Next-Generation Web Application Firewall
Signal Sciences (Fastly) makes it easy to protect the web-layer assets that drive your business without dedicating headcount or additional resources. We provide the industry-leading NGWAF, which addresses the key problems of legacy WAFs:
Accuracy
False Positives
Coverage
Performance
Deploy Anywhere
Deploy Time
Cost
See more: https://info.signalsciences.com/hubfs/resources/signal-sciences-cloud-waf-datasheet.pdf
Features
- Default attack signals
- Default anomaly signals
- Default dashboards
- Custom response codes
- Custom signals
- Standard API & ATO signals
- Advanced Rate Limiting
- Edge Rate Limiting
- Deployment Types
Benefits
- Hosted Dashboard
- Threat intelligence
- API
- Control over data sharing
- DDoS mitigation
Pricing
£0 to £0 a unit a second
- Free trial available
Service documents
Request an accessible format
Framework
G-Cloud 13
Service ID
340645627041464
Contact
Fastly, Inc
Kate Stephens
Telephone: 07525 131016
Email: kstephens@fastly.com
Service scope
- Service constraints
- We employ continuous integration and deployment and therefore do not require scheduled maintenance windows or downtime. As a SaaS-based solution, there are no limitations around specific hardware configurations.
- System requirements
-
- Edge Deployment
- Cloud WAF
- Module-Agent Installation Process
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
-
Please note: Support availability and response times for the Fastly Next-Gen WAF (powered by Signal Sciences) vary depending on the type of account you have and the platform you have purchased.
For more reference, please visit: https://docs.fastly.com/products/fastly-next-gen-waf-support-description-and-sla
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- No
- Web chat support
- Yes, at an extra cost
- Web chat support availability
- 24 hours, 7 days a week
- Web chat support accessibility standard
- None or don’t know
- How the web chat support is accessible
- We use Slack to communicate with and support customers
- Web chat accessibility testing
- N/A
- Onsite support
- No
- Support levels
- Please see the following link for NGWAF Support: https://docs.fastly.com/products/fastly-next-gen-waf-support-description-and-sla
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
-
We support customers with implementation and set-up. We offer Signal Sciences 101 and 201 training classes.
Each class can be purchased individually. Each class is 4 hours long and consists of a lecture and a lab. The classes can be delivered remotely.
101 Class Content:
1) Product architecture and components
2) Deployment options
3) How we analyze incoming requests and block attacks
4) Product nomenclature
5) Administration/Monitoring via the UI and integration with 3rd party products
6) Review of our documentation and opening support tickets.
201 Class Content (Advanced):
1) Administering the product via the API
2) Advanced troubleshooting.
These items can be purchased ad hoc, or are included in a services package. We have a Professional Services (PS) offering which includes only the 101 class plus assistance from a PS consultant to guide the customer through initial deployment and configuration.
- Service documentation
- Yes
- Documentation formats
- HTML
- End-of-contract data extraction
-
Data is purged after 30 days; customer data will be purged 30 days after contract termination.
Please note: Signal Sciences does not utilize physical media.
- End-of-contract process
-
Prior to renewal (90 days +), Fastly will contact you to discuss your current security provisions and whether there are any revisions/additions/cancellations that need to take place for the coming contract period. Pricing, term of contract and solution components can be reviewed, negotiated and agreed during this pre-renewal period.
Pricing depends on what is selected and what is mutually agreed is required by the customer and by Fastly.
Using the service
- Web browser interface
- Yes
- Using the web interface
-
Fastly’s Next-Gen WAF is powered by the Signal Sciences console. It requires very little in the way of management. The Signal Sciences presentation layer is a web browser interface; the service can be accessed through any browser as well as through robust REST APIs.
It is primarily designed to be as self-service as possible, giving gov.uk full control over all configurations. Fastly can ensure that gov.uk’s services/domains are configured and customised rules are built. This should be a matter of configuration and requires very little ongoing maintenance.
Customers can self-manage the WAF via the API or through the easy-to-use UI console. Self-service customization options include, but are not limited to, the following:
Redaction Policy
Workspace and Corp (global) rule settings
Lists
Alerts
Integrations
For more information visit https://docs.signalsciences.net/using-signal-sciences/
- Web interface accessibility standard
- None or don’t know
- How the web interface is accessible
- Our Design teams use dedicated accessibility assessment tools (Accessibility Insights and Pa11y) to do automated checking of our interfaces' accessibility based on proper coding practices.
- Web interface accessibility testing
- Our Design teams use dedicated accessibility assessment tools (Accessibility Insights and Pa11y) to do automated checking of our interfaces' accessibility based on proper coding practices.
- API
- Yes
- What users can and can't do using the API
- For more information, please visit: https://docs.fastly.com/signalsciences/developer/using-our-api/
- API automation tools
- Other
- Other API automation tools
-
- Fully API driven
- Tool agnostic
- Terraform
- Ansible
- Puppet
- Chef
- Jenkins
- API documentation
- Yes
- API documentation formats
- Other
- Command line interface
- No
Scaling
- Scaling available
- Yes
- Scaling type
-
- Automatic
- Manual
- Independence of resources
- Redundancy is achieved through duplication of core infrastructure across multiple AWS availability zones and daily encrypted backups to a third site. See: https://aws.amazon.com/security/
- Usage notifications
- Yes
- Usage reporting
-
- SMS
- Other
Analytics
- Infrastructure or application metrics
- Yes
- Metrics types
- Network
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
- Reports on request
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
-
- United Kingdom
- European Economic Area (EEA)
- Other locations
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
-
- Physical access control, complying with another standard
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Backup and recovery
- Backup and recovery
- Yes
- What’s backed up
-
- All critical systems
- Logs for Scoped systems
- Backup controls
-
NGWAF collects and stores request metadata. We store and retain customer data that is sent to us and that is processed via the security components of NGWAF for up to thirty days.
The configuration of NGWAF is managed through the Dashboard GUI or API, which is enabled by the resilient infrastructure upon which the service is hosted. Additionally, infrastructure-as-code tools such as Terraform can be used. If you deploy the NGWAF directly onto your hosting environment via the traditional Module-Agent process, the backup of the hosting environment should be revised to include the Module and Agent components being used.
- Datacentre setup
- Multiple datacentres with disaster recovery
- Scheduling backups
- Supplier controls the whole backup schedule
- Backup recovery
- Users contact the support team
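The Backup controls answer above places the NGWAF configuration behind the Dashboard API and leaves the customer responsible for backing up anything they deploy themselves. A practical consequence is that the customer should also keep their own point-in-time export of the WAF configuration, so that a rule or list change can be reviewed, diffed and restored independently of the supplier's backups. The following is an added example written for this page, not Fastly's or Signal Sciences' own code. It exports a site's lists through the REST API in a canonical, diffable form and computes a digest for drift detection. The API base URL, the x-api-user / x-api-token header names, the /corps/{corp}/sites/{site}/lists path, the SIGSCI_EMAIL / SIGSCI_TOKEN environment variable names and the response field names are assumptions recalled from the public API documentation and should be checked against https://docs.fastly.com/signalsciences/developer/using-our-api/ before use; the sample response at the bottom is constructed.

```python
"""Point-in-time export of Next-Gen WAF site lists via the Signal Sciences REST API.

Added example, not Fastly's or Signal Sciences' own code. ASSUMPTIONS: the API
base URL, the x-api-user / x-api-token header names, the
/corps/{corp}/sites/{site}/lists path, the SIGSCI_EMAIL / SIGSCI_TOKEN
environment variable names and the field names in the sample response are
recalled from the public API documentation; verify them against
https://docs.fastly.com/signalsciences/developer/using-our-api/ first.
"""
import hashlib
import json
import os
import urllib.request
from typing import Any

API_BASE = "https://dashboard.signalsciences.net/api/v0"  # assumption, see above

# Server-side metadata that changes on every save but carries no configuration
# meaning; dropping it lets two exports of the same config compare byte-for-byte.
VOLATILE_FIELDS = {"created", "updated", "createdBy", "updatedBy"}


def build_request(corp: str, site: str, api_user: str, api_token: str) -> urllib.request.Request:
    """Authenticated GET for a site's lists. Credentials travel in headers,
    never in the query string, so they do not end up in proxy or access logs."""
    url = f"{API_BASE}/corps/{corp}/sites/{site}/lists"
    headers = {"x-api-user": api_user, "x-api-token": api_token, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def normalise_lists(payload: dict[str, Any]) -> list[dict[str, Any]]:
    """Canonical form of the response: volatile fields removed, entries sorted,
    lists ordered by id. The API's own ordering is not guaranteed, so sorting
    is what makes the export diffable."""
    out = []
    for item in payload.get("data", []):
        clean = {k: v for k, v in item.items() if k not in VOLATILE_FIELDS}
        if isinstance(clean.get("entries"), list):
            clean["entries"] = sorted(clean["entries"])
        out.append(clean)
    return sorted(out, key=lambda lst: lst.get("id", ""))


def canonical_json(lists: list[dict[str, Any]]) -> str:
    """Deterministic serialisation: sorted keys, fixed indent, trailing newline."""
    return json.dumps(lists, sort_keys=True, indent=2, ensure_ascii=False) + "\n"


def config_digest(lists: list[dict[str, Any]]) -> str:
    """SHA-256 over the canonical export. Store it with the file and compare on
    the next run: a changed digest with no matching change ticket is drift."""
    return hashlib.sha256(canonical_json(lists).encode("utf-8")).hexdigest()


def export_lists(corp: str, site: str, out_path: str) -> str:
    """Fetch, normalise and write the lists; returns the digest of what was written.
    This is the only function that touches the network."""
    req = build_request(corp, site, os.environ["SIGSCI_EMAIL"], os.environ["SIGSCI_TOKEN"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    lists = normalise_lists(payload)
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(canonical_json(lists))
    return config_digest(lists)


# Constructed sample response, shaped as the editor assumes the real one is.
SAMPLE_RESPONSE: dict[str, Any] = {
    "data": [
        {"id": "site.blocked-ips", "name": "blocked-ips", "type": "ip",
         "entries": ["203.0.113.10", "198.51.100.0/24"],
         "created": "2023-01-01T00:00:00Z", "createdBy": "alice@example.com"},
        {"id": "site.admin-paths", "name": "admin-paths", "type": "string",
         "entries": ["/admin", "/wp-login.php"],
         "created": "2023-01-02T00:00:00Z", "createdBy": "bob@example.com"},
    ]
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; export_lists() is the
    # network path for a real corp/site.
    lists = normalise_lists(SAMPLE_RESPONSE)
    print(canonical_json(lists))
    print("digest:", config_digest(lists))
```

Run the export from a scheduled job, commit the resulting file to version control and alert when the digest changes without a corresponding change record; the same normalise-then-hash pattern applies to the rules and alerts endpoints once the lists export is verified against the live API.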
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- Other
- Other protection within supplier network
- Data at rest is protected using AES-256 symmetric-key encryption.
Availability and resilience
- Guaranteed availability
- Please see the following link for NGWAF Support: https://docs.fastly.com/products/fastly-next-gen-waf-support-description-and-sla
- Approach to resilience
-
Redundancy is achieved through duplication of core infrastructure across multiple AWS availability zones and daily encrypted backups to a third site. See: https://aws.amazon.com/security/
Fastly performs disaster recovery testing of the recovery procedures for systems deemed critical on an annual basis.
- Outage reporting
- Fastly communicates status for the Next-Gen WAF at: https://status.signalsciences.net/
Identity and authentication
- User authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Access restrictions in management interfaces and support channels
-
Access to systems and data is granted in accordance with approved requests and the need to perform the requested functions. Privileged access is limited to a small group of appropriate individuals via role-based access controls. Privileged access is monitored and logged.
Signal Sciences employs Zero Trust authentication technologies and policies. Zero Trust authentication requires username and password, machine certificate, and two-factor authentication.
- Access restriction testing frequency
- At least once a year
- Management access authentication
-
- 2-factor authentication
- Public key authentication (including by TLS client certificate)
- Devices users manage the service through
- Directly from any device which may also be used for normal business (for example web browsing or viewing external email)
Audit information for users
- Access to user activity audit information
- Users have access to real-time audit information
- How long user audit data is stored for
- Between 6 months and 12 months
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Cyber essentials
- No
- Cyber essentials plus
- No
- Other security certifications
- Yes
- Any other security certifications
-
- SOC 2 Type 2 report
- HIPAA Type 1 report
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- Yes
- Security governance standards
- Other
- Other security governance standards
- Fastly maintains annual third-party assessments against SOC 2 criteria, HIPAA, and TrustArc's privacy program requirements for the NGWAF product.
- Information security policies and processes
-
Fastly's Information Security Policy is tied to our obligations to understand and protect information important to our organization and our customers, and covers the people, processes, and technology associated with meeting those obligations.
The policy includes, but is not limited to, the following themes: network design, production systems, access management, corporate data, endpoint protections, encryption, data protection and security incident response.
All security policies are available on the company wiki to all employees. Fastly personnel receive security and privacy awareness training as part of new hire training and then annually thereafter.
Security leadership reviews the information security policy at least annually. Please see our attached Information Security Policy.
Operational security
- Configuration and change management standard
- Supplier-defined controls
- Configuration and change management approach
- Fastly performs continuous integration, a philosophy central to DevOps. Fastly maintains documented policies for the change management process which includes authorizing, testing and documenting. All production changes are logged, deployed and communicated via the internal communication tool. Deployment tools are utilized to implement the approved changes into production.
- Vulnerability management type
- Supplier-defined controls
- Vulnerability management approach
-
Fastly has a vulnerability management program, which includes conducting a penetration test by a third party on an annual basis. All findings are resolved based on the severity of the finding in a timely manner. Vulnerability scanning happens at least once per quarter.
To maintain awareness of potential security vulnerabilities, Fastly monitors emerging security news, as well as reports submitted through our responsible disclosure process.
Priority of patch deployment is based on the vulnerabilities that the update resolves and the risk they pose to the environment. Critical updates addressing significant security risks are tested and applied immediately.
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Systems are configured to log security events. Security logs are sent to a centralized log management system to monitor, detect and automatically alert appropriate personnel of security incidents. Data is analyzed in real time and ad-hoc querying capabilities are available for investigative purposes. This process is tested as part of our annual external assessments.
- Incident management type
- Supplier-defined controls
- Incident management approach
- Fastly has an Incident Response Plan that includes Detection, Response, Mitigation, Recovery, Reporting, etc. Identified incidents are analyzed, classified and prioritized based on system impact to determine the appropriate containment strategy, including a determination of the appropriate response time frame and the determination and execution of the containment approach. Incidents are logged within a ticketing system, assigned a severity rating and tracked to resolution. This process is tested as part of our annual external assessments.
Secure development
- Approach to secure software development best practice
- Supplier-defined process
Separation between users
- Virtualisation technology used to keep applications and users sharing the same infrastructure apart
- Yes
- Who implements virtualisation
- Supplier
- Virtualisation technologies used
- Other
- Other virtualisation technology used
- Agent
- How shared infrastructure is kept separate
- Fastly maintains a multi-tenant environment and logically separates customer data through unique identifiers associated with customer accounts, users, and services. Customers are not able to access or modify other customers' services or data.
Energy efficiency
- Energy-efficient datacentres
- No
Social Value
- Fighting climate change
-
Fighting climate change
Fastly is committed to being a good custodian to our planet and people. We're currently evaluating our efforts in this area, and we'll be sharing more information on that in the future. In the meantime, we would love to hear any feedback around what's most important to you and your company regarding the vendors you work with and their sustainability programs. Let us know if you have any thoughts, and we'll be sure to share that with the appropriate teams and factor it into our ongoing work and analysis.
However, from an environmental perspective, Fastly is committed to cost-effective methods to improve energy efficiency and to minimize energy consumption. Fastly reviews Power Usage Effectiveness (PUE) with colocation providers during data center site negotiations to understand the overall efficiency of the location. We are considerate of energy usage through our points of presence (“POP”) designs; for instance, our POP designs do not require the use of big iron routers, chassis switches, or load balancers, thereby eliminating an entire tier of equipment. Large cache servers, rather than many cache servers, reduce inefficiency through reduction in shared components (fans, power supplies, etc). We over provision POPs to handle growth and load spikes, but in no cases are we excessive or wasteful. Further, Fastly complies with all applicable environmental laws and regulations in the jurisdictions in which we operate. Fastly also promotes energy-efficient conduct in its offices around the globe and supports recycling and composting of food waste in its offices.
Fastly's Code of Business Conduct and Ethics: https://www.fastly.com/code-of-business-conduct-and-ethics
- Covid-19 recovery
-
Covid-19 recovery
Fastly's business and technical operations are spread throughout the globe, and every Fastly employee has the tools and access required to do their work remotely, which many already do during normal operations. Therefore, the unavailability of any Fastly office location for any reason would have minimal, if any, impact on our critical business operations.
- Tackling economic inequality
-
Tackling economic inequality
At Fastly, we operate honestly, ethically and transparently. We are committed to operating our business in compliance with all applicable laws, and we neither do business where it is prohibited nor with prohibited persons. These principles are memorialized in our Code of Business Conduct and Ethics (the "Code of Conduct"). We have included a link below. In keeping with these principles, Fastly is opposed to, and will not tolerate in our supply chain, any and all forms of slavery, human trafficking, child labor, forced servitude, or indentured labor. We select and engage suppliers after thoughtful consideration of our and our stakeholders’ best interests, conduct due diligence, and engage pursuant to contracts that meet all legal requirements. We maintain documented policies for our engagement of vendors and provide training for members of our business involved with selecting and engaging suppliers. We recently published our Transparency Statement in connection with the U.K. Modern Slavery Act of 2015. We have provided a link below.
In addition, Fastly is an equal opportunity employer and we make our employment decisions based on performance, merit, qualifications, abilities, and the needs of our business. We have a zero-tolerance policy for discrimination or harassment, and are committed to providing a safe work environment for all. This means no discrimination against applicants or employees based on race, color, religion, national origin, gender identity or expression, gender, sex, sexual orientation, age, pregnancy, disability, veteran status, marital or family status, or any other classification protected by applicable law.
- Equal opportunity
-
Equal opportunity
Same response as given under "Tackling economic inequality" above.
- Wellbeing
-
Wellbeing
Same response as given under "Tackling economic inequality" above.
Pricing
- Price
- £0 to £0 a unit a second
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- In some circumstances, we may offer a trial period or proof of concept (POC) in which we partner with you to test the solution and to understand the level of security threats you may face. This is typically a 2-3 week period.