Fastly’s Acquisition of Signal Sciences Is All About Applying Application Level Security to Edge Computing Deployments
With Fastly’s announcement of their intent to acquire web application security company Signal Sciences [see my post on the details here], it’s created some confusion in the market of what the acquisition will mean for competitors and who exactly Fastly will be competing with. I see this recent activity impacting the CDN market in three very distinct ways; increasing the criticality of and focus on security versus just bit delivery; balancing scalability and management with developer tooling; understanding the importance of the relationship between the cloud and edge compute.
As I recently wrote in another blog post, a comprehensive security solution requires DDoS mitigation, web application and API protection, protection from form jacking and Magecart style attacks, bot management capabilities, malware and ransomware protection, and the ability to manage all of these based on risk profiles versus static rules. It is only this broad-based investment over a multi-year horizon that enabled Akamai to achieve the milestone of a $1 billion annual run rate in security revenue.
With Signal Sciences, Fastly is banking on the impact that security can have on the growth of their edge compute business, given the similar approach that both they and Signal Sciences have taken in targeting developers. Fastly and Signal Sciences have each invested to ensure their solutions can be implemented effectively in a developer-centric model, with fast on-boarding of under 30 days. Tech-savvy teams appreciate how Signal Sciences supports multiple deployment models and have made their solution available on AWS, Azure and Google Cloud marketplaces, and can be deployed as a virtual image on other IaaS platforms as well. This bodes well for helping to drive awareness with developers and to facilitate integrating Fastly’s solutions into their cloud architectures.
One challenge that Fastly will need to overcome is that they are still a new entrant in the crowded cloud security industry and as of today, they get a very small percentage of their overall revenue from their cloud security portfolio. The Signal Sciences acquisition will do little to help change that as Signal Sciences only brings 60 enterprise companies with the acquisition and had annual recurring revenue of $28 million as of June of this year. Signal Sciences will definitely help Fastly build out their cloud security product portfolio, but it will take time to do the integration once the deal is completed.
The entire deal between the two companies comes down to the idea of how important it is to apply application level security to edge computing deployments. And this idea doesn’t just relate to Fastly, but also to Cloudflare, Akamai and Amazon. To explain the idea in more detail, if you’re just running application logic like VCL or Akamai’s config language at the edge, your IP is still is still stored in centralized resources – the cloud, or the core. But if you move the entire application out to the edge, you then have to secure it at the edge. So if Fastly’s Compute@Edge product is going to be successful, it needs to have all the same security features a business would typically deploy at the core, at the edge. CDN security vendors like Fastly, Akamai, Cloudflare and others want to secure every one of their customer’s apps with a cloud WAF, but to date, these companies haven’t had an on-prem install. Getting that functionality is the main reason why Fastly is acquiring Signal Sciences, since the agent that was typically installed on-prem, now gets to run on Fastly’s Compute@Edge.
When it comes to competitors, unlike Fastly which is a cloud platform that offers a subscription-based service, Signal Sciences is an on-prem solution that monetizes via a licensing model. So from this perspective, Signal Sciences was much more of an F5 competitor versus other cloud providers in the market. Beyond licensing models, Akamai and F5 focus on enterprise customers while Cloudflare focuses on the SMB market. So Akamai, F5 and Fastly rarely see Cloudflare competing for the same deals in the market. While relatively new, the Signal Sciences web application firewall (WAF) should improve Fastly’s WAF capabilities, but it will have to be integrated into the platform to benefit from its CDN to compete with offerings from other providers. Compared to Akamai, Signal Sciences has a very small threat research team, which means that the security signals intelligence that other security providers use to differentiate their WAF rules will still take time to develop at Fastly.
Prior to the acquisition, Fastly offered security capabilities including DDoS mitigation and WAF, but relied on partnerships with Shape, DataDome and PerimeterX for bot management. From a product perspective, Signal Sciences’ bot management capabilities are very basic and do not compare to the more sophisticated offerings from Akamai, Imperva or F5. After the acquisition, Fastly still has some work to do to execute across both the sales and product fronts of the new combined offering. A key challenge to customers is that their security teams often aren’t able to keep up with the increasing number of complex applications they need to protect. This could present a challenge as the Signal Sciences solution requires developers to code rules to account for their business logic themselves. While the solution is easy to manage via self-service tuning, manually coding rules across potentially 100s of applications will prove challenging to scale and maintain. Also, unlike other security companies, Fastly does not currently offer a managed security service or managed SOC for businesses under frequent attack, so this is a gap they may have to close.
In the coming years, every cloud and CDN vendor will increasingly align themselves to the edge and edge computing, which is already confusing today as businesses struggle to understand how cloud, CDN and edge relate to one another and how security requirements fit into the equation. Not helping the process is the fact that vendors all use the terms “edge”, “edge compute”, and “programmable edge network” interchangeably, without much in the way of definitions, use cases, or verticals they are targeting. “Edge” is a location in a network; “edge compute” is a service. They are not the same thing. This will all become more complicated before it gets simpler and I plan to do a lot of blog posts over the next 12-months explaining how edge compute services work, what type of applications are taking advantage of them, and what benefits customers are seeing. But make no mistake, there is a lot hype around “edge compute” services and the market is still in the very, very early stages, with the overall industry still figuring it out.
Fastly’s intent to acquire Signal Sciences is a very logical and positive step for Fastly to take in order to improve their security offering and show that they are investing in more robust security technology. As with all cloud security acquisitions, the multiples are very high on these deals and Fastly valued Signal Sciences at $775 million, not far off from the $1 billion F5 paid for Shape. With their intent to spend that much money, Fastly has a lot of pressure now to grow their security revenue quickly in a market dominated by Akamai. How fast they can grow and whether or not they plan to break out their security revenue for Wall Street come next year, are unknown. One thing is certain; security will continue to be a major focus as attack events make headlines and businesses push additional infrastructure into the cloud. There is enough room for multiple vendors for varying cloud security solutions, but based on revenue, everyone is playing catchup to Akamai.