What Security Requirements are Missing from your WAF? How to Uncover Hidden Security Gaps

What is a WAF?

A Well-Architected Framework (WAF) is designed to help you build secure, high-performing, resilient, and efficient infrastructure in the cloud. Note that throughout this article WAF means the Well-Architected Framework, not a web application firewall, which shares the acronym. My knowledge of the WAF is based on my experience with Amazon Web Services (AWS) and Microsoft Azure, so those will be the examples I use in this article.

What Is a “Pillar” in the Context of a Well-Architected Framework?

In cloud architecture, a pillar refers to a core focus area that supports the overall stability, efficiency, and effectiveness of a cloud workload. Each pillar represents a set of best practices and design principles that guide the development of secure, high-performing, resilient, and cost-effective solutions.

AWS WAF Pillars:

  • Operational Excellence – Monitor, manage, and improve continuously.
  • Security – Protect data, systems, and assets.
  • Reliability – Design for resiliency and recoverability.
  • Performance Efficiency – Ensure your workloads scale and perform well.
  • Cost Optimization – Maximize value and control spending.
  • Sustainability – Minimize the environmental impact of your cloud workloads.

Azure WAF Pillars:

  • Cost Optimization – Maximize value and control spending.
  • Operational Excellence – Monitor, manage, and improve continuously.
  • Performance Efficiency – Ensure your workloads scale and perform well.
  • Reliability – Design for resiliency and recoverability.
  • Security – Protect data, systems, and assets.

Now that we’ve explored what a Well-Architected Framework (WAF) is and listed the pillars of both AWS and Azure, let’s return to the key question: “What security requirements are missing from your WAF?” This isn’t a question you can answer off the cuff; it demands a thoughtful, layered approach. To get started, here are the two steps I recommend for identifying what may be missing:

1) Start With the Industry You Serve

Security is never one-size-fits-all. The industry your application supports directly influences the specific security controls and compliance frameworks you need to implement. Here are two example industries:

Healthcare Application

If you’re building or managing a healthcare app, you’re likely dealing with Protected Health Information (PHI). That brings the Health Insurance Portability and Accountability Act (HIPAA) into the spotlight. HIPAA mandates strict controls around:

  • Access control (who can view what)
  • Audit logging and monitoring
  • Encryption at rest and in transit
  • Breach notification procedures
  • Data retention and secure disposal

If your cloud provider or any other third party stores or processes PHI on your behalf, HIPAA requires a Business Associate Agreement (BAA) with them. The BAA makes that third party contractually accountable for protecting the PHI it handles on behalf of the covered entity.

Educational Application

Educational apps, on the other hand, may handle Personally Identifiable Information (PII) of students, educators, and guardians. The applicable laws and the controls they drive might include:

  • FERPA (Family Educational Rights and Privacy Act) in the U.S.
  • COPPA (Children’s Online Privacy Protection Act) if users under 13 are involved
  • Role-based access for teachers, admins, and students
  • Parental consent mechanisms
  • Audit trails for student activity

While these apps may not handle medical data, they still require strict privacy controls and careful user data management.

2) Revisit the Definition of the Security Pillar

Regardless of industry, the Security Pillar in both AWS and Azure rests on the same foundational principle: protect your data, systems, and assets. Let’s break that down:

Baseline Security Requirements (Common to All Apps)

  • Identity & Access Management (IAM): Strong policies, least privilege access, and multi-factor authentication (MFA)
  • Encryption: Secure data in transit and at rest
  • Threat Detection: Implement tools like Amazon GuardDuty or Microsoft Defender for Cloud
  • Vulnerability Management: Regular scans, patching, and secure development practices
  • Logging & Monitoring: Centralized, tamper-resistant logs with alerts for anomalies
  • Incident Response: A tested plan for detection, containment, and recovery
  • Secure Configuration: Hardened operating systems, container images, and cloud environments

These are your baseline defenses, whether you’re in healthcare, education, or any other sector. Think of them as your universal “security hygiene.”

When evaluating what’s missing in your WAF implementation, context is everything. You can’t protect what you haven’t defined. Start with your industry’s specific requirements, then align those needs with the Security Pillar’s core principles. Only then can you ensure your architecture isn’t just well-structured but also well-defended.
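To make the two-step method concrete, here is an added example (not code from the original article) that encodes the baseline Security Pillar controls, layers an industry overlay on top, and reports which requirements a workload cannot evidence. The control IDs, the workload descriptor format, the simplified HIPAA/FERPA/COPPA checks, and both sample workloads are constructed for illustration; none of this is an AWS or Azure API, and the checks are not a legal mapping of those regulations. The example also shows the classic gap-analysis mistake the article warns about, “you can’t protect what you haven’t defined”: missing evidence, or an empty list of data stores, is counted as a gap rather than a vacuous pass.

```python
"""Security Pillar gap analysis: baseline controls plus an industry overlay.

Added example, not code from the original article. Control IDs, descriptor
format and sample workloads are constructed; this is not a cloud provider API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Requirement:
    id: str
    description: str
    check: Callable[[dict], bool]  # returns True only on positive evidence


def declared_and_all(items: list, key: str) -> bool:
    # all() over an empty list is vacuously True; for a control that is a
    # gap, not a pass, so insist that at least one item was declared.
    return bool(items) and all(item.get(key) for item in items)


BASELINE: List[Requirement] = [
    Requirement("IAM-MFA", "MFA enforced for every human identity",
                lambda w: w["iam"]["mfa_enforced"] is True),
    Requirement("IAM-LP", "No workload role carries a wildcard action",
                lambda w: not any("*" in r["actions"] for r in w["iam"]["roles"])),
    Requirement("ENC-REST", "Every data store is encrypted at rest",
                lambda w: declared_and_all(w["storage"], "encrypted_at_rest")),
    Requirement("ENC-TRANSIT", "Every endpoint requires TLS",
                lambda w: declared_and_all(w["endpoints"], "tls_required")),
    Requirement("DETECT", "Managed threat detection is enabled",
                lambda w: w["threat_detection_enabled"] is True),
    Requirement("LOG", "Logs are centralized and tamper-resistant",
                lambda w: w["logging"]["centralized"] and w["logging"]["immutable"]),
    Requirement("IR", "Incident response plan exercised in the last 12 months",
                lambda w: w["ir_plan_tested_months_ago"] <= 12),
    Requirement("CFG-PUBLIC", "No data store is publicly reachable",
                lambda w: not any(s.get("public") for s in w["storage"])),
]

INDUSTRY: Dict[str, List[Requirement]] = {
    "healthcare": [
        Requirement("HIPAA-BAA", "BAA signed with every vendor that handles PHI",
                    lambda w: all(v["baa_signed"] for v in w["vendors"] if v["handles_phi"])),
        Requirement("HIPAA-AUDIT", "PHI access is audit-logged",
                    lambda w: w["logging"]["phi_access_audited"] is True),
        Requirement("HIPAA-RETAIN", "Retention and secure-disposal policy documented",
                    lambda w: w["retention_policy"] is True),
        Requirement("HIPAA-BREACH", "Breach notification procedure documented",
                    lambda w: w["breach_notification_procedure"] is True),
    ],
    "education": [
        Requirement("FERPA-RBAC", "Distinct roles for teachers, admins and students",
                    lambda w: {"teacher", "admin", "student"} <= set(w["iam"]["roles_defined"])),
        Requirement("FERPA-AUDIT", "Student record access is audit-logged",
                    lambda w: w["logging"]["student_record_access_audited"] is True),
        Requirement("COPPA-CONSENT", "Parental consent captured for users under 13",
                    lambda w: (not w["serves_under_13"]) or w["parental_consent_flow"] is True),
    ],
}


def requirements_for(industry: str) -> List[Requirement]:
    """Step 1 (industry overlay) stacked on step 2 (baseline pillar controls)."""
    return BASELINE + INDUSTRY.get(industry, [])


def find_gaps(workload: dict) -> List[str]:
    """Return the IDs of requirements the workload cannot evidence.

    A KeyError means the descriptor never recorded the evidence at all;
    that is treated as a gap, never as a pass.
    """
    gaps = []
    for req in requirements_for(workload["industry"]):
        try:
            satisfied = bool(req.check(workload))
        except KeyError:
            satisfied = False
        if not satisfied:
            gaps.append(req.id)
    return gaps


# Constructed sample descriptors, not real environments.
HEALTHCARE_APP = {
    "industry": "healthcare",
    "iam": {"mfa_enforced": True,
            "roles": [{"name": "api", "actions": ["s3:GetObject"]},
                      {"name": "ops", "actions": ["*"]}]},           # wildcard admin
    "storage": [{"name": "phi-records", "encrypted_at_rest": True, "public": False}],
    "endpoints": [{"name": "api", "tls_required": True}],
    "threat_detection_enabled": True,
    "logging": {"centralized": True, "immutable": False, "phi_access_audited": True},
    "ir_plan_tested_months_ago": 18,
    "vendors": [{"name": "billing-saas", "handles_phi": True, "baa_signed": False},
                {"name": "cdn", "handles_phi": False}],
    "retention_policy": True,
    "breach_notification_procedure": True,
}

EDUCATION_APP = {
    "industry": "education",
    "iam": {"mfa_enforced": False,
            "roles": [{"name": "web", "actions": ["storage:read"]}],
            "roles_defined": ["teacher", "admin", "student"]},
    "storage": [{"name": "gradebook", "encrypted_at_rest": True, "public": False}],
    "endpoints": [{"name": "web", "tls_required": True}],
    "threat_detection_enabled": False,
    "logging": {"centralized": True, "immutable": True},  # no student-access audit evidence
    "ir_plan_tested_months_ago": 3,
    "serves_under_13": True,
    "parental_consent_flow": True,
}

if __name__ == "__main__":
    for app in (HEALTHCARE_APP, EDUCATION_APP):
        print(app["industry"], "gaps:", find_gaps(app))
```

Run as a script it prints the gap list for each sample workload: the healthcare app fails on the wildcard ops role, mutable logs, a stale incident response exercise, and an unsigned BAA; the education app fails on MFA, threat detection, and the missing student-record audit trail. A descriptor that records nothing at all comes back with every requirement listed, which is the point: the checker only credits controls you have actually defined and evidenced.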


I’m Aqueelah

Cybersecurity isn’t just my profession, it’s a passion I share with the most important person in my life: my daughter. As I grow in this ever-evolving field, I see it through both a professional lens and a mother’s eyes, understanding the critical need to protect our digital spaces for future generations.

Read about my mission to combat job scams

Scammers are targeting job seekers with increasing sophistication. I developed a Zero Trust-based framework: Project TRUSThire and submitted it to NIST to help protect digital hiring. Learn what this means for cybersecurity and community safety.


Disclaimer:

“I bring my background in cybersecurity and motherhood to everything I share, offering insights grounded in real experience and professional expertise. The information provided is for general educational purposes only and is not a substitute for personalized legal, technical, or consulting advice.
AQ’s Corner LLC and its affiliates assume no liability for actions or decisions taken based on this content. Please evaluate your own circumstances and consult a qualified professional before making decisions related to cybersecurity, compliance, or digital safety.”