Defending Bambora in AWS with Fastly

Bambora provides flexible software solutions that allow businesses to accept online payments. Customer data flows into AWS via Bambora’s API for payment processing. Originally using a CDN WAF that was costing them too much operationally, Bambora transitioned to AWS Shield for volumetric DDoS protection and Fastly’s Next-Gen WAF for application layer visibility and protection.

Bambora wanted a flexible solution that went beyond OWASP injection attacks. Fastly’s Next-Gen WAF delivered, providing defense capabilities against attacks like credential stuffing and abuses of business logic, targeting sensitive or high-risk transactions. Bambora found that AWS WAF, like other legacy WAF solutions, was limited in scope and would have been costly to manage. The Next-Gen WAF is scalable and enables Bambora to monitor and protect against application-specific risk and abuse in real time.

The challenge

Deploying Amazon Web Services Web Application Firewall (AWS WAF) to monitor and protect applications on AWS might seem like a simple option. In reality, its dependence on regular expression (regex) rules and proprietary applications make it difficult for organizations who need accurate blocking and flexibility to scale.

Lacks Modern Attack Detection Methods
AWS WAF Managed Rules rely on regex-based rules for attack detection. This simple matching technique is insufficient for today’s sophisticated attackers, as it can produce false positives for simple queries and traffic requests. It also doesn’t include advanced thresholding capabilities, which is a key mitigation technique for volumetric attacks.

High Maintenance Cost
AWS WAF rules don’t exist within the WAF on their own: you can only define rules by configuring a web ACL or a managed rule group. Writing and maintaining rules increases your TCO, as there are different rates and requirements for configuring rules within web ACLs or rule groups. Billing becomes unpredictable and complex, especially with unexpected traffic surges. This becomes increasingly burdensome to manage as applications and services scale.

Ecosystem and Third-Party Dependencies
Organizations that need tooling and environment flexibility can feel restricted within the AWS ecosystem, which highlights their own versions of popular DevOps tools alongside industry-standard software. Additionally, AWS WAF comes with a base set of rules, and any additional rules must be purchased within AWS or by third-party sets (Managed Rules Groups).

No Unified Management Across Multi-Cloud and Hybrid Cloud
If not all your properties run on AWS, you won’t have a unified view of the security of your non-AWS applications and services. AWS is a suitable candidate for application teams looking for native controls (a single cloud use case), but it lacks visibility to network security teams and enterprises with hybrid and multi-cloud environments.

The solution

Deploying applications in cloud environments provides organizations with greater business agility, data availability, and cost savings. Yet security remains a primary concern: 73% of organizations with cloud-native applications say they lack actionable, fine-grain, real-time insights into threats and ongoing attacks.

With Fastly’s Next-Gen WAF, cloud and DevOps teams can easily secure their applications, APIs, and microservices running in AWS. Our easy-to-install software supports any application without noticeably impacting performance. It protects against any attack, and integrates with any DevOps toolchain products for cross-team visibility.