Hybrid vs. Cloud-Based Web Security: Anatomy of a Breach

Companies that connect to and conduct business online—essentially all businesses at this point—understand the need for web security. A content delivery network (CDN)-based web application firewall (WAF) provides the easiest way to set up basic web application protection. It makes perfect sense, especially for small companies. Larger companies and enterprises are less willing to share the traffic of its customers with a third-party provider even if the provider is trusted. But recent news on the reliability of WAF vendors has raised red flags for security professionals on whether to depend on fully cloud-based WAF solutions at all.

Weakest Link

The front-end activity—the CDN/WAF interface, which is a single point of access for all incoming unencrypted data—is all centralized. The security of this centralized server is the weakest link in the web application and API security of all its clients. When the main entrance is redirected to the provider, that becomes a front door for the hackers.

The cloud-based security services that are meant to protect websites from vulnerabilities by filtering the incoming traffic are themselves vulnerable to client-side vulnerabilities, such as cross-site request forgery (CSRF) or cross-site scripting (XSS) attacks. They’re also susceptible to access takeover attacks (credentials being hacked) and vulnerabilities that arise during any online transaction.

Exploiting these vulnerabilities, hackers can exfiltrate valuable customer data such as customer SSL certificates, as just one example. Exposure is further amplified by the difficulty of protecting APIs with regular-expression-based solutions. Legacy WAFs lack the ability to properly parse complicated API formats such as REST/JSON/SOAP/XML.

The latest example of a cloud-based service being hacked is the breach reported by Imperva Incapsula this week. As the company has disclosed, the following data were exposed:

  • Email addresses
  • Hashed and salted passwords
  • API keys
  • Customer-provided SSL certificates

SSL certificates disclosure is especially worrisome. Exposure of SSL keys would allow attackers full access to unencrypted data of service customers and would further enable a number of attacks, including man-in-the-middle.

Better Web Security

By contrast to CDN-based WAF, cloud-native deployment as a reverse proxy (Docker, Kubernetes or just from Linux packages) preserves data privacy and keeps sensitive data within the customer infrastructure. With the hybrid solutions, initial processing and detection are performed by filtering nodes that work as part of local load balancing infrastructure.

Neither SSL certificates nor API keys need to be shared outside of the client organization. Data exposure and threat vectors are limited, which reduces the compliance perimeter and the potential risk of data exposure.

Minimizing the overall attack surface and eliminating single points of failure are both solid best practices for cybersecurity in general—and web security specifically. If you don’t want to put your web traffic at risk, it makes sense to explore alternatives to CDN-based WAF solutions.

Tony Bradley

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Tony Bradley

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 2 dogs, 4 cats, 3 rabbits, 2 ferrets, pot-bellied pig and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@techspective.net. For more from me, you can follow me on Twitter and Facebook.

tony-bradley has 115 posts and counting.See all posts by tony-bradley