Better security is driving Financial Services edge cloud strategies

Our industry reports often spend a lot of time focusing on speed and performance optimization as one of the key motivators for an industry’s cloud strategy. This time is different. The Financial Services (finserv) industry is focused on security, and while performance is still a factor, it has historically been relegated to a secondary or maybe even tertiary concern. By contrast, in our recent industry report for Digital Publishing you can see that the top publishers all shared a motivation to optimize their site and application performance with page load times that eclipsed what you find across many other industries. Publisher revenue is often driven by web traffic, and faster load times mean better search rankings, better user experience, and more engagement. Other industries are under less pressure, with their revenue and profitability less directly tied to every millisecond of improved site performance. 

Finserv vs. Fintech

While fintech focuses on technological advancements and often introduces disruptive solutions, finserv represents the established sector providing conventional financial operations and services. Fintech is often laser-focused on site performance and shaving off a fraction of a second anywhere they can because this group concentrates on payment processing and transactions. It’s easy to imagine why an organization like Stripe or PayPal cares about site security and availability, but they are always chasing speed and efficiency. By contrast, a lot of finserv’s information and data needs to be delivered out to their employees and customers, but the actual business is not happening on the public internet, at least not with the same scale of transactions as someone like Stripe needs to handle. 

If it ain’t broke, don’t fix it (even if it’s really slow)

The risk of data breaches and insecurity far outweighs the risk of performing slightly slower. Finserv organizations have historically opted to avoid change and risk in their delivery infrastructure in favor of stability and security. Heavily regulated finserv institutions deal with highly sensitive, highly valuable data and data breaches can be disastrous. Lost revenue due to downtime and mitigation efforts is a direct consequence, as well as having a massive risk of negative brand impact that affects reputation and future earnings. Beyond that, there’s also the associated liability that can turn into financial penalties and even more expensive legal and compliance actions, which leads to an even more negative brand impact and lower company performance.

Finserv organs often deal with high-net-worth individuals or large revenue accounts, and while there’s a switching cost for those accounts to move to a new finserv institution, an event with negative brand consequences can be the motivating factor and lead to huge losses. It’s easy to understand why these institutions are so risk-averse and prioritize securing their applications. 

Security improvements are starting to outweigh switching costs

Many finserv institutions have been in business for a long time, and some of the biggest ones are far older than the Internet. They may be sitting on decades of entrenchment with legacy vendors whose complicated architectures and implementations make switching to a better solution feel daunting. The performance benefits alone are not enough to convince DevOps or senior engineering leadership to eat the one-time cost of replacing an old CDN, even if the benefits of the switch are plain to see because being a little slow and fairly stable wasn’t hurting them. 

Industries that have avoided rip-and-replace for deeply entrenched vendors in the past are waking up as the security landscape changes and as better solutions arrive in the market, especially with tools for Web Application and API Protection (WAAP) or Web Application Firewalls (WAF) and bot management. CISOs and senior security engineers have started to realize that the switching cost that was too much for performance improvements alone is easily justified for highly integrated and improved security tools that can deliver more accurate blocking, significantly reduced tuning and maintenance effort, and much faster time to incident resolution. It’s a cherry on top that they’re also making their DevOps teams much happier and getting more origin offload, reduced egress charges, and faster site and application delivery at the same time.

10 security advantages that drive big migrations 

The best security tools have made huge leaps beyond the rest of the pack in ease of use, accuracy, reduced effort, increased team productivity, and advanced threat intelligence. 

At Fastly, we consistently see customers who don’t understand what they’re missing. When they start using our Next-Gen WAF and bot management solutions, they expect them to be like the legacy WAFs they are familiar with (i.e have multiple false positives, be difficult to use, have limited visibility, and also be a giant pain in the neck to maintain and update RegEx rules). When customers like Duolingo have realized – over and over again – that an option exists that works well and makes their lives significantly easier, they never turn back. These 10 capabilities represent the expectations you should have, and capabilities like these are why more teams are finally willing to tackle these migrations. 

1. Easy to use

The tool should be easy to use. This does not mean easy relative to legacy WAFs and security tools, where the bar is incredibly low. It means a paradigm shift that makes it easy to keep false positives low while maintaining a strong security posture without sacrificing performance. This should be easy as you respond in real-time to new threats. 

Time-to-protection should be extremely fast, both at the time of deployment and in response to new threats. It should take minutes rather than days or weeks to respond with effective solutions. Answers and insights should be easy to find around basic questions like “Why are we experiencing this traffic peak?” and “Is this traffic legitimate or not?” 

2. More control and less dependence on professional services

The tool should give your team more control, and the ease of use should help you feel confident about exerting that control. You should be able to confidently and safely make configuration and rule changes, review the impact of those changes in a live test environment, and implement them immediately. Many organizations experience bottlenecks because so much has to be done through professional services teams, which is incredibly expensive but also incredibly slow and is a disaster for time-to-protection every time there’s a new attack to adapt to. 

