprises seeking mature bot mitigation within their WAAP solution.
• API security: Azure WAF offers only basic API threat protection. It lacks features such as autodiscovery and categorization of APIs, which are being offered by many WAAP competitors. This makes it a less desirable candidate for mature API threat protection integrated as a WAAP feature.
• Pace of execution: Azure WAF lacks many of the standard features offered by the majority of WAAP vendors. Microsoft’s execution timelines for closing security feature gaps in its WAAP products are longer than those of other competitors.
• Customer feedback: Azure WAF customers find its logging and monitoring feature to be basic and its integration with third-party SIEM products to be challenging. Azure WAF also lacks native incident response alerts for the OWASP API top 10 threats.

Radware

Radware is a Visionary in this Magic Quadrant. It is trying to apply its differentiated approach to application security, which combines ML techniques and rules, to the cloud WAAP segment. Radware is also heavily invested in providing innovative WAAP form factors for DevOps environments.

Radware is based in Tel Aviv, Israel and Mahwah, New Jersey, U.S. It is primarily known for its DDoS protection (DefensePro and Cloud DDoS Protection Service). Radware offers WAAP in various form factors, including appliances, in a containerized envelope (Kubernetes Web Application Firewall [KWAF]) and as a cloud WAAP service (Cloud WAF Service).

Since the 2021 edition of this Magic Quadrant, Radware has added API threat protection features to its cloud WAAP, including API discovery and automated detection of API changes. It has also introduced a feature that automatically detects potential false positives and notifies customers of potential signature changes to minimize false positives.

Strengths

• Suitability for DevOps environments: SecurePath, a fully managed, out-of-band cloud WAF deployment mode with connectors to NGINX and Amazon CloudFront, appeals to cloud architects and DevOps teams looking for nonintrusive third-party web app security.
• Innovation: Radware’s recent roadmap includes advances in application security. Examples include automated false-positive detection and the introduction of SecurePath.
• Security techniques: Gartner clients value the automated learning approach that Radware takes, even if they are using it only on a “trust but verify” basis.
• Threat research team: Radware effectively packages its threat research with support from its emergency response team (ERT). It also provides detailed technical blog posts that demonstrate the depth of its knowledge in this area.

Cautions

• Transition strategy: Radware is continuing with its transition from appliance-based application delivery controllers to cloud and application security. Radware’s success in selling cloud WAAP services is not yet on par with that of the large platform and CDN providers.
• Fragmentation of management consoles: Radware’s cloud portal can only manage its cloud WAAP. Radware’s appliance management console handles appliances and Kubernetes containers. Hybrid use cases therefore require the use of at least two management consoles, which limits the advantage of using the same vendor. The most frequent complaint Gartner hears from Radware customers is about the weakness of its management capabilities.
• Solution architecture: Radware’s ad hoc attack signature set is less extensive than those of the leading vendors in the market. This causes some non-Radware WAF users to question the efficacy of its solution.
• Bot mitigation: Over the past 12 months, customer feedback about Radware’s bot mitigation module’s ease of use has worsened. This is often due to configuration options that are less granular and intuitive than those of Radware’s leading competitors.

ThreatX

ThreatX is a Niche Player in this Magic Quadrant. This cloud-native security startup vendor, which was launched in 2015 and has its main headquarters in Boston, Massachusetts, U.S., is expanding its operations around the world. It relies on its automated, risk-based classification of events to differentiate itself from other WAAP providers.

The ThreatX WAAP Platform comprises containerized processing units, which can be deployed in various environments, and a cloud-hosted analysis engine. ThreatX offers managed security services, including a 24/7 managed SOC supported by a small team and automated procedures.

Since the 2021 edition of this Magic Quadrant, ThreatX has introduced API discovery, schema ingestion and support for GraphQL, which complement its API protection features by showing discovered API endpoints. It has also made available a modernized Attack Dashboard.

Strengths

• API discovery: ThreatX has introduced intuitive API autodiscovery, and is increasingly being shortlisted for API protection-centric use cases.
• Capabilities: ThreatX’s WAAP offers three options for blocking: risk-based, per request and manual (detection only). Most clients like the ability to combine the risk-based approach with the per-request blocking option as it ensures limited risk and limited impact in the event of false positives.
• Product strategy: ThreatX’s container-driven product strategy gives it early traction in the distributed WAAP space, and could be useful for monitoring east-west API traffic.
• Customer experience: ThreatX receives high marks from customers for its ease of deployment and customer support, which, among other things, responds quickly to requests for rule customization.

Cautions

• Geographic strategy: ThreatX operates primarily from the U.S. Its management console is available only in English, as is its product documentation. Support is delivered from U.S.-based locations and Estonia. ThreatX has yet to introduce many POPs outside North America.
• Size of team: Although ThreatX’s platform can be used without managed services, the vendor strongly encourages use of these services, which are included in the cost of its WAAP platform. Given the small size of ThreatX’s support team, large organizations should check whether ThreatX can support them with these included services.
• Learning curve: ThreatX has a relatively small, but growing, customer base. It takes a proprietary approach that relies on detecting attacker behavior and lacks good explainability and fine-grained configuration options. Organizations that do not use its managed services may require additional training to make full use of the platform for optimal protection.
• Bot mitigation: ThreatX lacks some features that its competitors offer. It offers only a limited number of the bot mitigation features often requested in customers’ RFIs, such as bot farm detection, mouse and keyboard analytics, and a predefined set of good bots. It also lacks client-side protection.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

None.

Dropped

None.

Inclusion and Exclusion Criteria

Each vendor of a cloud WAAP corresponding to the description in the Market Definition/Description section of this Magic Quadrant was considered for inclusion if:

• Its offering(s) can protect applications and APIs running on different types of host environments, such as web servers, service containers and PaaS.
• Its WAF technology is known to be approved by qualified security assessors as a solution for Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6, which covers the OWASP top 10 threats, in addition to others.
• It offers a cloud WAAP as a service.
• Its cloud WAAP service was generally available as of 1 January 2021.
• Its data centers are in at least two metropolitan areas, separated by a minimum of 250 miles, on separate power grids.
• It offers an SLA, with a minimum of 99.9% availability, with committed financial penalties in case of failure to meet the SLA.
• Its cloud WAAP service demonstrates global presence, features and scale relevant to enterprise-class organizations. It must have either:
  • Generated $20 million in cloud WAAP revenue during 2021 and had at least 80 enterprise customers use its cloud WAAP products under support as of 31 December 2021, including:
    • At least 25 net new enterprise cloud WAAP customers in 2021.
  • Or generated $5 million in annual recurring revenue (ARR) for its cloud WAAP, for the 12 months of 2021, and had two years of compound annual revenue growth (CAGR) of at least 50%.
• It demonstrates at least the minimum signs of global presence by:
  • Presenting Gartner with strong evidence that more than 10% of its cloud WAAP service’s customer base is outside its home region (the Americas, EMEA or Asia/Pacific).
  • Offering a POP in at least two of the following regions: North America, EMEA and Asia/Pacific.
• It offers 24/7 support, including phone support — in some cases, this is an add-on, rather than being included in the base service.
• It is a significant player in the market, as determined by Gartner on the basis of its market presence, competitive visibility or technology innovation.
• It is a top provider in terms of Gartner-estimated market share or mind share for relevant segments of the overall WAAP market.
• It is the subject of inquiries from users of Gartner’s client inquiry service, and has competitive visibility, client references and local brand visibility.
• Its WAF technology provides more than a repackaged ModSecurity engine and signatures.
• It provides evidence to show that it meets the above inclusion requirements.

WAAP and WAF vendors not included in this Magic Quadrant may have been excluded for one or more of the following reasons:

• The vendor primarily has a network firewall or IPS with a non-enterprise-class WAAP.
• The vendor is:
  • Primarily a managed security service (MSS) provider and its WAF/WAAP sales are mostly part of broader MSS provider contracts.
  • A service provider using third-party WAF or WAAP technology.
  • A WAAP provider offering a cloud WAAP in the form of WAAP virtual machines (VMs) managed by third parties.
• The vendor offers only a fully managed WAAP, with no self-service.
• The vendor is not actively providing WAAP products to enterprise customers, or has minimal continued investment in the enterprise WAAP market.
• The vendor has minimal or negligible apparent market share among Gartner clients, or is not actively shipping products.
• The vendor is not the original manufacturer of the firewall product. This includes hardware OEMs, resellers that repackage products that would qualify from their original manufacturers, and carriers and internet service providers that offer managed services. We assess the breadth of OEM partners as part of the WAAP evaluation, and do not rate platform providers separately.
• The vendor has only a host-based WAF, WAAP, web access management (WAM), RASP or API gateway (these are considered distinct markets).

Honorable Mentions

In addition to the vendors included in this Magic Quadrant, Gartner tracks vendors that did not meet our inclusion criteria because of a specific vertical market focus and/or shortcomings in terms of WAAP revenue and/or competitive visibility in WAAP projects. The following merit mention here:

• Alibaba Cloud is a large cloud service provider based in China. It offers the Alibaba Cloud Web Application Firewall (with built-in bot management and API protection features) and Alibaba Anti-DDoS products as part of its cloud service offering. It appeals to customers who are implementing cloud services from Alibaba. Alibaba Cloud did not qualify for inclusion in this Magic Quadrant due to its more regional presence and the lack of feature parity for WAF and DDoS protections outside its home region.
• Citrix is a large infrastructure and security vendor based in the U.S. In 2020, it launched Citrix Web Application and API Protection (CWAPP), a cloud-based WAAP service. While expanding CWAPP, Citrix continues to be successful at selling its WAF as an add-on to its application delivery controllers (ADCs). Citrix did not qualify for inclusion in this Magic Quadrant primarily because it did not meet the customer thresholds for cloud WAAP service.
• Cloudbric is a cloud-native web application security vendor based in South Korea. It is a spinoff from Penta Security Systems, which offers WAAP appliances (called WAPPLES). Cloudbric’s WAAP as a service is primarily available in the vendor’s home region. Cloudbric did not qualify for inclusion in this Magic Quadrant due to insufficient presence outside its home region.
• Google is a large cloud service provider headquartered in the U.S. Google is investing in WAAP-related services, including Cloud Armor for DDoS protection and a web application firewall, reCAPTCHA Enterprise to combat automated bots and detect online fraud, and Apigee for API protection. Google is not included in this Magic Quadrant because it did not have a generally available cloud WAAP offering as of 1 January 2021.
• Indusface is a WAAP vendor based in India. It sells the AppTrana WAAP solution primarily bundled with managed services. It continues to attract positive feedback from customers who use its product and like its managed-services approach to WAAP. Indusface did not qualify for inclusion in this Magic Quadrant because it offers a primarily managed solution and lacks sufficient presence outside its home region.
• NSFOCUS is a security vendor based in China. It offers a cloud WAAP service and a range of appliance and WAAP service offerings that appeal to clients looking for a WAAP in China, and it continues to grow its presence in other regions. NSFOCUS did not qualify for inclusion in this Magic Quadrant because it did not meet the thresholds for cloud WAAP service and had insufficient presence outside its home region.

Evaluation Criteria

Ability to Execute

Product or Service: This criterion includes the core cloud WAAP technology offered by the technology provider that competes in and serves the defined market. It also includes current product or service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements and partnerships, as defined in the Market Definition/Description section. Strong execution means that a vendor has demonstrated to Gartner that its products or services are successfully and continually deployed in enterprises. Execution is not primarily about company size or market share, although these factors can considerably affect a company’s Ability to Execute. Some key features, such as the ability to support complex deployments (including on-premises and cloud options) with real-time transaction demands, are weighted heavily. Product evaluation also considers other cloud WAAP core security functions. These include DDoS protection services, bot management (such as bad-bot mitigation and good-bot management) and API threat protection, which might be bundled or integrated with WAF features.

This year’s evaluation increases the importance of delivering specialized controls when protecting APIs. Integration with other markets, such as those for cloud access service brokers (CASBs) and application security testing (AST), is evaluated as well, but more lightly.

This year’s evaluation increases the importance of delivering specialized controls when protecting APIs.

Overall Viability: This criterion assesses the organization’s overall financial health, and the financial and practical success of the business unit. Also assessed are the likelihood that individual business units will continue to invest in a cloud WAAP, offer cloud WAAP products and advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: This criterion encompasses the technology provider’s capabilities in all presales activities and the structure that supports them. It includes deal management, pricing and negotiation; presales support; and the overall effectiveness of the sales channel. It also includes deal size, and the use of the product or service in large enterprises with critical public web applications, such as banking and e-commerce applications. Low pricing will not guarantee strong execution or client interest. Buyers want good results even more than they want bargains. Buyers balance cloud WAAP security requirements and pricing; they do not consider best pricing only.

For cloud WAAP providers with multiple security products, or a WAAP appliance offering, this criterion also evaluates the ability to craft a pricing model adapted to a cloud WAAP. This model should not inherit characteristics from pricing models used for other product offerings that are unsuitable for a cloud WAAP.

Market Responsiveness/Record: This criterion assesses the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, and security trends and customer needs evolve. It includes a vendor’s responsiveness to new or updated web application frameworks and standards, as well as its ability to adapt to market dynamics (such as the relative importance of PCI compliance) and changes. This criterion also considers the provider’s history of releases, but gives greater weight to its responsiveness during the most recent product life cycle.

