As DDoS attacks grow more frequent, more powerful, and more sophisticated, many organizations turn to DDoS mitigation providers to protect themselves against attack.
Before evaluating DDoS protection solutions, it is important to assess the needs, objectives, and constraints of the organization, network and applications. These factors will define the criteria for selecting the optimal solution.
Below are eight questions to ask when considering DDoS protection:
• What are my data center plans? Many organizations are migrating their data center workloads to cloud-based deployments. The decision of whether to invest in new equipment or to use to a cloud service depends heavily on this consideration. Organizations that are planning to downscale (or completely eliminate) their data centers might consider a cloud service. However, if you know for sure that you are planning to maintain your physical data center for the foreseeable future, then investing in a DDoS mitigation appliance could be worthwhile.
• What is my threat profile? Which protection model is best for you also depends heavily on the company’s threat profile. If a company is constantly attacked with a stream of non-volumetric DDoS attacks, then a premise-based solution might be an effective solution. However, if they face large-scale volumetric attacks, then a cloud-based or a hybrid solution would be better.
• Are my applications mission-critical? Some DDoS protection models offer faster response (and protection) time than others. Most applications can absorb short periods of interruption without causing major harm. However, if your service cannot afford even a moment of downtime, that should factor heavily into the decision-making process.
• How sensitive are my applications to latency? Another key consideration is the sensitivity of the organization and its applications to latency. Cloud-based services tend to add latency to application traffic, so if latency is a big issue, then an on-premise solution – either deployed inline or out-of-path – might be relevant.
• Am I in a regulated industry? Some organizations are within regulated industries that handle sensitive user data. As a result, they’re prevented from – or prefer not to – migrate services/data to the cloud.
• How important is control for me? Some organizations place a big emphasis on control, while others prefer that others handle the burden. A physical device will provide you with more control but will also require additional overhead. Others, however, might prefer the lower overhead usually offered by cloud services.
• OPEX vs. CAPEX? Solutions which include hardware devices (such as a premise-based DDoS appliance) are usually accounted for as a capital expenditure (CAPEX), whereas ongoing subscription services (such as cloud DDoS protection services) are considered operating expenses (OPEX). Depending on accounting and procurement processes, some organizations may have a preference for one type over the other.
• What is my budget? Finally, when selecting a DDoS protection solution, many times the decision comes down to costs and available funds. That’s why it is important to be cognizant of the total cost of ownership (TCO), including added overhead, infrastructure, support, staff and training.
Depending on the answers to those questions, organizations can define the criteria for what’s important for them in a DDoS solution, and base their choice based on that.
Typically, for organizations seeking data center protection, or have mission critical and latency-sensitive applications they need to protect, a hybrid solution will provide optimal protection.
Hybrid DDoS protection combines both premise-based and cloud-based components. It provides both low latency and uninterrupted protection, as well as the high capacity required to mitigate large-scale volumetric DDoS attacks.
• For organizations looking to protect applications hosted on public cloud providers (such as AWS or Azure), or customers who frequently come under attack, an cloud-based always-on solution will usually be best.
Always-On cloud service provides constant, uninterrupted cloud-based DDoS protection. However, since all traffic is routed through the provider’s scrubbing network, it may add latency to requests.
• Finally, for customers who are infrequently attacked, or otherwise have a limited budget, a cloud-based on-demand solution will usually suffice.
On-Demand cloud service is activated only when organizations come under DDoS attack. However, detection and diversion usually take longer than in other models, meaning that the customer may be exposed for longer periods.
The parameters of the optimal DDoS solution will inevitably vary from organization to organization.