3. Easy, fast deployment

Your new solutions should be capable of deploying and starting to protect you in minutes, not weeks or months. End of story. This is an early indicator to how flexible they will be as you continue using them over the long term. A good sign is if there are a large number of existing customers who can attest to this experience. For example, ease of deployment is core to Fastly, and our Next-Gen WAF can be up and running in less than ten minutes - read more. 

After initial deployment, the solution should also be easy for developers to deploy in their existing workflows. Terraform and general CI/CD compatibility can make deployment a snap with every update or patch that goes out and enable a better DevSecOps workflow for your development process. 

4. Deploy on any environment (Vendor consolidation bonus!)

Part of being “easy to use” is having a unified experience. For example, if you have to work across multiple WAF instances to tune and maintain your security rules, then it doesn’t matter much if only one is easy to use because you’re only as secure as your weakest link. Suppose you can only protect a portion of your footprint immediately. In that case, you’re still not secure as you wait on a professional services engagement to protect the rest of your infrastructure. 

Easy means flexibility for deployment in any infrastructure and observability across all environments in a single pane of glass. Operate across cloud, container, on-premises data centers, hybrid environments, or at the edge, and know that you always have the option to make an architecture decision without creating a new security headache. 

BONUS: Vendor consolidation! The other bonus of this is that you can often consolidate security vendors by getting rid of point solutions that are only partially solving problems for you. This often delivers cost savings over the other security and usability benefits. 

5. Accuracy without false positives

False positives should not be a concern. If you continue struggling with false positives, it’s a sign that you’re using an outdated WAF. There are newer, better solutions that have innovated to make it easier to block accurately without false positives. Read more about the evolution of blocking. 

The ability to threshold attacks out of the box (in addition to blocking them outright) also allows for a fast time-to-value to get into blocking mode while not worrying about false positives. WAFs with premiere visibility also allow for you to adjust the thresholds over time with extreme accuracy, further mitigating false positives

6. Easy rule-building and maintenance

Rule building should be easy, simple, and transparent. Building and deploying an effective new rule with confidence that it isn’t creating new false positives should take minutes. These tools should be flexible to build rules that address whatever you discover. Regex rules can be useful, and you may continue to use them as part of your protection, but you need simpler ways to quickly block new threats as soon as you’ve identified them.

7. Preemptive blocking and threat intelligence

Most WAF users think of it as a purely reactive tool, but more advanced threat intelligence capabilities can help even more by blocking threats before they even make a request or reach your WAF. This has the added benefit of blocking large chunks of illegitimate traffic that were not easily identifiable before, and can contribute to a measurable amount of traffic reduction at your origin. For example, you can read more in this report generated from Fastly’s Network Learning Exchange, which enables just this kind of preemptive blocking based on IP address.

8. Bot management

The impact of bots in the security landscape is huge and will continue to grow. Your bot management solution should satisfy all the above points, including ease of use and deployment, more control, accuracy without false positives, and threat intelligence. But you will get even more value by fully integrating it with your WAF under the same single pane of glass and deployed across your entire footprint. Your bot management solution should contribute to an opportunity for vendor consolidation rather than adding more complexity to your security posture.

9. Observability with real insights

You should have access to real-time dashboards of your data that provide insights from the moment you turn your solution on, and it should make it easy to determine what is happening, why it’s happening, and how to resolve it quickly. This may sound too good to be true, but this is exactly the kind of new capability that is finally getting organizations to invest in change. Here’s an example of Stripe’s experience when they finally got real-time visibility into their traffic on Fastly.

Your access shouldn’t be limited to dashboards, nor through professional services requests, delivered in batch reports, or incomplete in any other way. You should have access to real-time logs and all of your data and the ability to stream it to wherever you want. It’s your data, and you should have access to all of it. 

10. Support

Customer satisfaction should be exceedingly high with the support that a vendor offers. Security issues must be resolved quickly and with solutions that keep the customer secure. Customer support can’t be another bottleneck contributing to long resolution times or leaving your organization at risk for long stretches of time after a vulnerability is identified.

Platform security advantages

The ten security advantages listed above are often the ones that help organizations justify their rationale to start the migration process, but more cross-platform benefits improve security postures with a move to a better edge cloud platform. You can start to think of your cache hit ratio and origin offload as a kind of security metric because of how it allows you to shrink your attack surface at the origin. When edge computing is highly secure like Fastly’s due to per-request isolation and sandboxing, it also means that any workloads performed at the edge are improving your security posture. Better CI/CD integrations also ensure more complete coverage and easier DevSecOps. To learn more, check out the AppSec Guide to Multi-Layer Security. 

Security-driven origin offload and egress savings

Security may be driving these migrations, but if you’ve done the due diligence to select a better edge cloud platform with a superior security offering, it should also come with other huge benefits.  

Here are four big reasons why organizations care about origin offload. If you want to know more reasons, just reach out and say hello. We’d love to tell you more.

1. Reduce the amount of traffic that reaches your origin

When you don’t have good visibility into the malicious and illegitimate requests hitting your sites and applications you can be blind to how much of your traffic is generated by bots or other attacks and not from real requests. Improved visibility and better blocking (without false positives) can have a measurable impact on reducing traffic load to your origin. 

