

CommonBond offers affordable lending solutions. Their products are designed to save people money and drive sustainable impact. Since launching in 2012, CommonBond has funded over $5 billion in better loans. Their approach is lower rates, simpler options, and a world-class experience—all built to support customers throughout their loan journey.

commonbond.co
Industry: Financial Services
Location: North America
Customer since: 2018


Favorite features
Next-Gen WAF

Defending CommonBond in AWS with Fastly


For CommonBond, a provider of student loan refinancing with an online application process, security is paramount. As an AWS customer, they considered AWS WAF for their web application protection, but they preferred the modern approach of Fastly.


CommonBond deployed Fastly’s Next-Gen WAF in their Kubernetes environment. The solution has proven to be both effective and extremely easy to manage. For a very lean team, a solution that worked “out of the box” was a huge win. Anticipating future growth both in users and application footprint, CommonBond values the flexible deployment methods and DevOps toolchain integrations that will allow them to protect their applications however and wherever deployed, now and in the future.


The challenge


Deploying Amazon Web Services Web Application Firewall (AWS WAF) to monitor and protect applications on AWS might seem like a simple option. In reality, its dependence on regular expression (regex) rules and proprietary applications makes it difficult for organizations that need accurate blocking and flexibility to scale. In their evaluation, CommonBond found that the AWS WAF had several deficiencies as compared to the Fastly Next-Gen WAF.


Lacks Modern Attack Detection Methods
AWS WAF Managed Rules rely on regex-based rules for attack detection. This simple matching technique is insufficient for today’s sophisticated attackers, as it can produce false positives for simple queries and traffic requests. It also doesn’t include advanced thresholding capabilities, which is a key mitigation technique for volumetric attacks.


High Maintenance Cost
AWS WAF rules don’t exist within the WAF on their own: you can only define rules by configuring a web ACL or a managed rule group. Writing and maintaining rules increases your TCO, as there are different rates and requirements for configuring rules within web ACLs or rule groups. Billing becomes unpredictable and complex, especially with unexpected traffic surges. This becomes increasingly burdensome to manage as applications and services scale.


Ecosystem and Third-Party Dependencies
Organizations that need tooling and environment flexibility can feel restricted within the AWS ecosystem, which highlights its own versions of popular DevOps tools alongside industry-standard software. Additionally, AWS WAF comes with a base set of rules, and any additional rules must be purchased within AWS or as third-party sets (Managed Rules Groups).


No Unified Management Across Multi-Cloud and Hybrid Cloud
If not all your properties run on AWS, you won’t have a unified view of the security of your non-AWS applications and services. AWS is a suitable candidate for application teams looking for native controls (a single cloud use case), but it lacks visibility to network security teams and enterprises with hybrid and multi-cloud environments.


The solution


Deploying applications in cloud environments provides organizations with greater business agility, data availability, and cost savings. Yet security remains a primary concern: 73% of organizations with cloud-native applications say they lack actionable, fine-grain, real-time insights into threats and ongoing attacks.


With Fastly’s Next-Gen WAF, cloud and DevOps teams can easily secure their applications, APIs, and microservices running in AWS. Our easy-to-deploy solution supports any application without noticeably impacting performance. It protects against any attack, and integrates with any DevOps toolchain products for cross-team visibility.
