F5 integrates application, cloud security in a unified SaaS platform

Aiming at enterprises that are managing increasingly complex IT infrastructure, F5 is releasing a new SaaS-based security, multicloud networking, and edge computing platform, F5 Distributed Cloud Services, as an expansion to its application delivery and security product portfolio.

As part of the announcement, made at its annual Agility conference Tuesday, the company also unveiled the first new service on the platform, F5 Distributed Cloud WAAP (Web application and API protection), which integrates the existing security capabilities from across F5 applications into a unified SaaS (software-as-a-service) based offering.

The new SaaS platform is designed to help enterprises manage complex computing environments comprising both legacy technologies and newer modern infrastructure, as they struggle with inconsistent security controls over large threat surfaces across different environments. 

“The launch of F5 Distributed Cloud Services is significant because it provides a simpler way for customers to manage the complex challenge of modern application security,” says François Locoh-Donou, president and CEO of F5. “We have made it our mission at F5 to help organizations protect these applications from the now constant barrage of cyberattacks.”

WAAP service consolidates multiple security apps

F5 Distributed Cloud WAAP is a SaaS-based consolidation of web application firewall, bot mitigation, DDoS, and API protection capabilities under a single solution, designed to enable SecOps (security operations) and DevOps (development operations) teams to enforce consistent security policy across multiple applications deployment. 

The integration features key application security technologies, including:

•  Application protection from F5 Advanced WAF (Web application firewall): Designed to protect against the most prevalent application attacks with fewer false positives and lower TCO.
• Volterra’s ML based API security: Automates the process of finding, securing, and monitoring APIs.
• Bot defense based on F5 Shape’s AI: Shields apps from malicious and unwanted automation.
• Global distributed denial of service (DDoS) protection: Protection at both the network (Layer 3/4) and application (Layer 7) level.

“F5’s new platform, WAAP, should be a big hit with the existing customers as it will integrate multiple security capabilities into a unified SaaS solution,” says Gary McAlum, an analyst at TAG Cyber. “The announcement plays into the company’s latest push into software and services, moving beyond its traditional business model that was based on hardware sales.” 

Within WAAP, F5 combines capabilities derived from acquired partners Volterra and Shape Security. Volterra, an edge-as-a-service platform was acquired in January 2021, and Shape, a web fraud and abuse prevention company, was acquired a year earlier in January 2020. 

Volterra will provide the base platform for delivering and operating distributed cloud services, by bringing in API protection and DDoS protection for additional layers of app security, as well as multicloud networking and edge computing capabilities, according to Mark Weiner, VP of product marketing, security and distributed cloud at F5. “This will be combined with Shape’s bot mitigation and fraud prevention capabilities.”

F5 security services allow for role-based access

The services on the F5 Distributed Cloud Services Platform can be accessed via a SaaS-enabled console. Whenever a new user logs on for the first time, their profile is customized based on their specific role (NetOps, SecOps, DevOps, etc) and expertise level. The console view will then only display services and configuration objects that are relevant to their role and proficiency.

“Our persona-based approach to application delivery and security means you can delegate responsibility for cloud management the way your team works,” says Weiner. “For instance, on the HTTP load-balancer dashboard page, the SecOps Practitioner can get a sense of what kind of attack or attacker they are dealing with — a known CVE exploit, a reconnaissance, or malicious automation.” 

Similarly, the API Endpoints page can be used by the DevOps personnel to access and evaluate the APIs used by their apps. The page presents a breakdown of composite APIs and application endpoints and tracks performance statistics for each of them, allowing troubleshooting and verification of the performance of individual microservices. 

The overall platform and each of the services it features are cloud-native and can be deployed anywhere (public or private cloud, data center, edge site), according to F5. Buyers and users will be able to use a consistent set of tools and security wherever they distribute their applications and workloads, through a “single-pane-of-glass” console.

Additionally, a number of previously released applications are also available via F5 Distributed Cloud Services. These include F5 Distributed Cloud Transit, designed to  enable multicloud networking (MCN) functionality with secure connectivity between clouds and a network firewall; and F5 Distributed Cloud Secure Kubernetes Gateway, which provides an integrated load balancer, Kubernetes (open-source software deployment system), and API gateways to deploy workloads and microservices across distributed clusters, locations, and cloud providers. 

The platform also features cloud-native computing capabilities at the edge of the network, known as an ADN (app delivery network), that distributes applications to the edge of F5’s global private network. 

“This announcement highlights F5’s three areas of commitment —delivering new capabilities driven by customer and market demand, rationalizing their existing product portfolio, and more integration,” says McAlum.