Marketing Execution: This criterion assesses the clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message. It is aimed at influencing the market, promoting the brand and business, increasing product awareness, and establishing positive identification with the product, brand and organization among buyers. This mind share can be driven by a combination of publicity, promotional activities, thought leadership, word of mouth and sales activities.

Customer Experience: This criterion assesses the relationships, products, services and programs that enable clients to be successful with the products that are being evaluated. Specifically, it includes the ways in which customers receive technical support or account support. It can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, and SLAs that enable the organization to operate effectively and efficiently on an ongoing basis.

Operations: This criterion evaluates the organization’s ability to meet its goals and commitments. Factors include the quality of the organizational structure. For vendors with multiple WAAP form factors (such as appliances), this criterion evaluates the organization’s alignment with the offer of a cloud-delivered WAAP. For vendors with a broad security portfolio, it also evaluates the ability to maintain focus on the cloud WAAP service offering.

Table 1: Ability to Execute Evaluation Criteria

Source: Gartner (August 2022)

Completeness of Vision

Market Understanding: This criterion assesses the vendor’s ability to understand buyers’ wants and needs, and to translate that understanding into products and services. Vendors with the most vision listen to and understand buyers’ requirements, and can shape or enhance them. They also determine when emerging use cases will greatly influence how the technology has to work. Vendors that better understand how changes in web applications affect security receive higher scores. Trends include cloud, IaaS, agile methodologies, web services and microservices, continuous integration, and the growing importance of APIs.

Marketing Strategy: This criterion looks for a clear, differentiated set of messages that is consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Assessment includes the vendor’s ability to communicate effectively about how its solution is a good fit for emerging use cases.

Sales Strategy: This criterion looks for a strategy that uses an appropriate network of direct and indirect sales, marketing, service and communication affiliates to extend the scope and depth of a vendor’s market reach, skills, expertise, technologies, services and customer base. The ability to attract new customers who need web application security only is weighted heavily.

Compared with the 2021 edition of this Magic Quadrant, this criterion has been revised to reflect strategies adapted to cloud-delivered WAAP and “as a service” offerings.

Offering (Product) Strategy: This criterion assesses a vendor’s approach to product development and delivery, with an emphasis on differentiation, functionality, methodology and feature sets, in relation to current and future requirements. As attacks change and become more targeted and complex, we give heavy weightings to vendors’ efforts to move their WAAPs beyond rule-based web protections that are limited to known attacks by, for example:

• Combining rules, heuristics and ML to detect abnormal behaviors.
• Using a weighted scoring mechanism based on a combination of techniques to shape the WAAP’s responses.
• Providing updated security engines to handle all protocols and standards updates, and remaining efficient in relation to changes in how older web technologies are used.
• Providing dedicated protection techniques for emerging web application use cases, such as mobile and Internet of Things (IoT) applications.
• Offering bot mitigation that is not limited to reputation-based controls.
• Providing API protection.
• Analyzing user behavior.
• Countering evasion techniques actively.
• Enabling a positive security model with automatic and efficient policy learning.

In this year’s Magic Quadrant, we have increased the weighting for delivery of differentiated security controls when protecting APIs, including automated discovery and anomaly detection.

This criterion also evaluates the depth of features provided, especially features that ease management of the solution, and its integration with other solutions, such as SIEM tools, API gateways and other technologies (CASBs, for example).

Vertical/Industry Strategy: This criterion assesses the vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical industries. Vendors focusing on a single vertical receive lower scores. Vendors with differentiated vertical strategies and the ability to reproduce success across several verticals receive higher scores.

Innovation: This criterion examines the direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes. It includes product innovation and quality differentiators, such as:

• New methods for detecting web attacks and avoiding false positives.
• Resistance to evasion and detection of new attack techniques.
• A management interface, monitoring and reporting that contribute to easy web application setup and maintenance, better visibility, and faster incident response.
• Automated delivery of detection and protection.
• Ability to integrate with DevOps processes and tools.
• Integration with companion security technologies, which improves overall security.

Geographic Strategy: This criterion assesses a vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside its “home” country or region. This can happen directly or through partners, channels and subsidiaries, as appropriate for the geography and market. This criterion considers a vendor’s infrastructure (POPs), but is not limited to technical components. It also considers how the vendor adapts its strategy to local cloud demands and privacy requirements.

Table 2: Completeness of Vision Evaluation Criteria

Source: Gartner (August 2022)

Quadrant Descriptions

Leaders

Leaders can shape the market by introducing additional capabilities to their offerings, raising awareness of the importance of those features and being the first to do so. Leaders also meet enterprises’ requirements for different uses of web application security.

Leaders have strong market shares and steady growth, but these alone are not sufficient to qualify as a Leader. Leaders in the cloud WAAP market require strong distributed infrastructure and must ensure high-level security and smooth integration into a web application environment. They also require advanced web application behavior learning; superior ability to block common threats (such as SQL injection [SQLi], cross-site scripting [XSS] attacks and cross-site request forgery [CSRF]), protect custom web applications and avoid evasion techniques; strong deployment, management and real-time monitoring; and extensive reporting. Leaders should also provide, and regularly improve, DDoS protection, and be ahead of the market in terms of bot mitigation and API security capabilities.

In addition to providing technology that is a good match for customers’ requirements, Leaders exhibit superior vision and execution for anticipated requirements, and drive evolution in web applications that requires changes to the security paradigm.

Challengers

Challengers have a sound customer base, but do not lead in terms of security features. Challengers draw on existing clients from other markets (such as the IaaS and CDN markets) to sell their cloud WAAP technology, rather than competing to win deals through product differentiation. Challengers may be well-positioned and have good market shares in a specific segment of the WAAP market (such as a specific cloud infrastructure segment), but do not address the entire market (and may not be interested in doing so).

Visionaries

Visionaries provide key innovations to address web application security concerns. They devote many resources to security features that help protect critical business applications against targeted attacks. However, they lack the ability to influence a large portion of the market. They either have not expanded their sales and support capabilities on a global basis, or they lack the funding to execute with the same capabilities as Leaders or Challengers. They also have a smaller presence in the cloud WAAP market, as measured by installed base, revenue size or growth, or in terms of overall company size or Gartner’s assessment of long-term viability.

Niche Players

The Niche Players quadrant primarily includes vendors of cloud WAAPs that are a good match for specific use cases (such as PCI compliance) or vendors with a limited reach in relation to cloud WAAP deployments. The cloud WAAP market includes several European and Asian vendors that serve clients in their regions well with local support, and that can quickly adapt their roadmaps to specific needs, but that do not sell outside their home countries or regions.

Even when selling large-scale products, some Niche Players offer features that only suit the needs of SMBs.

Niche Players may also have a small installed base because their cloud WAAP products are recent, in transition, or limited, according to Gartner’s criteria, by various factors. These factors may include limited investment or capabilities, and other inhibitors to providing a broader set of capabilities to enterprises both now and during the next 12 months.

Niche Players may be in the early stages of building a broader product. Inclusion in the Niche Players quadrant does not reflect negatively on a vendor’s value within its more narrowly focused service spectrum.

Context

This Magic Quadrant evaluates vendors of WAAP offerings that are delivered as cloud services (WAAP services), in contrast to previous editions that covered vendors of both appliances and cloud WAAP technologies. This change alters the customer expectations we have considered and the relative positions of evaluated vendors.

WAAP vendors with an existing appliance portfolio are now evaluated primarily for their cloud WAAPs. Vendors are now evaluated against other cloud WAAP vendors only. This changes their positioning, as WAAP appliances are not weighted as in the previous Magic Quadrant.

Gartner’s inclusion and exclusion criteria include a requirement to derive meaningful revenue from outside a vendor’s home region, as well as a requirement for a minimum number of customers for the WAAP service. This has led to the exclusion of some smaller or more regional vendors (see the Honorable Mentions section).

The adjacent WAAP appliance market is closer than the cloud WAAP market to its WAF roots and many of the vendors evaluated in this Magic Quadrant have their appliance technology at the core of their cloud WAAPs. Some organizations continue to select WAAP appliances, instead of cloud WAAPs, to ensure a unified management and reporting console across on-premises and cloud data centers. Additional reasons to use WAAP appliances include insufficient, or a complete lack of, cloud WAAP POPs in a particular country, other local data residency regulations, and discomfort with the consumption-based licensing of cloud WAAPs.

The cloud WAAP market includes historical WAAP appliance providers that are building a cloud presence by using infrastructure as a service (IaaS) and offerings from CDN and IaaS providers. Because many local or platform providers might wrap a WAF around a ModSecurity engine, and use one of the available rule sets, many legacy WAF solutions are available and compete with WAAP offerings. These products are not evaluated in this Magic Quadrant.

Gartner generally recommends that clients consider products from vendors in every part of a Magic Quadrant, based on their specific functional and operational requirements. This is especially true for the cloud WAAP market, which includes many relatively small vendors, as well as larger vendors that derive only a small share of their revenue from cloud WAAP offerings. Product selection decisions should be driven by organization-specific requirements. These relate to factors such as deployment constraints and scale, the relative importance of compliance, the characteristics and risk exposure of business-critical and custom web applications, and vendors’ local support and market understanding.

Security managers considering cloud WAAP deployments should first define their deployment constraints, especially their:

• Tolerance for a full, in-line reverse proxy with blocking capabilities in front of web applications.
• TLS decryption/re-encryption and other scalability requirements.
• Detailed needs for bot management, especially advanced and nonintrusive responses.
• Requirements to protect applications hosted on multiple cloud and on-premises locations.
• Ability to secure the more recent API architectures (such as Microservices architectures).

Market Overview

The overall cloud WAAP market is mature, though some segments are quite dynamic, such as bot management and API threat protection. Unlike the WAAP appliance market, which is dominated by replacement purchases, the cloud WAAP market continues to experience double-digit growth, thanks to new customers, new applications to protect, and shifts from appliances to cloud-delivered security.

In the past 12 months, cloud WAAP has been the dominant form factor for new deployments in the Americas and EMEA. The remaining WAAP appliance deployments continue to fuel many renewal purchases, especially in the form of virtual appliances. The WAAP appliance form factor is also a serious contender for hybrid deployments.

API security is becoming a key part of WAAP evaluations in situations where WAAP providers compete against more specialized API threat protection vendors. Gartner has observed noticeable improvements in some API protection offerings from vendors evaluated this year. However, API protection features integrated into cloud WAAPs often look like initial versions and tend to lack depth, especially in terms of providing context relevant to API specialists in alerts and business context management for discovery modules. More vendors have introduced decent API discovery capabilities in the past year.

Providers of the more mature bot mitigation modules face reinvigorated competition from the remaining bot mitigation specialists, and have focused their efforts on a few differentiators:

• Fine-grained categorization of malicious and authorized bots.
• Better controls against human-operated bots (“hu-bots”), especially CAPTCHA- solving services.
• Alternatives to traditional intrusive CAPTCHA services.
• Ability to distinguish between good and bad human actors, particularly to mitigate account takeovers.

Growth in the use of ML to detect and reduce false positives has leveled off in the past year, with no noticeable improvements and a slight de-emphasization from vendors that reflects general market fatigue about “ML hype.” ML could still be useful to overcome the more complex challenge of managing WAAP configurations at scale, while providing the right combination of change workflow management, reliable configuration auditing and change traceability, and a good mix of global, per-group and per-application settings. However, Gartner has not observed any noticeable improvement in this area.

Distributed WAAP Emerges as a Separate Segment of the WAAP Market

A growing number of cloud WAAP vendors are adding deployment options for the more automated cloud applications: Kubernetes sidecars, containerized WAAPs and WAAP agents. The future of this segment remains unclear, however. But embedded WAAPs cannot replace cloud-delivered WAAPs for every use case and requirement such as DDoS protection or the ability to deploy quickly in front of hundreds of applications hosted on various environments.

Distributed WAAPs are intended to improve DevSecOps practices to secure newly developed applications through “shift left” techniques, but they do not address the “shift right” needs of legacy and third-party applications. In future, large enterprises with mature DevOps practices will demand a combination of cloud gateway WAAPs and distributed WAAPs to enable DevSecOps and better protect existing applications.

WAAP controls, deployed closer to the applications they protect, could provide benefits such as:

• Gathering of better contextual information from applications and details of who or what is accessing a microservice, which could help reduce the false-positive rate.
• Classification of, and protection against, new categories of threats to microservices environments through the use of dedicated, unsupervised ML techniques.
• Enabling application development teams to declare application context programmatically and WAAPs to automatically enforce or modify the correct security rules at runtime.

The most likely scenario for the coming months is that WAAP agents, containers and VMs will be components of an integrated network and distributed WAAP. Centralized but flexible management and monitoring remains one of the biggest challenges for distributed WAAPs to overcome if they are to become a reality at scale. Vendors must also identify which features are most suitable for distributed WAAPs, such as specific, targeted protections for certain workloads, and which should be enforced at the network level, such as API discovery and bot mitigation.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

The post Gartner: Magic Quadrant for Cloud Web Application and API Protection first appeared on Techcity Company Limited.

