Vulnerability management specialist Qualys has branched out into the Web application firewall (WAF) market. The company recently released a beta version of a cloud-based WAF as an Amazon Machine Image (AMI) for applications on Amazon EC2.
According to the company, the service is offered through the QualysGuard Cloud Platform, and is designed to provide centralized management and distributed protection. In September, the Qualys WAF will also be released as a VMware virtual image for on-premise Web applications.
Eric Ogren, founder of analyst firm The Ogren Group, said the move by Qualys makes sense on a number of fronts. For one, it dovetails nicely with the company's core competency in vulnerability management, including its cloud-based vulnerability scanner, he said. In addition, cloud-based WAFs should be attractive to small and midsized businesses (SMBs) dealing with Payment Card Industry Data Security Standard (PCI DSS) compliance.
"Qualys knows how to identify vulnerabilities and craft antidotes, so this fits their people and organizational skill set really well," Ogren said.
"Having said all of that, I'm not sure too many people will get rich on WAFs," he added. "But still, it is a nice fit and while it may not be low hanging fruit for other vendors, it probably is for Qualys."
While other vendors use a pure public cloud model, Qualys' distributed approach means that all the customer's policies and event management are handled through the central Qualys software-as-a-service (SaaS) user interface and application programming interface (API), Matthieu Estrade, Qualys product director for WAF, said in an interview.
Today, the company allows customers to move sliders in the user interface to determine the aggressiveness of their response, he said. Customer-specific variables can also be added into the mix to further tune the rules.
Jon Oltsik, senior principal analyst with Enterprise Strategy Group, said in an email that many organizations look at a Web application firewall as a compliance requirement rather than a true layer of protection, which he believes is a mistake.
"I’ve heard that the Qualys WAF is rather lightweight, which is fine for basic websites but not adequate for more complex Web application programming," he said. "As long as Qualys targets this market segment, it is a good move, but I can’t see it moving up to compete with the likes of Imperva anytime soon."
Imperva offers a cloud-based WAF service called Incapsula that also includes DDoS protection.