Organizations face new challenges associated with protecting distributed assets against cyberattack in the hybrid IT model that most companies will deploy for the foreseeable future.
Threats are emerging at a speed that makes it difficult for internal security practitioners to keep pace. Zero-day attacks exploit vulnerabilities before security teams are even aware of them. DDoS attacks that target networks, applications, and APIs can seemingly come out of nowhere. The complex process of applying the latest patches leaves a significant gap between the discovery of a vulnerability and the closing of that security hole. In addition, pushing out the right policies to the right systems and services can take time.
To address emerging threats more quickly, organizations are increasingly adopting Security-as-a-Service (SECaaS). In fact, 42% of SECaaS adopters in F5’s 2023 State of Application Strategy survey cited speed as the main driver. That far exceeds other factors, such as lack of internal talent/skills (18%), the location of users (18%), the location of applications (17%) and business preferences for OpEx (6%).
Organizations are using SECaaS for specific security functions such as web application firewall (WAF), web application and API protection (WAAP), distributed denial-of-service (DDoS) protection and API protection.
SECaaS vendors have real-time visibility into the global threat landscape, which enables them to identify and block attacks, including zero-day attacks, for all of their customers.
Lori MacVittie, F5 Distinguished Engineer, explains: “The service provider has visibility into a large number of different traffic streams, not just yours. So, if they see somebody else is starting to get attacked, they can immediately identify it and remediate, not just for that customer, but across every customer, so they may be stopping attacks before you even know they are attacks.”
MacVittie adds, “You want the ability to stop those threats as soon as possible and in a more strategic location, like out on the internet, instead of in the data center. And SECaaS gives you that.”
The Zero Trust/platform security connection
More than 80% of survey respondents say they are adopting Zero Trust or planning to do so. The “trust nothing, verify everything” approach can be applied throughout the software development lifecycle and extended to areas like IT/OT convergence. In fact, 75% of survey respondents say they are adopting or planning to adopt a secure software development lifecycle (SDLC).
And nearly nine in 10 respondents say their organizations are taking a platform approach to security, which is intended to limit the sprawl of multiple tools and vendors, while providing consistent security across the hybrid IT stack. The platform approach is being applied to a variety of security areas: 65% of respondents are taking the platform approach to network security, identity and access management, 50% for application and API security, and 40% for anti-fraud protection. Adoption of Zero Trust and platform security go hand in hand, reflecting the complexity of securing applications and APIs in a hybrid IT environment.
If you want to learn more about how organizations are securing their business in today’s hybrid world, check out the 2023 State of Application Strategy Report.