Edge computing is a method of processing data locally, close to users and devices. This saves bandwidth and reduces latency, resulting in the high-speed digital experiences people have come to expect.

What does edge mean?

The edge works like an ATM. No matter where you are, there is always one close by, so getting cash is quick, easy, and predictable. Processing data close to where users and devices are makes access from any location fast and frustration-free by reducing latency. Latency is that annoying delay you might experience between navigating to a website and waiting for the page load, or that tap on a mobile app and the extended time it takes to complete an action. This usually happens because data processing and storage are physically far away from you. When these processes are moved to the edge, geolocated near you, near real-time digital experiences are possible.

An evolving term, “edge” can refer to an edge server, a user’s computer, or an IoT device. It’s a place where processing and data are spread out away from the core of the data center to bring data and decisions closer to users and devices to deliver better user experiences.

As industry expert Gartner VP analyst Bob Gill described in The Edge Manifesto, the edge is designed “for the placement of content, compute and data center resources on the edge of the network, closer to concentrations of users. This augmentation of the traditional centralized data center model ensures a better user experience demanded by digital business.” 

The edge is architected to create nimble, massively distributed installations that provide access to services that help businesses minimize latency, maximize scale, and provide a consistent security posture for apps deployed on any platform. The result is a fast and seamless user experience.

How does edge computing work?

Edge computing is like a doctor’s office with its own lab. Get your exam, lab tests, and results right there, on the spot. With edge computing, your data is collected, analyzed, and processed at the edge, right where people are interacting with you online.

At the most basic level, edge computing brings data, insights, and decision-making closer to the things that act upon them, like an IoT device or a user’s computer. Rather than relying on a central location that can be thousands of miles away, the edge is as near to the “thing” as possible. It’s how the physical and digital world interact at the edge. Edge computing translates those interactions into data, which can be used to make a decision, look for patterns, or pass the data back to a storage or analytics application for further analysis. The goal is ultimately a reliable, scalable implementation so that data, especially real-time data, does not suffer latency issues that can impact the purpose or performance of an application.

What is edge computing used for?

Edge computing is in use all around us and continues to grow and expand. Consider the daily interactions you may take for granted where you expect the response to be instantaneous. This spans from tapping on mobile apps, buying things online, checking your bank balance, and streaming media — to interacting with a connected device like a light, doorbell, or car — even checking in for a train or flight. All of these services require real-time information processing at massive scale. They are all examples of where edge computing can make the difference between a great experience and a really slow, frustrating one.

Edge computing is not a new idea, but one that for decades was too far ahead of its time to be fully appreciated. High-speed stock market trading or optimizing and localizing services at branch offices are two long-standing examples of pushing business logic closer to where the action is. Modern technology brings more opportunities to leverage the power of edge computing, including enabling faster decisions for connected cars and other IoT devices or improving network processing speeds with 5G.

What are edge servers?

During the 1990s when content delivery networks (CDNs) were first created, edge servers were developed to serve web and video content faster by deploying it in close proximity to users. This was the dawn of the edge computing era, when the first commercial edge compute services that hosted applications like shopping carts and real-time data aggregators were born.

Simply put, edge servers are a type of device that run processing at an edge location as an entry point into a network so that users can access content and resources like web applications with immediacy.

Is a CDN the same as edge computing?

In the expanding definition of what “edge” means, a CDN may be considered a form of edge computing. CDNs are traditionally built from conventional servers to store cached data. However, in today’s world — if you’re already on a CDN and that vendor allows you to write code (to interact with the CDN), that’s CDN edge computing. Edge networks can run on anything from conventional servers to smartphones and IoT devices, and they are able to process and store data.

What is edge vs. cloud?

Cloud computing and edge computing are different technologies. They aren’t interchangeable. While cloud computing is used to process non-time-driven data, edge computing is used to process time-sensitive information.

Beyond being preferred for its latency reduction, edge computing is often chosen for remote locations where connectivity is poor or limited and local storage is required.

What is serverless computing?

Serverless computing is sometimes referred to, or confused with, edge computing. Although there are similarities, edge computing can provide dynamic content assembly, security protections, bot management, and much more to the edge — closer to end users’ devices. This allows businesses to configure and deploy these functions as part of their content delivery. 

Also known as function as a service (FaaS), serverless is a zero-management computing environment that allows developers to deploy and execute event-driven logic and contextual data without having to manage and maintain the underlying infrastructure. It is another style of cloud computing where the developer is only concerned about the code being run. The cloud vendor manages how the code is run — and any performance and scalability needs — automatically, so the developer has no need to manage the OS or middleware.

Serverless environments typically exist within centralized compute clouds or edge clouds and offer pricing models based on the resources that applications actually consume.

Core benefits of serverless include eliminating infrastructure maintenance tasks and shifting operational responsibilities to a cloud or edge vendor, and autoscaling to avoid the need to build out extra capacity in advance.

Serverless computing frees up developers so they can focus on key features of the digital experience. Additionally, serverless environments can provide scale, reliability, and cost efficiency, since you only pay for what you use. 

Traditionally, serverless environments provided a compute framework with programming language support, a read/write data store, and developer tools that assist in code management, activation, and monitoring.

What is the future of edge computing?

More and more, people and things, as well as systems of both, interact with one another. This presents new opportunities for edge computing solutions to provide value in layers of hardware, software, and code. 

According to some industry reports, enterprises may invest close to $250B on edge computing by 2024. Capturing this value demands that the edge be well understood, that edge platforms provide both integrated services and integrations with other ecosystem providers, and that businesses appreciate when latency and digital transformation require centralization versus distribution to capture value.

How is edge computing implemented?

Edge compute can be a complex theme and difficult to grasp. Let’s break it down into two simplified examples where businesses faced challenges with cloud platforms, and cloud computing and edge computing solved the problem.

Accelerating geolocation

Personalization is an important part of a modern user experience. Displaying local inventory and offers is key, yet not always easy to do. Geolocation allowed one popular automobile marketplace to tailor its inventory and information, and share market-value pricing, ratings, reviews, and sales information.  

As simple as it sounds, retrieving this data requires many calls to the web application. When a user accesses the app, a geolocation microservice allows the app to filter what it shows. Microservices are a way of developing software applications through independently deployable, modular services. The challenge was that the calls to retrieve up-to-date data add latency. The geolocation microservice made pages load between 500 milliseconds and 2 seconds slower. While that might not seem like a long wait, with the demands of today’s consumers for speed along with busy schedules, it is significant. Shifting the microservice to a solution that injected the geolocation data via a cookie at the edge saved 99% of the round-trip time. This means the microservice now returns geolocation data in 20 milliseconds. For someone looking to buy a car and quickly compare costs and specifications, this time improvement in delivering information was essential.

Global connections

Most people who have flown have experienced the following problem. You know your scheduled flight time. You download the airline app to get notifications. You check flight trackers and the airport website to verify. When you get to the airport, you check flight and gate information on the screens. And once you are at the gate, you look at the updates at the kiosk. More often than not, the information doesn’t match. 

Airlines face many challenges when sending and synchronizing critical data. Inconsistent internet and network speeds make real-time data coordination a real issue. Conflicting flight status information confuses passengers and increases demand for customer service resources. More accurate and timely information distribution increases customer satisfaction and decreases costs. 

One global airline solved this problem with an edge compute solution. It realized that standard web applications could not overcome the data synchronization challenge; there are too many applications to keep in sync. Also, web applications stay up to date by requesting information on a schedule (or in response to an event). For example, have you ever played with your phone’s email client configurations? There is a setting for pull versus push message delivery. Pull tells the app on your phone to request updates from the mail server. Push tells the mail server to send you information. You configure the timing of the push or pull based on how often you expect to get new mail. The problem with flight information is the number of applications. The mobile app, airport screens, websites, and gate kiosks pull at different intervals. This means flight delays will show up differently to each application. 

The airline used an edge compute solution to synchronize global flight information. This delivered three primary benefits: 

1. Messages are smaller and delivered faster and more reliably
2. Information is more secure because it is only sent to known subscribers
3. Every device that displays flight information receives it at the same time

The solution provided reliable automated message delivery and notification in real time, keeping the airline’s customers on time with consistent information at every access point.

The business value of edge computing

Many businesses are still trying to understand when, where, and how edge computing might make sense for their specific needs. Choosing edge computing versus cloud computing will come down to cost when both are viable options. There are some forms of compute that don’t make sense at the edge, just as there are edge computing use cases where low-latency requirements prevent centralizing computing in the cloud.

As broadcasters shift to digital, they need to understand subscriber preferences to design programming and ensure flawless viewing experiences. Designing programming is only really possible with data at rest (data that is not actively moving from device to device or network to network and is stored on a hard drive, flash drive, or laptop, or archived in another way). Data must be collected from a global base, then stored and processed to determine what content to create and how to produce it given the demographics of the subscriber base. Conversely, providing those subscribers with fast startup times and error-free viewing, in their local area, on the device they use, over their specific network connection, requires real-time monitoring, processing, and actions. Value in programming is measured in months and years, but in terms of viewer experience, value is created or lost in milliseconds.

Similarly, it’s important for retailers to understand customer preferences for omnichannel shopping experiences over thousands of interactions to design storefronts and offers that convert customers and maximize their lifetime value. These decisions can’t be made based on individual actions or in real time. This data is also only available at rest, through creating shopper cohorts and personas where merchandise can be presented and promoted to drive purchasing decisions. Assembling that information and adapting it — based on whether the shopper is in a store or online, which device they are using, and how the ecommerce application is behaving in the moment — requires real-time computing to maximize conversions. 

Understanding when and where data is valuable is critical. Businesses must assess where the cloud and the edge provide unique value, and then architect their infrastructure and applications appropriately to capture it. Data that maintains its value at rest will be prohibitively expensive to manage and secure at the edge because doing so will create redundancies that the centralized cloud is designed to overcome. Real-time hyperlocal data sent back to the cloud from the edge will fail to capture value while running up costs, because round trips can add latency and errors that result in poor user experiences. 

Said simply, if action needs to be taken based on data that is changing in real time, start with edge computing. If data can or must be aggregated, processed, and analyzed to be able to provide value, start with cloud computing.

Learn about Akamai’s industry-leading edge compute solutions

The Akamai edge compute platform helps to build and run applications and services elastically with unparalleled scale, reliability, and security.

For over two decades, Akamai has helped businesses develop edge computing solutions tailored to their specific growth and development needs. With the world’s largest and most sophisticated edge platform, over 4,200 locations and 1,400+ networks in 135 countries — we’re poised to deliver the best in serverless computing, edge apps, and cloud optimization.

Innovation on the edge

With EdgeWorkers, what you can imagine is what you can build. We’ve engineered EdgeWorkers to allow development teams to freely build logic that impacts customer experiences — from traffic routing to dynamic content assembly and beyond — within their existing toolsets and workflows.

EdgeWorkers and EdgeKV enable developers to create and deploy microservices across more than a quarter of a million edge servers deployed around the globe. When development teams activate code at the edge, they push data, insights, and logic closer to their end users. Akamai’s performant and scalable implementation model ensures that data and computation are not hampered by latency issues that can have a negative impact on digital experiences

The post What is edge computing? first appeared on Techcity Company Limited.

What is Zero Trust?

Zero Trust is a network security model based on a philosophy that no person or device inside or outside of an organization’s network should be granted access to connect to IT systems or services until authenticated and continuously verified.

The Pitfalls of Perimeter Security

What is the Zero Trust model?

In 2010, Forrester Research analyst John Kindervag proposed a solution he termed “Zero Trust.” 

It was a shift from the strategy of “trust but verify” to “never trust, always verify.” In the Zero Trust model, no user or device is trusted to access a resource until their identity and authorization are verified. This process applies to those normally inside a private network, like an employee on a company computer working remotely from home or on their mobile device while at a conference across the world. It also applies to every person or device outside of that network. It makes no difference if you have accessed the network before or how many times — your identity is not trusted until verified again and again. The idea is that you should assume every machine, user, and server to be untrusted until proven otherwise.

Historically, a castle-and-moat approach to security seemed workable — the idea of a network perimeter where everyone outside the network — or moat — was “bad” and everyone inside was “good” once prevailed. But just as castles and moats are a thing of the past, so should be the castle-and-moat approach to security. Just think about the current state of remote work. Today’s workforce and workplace have changed — when, how, and where people do their work have moved beyond the four walls of an office. With the rise of the cloud, the network perimeter no longer exists in the way it used to. Users and applications are just as likely to be outside of the moat as they are inside. And that introduces weaknesses in the perimeter that malicious actors can exploit. Once inside the moat, they are free to move around, accessing resources and high-value assets, like customer data (or the crown jewels!) — or launching a ransomware attack.

How Zero Trust works

Imagine the Zero Trust model like an extremely vigilant security guard — methodically and repeatedly checking your credentials before allowing you access to the office building where you work, even if they recognize you — then duplicating that process to verify your identity over and over. 

