
Protect Your Data and Apps in the Public Cloud

Organizations continue to move their data and apps to the cloud and cybercriminals see this move as a huge opportunity. Both Amazon Web Services and Microsoft Azure provide basic security measures to protect infrastructure resources. But, did you know it’s the customer’s responsibility to secure their assets hosted in both environments? View this presentation and learn what security measures you should take to protect your data and apps hosted in AWS and Azure.


  1. © 2016 Imperva, Inc. All rights reserved. Protect Your Data and Apps in the Public Cloud. Lior Lukov, Sr. Product Manager, Application Security, Imperva; Narayan Makaram, Dir. Product Marketing, Application Security, Imperva
  2. AGENDA • Cloud Security Challenges • Imperva Cloud Security Solutions • Reference Architecture • Customer Case Study
  3. Speakers: Narayan Makaram, Dir., Product Marketing, Imperva; Lior Lukov, Sr. Product Manager, Imperva
  4. Web Application Attacks Cloud Security Challenges 1
  5. Cloud Brings New Advantages to Applications. IaaS Providers, On-premise Data Centers. Applications in Data Center / Applications in Cloud: Fixed capacity / Elastic capacity; Scale-up / Scale-out; Manual build and deploy / Automated build and deploy; Allocated costs / Metered cost; Limited HA and DR / HA and DR across data-centers/regions; Defense in depth / Perimeter Security
  6. Business Challenges. Business Impact: • Lost revenue associated with website downtime • Brand damage with bad publicity • Lost competitive advantage with sensitive data theft • Fines and regulatory actions with data breach. Attack vectors remain the same as applications and data migrate from on-premises data centers to the cloud. Cloud Infrastructure (IaaS), Data Center: DDoS attacks, Mobile attacks, Technical attacks, Business logic attacks
  7. Security – a Shared Responsibility in Cloud Infrastructure. AWS Article: Introduction to AWS Security, July 2015. Azure Blog Post: Cloud Security is a Shared Responsibility, June 2015. Customers are responsible for securing the customer applications and content hosted in any cloud infrastructure – AWS, Azure, and others
  8. Imperva Application Security Cloud Security Solutions 2
  9. Imperva Solutions for AWS and Azure. Imperva is laser focused on protecting business-critical applications and data, wherever they reside – in the cloud and on-premises • Protects applications and data hosted in AWS and Azure • Mitigates DDoS attacks through cloud-based Content Delivery Network • Protects administrative access to AWS/Azure management console
  10. Imperva SecureSphere - On AWS and Azure Cloud Infrastructure. Comprehensive application and database protection with enterprise-class on-premises solution that customers trust. In-depth Web Application Protection: SecureSphere WAF blocks technical attacks that exploit vulnerabilities in your applications and automated attacks that abuse business functionality. Dynamic Application Profiling: Automatically discovers application interfaces and adapts security controls to changes in applications to simplify on-going maintenance. Crowd-sourced Threat Intelligence: ThreatRadar services: Reputation, Bot Mitigation, Community Defense, Account Takeover. Arms the WAF with the latest security policies, signatures, and compliance reports crowd-sourced from Imperva customers and 3rd party providers. Protects Databases Hosted in the Cloud: Discovers and monitors all user activity in databases hosted in AWS (using SecureSphere gateways) and on Azure (using SecureSphere Agents). App Servers, DB Servers
  11. Imperva Incapsula – Cloud Based WAF. DDoS Mitigation, CDN, Load Balancing, WAF. All-in-one Website Security, DDoS and Bot Protection, and Load Balancing on a Global Content Delivery Network. Load Balancing: Cloud-based Layer 7 Load Balancing service optimizes traffic distributions based on its actual flow to each server. Global Content Delivery Network: Application-aware Content Delivery Network delivers full site acceleration, boosts website performance using advanced networking, dynamic caching, and content optimization techniques. Enterprise-Grade Website Security and WAF: Incapsula’s PCI-certified web application firewall, advanced bot detection, and access control technologies secure any website against known and emerging threats. Volumetric DDoS Attack and Bot Protection: Combining a robust network backbone of advanced traffic inspection solutions, Incapsula protects your cloud-based site against all types of DDoS attacks.
  12. