Cloud WAF Pricing: All You Need to Know – Security Boulevard

Choosing the right Cloud WAF pricing model is like finding the perfect pair of shoes: it's all about comfort, fit, and style for your organization's needs.

In this guide, we'll help you navigate the world of Cloud WAF pricing, exploring the different options and factors so that you can find the right fit for your web application security requirements.

For those still evaluating Cloud vs. on-prem WAF, here's a detailed article on why cloud WAFs are better than on-premise WAFs.

WAFs provided by public clouds such as AWS and Azure typically price on a pay-as-you-go model.

On the other hand, specialized WAF providers such as Indusface, Akamai, and Cloudflare offer a subscription model.

Even subscription providers offer many pay-as-you-go features. The value that specialized WAFs add is a core rule set that protects against the OWASP Top 10 vulnerabilities by default.

In public Cloud WAFs, you'll typically need to either:

That said, several pay-as-you-go features are also available from specialized WAF providers.

In the next section, we will cover all the factors that affect WAF pricing.

The licensing unit is the first parameter that affects pricing, and there are two models:

a. Domain: One license for the domain, which includes its subdomains too. This model is typically used when similar applications are hosted on different subdomains, for example, qa.acme.com vs. acme.com.

While you can use this model for subdomains that host different applications, the likelihood of false positives is higher, since the same rule set is applied to multiple applications.

b. Application: Since every application differs, this model allows fine-grained protection and custom rules. Usually, licensing is per website or per Fully Qualified Domain Name (FQDN).

For example, you'll typically be charged one license for http://www.acme.com and one more for abc.acme.com.

Cloud WAFs act as filters before traffic hits your origin server. All the traffic passed on to your origin servers is billed as the bandwidth cost.

Here too, there are three models:

a. Requests: The pricing plan might have a set cost for a specific number of requests each month, plus extra charges for any extra requests over the set limit. Another option is that the pricing depends only on the total number of requests, so customers pay for what they use.

b. Peak Mbps: Some WAF companies use a peak Mbps (megabits per second) pricing plan. They charge customers based on the highest bandwidth (usually measured at the 95th percentile) used in a set period, such as a month. This model looks at the most traffic the WAF handles, not the total requests or data moved. It's important for organizations with fluctuating traffic or varying bandwidth needs.

c. Bandwidth: Some WAFs use a pricing plan based on the bandwidth over the wire. This includes both the request and response data. They charge customers for data moving through the system. This pricing model is easy to understand and works well for many organizations.
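To make the three traffic models concrete, here is an added example (not from the original post) that estimates a month's charge under each model using constructed rates and a constructed traffic profile containing one short burst. It shows why 95th-percentile billing discards that burst while a bandwidth-over-the-wire model still counts every byte of it.

```python
"""Estimate monthly Cloud WAF traffic charges under the three billing models
described above (per request, peak Mbps at the 95th percentile, and bandwidth
over the wire). Added example: rates and traffic samples are constructed,
not taken from any vendor's price list."""

INTERVAL_SECONDS = 300  # one bandwidth sample per 5-minute interval

# Constructed traffic profile (average Mbps per interval): 19 ordinary
# intervals plus one 900 Mbps burst, the kind a short DDoS would produce.
SAMPLES_MBPS = [40, 45, 50, 55, 60, 42, 48, 52, 58, 61,
                44, 47, 53, 57, 62, 41, 46, 51, 59, 900]
TOTAL_REQUESTS = 3_500_000  # constructed monthly request count


def peak_mbps_95th(samples):
    """Nearest-rank 95th percentile: sort, then drop the top 5% of samples,
    so a brief spike does not set the whole month's price."""
    if not samples:
        raise ValueError("no bandwidth samples")
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n), 1-based rank
    return ordered[rank - 1]


def total_gb(samples, interval_seconds=INTERVAL_SECONDS):
    """Data over the wire: Mbps * seconds = megabits; /8 -> MB; /1000 -> GB."""
    megabits = sum(samples) * interval_seconds
    return megabits / 8 / 1000


def request_cost(requests, included, rate_per_million, base_fee):
    """Flat fee covering `included` requests, then per-million overage."""
    overage = max(0, requests - included)
    return base_fee + overage / 1_000_000 * rate_per_million


def compare_models(samples=SAMPLES_MBPS, requests=TOTAL_REQUESTS):
    """Monthly estimate per model, using constructed (hypothetical) rates:
    $50 base with 1M requests included and $1 per extra million,
    $2 per 95th-percentile Mbps, and $0.50 per GB over the wire."""
    return {
        "requests": request_cost(requests, 1_000_000, 1.0, 50.0),
        "peak_mbps_95th": peak_mbps_95th(samples) * 2.0,
        "bandwidth": total_gb(samples) * 0.50,
    }


if __name__ == "__main__":
    print(f"95th percentile: {peak_mbps_95th(SAMPLES_MBPS)} Mbps "
          f"(raw peak {max(SAMPLES_MBPS)} Mbps)")
    for model, usd in compare_models().items():
        print(f"{model:>15}: ${usd:,.2f}")
```

With these constructed inputs the 95th-percentile figure is 62 Mbps even though the raw peak is 900 Mbps, while the bandwidth model bills the full 70.16 GB including the burst.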

As discussed earlier, depending on the WAF provider, you may get charged for the following features:

a. DDoS & Bot Mitigation: This is probably the single most expensive feature addition. Depending on the application, the subscription to this feature alone typically costs a couple of thousand dollars per month. In addition, some vendors even bill you for the bandwidth consumed during a DDoS attack. In the case of Indusface AppTrana, DDoS protection is bundled as part of the monthly subscription plans.

b. API Security: Most popular WAFs now include an API security solution, and this category is now called WAAP. However, it is generally priced as an add-on, as API security needs special configuration, especially to create a positive security model. The AppTrana WAAP, by default, protects all APIs that are part of the same FQDN. See more details here.

c. Analytics: Getting analytics on the kinds of attacks blocked is also a big add-on, especially if you buy one WAF license and use it to protect multiple applications such as acme.com, payroll.acme.com, and crm.acme.com. As these are all different applications, storing attack logs and running analytics on them would be extremely expensive.

Hence, most WAF providers don't provide analytics access on a single license. At Indusface, we often suggest taking additional licenses for critical applications that require attack logs and analysis.

d. DAST scanners: In most organizations, DAST and WAF are separate, unintegrated products. This is a lost opportunity, as vulnerabilities found by a DAST could quickly be patched on the WAF. This process is called virtual patching, and it buys developers time before they fix these vulnerabilities in code.

At Indusface, we bundle the DAST scanner Indusface WAS as part of the AppTrana WAAP. You save on subscription costs and can integrate DAST and virtual patching into CI/CD pipelines so that security is handled even in an agile development cycle.

e. CDN: Since WAAP providers have some pricing component dependent on data transfer, enabling a CDN will lead to significant cost savings. In most WAFs, this is an add-on.

f. Support: 24x7 phone, email, and chat support is yet another feature that most WAF vendors include only in enterprise contracts. At Indusface, you get enterprise support at SMB pricing; see the WAAP pricing page here.

Managed services play a big part in application security, especially as threats evolve. For example, 200+ application-level critical/high zero-day vulnerabilities are discovered monthly. Compute power is so cheap that a one-hour DDoS attack can be bought for $5, and this will only get cheaper.

To combat all of this, any WAAP/WAF solution needs to evolve. While most Cloud WAFs keep the software updated, a key part of the defense is the rule set, and unless security teams have highly skilled security engineers, they wouldn't be able to touch any of the rule sets.

The other problem is that even when rules are shipped as patches, the onus is on the application team to monitor for false positives and ensure 99.99% availability while preventing downtime. Often, application teams do not apply these patches; worse, most WAFs are perpetually in log mode, meaning they don't block any attacks at all!

Then there's the problem of DDoS, which is a big ransomware threat, and sophisticated responses such as rate limits, tarpitting, CAPTCHA, and blocks need careful monitoring, as there is a high possibility of false positives.

So managed services are essentially an extended SOC/IT team to help with the following:

While every vendor can promise managed services, evaluating the SLAs under which they operate is critical. We highly recommend checking support response times and SLAs, the uptime guarantee, and latency with the vendor.

At Indusface, we are proud to ensure a 24-hour SLA on virtual patches for critical vulnerabilities. You can find more details on the SLA here.

Here's a step-by-step framework to help you choose a WAF based on pricing:

1. Identify your organization's requirements:

2. Research WAF providers

3. Analyse pricing models:

4. Evaluate included features and additional services

5. Assess data center locations and regions

6. Compare technical support and SLAs

7. Calculate the total cost of ownership (TCO)

8. Rank various WAF providers

9. Run product trials

By following this framework, you can systematically evaluate and compare different WAFs based on pricing, features, support, and other factors, ultimately selecting the most suitable and cost-effective solution for your organization.

In conclusion, selecting the right Cloud WAF is crucial for safeguarding your web applications and maintaining a strong security posture. A thorough understanding of Cloud WAF pricing, features, and service level agreements will enable your organization to make informed decisions, ensuring you invest in a solution that fits your budget and provides robust protection against ever-evolving cyber threats.


*** This is a Security Bloggers Network syndicated blog from Indusface authored by Indusface. Read the original post at: https://www.indusface.com/blog/cloud-waf-pricing-all-you-need-to-know/