The Zero Trust model relies on strong authentication and authorization for every device and person before any access or data transfer takes place on a private network, no matter if they are inside or outside that network perimeter. The process also combines analytics, filtering, and logging to verify behavior and to continually watch for signals of compromise. If a user or device shows signs of acting differently than before, it is taken note of and monitored as a possible threat. For example, Marcus at Acme Co. typically logs in from Columbus, Ohio, in the United States, but today, he’s attempting to access Acme’s intranet from Berlin, Germany. Even though Marcus’ username and password were entered correctly, a Zero Trust approach would recognize the anomaly in Marcus’ behavior and take action, such as serving Marcus another authentication challenge to verify his identity. 

This basic shift in approach defeats many common security threats. Attackers can no longer spend time taking advantage of weaknesses in the perimeter, and then exploiting sensitive data and applications because they made it inside the moat. Now there is no moat. There are just applications and users, each of which must mutually authenticate, and verify authorization before access can occur. Mutual authentication takes place when two parties authenticate each other at the same time, such as a user with a login and password, and an application they are connecting with through a digital certificate.

Adaptive security and visibility model:

Core principles behind Zero Trust Network Access

The Zero Trust model is based on five basic principles:

• Every user on a network is always assumed to be hostile
• External and internal threats exist on the network at all times
• Network locality is not sufficient for deciding trust in a network
• Every device, user, and network flow is authenticated and authorized
• Policies must be dynamic and calculated from as many sources of data as possible

What are the components of Zero Trust?

The Zero Trust security model of today has expanded. There are many implementations of its principles, including Zero Trust architecture (ZTA), Zero Trust Network Access (ZTNA), and Zero Trust Edge (ZTE). Zero Trust security is also sometimes referred to as “perimeterless security.”

Don’t think of Zero Trust as one discrete technology. Rather, a Zero Trust architecture uses a variety of different technologies and principles to address common security challenges through preventive techniques. These components are designed to provide advanced threat protection as the boundaries between work and home disappear, and an increasingly distributed remote workforce becomes the norm.

Zero Trust Network Access capabilities:

• Control network flows between all assets
• Verify identity and grant access to the cloud
• Authentication and authorization, including multi-factor authentication (MFA)
• Application access vs. access to the entire network
• Least-privilege user access to all applications (IaaS, SaaS, and on-premises)
• VPN elimination
• Service insertion
• Security at the edge
• Improved application performance
• Improved security posture against advanced threats

Key benefits of Zero Trust architecture

A Zero Trust architecture works seamlessly for users, helps protect against cyberattacks, and simplifies infrastructure requirements. Different components of Zero Trust architecture can:

Help ensure network trust and thwart malicious attacks

IT teams need to ensure that users and devices can safely connect to the internet, regardless of where they are connecting from, without the complexity associated with legacy approaches. They also need to proactively identify, block, and mitigate targeted threats such as malware, ransomware, phishing, DNS data exfiltration, and advanced zero-day attacks for users. Zero Trust security can improve security postures while reducing the risk of malware.

Provide secure application access for employees and partners

Traditional access technologies, like VPN, rely on antiquated trust principles, and are particularly vulnerable through compromised user credentials that have led to breaches. IT needs to rethink its access model and technologies to ensure the business is secure, while still enabling fast and simple access for all users, including third-party users. Zero Trust security can reduce risk and complexity, while delivering a consistent user experience.

Reduce complexity and save on IT resources

Enterprise access and security is complex and constantly changing. Making changes with traditional enterprise technologies often takes days (and often across many hardware and software components) using valuable resources. A Zero Trust security model can reduce architectural complexity.

Why a Zero Trust security model is needed

In summary, the modern workforce is becoming increasingly mobile, accessing applications from multiple devices outside of the business perimeter. In the past, many enterprises adopted a “verify, then trust” model — which meant if someone had the correct user credentials, they were admitted to whichever site, app, or device they were requesting. This resulted in an increased risk of exposure, dissolving what was once the trusted enterprise zone of control and leaving many organizations exposed to data breaches, malware, and ransomware attacks. Protection is now needed within specific digital infrastructures where applications and data, and users and devices, are located.

Compelling reasons to employ a Zero Trust model

• Users, devices, applications, and data are moving outside of the enterprise perimeter and zone of control, away from traditional data centers
• New business requirements driven by digital transformation increase risk exposure
• “Trust but verify” is no longer an option, as targeted advanced threats are moving inside the corporate perimeter
• Traditional perimeters are complex, increase risk, and are no longer compatible with today’s business models
• To be competitive, businesses need a Zero Trust network architecture able to protect enterprise data, wherever users and devices are, while ensuring that applications work quickly and seamlessly

Implementing a Zero Trust architecture with Akamai

Akamai’s cloud security services can be combined to build a complete Zero Trust solution that best suits your specific business needs. By enabling safe application access in a cloud-native world, internal corporate networks can become a thing of the past.

Using our advanced distributed ZTNA solution, along with the power of the over 20-year-strong global Akamai Intelligent Edge Platform, you can easily move to a perimeterless world, phasing in applications, protecting your business, and enabling growth.

Akamai’s journey to Zero Trust security

Application access redefined: secure, simple, fast

Give your workforce fast, secure access with Zero Trust Network Access. Enterprise Application Access allows you to adapt to sudden workflow changes. In a matter of minutes, you can set up new applications and users through a single portal and scale remote access. Enterprise Application Access is designed to enable you to make smart decisions about access while reducing cost, complexity, and risk with a simplified cloud-delivered service and no virtual or physical applications to maintain.

Get Zero Trust Network Access with unmatched threat intelligence. Give the right users precise access to the right apps, not the entire network. With adaptive access controls that provide near-real-time security signals and risk scores, your apps are automatically protected.

Proactive protection against zero-day malware and phishing

Safely connect users and devices to the internet with Enterprise Threat Protector using a secure web gateway. Keep users and devices safe with the multilayered defense of real-time intelligence and detection engines on the world’s largest edge platform: a globally scalable solution that deploys in minutes and can reduce time-consuming security management.

Discover phish-proof multi-factor authentication

Akamai MFA prevents employee account takeover and data breaches, and provides unrivaled security. Security is provided by end-to-end cryptography and a sealed challenge/response flow. This method makes the authentication process unphishable and confidential.

An Updated Enterprise Security Model

Why Enable Network Security at the Edge?

Empower Your Network Security Transformation

Where to Start and What to Consider?

The post Zero Trust security model — what is Zero Trust? first appeared on Techcity Company Limited.

DDoS, or distributed denial of service, is a type of cyberattack that tries to make a website or network resource unavailable by flooding it with malicious traffic so that it is unable to operate.

What is a DDos Attack

DDoS Attack Meaning

In a distributed denial-of-service (DDoS) attack, an attacker overwhelms its target with unwanted internet traffic so that normal traffic can’t reach its intended destination.

But what does that really mean? Imagine your favorite zombie movie. Swarms of infected creatures all with the same goal — to overwhelm civilization as they spread their “zombie plague.” They swamp the resources of law enforcement organizations, deplete military forces, and take down healthcare services. Then, inevitably, there’s a giant traffic jam sprawling as far as the eye can see, as people flee for safety on the highway. That’s what a DDoS attack is like: a zombie apocalypse online. But instead of zombies, hordes of infected computers go after a targeted website, all at the same time — driving humans and business away.

A DDoS attack on a company’s website, web application, APIs, network, or data center infrastructure can cause downtime and prevent legitimate users from buying products, using a service, getting information, or any other access.

During a DDoS attack, attackers use large numbers of exploited machines and connected devices across the internet. including Internet of Things (IoT) devices, smartphones, personal computers, and network servers to send a flood of traffic to targets.

How does a DDoS Attack Work?

DDoS attacks exploit networks of internet-connected devices to cut off users from a server or network resource, such as a website or application they may frequently access.

To launch a DDoS attack, attackers use malware or take advantage of security vulnerabilities to maliciously infect and gain control over machines and devices. Each computer or infected device, called a “bot” or “zombie,” becomes capable of spreading the malware further and participating in DDoS attacks. These bots form bot armies called “botnets” that leverage their strength in numbers and amplify the size of an attack. And because the infection of IoT devices often goes unnoticed — just like that pesky B movie zombie that you didn’t realize was infected — legitimate device owners become secondary victims or unknowing participants, while attackers remain hard to identify by the victimized organization.

Once an attacker has built a botnet, they are able to send remote instructions to each bot,

directing a DDoS attack on the target system. When a botnet attacks a network or server, the attacker instructs individual bots to send requests to the victim’s IP address. Just as we humans have one-of-a-kind fingerprints, our devices have a unique address that identifies them on the internet or local network. The result of overwhelming traffic leads to a denial of service, preventing normal traffic from accessing the website, web application, API, or network.

Sometimes botnets, with their networks of compromised devices, are rented out for other potential attacks through “attack-for-hire” services. This allows people with malicious intent but no training or experience to easily launch DDoS attacks on their own.

Types of DDoS Attacks

There are many different types of DDoS attacks, and attackers often use more than one type to wreak havoc on their targets. Three key types are volumetric, protocol, and application-layer attacks. The purpose of all attacks is to severely slow down or stop legitimate traffic from reaching its intended destination. For example, this could mean stopping a user from accessing a website, buying a product or service, watching a video, or interacting on social media. Additionally, by making resources unavailable or diminishing performance, DDoS can cause business to grind to a halt. This can result in preventing employees from accessing email, web applications, or conducting business as usual.

To further understand how DDoS attacks work, let’s break down the different pathways attackers can take. The open system interconnection model, also referred to as the “OSI model,” is a layered framework for various networking standards and contains seven different layers. Each layer of the OSI model has a unique purpose, like the floors of an office building where different functions of a business take place on each floor. Attackers target different layers depending on what type of web or internet-facing asset they’d like to disrupt.

The Seven Layers of Network Connectivity in the OSI Model Involved in a DDoS Attack

Layer 7 – Application

The application layer is at the top and is closest to the end user. It’s where people interface with computers and devices and where networks connect with applications.

Layer 6 – Presentation

Data encryption and decryption occur on the presentation layer, enabling secure transmission.

Layer 5 – Session

The session layer allows devices, computers, or servers to communicate with one another and controls ports and sessions.

Layer 4 – Transport

At the transport layer, data is communicated via Transmission Control Protocol (TCP), which is built on top of the Internet Protocol (IP), also called TCP/IP.

Layer 3 – Network

The network layer determines the physical path that data will take to get to its destination.

Layer 2 – Data Link

The data link layer provides a way to transfer data between network entities. It’s also a means to detect and correct errors that can happen in the physical layer.

Layer 1 – Physical

The first and lowest layer, Layer 1 is the physical layer where raw bits are transmitted over a physical data link connecting network nodes.

Volumetric Attacks

The intent of a volume-based DDoS attack is to overwhelm a network with massive amounts of traffic by saturating the bandwidth of the intended victim resource. The large quantities of attack traffic block legitimate users from accessing the application or service, preventing traffic from flowing in or out. Depending on the target, stopping legitimate traffic could mean a bank customer may be unable to pay a bill on time, ecommerce shoppers are unable to complete online transactions, a hospital patient could be barred from their medical records, or a citizen could find themselves unable to view their tax records from a government agency. No matter the organization, blocking people from a service they expect to use online has a negative impact.

Volumetric attacks use botnets created with armies of individual malware-infected systems and devices. Controlled by an attacker, bots are used to cause congestion between a target and the internet at large with malicious traffic that saturates all available bandwidth.

An unforeseen onslaught of bot traffic can significantly slow down or prevent access to a web resource or internet-facing service. Since bots take over legitimate devices to amplify bandwidth-intensive DDoS assaults, often unknowingly to the user, the malicious traffic is difficult for the victimized organization to detect.

Common types of volume-based attacks

There are a variety of volumetric DDoS attack vectors used by threat actors. Many leverage reflection and amplification techniques to overwhelm a target network or service.

UDP Flood

UDP floods are frequently chosen for larger-bandwidth DDoS attacks. Attackers attempt to overwhelm ports on the targeted host with IP packets containing the stateless UDP protocol. The victim host then looks for applications that are associated with the UDP packets, and when not found, sends a “Destination Unreachable” back to the sender. The IP addresses are often spoofed to anonymize the attacker, and once the targeted host becomes inundated with attack traffic, the system becomes unresponsive and unavailable to legitimate users.

DNS reflection/amplification

DNS reflection attacks are a common type of vector where cybercriminals spoof the IP address of their target to send large amounts of requests to open DNS servers. In response, these DNS servers respond back to the malicious requests by the spoofed IP address, thereby creating an attack on the intended target through a flood of DNS replies. Very quickly, the large volume of traffic created from the DNS replies overwhelms the victim organization’s services, making them unavailable and preventing legitimate traffic from reaching its intended destination.

ICMP flood

Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany Transmission Control Protocol TCP packets that enable application programs and computing devices to exchange messages over a network, when connecting to a server. An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth.

Protocol Attacks

Protocol attacks attempt to consume and exhaust compute capacity of various network infrastructure resources like servers or firewalls via malicious connection requests that exploit protocol communications. Synchronize (SYN) floods and Smurf DDoS are two common types of protocol-based DDoS attacks. Protocol attacks can be measured in packets per second (pps) as well as bits per second (bps).

SYN flood attack

One of the main ways people connect to internet applications is through the Transmission Control Protocol TCP. This connection requires a three-way handshake from a TCP service — like a web server — and involves sending what is called a SYN (synchronization) packet from where the user connects to the server, which then returns a SYN-ACK (synchronization acknowledgement) packet, that is ultimately answered with a final ACK (acknowledgement) communication back to complete the TCP handshake.

