F5 Networks released their 2015 State of Application Delivery report this week. When we think of application delivery and the associated appliance, the Application Delivery Controller (ADC), we instantly associate a number of features, functionalities, and other characteristics. For many, the ADC will always be first and foremost, a load-balancer, designed to enable applications to scale beyond a single server. For others, the ADC provides SSL offload, content-based switching, caching, and other connection optimizations. Regardless, security is still not the first thing that leaps to mind as a core function of the ADC despite the SSL capabilities.
So it comes as no surprise that availability and performance trump security among those surveyed for the State of Application Delivery report. It is tempting to attribute this response to sample bias since the survey respondents are largely ADC administrators. However, anyone who has worked as a security practitioner – architect, engineer, or otherwise – can attest that availability and performance almost always trump security. That being said, web application firewall (WAF), access management gateway, and DDoS mitigation are common features of many ADC solutions. These advanced security features are often only possible on the ADC owing to the visibility owed to the aforementioned SSL termination features.
It would be easy to be cynical, in this age of high-profile breaches, DDoS attacks, and critical vulnerabilities, to decry the notion that availability and performance should ever trump security. Though I’m focused on security these days, my career has been spent largely supporting and building systems with availability and performance in mind. Security will always come second because an application that isn’t both available and responsive will see little use, rendering security measures moot. Raising the philosophical question, if a web site is attacked in the forest and no one sees it, does it make a sound?
Rather than be cynical, I find it encouraging that the survey respondents, whose roles are likely primarily focused on availability and performance, have listed security as the #2 concern immediately after their primary tasks. This data point signals to me that security is becoming more visible and infused into every area of the infrastructure. In customer conversations, we’re seeing big shifts in attitudes about SSL termination at the ADC. In environments where previously the only requirements were load-balancing, SSL is in play not for the performance benefit, but rather for the purposes of centralized and enforceable encryption policy, validated by the 73% of respondents planning SSL/TLS offload projects in 2015. As I’ve written previously, the trend toward an all-HTTPS Internet is accelerating at an unprecedented pace. With the waves of SSL vulnerabilities, and the increasing load on web applications that may have been previously unencrypted, the ADC is becoming an ever more vital part of the infrastructure, and not “just a load-balancer”.
Beyond encryption, most respondents listed application access control, single sign-on (SSO), and identity federation as projects planned for the coming year. An overwhelming 87% of respondents planned to deploy WAF next year, which narrowly edged out IDS/IPS at 86%. Anti-DDoS projects were on the 2015 calendar for 79% of respondents.
The ADC stakeholders clearly have visibility into the increasing demands of infrastructure security, and a part to play in the successful deployment of many security solutions. Even though security is the #2 concern when it comes to application delivery, it couldn’t be more vital to the practice of application delivery. Coming in second place in this report is still a big win for security.
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on InformationSecurityBuzz.com, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.