The Role of the WAF in the Cloud

A Web Application Firewall (WAF) is a critical security control that protects your web applications from common attacks like SQL injection, Cross-Site Scripting (XSS), and other vulnerabilities listed in the OWASP Top 10. When deploying applications in the cloud, you generally have two primary choices for implementing a WAF:

  1. Cloud-Based WAF (SaaS WAF): A fully managed, third-party service that sits at the network edge, in front of your cloud environment, and receives traffic because your DNS points at it. Examples include Cloudflare, Akamai, and Imperva.
  2. Cloud-Native WAF: A WAF service provided directly by your cloud provider and integrated into their ecosystem. Examples include AWS WAF, Azure Web Application Firewall (on Application Gateway or Front Door), and Google Cloud Armor.

Choosing between them involves trade-offs in performance, features, management overhead, and cost.

Cloud-Based WAF (e.g., Cloudflare, Akamai)

A cloud-based WAF operates as a reverse proxy and is usually one component of a broader edge security platform, commonly marketed as Web Application and API Protection (WAAP). (SASE, sometimes mentioned alongside it, is a different category: it secures user and branch access out to applications, not inbound traffic into them.) To use it, you point your application's DNS records (typically a CNAME) at the provider, so every request traverses the provider's global network and is then forwarded to your origin.

Pros:

  • Comprehensive Feature Set: These are specialized security products and often offer a richer set of features beyond a basic WAF, including advanced DDoS mitigation, sophisticated bot management, API security, and content delivery network (CDN) services.
  • Platform Agnostic: Because traffic is routed to it by DNS rather than by anything inside a particular cloud account, a single cloud WAF can protect applications hosted anywhere—on AWS, Azure, GCP, on-premise, or in a multi-cloud environment. This provides a consistent security posture across all your assets.
  • Managed Rulesets and Threat Intelligence: The provider manages and constantly updates the WAF rules based on global threat intelligence gathered from their entire network. This reduces the management burden on your team.
  • Ease of Deployment: Basic setup is often as simple as a DNS change.

Cons:

  • Cost: Can be more expensive than native WAFs, especially as traffic volumes and feature usage increase.
  • Adds an External Dependency: You are relying on a third-party provider for a critical part of your application delivery path. A provider outage or misconfiguration affects every application fronted by it, and because the provider terminates TLS it sees your traffic in plaintext.
  • Origin Exposure if Not Locked Down: DNS routing only steers well-behaved clients through the WAF. Unless the origin accepts connections solely from the provider's published IP ranges (or via mutual TLS from the edge), anyone who discovers the origin address can bypass the WAF entirely. Treat that lock-down as part of the deployment, not an optional hardening step.
  • Potential for Latency: While these providers have massive global networks, routing traffic through an additional hop can add latency, although this is often offset by their integrated CDN performance.

Cloud-Native WAF (e.g., AWS WAF, Azure WAF)

A cloud-native WAF is a service that you provision and configure within your cloud provider's environment. It integrates directly with other services, such as load balancers (e.g., AWS Application Load Balancer, Azure Application Gateway).

Pros:

  • Deep Integration with Cloud Ecosystem: It can be easily configured to protect resources within your Virtual Private Cloud (VPC) or Virtual Network (VNet). It integrates seamlessly with the provider's logging (CloudWatch, Azure Monitor) and automation tools (CloudFormation, Terraform).
  • Lower Latency: The WAF is evaluated inline by the load balancer or CDN distribution in the same provider network as your application, so it adds no extra network hop.
  • Pay-as-you-go Pricing: The cost is often based directly on usage (per request and per rule), which can be more cost-effective for applications with variable or low traffic volumes.
  • Granular Control: You have direct, granular control over the rules and policies, allowing for highly customized configurations.

Cons:

  • Higher Management Overhead: You are responsible for creating, tuning, and maintaining the WAF rules. Providers offer managed rule groups (their own are usually included in the per-rule price; third-party marketplace rule groups cost extra), but deciding what to enable, running new rules in count mode, reviewing false positives, and monitoring the logs remains your job.
  • Provider Lock-in: A cloud-native WAF is tied to a specific cloud provider. If you have a multi-cloud or hybrid environment, you would need to manage a separate, different WAF for each environment, leading to inconsistent security policies.
  • More Basic Features (Historically): While rapidly improving, native WAFs have historically lagged behind the specialized cloud WAFs in advanced features like bot management and behavioral analysis.
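The tuning loop described above (enable managed rule groups in count mode, review the logged matches, then switch to blocking) is concrete enough to show in code. The following is an added example for this article, not code from the article or from AWS: it builds the argument structure for the AWS WAFv2 `create_web_acl` API with boto3, with a rate-based rule enforced from day one and two AWS managed rule groups that start in count mode and can be promoted. The web ACL name, the rate limit of 2000 requests per 5 minutes, and pinning `SizeRestrictions_BODY` to count are choices made for the illustration; `validate` catches the two mistakes the API otherwise rejects only at submit time.

```python
"""Define an AWS WAFv2 web ACL whose managed rule groups start in COUNT mode
for tuning and can be promoted to enforcing mode once the logged false
positives have been reviewed.

Added example for this article, not code from the article or from AWS. The
ACL name, rate limit and the pinned rule are illustration choices; the field
names are those of the WAFv2 create_web_acl API.
"""
from __future__ import annotations

import copy

# Managed rule groups published by AWS (VendorName "AWS").
COMMON_RULE_SET = "AWSManagedRulesCommonRuleSet"
SQLI_RULE_SET = "AWSManagedRulesSQLiRuleSet"


def visibility(name: str) -> dict:
    """Metrics and sampled requests are what you tune from; always enable them."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def managed_rule(group: str, priority: int, count_only: bool, noisy_rules: tuple[str, ...] = ()) -> dict:
    """Reference one managed rule group.

    A managed group carries its own per-rule actions, so the wrapper uses
    OverrideAction rather than Action: Count observes without blocking (tuning
    mode), None lets the group's own block actions apply (enforcing mode).
    Rules known to misfire for this application are pinned to Count with
    RuleActionOverrides so they stay visible in logs after promotion.
    """
    statement = {"VendorName": "AWS", "Name": group}
    if noisy_rules:
        statement["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in noisy_rules
        ]
    return {
        "Name": group,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility(group),
    }


def rate_limit_rule(priority: int, limit: int) -> dict:
    """Block any source IP exceeding `limit` requests per 5-minute window.
    A custom rule has its own Action and is enforced from day one."""
    return {
        "Name": "rate-limit-per-ip",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("rate-limit-per-ip"),
    }


def build_web_acl(name: str, tuning: bool) -> dict:
    """Keyword arguments for wafv2.create_web_acl. Scope REGIONAL attaches to
    an ALB or API Gateway; use CLOUDFRONT (created in us-east-1) for a
    CloudFront distribution."""
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            rate_limit_rule(0, 2000),
            managed_rule(COMMON_RULE_SET, 1, count_only=tuning, noisy_rules=("SizeRestrictions_BODY",)),
            managed_rule(SQLI_RULE_SET, 2, count_only=tuning),
        ],
        "VisibilityConfig": visibility(name),
    }


def validate(acl: dict) -> list[str]:
    """Catch two mistakes the API rejects late: duplicate priorities, and a
    managed-group rule given Action instead of OverrideAction (or vice versa)."""
    problems, seen = [], set()
    for rule in acl["Rules"]:
        if rule["Priority"] in seen:
            problems.append(f"duplicate priority {rule['Priority']} on {rule['Name']}")
        seen.add(rule["Priority"])
        managed = "ManagedRuleGroupStatement" in rule["Statement"]
        if managed != ("OverrideAction" in rule) or managed == ("Action" in rule):
            problems.append(f"{rule['Name']}: wrong action field for its statement type")
    return problems


def promote_to_block(acl: dict) -> dict:
    """Copy of the ACL with every managed group switched from Count to
    enforcing. Per-rule Count pins for noisy rules are deliberately kept."""
    promoted = copy.deepcopy(acl)
    for rule in promoted["Rules"]:
        if "OverrideAction" in rule:
            rule["OverrideAction"] = {"None": {}}
    return promoted


def apply(acl: dict, region: str = "us-east-1") -> dict:
    """Create the web ACL. Needs credentials and boto3 (assumed installed),
    so the import is deferred and the rest of the module runs offline."""
    import boto3

    return boto3.client("wafv2", region_name=region).create_web_acl(**acl)
```

Run `build_web_acl(name, tuning=True)` first, attach the ACL, watch the `Count` metrics and sampled requests for a week or two, add anything that misfires to `noisy_rules`, then submit `promote_to_block(draft)` via `update_web_acl` (which additionally needs the ACL's `Id` and `LockToken`). The same count-then-enforce discipline applies to any cloud-native WAF; only the field names change.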

Which WAF Should You Choose?

The right choice depends on your specific architecture, team, and requirements.

Consideration    | Cloud-Based WAF (e.g., Cloudflare)                                     | Cloud-Native WAF (e.g., AWS WAF)
-----------------|------------------------------------------------------------------------|--------------------------------------------------------------------------
Environment      | Best for multi-cloud, hybrid, or platform-agnostic needs.              | Best for applications running entirely within a single cloud provider.
Features         | Best for those needing advanced, all-in-one solutions (DDoS, bots, CDN). | Good for core WAF functionality with deep cloud integration.
Management       | Best for teams that want a managed, "set-it-and-forget-it" approach.   | Best for teams that want deep, granular control and have the resources to manage it.
Cost Model       | Often subscription-based tiers.                                         | Pay-as-you-go; can be cheaper for low-traffic apps.
Primary Strength | Comprehensive, managed security at the edge.                            | Tight integration and low latency within the cloud ecosystem.

A Hybrid Approach: Some organizations use both. They might use a cloud-based WAF at the edge for DDoS protection and global traffic filtering, and then a cloud-native WAF as a second layer of defense, closer to the application, for more specific, application-aware rules. The layering only holds if the inner layer refuses traffic that did not come through the outer one; otherwise the edge WAF is advisory rather than mandatory.
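Whether the edge WAF is the only layer or the outer one in a hybrid design, the origin has to be restricted to the provider's published egress ranges, and the origin's own logs are where you find out whether that restriction is actually in place. The following is an added example for this article, not code from the article or from any WAF vendor: it scans origin-side access logs for requests whose TCP peer is not the edge provider, shows why `X-Forwarded-For` may only be trusted when the peer is the edge, and emits the AWS security-group ingress permission that closes the hole. `EDGE_RANGES` is a constructed placeholder for the provider's real published list, the log lines are constructed, and the nginx-style format with a trailing `xff=` field is an assumption about how the origin logs.

```python
"""Check that a DNS-routed edge WAF cannot simply be bypassed: flag origin
requests whose TCP peer is not the WAF provider, and generate the ingress
rule that closes the hole.

Added example for this article, not code from the article or from any WAF
vendor. EDGE_RANGES is a constructed placeholder for the provider's published
egress ranges (fetch the real list and refresh it on a schedule); the log
lines are constructed; the nginx-style format with a trailing xff= field is
an assumption about the origin's logging.
"""
from __future__ import annotations

import ipaddress
import re

EDGE_RANGES = [
    ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/48")
]

# Constructed origin-side access log. Field 1 is the TCP peer address; the
# xff= field is the X-Forwarded-For header exactly as received. Line 3 is a
# request that hit the origin directly and spoofed X-Forwarded-For to look
# as if it had come from the edge.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" xff="192.0.2.44"
198.51.100.7 - - [10/Oct/2025:13:55:37 +0000] "POST /api/orders HTTP/1.1" 201 98 "-" "curl/8.4" xff="192.0.2.45"
192.0.2.99 - - [10/Oct/2025:13:55:40 +0000] "GET /admin?id=1%27%20OR%201=1 HTTP/1.1" 200 4031 "-" "python-requests/2.31" xff="203.0.113.10"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: xff="(?P<xff>[^"]*)")?$'
)


def from_edge(peer: str) -> bool:
    """True when the connecting address belongs to the WAF provider."""
    ip = ipaddress.ip_address(peer)
    return any(ip in net for net in EDGE_RANGES)


def client_ip(peer: str, xff: str | None) -> str:
    """Real client address for logging, rate limiting and allow-lists.
    X-Forwarded-For is only trustworthy when the immediate peer is the edge;
    from anyone else it is attacker-supplied, so fall back to the peer."""
    if xff and from_edge(peer):
        return xff.split(",")[0].strip()
    return peer


def find_bypasses(log_text: str) -> list[dict]:
    """Requests that reached the origin without traversing the edge WAF."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not from_edge(m["peer"]):
            hits.append({"peer": m["peer"], "request": m["request"], "claimed_client": m["xff"]})
    return hits


def edge_only_ingress(port: int = 443) -> list[dict]:
    """IpPermissions for ec2.authorize_security_group_ingress that restrict the
    origin listener to the edge ranges. The equivalent on any provider (plus
    mutual TLS from the edge where supported) is what makes the WAF mandatory."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [], "Ipv6Ranges": []}
    for net in EDGE_RANGES:
        if net.version == 6:
            perm["Ipv6Ranges"].append({"CidrIpv6": str(net), "Description": "edge WAF egress"})
        else:
            perm["IpRanges"].append({"CidrIp": str(net), "Description": "edge WAF egress"})
    return [perm]


if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print("WAF bypassed:", hit)
    print(edge_only_ingress())
```

Against the sample log only the third line is reported: the peer `192.0.2.99` is outside the edge ranges, so the spoofed `xff="203.0.113.10"` is ignored and the request is treated as coming from `192.0.2.99` itself. An empty result from `find_bypasses` over a real log is not proof the origin is locked down (nobody may have tried yet); the ingress restriction is the control, the log scan is the check that it was applied.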

Ultimately, the decision should be based on a thorough evaluation of your security needs, operational capabilities, and architectural strategy.

© PEAKHOUR.IO PTY LTD 2025   ABN 76 619 930 826    All rights reserved.