During a SYN flood attack, a malicious client sends a large volume of SYN packets (part one of the usual handshake) but never sends the acknowledgement to complete the handshake. This leaves the server waiting for a response to these half-open TCP connections that eventually run out of capacity to accept new connections for services that track connection states. 

A SYN flood attack is like a terrible prank by the entire graduating class of a really big high school, where each student calls the same pizza restaurant and orders a pie during the same time frame. Then, when the delivery person goes to pack up, she realizes that there are too many pizzas to fit in her car and there are no addresses on the orders — so all delivery stops.

Smurf DDoS attack

The name of this DDoS attack is based on the concept that tiny, numerous attackers can overwhelm a much larger opponent by sheer volume, just like the fictional colony of small blue humanoids that are its namesake.

In a Smurf distributed denial-of-service attack large numbers of Internet Control Message Protocol ICMP packets with an intended target’s spoofed source IP are broadcast to a computer network using an IP broadcast address. By default, most devices on a network will respond by sending a reply to the source IP address. Depending on the number of machines on the network, the victim’s computer may be slowed down to a crawl from being flooded with traffic.

Application-layer Attacks

Example: HTTP flood attack

Conducted by flooding applications with malicious requests, application-layer attacks are measured in requests per second (RPS). Also called Layer 7 DDoS attacks, these attacks target and disrupt specific web applications, not entire networks. While difficult to prevent and mitigate, they are among the easier DDoS attacks to launch.

In comparison, it’s easy to startle a herd of horses into a stampede but almost impossible to get them under control again. Application-layer attacks are like that: easy to implement, hard to slow down or stop, and specific to a target.

What are DDoS Attacks Used For?

Distributed denial-of-service DDoS attacks attempt to take down online services, websites, and web applications by flooding them with malicious traffic from multiple sources or exhausting compute resources of the targeted asset. The goal of the attacker is to make the target unavailable to legitimate users, because it’s all about disruption. DDoS attacks target a wide array of resources people depend on every day, including financial services, medical information, news outlets, educational systems, and online shopping. 

There are many reasons why threat actors launch DDoS attacks aimed at disrupting organizations. Common motivations can include:

• Hacktivism driven by political or social reasons
• Nation-state attackers aiming to cause economic or social disruption
• Attempts to attract business if a competing service or product is unavailable
• DDoS used as a smokescreen to distract an incident response team from a more elusive, sophisticated attack
• Extortion to drive financial gain and profits

More recently, DDoS extortion attacks in particular have been a popular motivator for cybercriminals. Also known as ransom DDoS (RDDoS) attacks, DDoS extortion attacks happen when threat actor groups (and copycats alike) threaten organizations with a DDoS event unless a ransom or extortion ultimatum is paid. Oftentimes these criminal actors launch a “show-of-force” attack to demonstrate their ability to cause disruption and increase the likelihood of extortion payment by the targeted company. To avoid being caught, attackers insist on payment in cryptocurrency, like Bitcoin.

Like an elementary school kid that a bully steals homework from, then makes him give over his lunch money to get it back, DDoS extortion attacks are all about ransom. In the sophisticated world of online bullying, the ransom money is digital and untraceable.

How to Defend Against DDoS Attacks

With a strong DDoS strategy and runbook in place, organizations can protect against and limit disruption from DDoS attacks. The high-capacity, high-performance, and always-on anti-DDoS protection of cloud-based solutions can prevent malicious traffic from reaching a website or interfering with communication by a web API. A cloud-based scrubbing service can quickly mitigate attacks that target non-web assets, like network infrastructure, at scale.

DDoS protection

In a constantly evolving attack landscape, DDoS protection through a mitigation provider that takes a defense-in-depth approach can keep organizations and end users safe. A DDoS mitigation service will detect and block DDoS attacks as quickly as possible, ideally in zero or a few seconds from the time that the attack traffic reaches the mitigation provider’s scrubbing centers. Because attack vectors keep changing and attack sizes keep getting bigger, to achieve the best DDoS protection a provider must continually invest in defense capacity. To keep up with large, complex attacks, the right technologies are needed to detect malicious traffic and begin robust defensive countermeasures to mitigate attacks quickly.

DDoS mitigation providers filter out malicious traffic to prevent it from reaching the intended targeted asset. Attack traffic is blocked by a DDoS scrubbing service, a cloud-based DNS service, or a CDN-based web protection service. Cloud-based mitigation removes attack traffic before it reaches the target.

DDoS cloud scrubbing

DDoS scrubbing can keep your online business up and running, even during an attack. Unlike CDN-based mitigation, a DDoS scrubbing service can protect across all ports, protocols, and applications in the data center, including web- and IP-based services. Organizations direct their network traffic in one of two ways: via a Border Gateway Protocol (BGP) route advertisement change or DNS redirection (A record or CNAME) to the mitigation provider’s scrubbing infrastructure. Traffic is monitored and inspected for malicious activity, and mitigation is applied if DDoS attacks are identified. Typically, this service can be available in both on-demand and always-on configurations, depending on an organization’s preferred security posture — although more organizations than ever before are moving to an always-on deployment model for the fastest defensive response.

CDN-based defense

A properly configured advanced content delivery network (CDN) can help defend against DDoS attacks. When a website protection service provider uses its CDN to specifically accelerate traffic using HTTP and HTTPS protocols, all DDoS attacks targeting that URL can then be dropped at the network edge. This means that Layer 3 and Layer 4 DDoS attacks are instantly mitigated, as this type of traffic is not destined for web ports 80 and 443. As a cloud-based proxy, the network sits in front of a customer’s IT infrastructure and delivers traffic from end users to the websites and applications. Because these solutions operate in-line, web-facing assets are protected at all times without human interaction from network-layer DDoS attacks. For application layer–specific defense, organizations should look to deploy a web application firewall to combat advanced attacks, including certain types of DDoS attacks like HTTP GET and HTTP POST floods, which aim to disrupt Layer 7 application processes of the OSI model.   

The benefits of DDoS mitigation services

Organizations can reduce their attack surface while also reducing risk of business-impacting downtime and disruption by deploying DDoS-specific security controls. This type of defense can thwart an attack while allowing legitimate visitors to access your organization online as they normally would. DDoS protection prevents malicious traffic from reaching its target, limiting the impact of the attack, while allowing normal traffic to get through for business as usual. 

How can you stop a DDoS attack?

During mitigation, your DDoS protection provider will deploy a sequence of countermeasures aimed at stopping and diminishing the impact of a distributed denial-of-service DDoS attack. As modern attacks become more and more advanced, cloud-based DDoS mitigation protection helps to provide defense-in-depth security at scale, keeping back-end infrastructure and internet-facing services available and performing in an optimal manner.

Through DDoS attack protection services, organizations can:

• Reduce the attack surface and business risk associated with DDoS attacks
• Prevent business-impacting downtime
• Increase speed to respond to a DDoS event and optimize incident response resources
• Shorten the time to understand and investigate a service disruption 
• Prevent loss of employee productivity 
• More quickly deploy countermeasures to defend against a DDoS attack
• Prevent damage to brand reputation and bottom line
• Maintain application uptime and performance across digital estates
• Minimize costs associated with web security
• Defend against new and evolving threats

Learn how Akamai can help protect your web and internet-facing services from DDoS attacks

How a holistic DDoS defense works

Akamai provides DDoS defense in depth through a transparent mesh of dedicated edge, distributed DNS, and cloud scrubbing defenses. These purpose-built cloud solutions are designed to strengthen DDoS security postures while reducing attack surfaces, improving the quality of mitigation, and reducing false positives, while increasing resiliency against the largest and most complex attacks.

Moreover, the solutions can be fine-tuned to the specific requirements of your web applications and internet-based services.

Edge Defense

Akamai architected its globally distributed intelligent edge platform as a reverse proxy to only accept traffic via ports 80 and 443. All network-layer DDoS attacks are instantly dropped at the edge with a zero-second SLA. That means that attackers launching network-layer DDoS attacks don’t stand a chance.

For application-layer DDoS attacks, including those launched via APIs, Kona Site Defender detects and mitigates the attacks, while simultaneously granting access to legitimate users.

DNS Defense

Akamai’s authoritative DNS service, Edge DNS, also filters traffic at the edge. Unlike other DNS solutions, Akamai specifically architected Edge DNS for availability and resiliency against DDoS attacks. Edge DNS also delivers superior performance, with architectural redundancies at multiple levels, including name servers, points of presence, networks, and even segmented IP Anycast clouds.

Cloud Scrubbing Defense

Prolexic protects entire data centers and hybrid infrastructures from DDoS attacks, across all ports and protocols, with 20 global scrubbing centers and more than 10 Tbps of dedicated DDoS defense. This capacity is designed to keep internet-facing assets available — a cornerstone of any information security program.

As a fully managed service, Prolexic can build both positive and negative security models. The service combines automated defenses with expert mitigation from Akamai’s global team of 225+ frontline SOCC responders. Prolexic also offers an industry-leading zero-second mitigation SLA via proactive defensive controls to keep data center infrastructure and internet-based services protected and highly available.

The post What is A DDoS Attack? first appeared on Techcity Company Limited.

Content delivery networks, or CDNs, make online experiences faster and more reliable by delivering content closer to users.

What is a CDN?

A content delivery network (CDN) is a group of geographically distributed servers that speed up the delivery of web content by bringing it closer to where users are. Data centers across the globe use caching, a process that temporarily stores copies of files, so that you can access internet content from a web-enabled device or browser more quickly through a server near you. CDNs cache content like web pages, images, and video in proxy servers near to your physical location. This allows you to do things like watch a movie, download software, check your bank balance, post on social media, or make purchases, without having to wait for content to load.

You could think of a CDN like an ATM. Having a cash machine on practically every corner makes it fast and efficient to get money. There’s no wait time in long bank lines, and the ATMs are placed in many convenient locations for immediate access.

CDN services were created to solve the problem of network congestion caused by delivering rich web content, such as graphics and video over the internet — much like a traffic jam. Getting content from centrally located servers to individual users simply took too long. CDNs have now grown to include everything from text, graphics, scripts, and media files to software downloads, documents, portals, ecommerce, live streaming media, on-demand video streaming media, and social media sites.

CDNs can also provide websites with increased protection against malicious actors and security concerns like distributed denial-of-service (DDoS) attacks.

What is an example of a CDN?

A large portion of all internet content is delivered through CDNs. Here is a simple example:

If you were in New York and wanted to view the website of your favorite store in London that’s hosted on a server in the UK, you would experience slow content load times if the request had to travel all the way across the Atlantic Ocean. To remedy this, a CDN would store a cached version of the London website content in multiple geographical locations around the world, also called “points of presence” (PoPs). These PoPs contain their own caching servers and are responsible for delivering that content close to where you’re located in New York.

Content delivered from a server closest to your physical location gives you a faster, high-performance web experience.

How does a CDN work?

The mission of a CDN is to reduce latency. Latency is that annoying delay you experience when trying to access a web page or video stream before it fully loads on your device. Although measured in milliseconds, it can feel like forever, and may even result in a load error or time-out. Some content delivery networks alleviate latency by reducing the physical distance that the content needs to travel to reach you. Therefore, larger, more widely distributed CDNs are able to deliver web content more quickly and reliably by putting the content as close to the end user as possible.

Let’s say it’s the weekend and you want to kick back and stream the latest Hollywood movie release — the CDN finds an optimal server on its network to serve up that video. Usually, that will be the server closest to your physical location. The media files will be cached and remain on that content delivery network server for other user requests in the same geographic area. If the content you requested is unavailable or outdated, the CDN service will store the newly fetched content to serve any future requests.

While the delivery of website content is a common use for CDNs, it’s not their only function. In fact, CDNs deliver a wide variety of content that includes: 4K and HD-quality video, audio streams, software downloads such as apps, games, and OS updates, and much more. Potentially any data that can be digitized can be delivered through a content delivery network.

What is a CDN host?

Although CDNs aren’t web hosts and don’t deliver items over the last mile to consumers, content delivery network servers are geographically distributed to cache content closer to users and their ISPs wherever they are in the world. This temporary content storage at the network edge makes it possible to reduce latency and deliver the same content to multiple users for more efficient access.

For network operators, also known as wireless service providers or mobile network carriers, that are struggling to keep up with the never-ending demand for online video, a CDN hosting platform can be a highly effective and cost-efficient solution to stay competitive. A content delivery network can enable operators to provide a fast, secure, reliable online experience with the consistent quality that people expect on every web-enabled device.

Why is a CDN needed?

For over 20 years, CDNs have formed the unseen backbone of the internet — delivering online content for shopping, banking, healthcare, and other businesses quickly and at scale.

Without CDNs, with their ability to replicate and store information from origin servers and then bring digital content close to where users access the web, the internet might be slowed to a crawl.

