F5 has a customer-focused approach to Application Protection, which has been bolstered by new offerings and our recent acquisition of Shape Security. Informed by customer use cases, prominent industry attack practices, and threat intelligence from F5 Labs, our portfolio safeguards all applications without impacting the end-user experience or slowing time-to-market. Furthermore, as a leader in WAF and API security technology, F5 delivers application security with consistent policies and controls across hybrid- and multi-cloud environments.
F5’s application security portfolio spans four solution areas that correlate directly to the areas organisations must protect to deliver applications and services: Application Layer Security; Trusted Application Access; Application Infrastructure Security; and Intelligent Threat Services:
- Application layer security comprises security at or near the application, typically referring to layers 4 through 7 of the OSI model. This area focuses on protecting applications against exploits, deterring unwanted bots and other automated attacks, and reducing utilisation costs in the cloud. F5 solutions guard against application threats, such as application layer denial of service, malicious scripting, and injection attacks. Further, with the Shape acquisition, F5 has the ability to provide game-changing defences in depth across the application layer, with Shape Enterprise Defence already mitigating more than one billion application layer attacks tied to app fraud and abuse every day.
- Secure access solutions generally sit in front of applications, in prime position to enforce access security policies. The F5 identity-aware proxy also adds value by enabling single sign-on and multi-factor authentication policies to help organisations realise the benefits of modern authentication and authorisation protocols like OAuth or OpenID Connect, as well as take advantage of contemporary identity services such as Microsoft Active Directory, to integrate SSO with their on-premises applications. This approach boosts access controls to protect against account takeover, phishing, and other threats in support of a Zero Trust model integrated into an organisation’s overall risk management framework.
- Extending beyond applications, app infrastructure protection defends the systems on which applications depend. These security solutions expose threats hidden within encrypted traffic and protect against network attacks, DDoS, and protocol abuse. As an example of F5’s approach, the company offers a managed service focused on DDoS through Silverline to help protect customers from volumetric or reflected amplification attacks. Additionally, Aspen Mesh addresses microservice security challenges by providing role-based access control with Traffic Claim Enforcer, allowing enterprises to easily enforce least privilege, and with Secure Ingress, which enables applications to connect securely to the Internet.
- Intelligent threat services, the final area in F5’s approach, feed security intelligence into all the other areas. They combine multiple security data feeds from F5, Shape, crowdsourced, open source, and third-party inputs. More than just data collection, F5’s intelligent threat services use advanced analytics to transform the data sets into tactical intelligence that is both relevant and consumable by portfolio solutions. Cross-platform visibility and analytics help increase accuracy and predict malicious behaviour to ensure that attack traffic is clearly distinguished from legitimate use. These horizontal services also enable organisations to gain an overarching view of risk so their efforts can be more effectively managed, which is of particular importance for multi-cloud environments.
Digital transformation is completely reshaping the way organisations do business, and apps are firmly at the core. They are the business. Together with cloud-based services, these apps create a platform for new business models, innovative service offerings, and enhanced customer experiences that drive new business revenue.
According to the sixth annual State of Application Services (SOAS) report, 88% of surveyed EMEA organisations are now leveraging multi-cloud environments, compared to 87% in the Americas and 86% in the APCJ region.
27% of EMEA respondents also claimed they will have more than half of their applications in the cloud by the end of 2020. Meanwhile, 54% agree that cloud in all its forms is the top strategic trend for the next two to five years.
Interestingly, the SOAS report goes on to note that EMEA organisations are now more likely than any other region to choose cloud platforms that support applications on a case-by-case basis, with 43% opting for the increasingly popular approach, compared to 42% worldwide. This chimes with the fact that 70% state that it is very important to be able to deploy and enforce the same security policies on-premises and in the cloud. In the Americas, 69% of respondents concurred, with APCJ slightly behind on 65%.
Fundamentally, inflexible, one-size-fits-all solutions don’t work well in the cloud anymore, so it is encouraging to see that per-application strategies are becoming more widespread in EMEA.
Every application is unique and serves a specific function, such as finance, sales, or production. Each will have end users that scale from fewer than a hundred into the millions. And each has a different risk exposure that can span from a breach being simply embarrassing to costing the business billions of dollars’ worth of damage.
Today, cybercrime tools have become commoditised and more easily available, resulting in a corresponding rise in the number and types of attacks. At the same time, targeted attacks, such as those from organised crime and nation states, are becoming more sophisticated and can cause business impacts including application downtime, compromised sensitive data, and fraudulent transactions.
At the same time, few organisations are unaffected by limited access to security talent. It is a highly competitive field and it can take time to fill vacancies. The biggest challenge facing the industry relates to threat hunting, security engineering and development. These are areas where we really need people who have a strong security background.
Ultimately, solutions need to reduce friction and enable agile security across organisations in an accessible and progressive way. Increasingly, this means benefiting from technologies like machine learning and AI at a much deeper level, giving customers superior application protection that can more easily be improved, orchestrated, and automated. In addition, it is important to have flexible deployment and consumption options, such as via use-based models, SaaS, and managed service offerings.
CISOs want optimum app performance with maximised uptime, lower overall costs, and reduced losses due to fraud or abuse. Next generation solutions are all about increasing business velocity and implementing adequate protections. This means freeing developers to focus on the application business logic and customer experience while also providing world-class threat protection with policy and control consistency across on-prem and cloud environments.
However, it is important to note that there is no technological silver bullet. We also need to concurrently and relentlessly focus on building strong teams, programmes and processes. Spending money on tech is just half the solution. The missing piece of the puzzle is all too often investing in people and their ongoing education.
Cybersecurity solutions require very highly skilled individuals, and it is not easy to have that level of expertise in-house at all times. According to the SOAS report, as many as 66% of EMEA organisations believe they lack necessary security talent going forward. Today’s specialisms are tomorrow’s norm. In the future, all organisations will operate with a digital-first mindset. It is our collective responsibility to develop the talent required to make that happen. Tech vendors like F5 need to continue to play influential roles, both by providing training and career opportunities and through collaborations with industry, educational institutions and government.
By Tabrez Surve, Regional Director, Gulf, Levant and Turkey, F5 Networks.