Back to blog

Follow and Subscribe

Stay ahead of attackers by pushing your security perimeter to the edge

Blake Dournaee

Manager, Security Product Management, Fastly

Today, data breaches and cyber threats are found everywhere making it critical for organizations of all sizes to protect themselves. However, as organizations rely more and more on cloud computing, IoT devices, and interconnected networks, it becomes increasingly apparent that their current cybersecurity strategies could benefit from an additional layer of defense for internet-facing applications and APIs. This is where having an effective edge security strategy can provide significant benefits and can further protect organizations from the continually evolving threat landscape.

Enforcing security at the edge

As attacks continue to grow and change, the edge is a natural place to enforce security policies in a single place, ultimately blocking attackers from getting to origin(s). This is especially important for organizations using multiple cloud providers that all have security configured differently. In addition, with security centralized in a single place (the edge), it’s easier for security teams to check and see which security controls are currently being enforced versus having to embark on a time-consuming audit of all the code written and deployed. Here are a few areas where Fastly is helping customers add greater protection at the edge:

  • Preventing high volume, automated attacks: Edge Rate Limiting is a feature designed to mitigate bursts of traffic. It gives Fastly customers a way to protect their websites from abusive web requests by stopping the requests from negatively impacting application and API performance. For example, if you operate an e-commerce site that uses a check-out API, you cannot afford for that API to go down if it gets a flood of a million requests in a 24-hour period. 

    With Edge Rate Limiting, logic can be written directly into applications to clamp down on high-rate application layer attacks that threaten origin availability. Check out our documentation to learn more. Complementing this functionality, Fastly further protects customers by automatically mitigating massive-scale attacks like the novel Rapid Reset attack. 

  • Malware verification: Malware verification is the process of confirming whether a particular file, program, or piece of code is malicious or not. At the application level, this involves verifying the reputation of a file, image, or other content against an API.

    Scanning and verifying malware at the edge can take your security strategy to the next level and Fastly can help with checking file upload content against the reputation-based API of our customer’s choosing. For example, this Fastly Fiddle demonstrates the hashing of the POST Body, then verifying the hash against the VirusTotal API. In addition, with the Compute JavaScript SDK, you can develop custom security conditions and manage the actions taken on a Request before forwarding it to your backend applications. Data enrichment at the edge allows you to make more informed actions on what content can reach your applications.

    Securing your Enterprise against malware is often done with multiple layers of protection and instituting application security controls can help. Fastly’s Next-Gen WAF (NGWAF) allows our customers to detect code injection attacks which can be a vector for malware if they allow an attacker to get a foothold on a vulnerable server.

  • Authentication: By moving authentication of users and devices to the edge, potential threats can be identified and mitigated before they make their way back to origins. This helps safeguard your business against unauthorized access, data breaches, and other malicious activities. Fastly can help support a number of authentication use cases.  Here are some examples:

  • Apply CAPTCHA to high-risk requests. Fastly has partnered with Google Cloud to integrate reCAPTCHA Enterprise for WAF with Fastly Compute. Intercept suspicious traffic and display a CAPTCHA challenge. If the user passes, allow the request to go to the origin server. Watch the webinar and check out our documentation to learn more.

  • Detect leaked passwords: Detect requests that contain submitted passwords and use a service to determine whether the password has leaked before allowing the request to proceed to origin. Also, check out our live stream to learn about a future without passwords using Passkeys.

Conclusion

Extending your security perimeter to the edge adds an additional layer of defense to further protect your organization and your infrastructure from creative attackers and new threats. Edge Rate Limiting helps to protect you against brute force attacks that quickly overwhelm your infrastructure. Malware verification helps to quickly identify and neutralize threats at the edge, and authentication deployed at the edge helps to protect sensitive data and applications from unauthorized access. These edge computing use cases improve resiliency, performance, and scalability, helping organizations of all sizes kickstart their edge security strategy and respond to new security challenges.