You may not realize it, but if you’ve done almost anything online, a CDN has probably helped provide you with a fast, reliable, and consistent experience. Here’s a simple example of how content delivery networks manage traffic behind the scenes to make that happen:

A CDN balances overall traffic to give everyone accessing internet content the best web experience possible. Think about it like routing traffic in the real world. There may be one route that’s usually the fastest from point A to point B if no other cars take it — but if it starts getting congested, it’s better for everyone if the traffic gets spread out over a few different routes. That may mean that you get sent on a roadway that’s a few minutes longer (or microseconds, when scaled to internet speeds) but you don’t get stuck in the traffic jam that’s forming on the route that is typically the fastest. It may also mean that you get sent on that fastest regular route, but without getting bogged down in traffic, because other cars are being sent on longer paths. So, it’s not a matter of slowing down, it’s about load-balancing and fully using all available resources.

The fact is, without CDNs, we’d all be stuck in traffic jams a lot more often when surfing the web. 

Who uses CDNs?

Almost everyone that accesses the web uses a CDN. They were created to provide a faster and more reliable experience for people accessing the internet. They are used by the content and application owners and network service providers that supply those benefits to their customers.

CDNs for End Users

Websites and web applications delivered through a CDN experience faster page loads, faster transactions, and a more consistent online experience. However, people may have no idea they are connecting through a content delivery network as they enjoy its benefits, because the technology works behind the scenes. They simply receive what they requested from their ISP or mobile provider.

CDNs for content owners

Content and application owners — including ecommerce sites, media properties, and cloud computing companies — use CDNs to improve customer experiences, lower abandonment rates, increase ad impressions, improve conversion rates, and strengthen customer loyalty. Using a content delivery network can also improve web security, for instance by helping to absorb and mitigate a distributed denial-of-service (DDoS) attack.

CDNs for Network Service Providers

With the explosive growth of online streaming and other rich media services and higher user expectations about web performance across multiple device types, many of today’s network service providers are finding it necessary to deploy their own content distribution networks. For network operators, deploying a content delivery network can reduce subscriber churn, facilitate the development of value-added services, reduce traffic on the core network, and enable operators to sell CDN services to enterprises and third-party content owners.

One of the biggest benefits of a CDN is offload. By responding to a request for web content with a cached version in closer physical and network proximity to the end user — instead of from the server where the content originates — a CDN offloads traffic from content servers and improves the web experience. This means that content can stay within the network operator’s network and reduce the need to engage in peering with other networks or navigating the broader internet to deliver information.

What are the benefits of a CDN?

CDNs carry a large portion of the world’s internet traffic. They help solve the toughest challenges of delivering content over the internet. Businesses from small and medium content providers to the world’s large corporations use content delivery networks to provide a seamless web experience to their customers.

Because the internet was not originally designed to handle the demands of massive amounts of data, live high-definition video, flash sales, and large downloads, CDNs were built to make the internet work better. They help to securely deliver media at scale and enable all of the connected experiences that are part of daily life for most of us today. 

By providing solutions for performance, availability, security, and intelligence, CDNs help the world’s top companies and organizations do business successfully online

Performance

Performance is the difference between a click giving you immediate access to new content and a click followed by a seven-second wait while a page loads or a video buffers. Buffering is that wait time, symbolized by a familiar swirling circle icon on screen, that happens when the internet connection provided by an ISP can’t supply data fast enough.

How does it work? When requested content is cached (pre-saved) by a CDN’s servers, an end user’s ISP or mobile provider gets that content by connecting to a server on the CDN’s network, rather than waiting for their request to go directly to the origin. An origin server, where the content you are trying to access lives, may be far away from your physical location. If so, a CDN will bring that content closer to you, improving speed and performance. For example, let’s say that Fashion House X (FHX) from Milan, Italy, releases its new lineup for online orders. Fashion lovers in New York, Paris, Rio De Janeiro, and Tokyo all go online to make their orders. If FHX isn’t using a cloud content management system, the request from each end user must go all the way to Milan and back. However, if FHX uses a CDN and has preloaded its content across the CDN, each user can access the new content from servers directly in their city, saving their data hundreds or thousands of miles in round-trip time. 

If the content isn’t already pre-saved, the CDN uses its programmed knowledge of the necessary connections to overcome any challenges. Advanced CDNs use additional technologies that resolve any issues in the delivery of dynamic, or uncacheable, content and to determine the appropriate type of content to deliver to different devices. 

All of this means that, when using a CDN, content providers can deliver fast, quality web experiences to all their end users; no matter what location, browser, device, or network they’re connecting from. Web pages render more quickly, video buffering time is reduced, and users stay more engaged.

Availability

Availability means that content remains accessible to end users even during periods of excessive user traffic when many people are accessing content at the same time or if there are server outages in some parts of the internet. 

When traffic loads peak at millions of requests per second, even the most powerful servers are put to the test. Without a content delivery network, all this traffic must be absorbed by a content provider’s infrastructure. This can cause failures and poor end user experiences. The widely distributed server infrastructure offered by CDNs is designed to alleviate these issues. Advanced CDNs, with their highly distributed architecture and massive server platforms, can absorb tens of Tbps of traffic and make it possible for content providers to stay available to even larger user bases.

As an example, let’s return to FHX in Milan. Its brand is beloved by millions of fashion lovers, and its new lineup generates a lot of excitement. At the moment of launch, fashion lovers from all over the world go online to FHX’s website at the same moment. If FHX is not using a CDN, all of those users would hit its origin server at the same time, causing it to fail. However, if FHX is using a CDN, all of that traffic will be served across the CDN’s hundreds of thousands of servers, keeping FHX’s origin from failing and delivering a quality experience to fashion lovers across the globe. 

Security

As the volume of high-value data and transactions on the internet continues to grow, so do the forces of attackers looking to exploit it. Attacks by malicious actors can cost organizations big money. Along with crimes committed by malicious insiders, DDoS and web-based attacks have been found to be the costliest. 

Denial-of-service attacks and web-based exploits (SQL injection, cross-site scripting, and local or remote file-inclusion attacks) are becoming more common. These attacks are increasingly launched in conjunction using a DDoS attack to divert attention while causing more serious damage with other exploits. In both types of attacks, it is often difficult to distinguish bad traffic from legitimate traffic, and attack strategies continue to evolve rapidly over time, requiring significant dedicated security resources in order to stay up to date on mitigation strategies. 

Given the increasing volatility of the internet threat landscape, helping to secure websites is a critical CDN requirement. Today’s most advanced content delivery networks have made information security a core competency, providing unique cloud-based solutions. CDNs should protect content providers and users by mitigating against a wide array of attacks without malicious entities ever compromising delivery and availability.

Intelligence

As carriers of nearly half of the world’s internet traffic, CDN providers generate vast amounts of data about end-user connectivity, device types, and browsing experiences across the globe. They can use this data to help their customers, giving them critical, actionable insights, and intelligence into their user base. These services may include real-user monitoring and media analytics to measure end-user engagement with web content and cloud security intelligence to keep track of online threats.

Cloud versus CDN

The modern digital experience has expanded how companies deploy their content. CDNs and cloud computing were developed to address challenges the demand for web content and applications create in terms of performance and scalability. But how are they different?

Cloud

Cloud computing environments store information on internet servers instead of on your computer’s hard drive. For end users, this can be a convenient and reliable means for things like web-based email, file storage, file sharing, and backing up data. It’s also how people readily access web applications like social media platforms. Cloud environments consist of hundreds of PoPs with servers centralized in regional locations.

For businesses, the cloud offers lower upfront costs and the ability to scale application infrastructure as needed, expand into new geographies without having to invest in costly new infrastructure, and take advantage of related cloud services to build the latest digital experiences or enterprise applications. 

While the cloud can offer many benefits, organizations often experience unexpected costs when building applications in or migrating applications to the cloud. The dynamic nature of cloud migration projects can make it difficult to maintain performance and availability of digital experiences. 

CDN

A CDN is a network of servers that distributes content from an “origin” server throughout the world by caching content close to where each end user is accessing the internet via a web-enabled device. The content they request is first stored on the origin server and is then replicated and stored elsewhere as needed. By caching content physically close to where a user is and reducing the distance it has to travel, latency is reduced. This process also decreases stress on origin servers by distributing the load geographically across multiple servers.

Some people refer to content delivery networks as “the edge.” The edge is where the physical and digital world meet and interact at the network perimeter. With thousands of PoPs widely distributed around the globe and unmatched capacity and scale, CDNs provide closer proximity to end users. 

This means wherever you are in the world — using your mobile phone, tablet, computer, or other internet-enabled device — the content you want to access will load more quickly. You could be watching a video at home on the couch or checking in to your flight on another continent, and get the same seamless digital experience because of a content delivery network.

CDN Solutions from Akamai, the latest in edge delivery

Akamai’s CDN services were born from a challenge posed by internet founder Tim Berners-Lee, to solve what came to be known as the “world wide wait.” We pioneered edge computing more than 20 years ago by developing sophisticated new techniques to route web traffic, getting content from centrally located servers to early internet users faster. Today, the world’s biggest brands trust Akamai’s solutions and expertise to protect and deliver their digital experiences.

No matter the type of content — from websites, apps, APIs, video, or software — our comprehensive set of content delivery solutions is designed to deliver amazing digital experiences for every user, regardless of location, device, or network. 

Akamai has an unmatched global network capacity of 300+ Tbps and is unparalleled at scale with over 4,200 locations and upwards of 1,400 networks that span 135 countries. With the largest edge delivery platform, we see more of what’s happening on the internet. This means we can deftly avoid bottlenecks and defend at the edge. 

Automated acceleration to deliver the best website and mobile app experiences imaginable

Today’s users demand visually engaging, personalized experiences that are fast on every device, all the time. To deliver on customer expectations, digital businesses craft increasingly complex applications that are loaded with high-res images, videos, personalization, and other third-party content. The outcome can be very costly to optimize, operate, and maintain. The Akamai Ion intelligent performance automation and controls continuously analyze, optimize, and accelerate web and mobile app experiences.

High-quality video playback experiences to any screen

Online audiences may not know, or care, about the challenges you face when it comes to delivering online video. They expect fantastic video playback at all times, despite the many online content delivery challenges that stand in your way. Adaptive Media Delivery is optimized to provide consistent, high-quality video playback experiences across any screen to growing online audiences.

Seamless download delivery

End users expect frictionless download experiences, combining fast downloads and nearly instant updates. An effective and reliable content distribution and download strategy is a key factor in maximizing download completion rates, customer satisfaction, and revenue — whether they are downloading software, an application, a game, or a security patch across the device landscape. Download Delivery is a reliable, high-performance solution optimized to deliver large, file-based content over the internet. 

API Acceleration

APIs play a critical role in today’s fast-paced digital environment where connection speeds are measured in milliseconds. It’s becoming increasingly challenging to meet user expectations as the number of API requests are growing at a relentless pace and with frequent and sudden spikes in demand. When public-facing APIs aren’t delivered quickly, this can lead to poor user experiences, revenue loss, and downtime. Working with a partner that can take concerns about reliability, scalability, and performance out of the equation is a necessity.

API Acceleration is optimized for API delivery and other small payload traffic to enable fast and engaging user experiences across apps and sites. The solution offloads requests from origin infrastructures and provides predictable high performance for large volumes of XML, JSON, and other small transactional and programmatic traffic types critical to application success.

The post Content Delivery Networks — What is a CDN? first appeared on Techcity Company Limited.

Doanh nghiệp có một số lựa chọn khi chuyển dữ liệu từ trung tâm dữ liệu cục bộ lên Public Cloud. Chúng bao gồm việc sử dụng Internet công cộng hoặc kết nối mạng riêng / chuyên dụng. Một tùy chọn khác là chuyển dữ liệu ngoại tuyến, trong đó một tổ chức tải dữ liệu cục bộ của mình lên một thiết bị và sau đó vận chuyển thực tế thiết bị đó đến một nhà cung cấp Public Cloud, nhà cung cấp này sau đó sẽ tải dữ liệu lên đám mây. Loại di chuyển dữ liệu mà doanh nghiệp chọn – trực tuyến hoặc ngoại tuyến – phụ thuộc vào số lượng và loại dữ liệu mà doanh nghiệp muốn di chuyển, cũng như tốc độ cần thiết để hoàn thành quá trình di chuyển.

Có thể không thực tế nếu bỏ qua kết nối internet của bạn trong một khoảng thời gian dài. Trong một số trường hợp, sẽ có ý nghĩa hơn khi sử dụng xe tải để truyền dữ liệu thay vì kết nối internet. Việc vận chuyển vật lý có thể không loại bỏ nhu cầu đồng bộ hóa bổ sung, nhưng nó có thể cắt giảm thời gian và chi phí để di chuyển dữ liệu.

Trước khi tiến hành dịch chuyển, khối lượng công việc cần được kiểm tra kỹ lưỡng và tối ưu hóa để mang lại hiệu suất có thể chấp nhận được. Việc kiểm tra các điều kiện hỏng hóc cũng như các hệ thống dự phòng cũng rất quan trọng.

Khi quá trình di chuyển đám mây hoàn tất, nhân viên sẽ chuyển sự tập trung sang hiệu suất, mức sử dụng và tính ổn định của dữ liệu. Hãy đảm bảo ngân sách cho những công cụ này, vì chúng thường bị lãng quên trong kế hoạch ban đầu.

