F5 Blog

 
Archive Search Articles

Are you defending apps, or protecting them?

Technology tends to use a lot of words interchangeably, as if even subtle differences in meaning aren’t relevant. But in some cases, the difference between using one word or another is actually pretty profound. Like the difference between defending and protecting.

While essentially these two are synonyms, consider that defense is usually more reactive; it implies that you’re being attacked and defending yourself (or others). On the other hand, protecting invokes a more proactive system; one that’s “out there, somewhere.”

defense: the action of defending from or resisting attack

Defense implies that something is already happening. Our action is reactive rather than proactive. In too many instances this means the attacker is inside our perimeter.  

protection: the state of being kept from harm, loss, etc. : the state of being protected

Protection implies a more proactive approach, that we’ve taken steps to provide for protection already. We aren’t actively being attacked, we’re just preparing for it.

Now perhaps I’m being pedantic (it wouldn’t be the first time) but such subtle differences are important when you start applying them to your applications (and thus the data they have access to). The reality is that because of the way attackers are ramping up multi-vector attacks, you need to both protect and defend applications. Volumetric attacks are designed to saturate resources. Your network, your routers, your firewalls. App specific attacks go after your app resources, overloading servers (because they only have so much memory and I/O and disk capacity) in order to bring the business to a screeching halt. Productivity suffers when corporate users are unable to access the increasingly cloudified business apps they need to do their jobs, and profits suffer when consumer customers can’t browse and buy and generally do business with you because of unresponsive or unavailable applications.

That’s why it’s called a denial of service attack. It denies service to internal and external users by saturating networks and overwhelming servers. Really, they should be called a denial of business attack because that’s ultimately what these increasingly large attacks are doing.

top 5 app services soad 2016And you’ve got defenses in place; you’ve got an on-premise firewall along with several other security-related services. I know you do, our State of Application Delivery reports tell us security services dominate the 10 or more app services most organizations deploy to deliver apps. But those are defensive; the attack is already at the gates, as it were, where bandwidth is limited and the business’ digital resources are going to be quickly consumed. On-premise protections in the face of a massive, multi-vector attack is the equivalent of fixing bayonets when the attackers breach your lines.

Cloud-based protection, on the other hand, has far more bandwidth and resources in general available with which to fend off attackers. It keeps them out there, away from all the apps and data tucked neatly on-premise and unable to saturate your network connection faster than a rain storm in the Mohave desert.

There’s a reason we call it DDoS protection and not DDoS defense. Because cloud-based DDoS protection is about preventing business disruption by keeping the vandals off the lawn in the first place. It’s about intercepting the bad guys at the end of the street and holding them off, well away from the business’ crown jewels: its apps and data.

Given the state of the Internet and security these days, no one would seriously suggest abandoning defense in favor of protection. Neither should they suggest conversely. Given the serious consequences of a breach, or disruption of service, on the business (and the brand, by the way), it’s better to both protect and defend those assets and resources critical to modern business continuity. Because it’s not just disasters that interrupt business anymore.