2. Significantly reduced egress costs

A measurable reduction in traffic due to more accurate blocking will also reduce your egress costs since you no longer have to serve content to that illegitimate traffic, but don’t forget that while the impetus for this migration was for better security, you finally have the opportunity to select the edge platform with better content delivery performance and origin offload as well. You’ll have several different avenues for a significant reduction in egress charges. Keep reading below to learn more about the impact of advanced caching capabilities. See next section for more information on this.

3. Reduced infrastructure and capital expenditure (CapEx) costs 

With reduced illegitimate traffic, better caching, and origin offload with a better content delivery platform, you may also find that you can downsize your infrastructure at origin to match your new, lower baseline of traffic, knowing that big legitimate traffic spikes can be handled at the edge with limited impact to your origin, and illegitimate traffic spikes from attacks can be blocked at the edge before they reach you. This protects you from unexpected overage charges and gives you better cost predictability. 

4. Smaller infrastructure means reduced maintenance

It’s not just about reducing your CapEx, you can also reduce your operating expenditures (OpEx) when better blocking and origin offload allow you to reduce your infrastructure investments. With a smaller footprint, your teams can spend less time on maintenance, upgrades, upkeep, and security and shift more of their effort to solving other problems for your organization. 

A better platform with better caching means big savings

It’s easy to fall into the trap of thinking that all CDNs are relatively equal, especially when your priority and decision-making criteria is largely focused on security. Many finserv decisions regarding CDN and edge cloud strategy have been made with the idea that their speed and offload only need to be “good enough,” that’s exactly what they’ve had for the last 20 years. Offload metrics are confusing because big differences can seem small if you don’t look at them correctly. For example, in the charts below, we can see that a “great CDN” might be able to get you to 95% offload (or better!), while a “good CDN” might be closer to 90%. You might say, “No big deal, it’s only a 5% difference, and it’s not my priority.” However, if you look at chart 2 (Traffic to origin), you can see a 50% reduction in traffic to origin! 

If you start with a total traffic of 100 GB, a great CDN will offload 95%, leaving 5 GB to hit your origin. A good CDN will only offload 90%, leaving 10 GB – twice as much – to hit your origin.

A 5% improvement in CDN offload performance can mean a 50% load reduction at origin

Cache the uncacheable

There are many reasons why a top-tier edge cloud platform and CDN will always outperform a legacy CDN by a mile, even a pretty good CDN. (If you want to know all of them, get in touch!) One of the easiest ways to improve performance metrics and origin offload is by caching dynamic content. API trafficis a great example of content that industries like finserv don’t typically view as being cacheable, mistakenly thinking it’s too dynamic and updated too often to benefit from being served by their CDN. This is a huge missed opportunity, not just for finserv but for other industries like SaaS, Healthcare, and anyone who has underestimated the benefits of serving more from cache.

Fastly’s Instant Purge, for example, can purge content globally in 150 ms (as of December 31, 2022). This means that anything that updates from its origin less frequently than every 150 ms can be served from cache, and it takes a surprisingly low rate of requests per second (RPS) occurring against that data to achieve huge amounts of traffic offload from your origin. 

This chart shows % offload for a given API or other data requesting endpoint in your infrastructure based on how often it might be refreshed with new data (from 200 ms to once per day) versus the number of requests per second against that endpoint. You can see that even data that updates every 200ms can achieve a whopping 50% offload at only 10 RPS. And most of this chart is green, showing > 90% offload! With this kind of benefit, every API should be served through cache. When we share stats like Fastly customers getting a 189% return on their investment with us, this kind of egress savings is a big component of what makes that possible.

Translated into dollars through some rough back-of-the-envelope calculations, here’s what it translates to. At a 90% offload rate and egress cost of $0.05 per GB, it only takes an average request size of 1 mb at 5 RPS to save $120,000 per year. Think about that spread across every API and other part of your infrastructure responding to requests and it’s easy to understand how an extra 10-15% of origin offload may not always sound like a huge leap, but can be a huge source of savings and infrastructure simplification.

Modern platforms also deliver huge productivity gains

It’s not all about dollars – productivity gains yield a ton of benefits as well. There are clear cost benefits and time-to-resolution improvements when you don’t have to wait for professional services teams to do everything. Combining that with better insights and observability, faster time to mitigation, and huge reductions in tuning and maintenance efforts, you also solve other problems. Scaling security teams and SecOps and DevSecOps experts is difficult – these experts are in high demand and are expensive relative to other positions. A platform that helps reduce the issues they have to resolve and resolve the remaining issues quickly is a huge productivity multiplier, relieving pressure to scale those teams, reducing burnout, and improving retention. 

At Fastly, our world-class customer support helps resolve issues quickly, but we also offer the option to engage with our Managed Security Service for another cost-effective way to scale your security team without breaking your operating budget. 

For more information about Fastly and our solutions for the financial industry, visit our dedicated solutions page.