Đây là nơi mà các nhân viên CNTT nhận thấy sự thay đổi lớn nhất trong vai trò hỗ trợ của họ. Có một số giảm việc hỗ trợ chung cho phần cứng. Nhưng khối lượng công việc trên đám mây vẫn phải được quản lý, vì vậy việc bổ sung một số lớp đào tạo về quản lý đám mây cho nhóm là rất hợp lý. Có thể có một số cân nhắc đặc biệt đối với thực tế bảo mật mới trong quá trình di chuyển.

Đảm bảo bảo mật ứng dụng trên đám mây luôn là mối quan tâm hàng đầu, đặc biệt là trong quá trình di chuyển trực tiếp lên đám mây. Di chuyển máy ảo là điều cần thiết để cân bằng nhu cầu về tính toán, lưu trữ và các nhu cầu ứng dụng khác của khối lượng công việc.

Di chuyển trực tiếp thông qua mạng làm cho khả năng nhiều loại tấn công có thể xảy ra. Kẻ tấn công có thể chụp nhanh máy ảo và tạo máy ảo trong bối cảnh khác với mục đích ban đầu của nó. Những thông tin đăng nhập bị đánh cắp đó có thể sao chép và lấy cắp ảnh chụp nhanh hoặc cài đặt rootkit hoặc phần mềm độc hại khác để có thêm quyền truy cập. Thrashing là một cuộc tấn công từ chối dịch vụ liên tục, trong đó tin tặc buộc phải di chuyển nhiều lần và làm gián đoạn các quy trình tính toán bằng cách tiêu thụ tài nguyên hệ thống.

The post Quá trình di chuyển qua đám mây (P2) first appeared on Techcity Company Limited.

Quá trình di chuyển qua đám mây

Các bước hoặc quy trình mà doanh nghiệp tuân theo trong quá trình di chuyển trên đám mây khác nhau dựa trên các yếu tố như loại di chuyển mà doanh nghiệp muốn thực hiện và các tài nguyên cụ thể mà doanh nghiệp muốn di chuyển. Điều đó nói rằng, các yếu tố chung của chiến lược di chuyển qua đám mây bao gồm:

• đánh giá hiệu suất và các yêu cầu bảo mật;
• lựa chọn nhà cung cấp đám mây;
• tính toán chi phí;
• bất kỳ yếu tố tái cấu trúc nào được cho là cần thiết.

Đồng thời, hãy chuẩn bị để giải quyết một số thách thức phổ biến trong quá trình di chuyển qua đám mây:

• khả năng tương tác;
• dữ liệu và tính khả năng di chuyển của ứng dụng;
• tính toàn vẹn và bảo mật của dữ liệu; 
• tính liên tục trong kinh doanh.

Nếu không có kế hoạch phù hợp, việc di chuyển có thể làm giảm hiệu suất khối lượng công việc và dẫn đến chi phí CNTT cao hơn – do đó làm mất đi một số lợi ích chính của điện toán đám mây.

Cố gắng để không lạm chi khi chuyển sang môi trường Cloud

Tùy thuộc vào chi tiết của việc di chuyển, một doanh nghiệp có thể chọn chuyển một ứng dụng sang môi trường lưu trữ mới của mình mà không cần bất kỳ sửa đổi nào – một mô hình đôi khi được gọi là di chuyển nhấc lên và dịch chuyển. Trong trường hợp này, khối lượng công việc di chuyển trực tiếp từ các máy chủ cục bộ sang đám mây mà không có bất kỳ thay đổi nào. Đây thực chất là động thái 1-1 được thực hiện chủ yếu như một biện pháp khắc phục ngắn hạn để tiết kiệm chi phí cơ sở hạ tầng.

Trong các trường hợp khác, việc thay đổi mã hoặc kiến ​​trúc của ứng dụng có thể có lợi hơn. Quá trình này được gọi là tái cấu trúc ứng dụng hoặc cấu trúc lại. Việc cấu trúc lại một ứng dụng trước khi di chuyển qua đám mây là rất hợp lý, nhưng nó thường xảy ra trở về trước. Điều này thường xảy ra khi rõ ràng rằng việc nâng và thay đổi đã làm giảm hiệu suất của ứng dụng.

Việc tái cấu trúc một ứng dụng có thể tốn kém, vì vậy ban quản lý CNTT nên xem xét liệu điều này có hợp lý về mặt tài chính hay không. Đừng quên tính toán chi phí, hiệu suất và bảo mật khi bạn phân tích ROI của mình. Có khả năng một ứng dụng sẽ yêu cầu ít nhất một số cấu trúc lại, cho dù việc chuyển đổi là tối thiểu hay toàn diện.

Nếu quá trình di chuyển được thực hiện trực tuyến, bạn sẽ cần tính toán lượng băng thông cần thiết để thực hiện việc di chuyển.

Xem tiếp phần 2 tại đây.

The post Quá trình di chuyển qua đám mây (P1) first appeared on Techcity Company Limited.

Các giai đoạn chính của quá trình di chuyển qua đám mây là gì?

Mặc dù có nhiều cách để phác thảo quá trình di chuyển của khối lượng công việc lên đám mây, nhưng quá trình này thường diễn ra trong ba giai đoạn chính: lập kế hoạch, triển khai và bảo trì.

Giai đoạn một: Lập kế hoạch

Trong giai đoạn này, hãy xác định khối lượng công việc nào sẽ chuyển lên đám mây và khối lượng công việc nào sẽ ở lại cơ sở. Đánh giá trường hợp kinh doanh cho mỗi lần di chuyển mà bạn xem xét, cũng như các lợi ích dự kiến ​​của việc di chuyển. Trường hợp kinh doanh phải bao gồm các yêu cầu, mục tiêu hoặc số liệu có thể định lượng hiệu quả của việc di chuyển. Ví dụ: mục tiêu kinh doanh có thể là mở rộng quy mô ứng dụng để hỗ trợ số lượng người dùng lớn hơn mà không cần tăng đầu tư vào trung tâm dữ liệu địa phương. Biện pháp hiệu quả có thể là theo dõi độ trễ của ứng dụng hoặc các giao dịch để đảm bảo hiệu suất khối lượng công việc.

Việc lập kế hoạch cũng liên quan đến việc đánh giá ứng dụng để xác định tính phù hợp của nó đối với việc di chuyển, cũng như đánh giá các nhà cung cấp đám mây tiềm năng. Doanh nghiệp phải xác định xem có thể di chuyển khối lượng công việc mong muốn hay không và nhà cung cấp nào sẽ đáp ứng tốt nhất các yêu cầu về quy định, bảo mật và hiệu suất của nó. Cuối cùng, giai đoạn lập kế hoạch thành công sẽ dẫn đến quyết định tiếp tục di chuyển.

Giai đoạn hai: Triển khai

Bước tiếp theo trong quá trình di chuyển khối lượng công việc là triển khai. Trong giai đoạn này, các doanh nghiệp cần thiết kế hoặc kiến ​​trúc việc triển khai đám mây của họ, cũng như hiểu các dịch vụ đám mây và loại phiên bản nào mà khối lượng công việc của họ cần.

Rất hiếm khi di chuyển hoàn toàn khối lượng tất cả các công việc khi đang trong quá trình sản xuất. Thay vào đó, có một khoảng thời gian gỡ bỏ, trong đó nhóm CNTT sao chép khối lượng công việc vào môi trường đám mây và sau đó kiểm tra, tối ưu hóa và xác thực việc triển khai đó, trong khi khối lượng công việc tiếp tục hoạt động bình thường trong nội bộ. Điều này giúp doanh nghiệp có thời gian để giải quyết và khắc phục mọi sự cố di chuyển cũng như tinh chỉnh mọi vấn đề về thủ tục, chẳng hạn như định cấu hình và xác minh các bản sao lưu.

Sau khi khối lượng công việc được xác thực và các bên liên quan đăng ký triển khai trên đám mây, quản trị viên có thể chuyển sang ứng dụng đã di chuyển. Tuy nhiên, bạn nên tạm thời giữ lại khối lượng công việc cục bộ trong trường hợp có các vấn đề không lường trước được.

Giai đoạn ba: Bảo trì

Sau khi triển khai, các ứng dụng đám mây yêu cầu hỗ trợ liên tục. Ví dụ, quản trị viên cần theo dõi các số liệu về hiệu suất và tính khả dụng của ứng dụng, cũng như nhật ký truy cập và dữ liệu xu hướng để lập kế hoạch năng lực.

Các ứng dụng này cũng sẽ yêu cầu các bản vá lỗi và cập nhật tính năng thường xuyên khi chúng chạy trên đám mây. Một số bản cập nhật có liên quan khá nhiều – đặc biệt là khi một ứng dụng được phân phối hoặc nhóm giữa nhiều nút. Cuối cùng, bảo trì ứng dụng thường liên quan đến một số khắc phục sự cố.

Một số công cụ di chuyển trên đám mây là gì?

Có nhiều công cụ khác nhau có thể hỗ trợ đánh giá di chuyển trên đám mây, cũng như giúp thực hiện và quản lý chính quá trình di chuyển thực tế.

Không có công cụ duy nhất nào có thể hỗ trợ tất cả các dự án di chuyển trên đám mây. Các tổ chức cần chọn một công cụ đánh giá /di chuyển tốt nhất cho nhà cung cấp đám mây dự kiến ​​và có thể lập bản đồ chính xác cơ sở hạ tầng và các yếu tố phụ thuộc liên quan đến khối lượng công việc mục tiêu. Nếu không, việc đánh giá – và bất kỳ kế hoạch di chuyển nào – có thể không thành công.

The post Việc di chuyển lên đám mây cần phải đánh giá trước khi triển khai (P2) first appeared on Techcity Company Limited.

Việc di chuyển lên đám mây cần phải đánh giá trước khi triển khai

Mặc dù Public Cloud có thể giúp một tổ chức loại bỏ nhu cầu dài hạn, tốn kém của một trung tâm dữ liệu cục bộ, nhưng nó không phải là môi trường lưu trữ tốt nhất cho tất cả khối lượng công việc của doanh nghiệp.

Điều này làm cho thấy việc quan trọng là phải đánh giá cẩn thận tính phù hợp, yêu cầu và sự sẵn sàng của từng ứng dụng trước khi di chuyển qua đám mây. Hãy cùng xem xét một số vấn đề chính liên quan đến việc thực hiện đánh giá di chuyển trên đám mây, cũng như các bước và công cụ có thể giúp các nhóm chuẩn bị cho việc chuyển sang đám mây.

Cần xem xét những yếu tố chính nào trong đánh giá di chuyển qua đám mây?

Có nhiều vấn đề mà doanh nghiệp cần phải đánh giá vì nó đánh giá khối lượng công việc nào sẽ phù hợp với Public Cloud. Một số điều quan trọng nhất là các yêu cầu quy định, bảo mật và hiệu suất.

Quy định ràng buộc

Việc quản lý theo quy định có thể đặt ra những giới hạn nghiêm ngặt đối với vị trí thực của dữ liệu ứng dụng nhạy cảm, cũng như vị trí thực của ứng dụng tương ứng. Điều này có nghĩa là mục tiêu di chuyển qua Public Cloud có thể bị hạn chế đối với các trang web trung tâm dữ liệu của nhà cung cấp tồn tại trong biên giới của một quốc gia cụ thể hoặc ranh giới địa chính trị khác. Những hạn chế tương tự này có thể áp dụng cho việc sao lưu dữ liệu và khôi phục sau thảm họa.

Ví dụ: nếu nhà cung cấp dịch vụ đám mây không có khu vực khả dụng hoặc khu vực nằm trong ranh giới địa chính trị có thể chấp nhận được, thì doanh nghiệp có thể không di chuyển được một số ứng dụng nhạy cảm nhất định. Một vấn đề tương tự có thể phát sinh khi một nhà cung cấp đám mây hiện diện nhưng thiếu các dịch vụ bảo mật chính.

Bảo mật

Trước khi doanh nghiệp chuyển một ứng dụng lên Public Cloud, doanh nghiệp đó phải hiểu mô hình trách nhiệm chung. Trong khi nhà cung cấp đám mây bảo mật và quản lý cơ sở hạ tầng và dịch vụ cơ bản mà ứng dụng đó sẽ chạy, doanh nghiệp vẫn chịu trách nhiệm đảm bảo quyền truy cập vào dữ liệu của mình. Sự thay đổi trách nhiệm này có thể gây nhầm lẫn cho những người sử dụng đám mây mới và đôi khi có thể dẫn đến những lỗi nghiêm trọng trong ứng dụng và bảo mật dữ liệu.

Ngoài ra, nhà cung cấp đám mây phải cung cấp tính minh bạch cho cơ sở hạ tầng của mình và cho phép các doanh nghiệp theo dõi, ghi nhật ký và kiểm tra hoạt động của ứng dụng và người dùng. Là một phần của đánh giá di chuyển qua đám mây, hãy đảm bảo tìm kiếm các công cụ này ở một nhà cung cấp tiềm năng.

