Web Application Firewalls: The TCO Question
Ovum looks into total cost of ownership for WAFs
Rik Turner
Summary

Catalyst

Ovum has carried out a series of interviews with companies in North America, Europe, and Asia-Pacific (see Methodology) with a view to understanding how the market for web application firewalls (WAFs) is evolving, how wide adoption of the technology is, whether on-premise or cloud-based offerings prevail, and what determines companies' preferences for either. The survey then posed a series of questions aimed at determining the total cost of ownership (TCO) for on-premise as well as cloud-based WAFs, although this proved difficult.

Ovum view

Of respondents, 18% have no WAF

Application firewalls, of which WAFs are the subset designed specifically to work with the Web, have a long history, dating back to work carried out as long ago as 1991, with the first commercially available application firewall, the Gauntlet, coming to market in 1993. Much has changed since then, of course: the Internet has become a ubiquitous part of doing business around the world, and security exploits against websites are now a daily occurrence. As a result, WAFs have become a key category in their own right.

The first data point that jumps out from the survey results is that a significant minority of companies have no form of WAF protection. Of respondents, 18% said they had no WAF of any kind in their organization. Because all these companies have websites and Internet connections, this raises the question of what protection they do have against exploits such as cross-site scripting and SQL injection.

© 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited.
Figure: What kind of WAF do you have? (Source: Ovum)

They are probably relying on content filtering carried out in other security devices, such as a UTM appliance or a web filtering device. Alternatively, they may simply have no adequate protection from application-layer attacks. Either way, it is clear that application owners need to do more to secure themselves if another year of breaches is to be avoided.

Of the companies that are employing WAF technology, the majority, 74% of our respondents, are using on-premise devices, with a further 8% using a cloud-based service.

There is considerable variety among on-premise WAFs installed

Another interesting aspect of the survey results is that, while there are clear market leaders in the on-premise WAF market, there is considerable variety among the devices in use. The survey asked specifically whether WAFs installed came from F5, Citrix, or Imperva, but all three of these vendors scored only a small percentage of the total, with the vast majority (89% of on-premise respondents) running devices from other manufacturers. Furthermore, one respondent said it had F5 installed but, when asked which model, answered Check Point, suggesting some confusion (the response has been corrected to a non-F5 device), while another said it had Imperva, but then added that it also had F5 and Check Point devices in its infrastructure. Meanwhile, alongside these names were quite a lot of Cisco and Sonicwall devices, as well as ones from Cyberoam, Fortinet, and Check Point.
Figure: Who is your on-premise WAF provider? (Source: Ovum)
WAFs and NGFWs are often conflated in customers' minds

Not all these names are actually associated with WAF technology; some of them are vendors of so-called next-generation firewalls (NGFWs). A further conclusion from a number of the responses to the questions about vendors and models is that there is a reasonable degree of confusion regarding what constitutes a WAF and how it differs from an NGFW.

An NGFW is an evolution of the conventional network firewall, which performs stateful packet inspection. The enhancements that justify the "next-generation" epithet tend to fall into the category of application awareness (the ability to inspect traffic at Layer 7 of the OSI model). WAFs, like all application firewalls, have the same capability. However, whereas NGFWs' application-aware functionality focuses on securing and/or restricting internal clients when they access the Internet, NGFWs do not secure internal web applications from external threats such as cross-site scripting (XSS), cross-site request forgery (XSRF or CSRF), unauthorized URL access, or SQL injection. This is the preserve of the WAF, and WAFs and NGFWs are therefore distinct and discrete types of functionality.

The survey reveals a tendency to conflate and even confuse the two, which is further evidence of the need for a different attitude to web application security. A greater understanding of web application threats, and therefore of the need to implement WAF technology, is urgently required in 2015. In its most recent ranking of the top 10 web threats, ranked by both frequency and severity (the 2013 list), the Open Web Application Security Project (OWASP) rated injection flaws at number 1, XSS at number 3, and XSRF at number 8.
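The distinction above is easiest to see in code. The following is an added example, not part of the Ovum report and not any vendor's ruleset: a minimal HTTP request parser with three WAF-style rules (SQL injection, reflected XSS, and a CSRF origin check) run over constructed sample requests, next to the only decision a stateful network firewall can make about the same traffic, which is whether port 443 to the web server is allowed. The rule patterns, the ALLOWED_ORIGIN of the protected application and the sample requests are assumptions for illustration.

```python
# Added example (not from the Ovum report): what a WAF inspects that a
# stateful/L4 firewall never sees. A minimal HTTP request parser plus
# WAF-style rules for SQL injection, reflected XSS and CSRF, run over
# constructed sample requests. The rule patterns, ALLOWED_ORIGIN and the
# sample requests are assumptions for illustration, not any vendor's ruleset.
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the origin of the protected application, used by the CSRF check.
ALLOWED_ORIGIN = "https://shop.example"

# Deliberately small signatures; real WAFs use far larger, normalised rule sets.
SQLI_RE = re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|'\s*or\s*'|\bunion\s+select\b|--\s*$|;\s*drop\b)")
XSS_RE = re.compile(r"(?i)(<\s*script|javascript:|\bon\w+\s*=)")


def parse_request(raw: bytes) -> dict:
    """Parse a raw HTTP/1.1 request into method, path, headers and parameters.
    Query-string and urlencoded-body parameters are merged into one dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {"method": method, "path": url.path, "headers": headers, "params": params}


def l4_decision(dst_port: int) -> str:
    """A stateful network firewall's view: allow the web ports, whatever the payload."""
    return "allow" if dst_port in (80, 443) else "deny"


def same_origin(header_value: str) -> bool:
    """Compare scheme and host exactly; a prefix match would accept
    https://shop.example.evil as well."""
    u = urlsplit(header_value)
    return f"{u.scheme}://{u.netloc}" == ALLOWED_ORIGIN


def waf_inspect(req: dict) -> list:
    """Layer-7 inspection of one request; returns the list of rule hits."""
    findings = []
    for name, value in req["params"].items():
        if SQLI_RE.search(value):
            findings.append(f"sqli:{name}")
        if XSS_RE.search(value):
            findings.append(f"xss:{name}")
    # State-changing requests must come from the application's own origin.
    if req["method"] in ("POST", "PUT", "PATCH", "DELETE"):
        origin = req["headers"].get("origin") or req["headers"].get("referer", "")
        if not same_origin(origin):
            findings.append("csrf:origin")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": b"GET /search?q=shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": b"GET /search?q=%27+OR+1%3D1+-- HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss": b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "csrf": (b"POST /account/email HTTP/1.1\r\nHost: shop.example\r\n"
             b"Origin: https://evil.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"email=bob%40evil.example"),
    "post_ok": (b"POST /account/email HTTP/1.1\r\nHost: shop.example\r\n"
                b"Origin: https://shop.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"email=bob%40shop.example"),
}


def run_samples() -> dict:
    """Map each sample to (L4 decision for port 443, WAF findings)."""
    return {k: (l4_decision(443), waf_inspect(parse_request(v))) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (l4, hits) in run_samples().items():
        print(f"{name:8s} L4={l4:5s} WAF={hits or 'clean'}")
```

Every sample is "allow" at Layer 4 because each is a legitimate TCP connection to port 443; only the Layer-7 inspection separates the injection, script and cross-origin requests from the benign ones, which is the capability the NGFW versus WAF figure is drawing a line around.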
Figure: Capabilities of NGFW and WAF (XSS = cross-site scripting; XSRF = cross-site request forgery. Source: Ovum)

Incumbency is an issue when companies consider switching to cloud-based WAF

While 8% of respondents said they were taking a cloud-based WAF service rather than running an on-premise device, a further 9% that do have on-premise said they had considered a cloud-based service offering. Asked why they had opted instead for on-premise, one answered that their organization had done so "to have better control over things", without specifying the particular controls to which this referred. Another group (4% of total respondents) said they already had an on-premise device when they looked at a cloud service. They therefore decided to stick with it, either because they still needed to amortize their investment or because they felt more comfortable with what they already knew.

These answers represent a challenge to providers of cloud-based WAF, which need to demonstrate not only that their services can give customers an equivalent level of control to what on-premise devices deliver, but also that there can be commercial advantages to switching, even for a customer that is currently running an on-premise device and has yet to fully depreciate its cost.
TCO is simpler to calculate, and frequently lower, for cloud

The survey also sought insight into the total cost of ownership (TCO) of a WAF, be it on-premise or in the cloud. We asked those with on-premise devices what they are paying (generally calculated on a monthly basis for a pre-agreed volume of throughput), as well as what they are paying for maintenance. There was a variety of answers to the question of how many WAF boxes those with on-premise solutions were running, ranging from one all the way to 17, but because all respondents are paying on a per-month basis for a given level of throughput, Ovum did not factor these answers into any calculations.

For those running on-premise devices, the survey asked whether a load-balancing capability was included in the purchase price, since clearly, if it wasn't, it would bring the overall price down but would mean that the customer would probably need to make other arrangements for load balancing, with the concomitant extra cost that would imply. Just over half of those with on-premise WAFs said they did buy load balancing as part of the package.

The survey also asked whether they employ a full-time member of staff dedicated to managing the WAF, updating its rules, and so on. If they did, we further asked how much they are paying that person, because this must also be factored into the TCO calculation.

Another question for the on-premise WAF customers was what their policy was regarding depreciation of the asset, and over what period they depreciate it in their financial reporting. The answers here varied considerably, from three months at one end of the spectrum to seven years at the other, but most respondents depreciate over somewhere between two and five years.

For cloud-based WAF users, we asked what they were paying monthly for the service, as well as the same questions about a staffer dedicated to WAF management.
Monthly salaries varied greatly from one country to another, but the average across all those who answered (36% of respondents) was $3,382 a month.

Calculating an average TCO proved challenging. On the on-premise side, very few of the respondents knew both the monthly throughput and the amount their company was paying for it, making it hard to compare them or to come up with an average figure. For those that did know both figures, Ovum calculated an average cost of $3,754 a month for a throughput of 2.25Gbps.

Not surprisingly, the monthly remuneration at the companies that had a full-time employee looking after their WAF also varied hugely. At one extreme, an Indian company said it was paying its staffer just over $160 a month on a WAF handling an undisclosed volume of traffic. At the other, a German respondent is paying someone 5,000 a month on a WAF handling some 4Mbps of traffic.

Turning to the respondents with cloud-based WAFs, they all said they have a staff member dedicated to managing the service. While half of them declined to reveal the salary involved, Ovum calculated an average for those that did reply of $6,019 a month. What all the cloud-based respondents have in common is that they do not pay their WAF provider for maintenance, which among the on-premise WAF users varied from $100 a month to $2,500 a month, with both these respondents based in the US.
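The cost components the survey asked about (throughput fee, maintenance, a dedicated staffer, load balancing bought separately or bundled, and depreciation of any capital outlay) and the incumbency question from the previous section (how long a cheaper cloud service takes to pay back the book value still to be written off on an existing device) can be put into one small model. The following is an added example, not part of the Ovum report: the on-premise throughput fee and the two staffer figures are the survey averages quoted above, while the maintenance figure, the cloud service fee, the load-balancer cost and the device capex are assumed values for illustration.

```python
# Added example (not from the Ovum report): a monthly TCO model built from
# the cost components the survey asked about, plus a payback calculation for
# the "incumbency" case. Survey averages quoted in the text are used where
# available; maintenance, cloud service fee, load-balancer cost and device
# capex are assumed values for illustration.
import math
from dataclasses import dataclass


@dataclass
class OnPremWaf:
    throughput_fee: float        # monthly charge for the agreed throughput
    maintenance: float           # monthly maintenance paid to the vendor
    staff_salary: float          # monthly pay of a dedicated WAF administrator (0 if none)
    lb_included: bool            # load balancing bundled in the purchase price?
    lb_monthly: float = 0.0      # assumption: separate load-balancer cost if not bundled
    capex: float = 0.0           # assumption: one-off device cost being depreciated
    depreciation_months: int = 36

    def monthly_tco(self) -> float:
        if self.depreciation_months <= 0:
            raise ValueError("depreciation period must be positive")
        lb = 0.0 if self.lb_included else self.lb_monthly
        return (self.throughput_fee + self.maintenance + self.staff_salary
                + lb + self.capex / self.depreciation_months)

    def remaining_book_value(self, months_elapsed: int) -> float:
        """Straight-line depreciation: capex not yet written off after N months."""
        written_off = self.capex * months_elapsed / self.depreciation_months
        return max(0.0, self.capex - written_off)


@dataclass
class CloudWaf:
    service_fee: float           # monthly subscription; cloud respondents pay no maintenance
    staff_salary: float          # every cloud respondent still had a dedicated staffer

    def monthly_tco(self) -> float:
        return self.service_fee + self.staff_salary


def per_gbps(monthly_cost: float, throughput_gbps: float) -> float:
    """Normalise a monthly cost to throughput so offers can be compared."""
    return monthly_cost / throughput_gbps


def months_to_recoup(remaining_book_value: float, onprem_monthly: float, cloud_monthly: float):
    """Months for the monthly saving to cover the write-off of the old device,
    or None if cloud is not cheaper per month (then incumbency wins on cost)."""
    saving = onprem_monthly - cloud_monthly
    if saving <= 0:
        return None
    return math.ceil(remaining_book_value / saving)


# Survey averages from the text: $3,754/month for 2.25Gbps, $3,382 average staffer.
# Maintenance, load-balancer cost and capex are assumed.
ONPREM = OnPremWaf(throughput_fee=3754, maintenance=500, staff_salary=3382,
                   lb_included=False, lb_monthly=400, capex=36000, depreciation_months=36)
# Assumed cloud fee; the $6,019 staffer figure is the survey's cloud average.
CLOUD = CloudWaf(service_fee=2000, staff_salary=6019)

if __name__ == "__main__":
    print("on-prem monthly TCO:", ONPREM.monthly_tco())
    print("cloud monthly TCO:  ", CLOUD.monthly_tco())
    print("on-prem $/Gbps:     ", round(per_gbps(ONPREM.monthly_tco(), 2.25), 2))
    print("months to recoup after 12 months of depreciation:",
          months_to_recoup(ONPREM.remaining_book_value(12),
                           ONPREM.monthly_tco(), CLOUD.monthly_tco()))
```

With these inputs the cloud option is cheaper per month, but the device's remaining book value means the switch only breaks even after two years; change the assumed cloud fee or staffer cost and the answer flips to None, which is the position the incumbent-device respondents described.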
Figure: The cost of on-premise and cloud-based WAF (Source: Ovum and industry sources)

Appendix

Methodology

Ovum conducted 50 interviews with IT decision-makers across North America, Europe, and Asia-Pacific. The survey was run in December 2014 via telephone interviews. Of the 300 respondents approached, 50 qualified to be interviewed. Qualification criteria were based on a representative spread of geography and industry. Geographically, the interviews were split 20 North America, 20 Europe, and 10 Asia-Pacific. While no industry quotas were imposed, no single sector accounts for more than 20% of the total number of respondents.

Author

Rik Turner, Senior Analyst, Infrastructure Solutions
rik.turner@ovum.com
Ovum Consulting

We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum's consulting team may be able to help you. For more information about Ovum's consulting capabilities, please contact us directly at consulting@ovum.com.

Copyright notice and disclaimer

The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited. Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard; readers assume full responsibility and risk accordingly for their use of such information and content. Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited.
CONTACT US
www.ovum.com
askananalyst@ovum.com

INTERNATIONAL OFFICES
Beijing, Dubai, Hong Kong, Hyderabad, Johannesburg, London, Melbourne, New York, San Francisco, Sao Paulo, Tokyo