Hiệu suất

Không có gì đảm bảo rằng một ứng dụng sẽ hoạt động tốt trên Public Cloud như trong trung tâm dữ liệu cục bộ. Đây có thể là một vấn đề nghiêm trọng trong quá trình di chuyển trên đám mây, đặc biệt khi người dùng phụ thuộc vào hiệu suất và tính khả dụng của ứng dụng. Các ứng dụng cũ, nguyên khối – đặc biệt là những ứng dụng có phần cứng nghiêm ngặt hoặc phụ thuộc phần mềm phức tạp – gặp nhiều rắc rối nhất và có thể hoạt động tốt hơn tại chỗ. Mặt khác, các ứng dụng gốc đám mây – hoặc những ứng dụng được thiết kế và mã hóa ngay từ đầu để chạy trên các phiên bản Public Cloud – thường mang lại hiệu suất và khả năng mở rộng tốt nhất.

Các công cụ đánh giá di chuyển qua đám mây, bao gồm các công cụ từ các nhà cung cấp IaaS công cộng, cũng như các công cụ của bên thứ ba, có thể giúp các doanh nghiệp đánh giá các vấn đề về hiệu suất. Tuy nhiên, điều quan trọng vẫn là kiểm tra khối lượng công việc trong triển khai bằng chứng nguyên tắc để thu thập các chỉ số và đưa ra quyết định di chuyển dựa trên hiệu suất đã đo được.

Xem tiếp phần 2 tại đây.

The post Việc di chuyển lên đám mây cần phải đánh giá trước khi triển khai (P1) first appeared on Techcity Company Limited.

Bảo mật cho Public Cloud

Bảo mật là mối quan tâm của nhiều doanh nghiệp vì tính chất nhiều đối tượng thuê của Public Cloud. Các tổ chức lưu trữ dữ liệu nhạy cảm và khối lượng công việc quan trọng trên Cloud, vì vậy việc bảo vệ môi trường là ưu tiên hàng đầu. Các nhà cung cấp Public Cloud cung cấp các dịch vụ và công nghệ bảo mật khác nhau, nhưng bảo mật trên Cloud đòi hỏi sự nghiêm túc của cả nhà cung cấp và khách hàng.

Chia sẻ trách nhiệm

Nhiệm vụ bảo mật Public Cloud được phân chia giữa nhà cung cấp và người dùng đám mây, được nêu trong mô hình trách nhiệm chung. Khuôn khổ này chỉ định các khía cạnh cụ thể của bảo mật – và trách nhiệm giải trình – đối với nhà cung cấp và người dùng. Các nhiệm vụ chi tiết cụ thể trong một thỏa thuận bảo mật khác nhau tùy thuộc vào nhà cung cấp đã chọn và mô hình Public Cloud. Ví dụ: mô hình chia sẻ trách nhiệm Techcity tuyên bố rằng Techciy chịu trách nhiệm bảo mật cơ sở hạ tầng hỗ trợ môi trường đám mây, bao gồm phần cứng, phần mềm, mạng, lưu trữ và các cơ sở tại chỗ được sử dụng để chạy các dịch vụ đám mây Techcity. Trong khi đó, người dùng đám mây có trách nhiệm bảo mật bất cứ thứ gì chạy trên đám mây, cụ thể là các ứng dụng và dữ liệu khách hàng.

Những thách thức về bảo mật Public Cloud

Các tổ chức phải hiểu có rất nhiều thách thức liên quan đến bảo mật đám mây để bảo vệ các ứng dụng được lưu trữ trên đám mây. Public Cloud yêu cầu bảo vệ chống lại các mối đe dọa bên ngoài, chẳng hạn như các cuộc tấn công độc hại và vi phạm dữ liệu, cũng như các rủi ro bảo mật nội bộ, bao gồm các tài nguyên được định cấu hình sai và các chính sách quản lý truy cập. Bảo mật đám mây lai tạo ra thêm một loạt thách thức khác nữa. Những phức tạp như bảo mật dữ liệu khi truyền qua internet công cộng và các thành phần mạng cho các môi trường khác nhau đòi hỏi các biện pháp tăng cường bảo vệ.

Các công cụ và phương pháp bảo mật

Các dịch vụ và công nghệ bảo mật của nhà cung cấp đám mây bao gồm mã hóa và các công cụ quản lý truy cập và nhận dạng (IAM). Một chiến lược bảo mật toàn diện dựa trên sự kết hợp của những yếu tố này.

Giám sát bảo mật đám mây là một phần quan trọng của chiến lược bảo mật để cung cấp khả năng phát hiện mối đe dọa. Các công cụ giám sát bảo mật quét và quan sát các dịch vụ và tài nguyên trong môi trường đám mây của bạn và tạo cảnh báo khi phát sinh vấn đề bảo mật tiềm ẩn. Kiểm soát truy cập cũng rất quan trọng đối với bảo mật Public Cloud. Thiết lập các chính sách IAM mạnh mẽ chỉ phân bổ ở mức quyền cần thiết. Cập nhật nhất quán các chính sách IAM và xóa quyền truy cập đối với những người dùng không còn yêu cầu các quyền nhất định. Sử dụng xác thực đa yếu tố để tăng cường xác minh người dùng.

Ngoài các công cụ và chính sách bảo mật, đội ngũ nhân viên CNTT được đào tạo tốt là không thể thiếu để đảm bảo một môi trường đám mây an toàn. Nhiều lỗ hổng là sản phẩm của việc cấu hình sai tài nguyên do lỗi của con người. Đảm bảo nhân viên CNTT của bạn luôn cập nhật các chính sách bảo mật và thực tiễn cấu hình phù hợp.

The post Bảo mật cho Public Cloud first appeared on Techcity Company Limited.

Kiến trúc của Public Cloud

Public Cloud là một môi trường được ảo hóa hoàn toàn dựa vào kết nối mạng băng thông cao để truyền dữ liệu. Nhà cung cấp xây dựng kiến ​​trúc để nhiều người thuê cho phép người dùng – hoặc người thuê – chạy khối lượng công việc trên cơ sở hạ tầng dùng chung và sử dụng cùng một tài nguyên máy tính. Dữ liệu của người thuê trong Public Cloud được phân tách một cách hợp lý và vẫn bị cô lập với dữ liệu của những người thuê khác.

Các nhà cung cấp vận hành các dịch vụ đám mây ở các vị trí biệt lập hợp lý trong các khu vực Public Cloud. Những vị trí này, được gọi là vùng khả dụng, thường bao gồm hai hoặc nhiều trung tâm dữ liệu vật lý được kết nối, có tính khả dụng cao. Các tổ chức lựa chọn các khu vực khả dụng dựa trên sự tuân thủ và mức độ gần gũi với người dùng cuối. Tài nguyên đám mây có thể được nhân rộng trên nhiều vùng khả dụng để dự phòng và bảo vệ khỏi sự cố ngừng hoạt động.

Kiến trúc Public Cloud có thể được phân loại thêm theo mô hình dịch vụ. Đây là ba mô hình dịch vụ phổ biến nhất:

• Cơ sở hạ tầng như một dịch vụ (IaaS), trong đó nhà cung cấp lưu trữ các thành phần cơ sở hạ tầng, chẳng hạn như máy chủ và lưu trữ, cũng như một lớp ảo hóa. Nhà cung cấp IaaS cung cấp các tài nguyên máy tính được ảo hóa, chẳng hạn như máy ảo, qua internet hoặc thông qua các kết nối chuyên dụng.
• Nền tảng dưới dạng dịch vụ (PaaS), trong đó nhà cung cấp cung cấp các công cụ phần cứng và phần mềm – thường là những công cụ cần thiết để phát triển ứng dụng, bao gồm cả hệ điều hành – cho người dùng dưới dạng dịch vụ.
• Phần mềm như một dịch vụ (SaaS), trong đó nhà cung cấp lưu trữ các ứng dụng và cung cấp chúng cho khách hàng qua internet.

Mô hình dịch vụ xác định mức độ kiểm soát của người dùng đối với các khía cạnh nhất định của đám mây. Ví dụ: trong triển khai IaaS, khách hàng đám mây tạo máy ảo, cài đặt hệ điều hành và quản lý cấu hình mạng đám mây. Nhưng trong các mô hình PaaS và SaaS, kiến ​​trúc mạng đám mây được quản lý hoàn toàn bởi nhà cung cấp.

Ngoài ba mô hình dịch vụ chính, mô hình chức năng như một dịch vụ còn tóm tắt thêm về cơ sở hạ tầng và tài nguyên đám mây. Điều này đặc biệt hữu ích cho những khách hàng tạo microservices. Nó dựa trên máy tính không máy chủ, một cơ chế chia khối lượng công việc thành các thành phần tài nguyên nhỏ, theo hướng sự kiện và chạy mã lệnh mà không cần cố ý tạo và quản lý các máy ảo. Điều này cho phép các tổ chức thực thi các tác vụ dựa trên mã theo yêu cầu khi được xử lý; các thành phần chỉ tồn tại miễn là nhiệm vụ được giao chạy. Trong mô hình này, nhà cung cấp xử lý việc bảo trì máy chủ bên dưới.
Các tổ chức cũng có thể chọn nhà cung cấp dịch vụ lưu trữ trên Public Cloud. Nhà cung cấp cung cấp một nền tảng lưu trữ với các dịch vụ như lưu trữ vật lý, đối tượng lưu trữ và các ứng dụng lưu trữ, chẳng hạn như sao lưu và lưu trữ.

The post Kiến trúc của Public Cloud first appeared on Techcity Company Limited.

Lưu ý các chi phí cho Public Cloud

Chi phí cho Public Cloud thường được lập hóa đơn theo cấu trúc trả tiền cho mỗi lần sử dụng, trong đó người dùng Cloud trả tiền cho các tài nguyên mà họ sử dụng. Trong nhiều trường hợp, điều này giúp giảm chi phí CNTT, vì một đơn vị không còn cần phải đầu tư và duy trì cơ sở hạ tầng vật lý cho các bộ phận kinh doanh của mình mà đơn vị triển khai lên một IaaS Public Cloud. Ngoài ra, một công ty có thể hạch toán chi phí Public Cloud dưới dạng chi phí hoạt động thay vì đầu tư hoặc chi phí cố định. Điều này có thể mang lại sự linh hoạt hơn cho doanh nghiệp, vì các quyết định chi tiêu hoạt động này thường yêu cầu các đánh giá hoặc lập kế hoạch ngân sách ít chuyên sâu hơn.

Tuy nhiên, rất dễ bị lạm chi quá mức trên Cloud và mất những lợi ích của nó mang lại vì có thể khó theo dõi chính xác việc sử dụng dịch vụ đám mây trong mô hình tự phục vụ. Những nguyên nhân để lạm chi Public Cloud phổ biến bao gồm tài nguyên cung cấp quá mức, không giải quyết được khối lượng công việc nhàn rỗi và phí xuất dữ liệu không cần thiết. Ngoài những thách thức về chi phí này, các nhà cung cấp dịch vụ Public Cloud sẽ có một số mô hình định giá với mức giá thay đổi theo khu vực và dịch vụ. Việc không hiểu mô hình định giá của nhà cung cấp có thể khiến chi phí ẩn làm tăng hóa đơn.

Các đơn vị phải tính đến tất cả các thành phần tạo nên chi tiêu cho điện toán đám mây của họ. Điều này bao gồm chi phí cho việc di chuyển ứng dụng, truyền dữ liệu, lưu trữ và tiêu thụ tài nguyên, cùng với các sản phẩm để quản lý và duy trì môi trường.

Các chiến lược tối ưu hóa chi phí

• Để kiềm chế chi phí Cloud, hãy áp dụng các công cụ và chiến lược ước tính chi phí và xác định các mô hình chi tiêu. Các nhà cung cấp dịch vụ đám mây cung cấp công cụ tính giá và giám sát chi phí, chẳng hạn như các bảng giá chi tiết dịch vụ mà Techcity đang áp dụng.
• Có được sự hiểu biết vững chắc về môi trường đám mây bạn đã chọn để trợ giúp tài nguyên có kích thước phù hợp và chỉ trả tiền cho những gì bạn cần. Ngoài ra, hãy khám phá các chương trình giảm giá của nhà cung cấp, chẳng hạn như các lựa chọn thay thế rẻ hơn cho các nguồn tài nguyên theo yêu cầu. Ví dụ: Techcity cung cấp các phiên bản đặt trước với giá thấp hơn, để đổi lấy cam kết sử dụng một lượng dung lượng nhất định trong một khoảng thời gian nhất định.
• Tự động thay đổi quy mô là một cách khác để giảm chi phí. Các tính năng tự động thay đổi quy mô điều chỉnh quy mô ứng dụng để đáp ứng nhu cầu, tránh phải trả cho dung lượng không cần thiết. Khả năng hiển thị phù hợp vào môi trường đám mây cũng giúp các nhóm CNTT xác định và đóng khối lượng công việc nhàn rỗi để tránh phải trả cho các tài nguyên không sử dụng và ngăn chặn sự lan rộng của đám mây.
• Doanh nghiệp nên theo dõi nhất quán hóa đơn đám mây của mình và đánh giá lại các mô hình triển khai để đảm bảo phương pháp tiếp cận hiệu quả nhất về chi phí. Ví dụ, một đơn vị có phí truyền dữ liệu cao có thể tối ưu để hạn chế chí.

The post Lưu ý các chi phí cho Public Cloud first appeared on Techcity Company Limited.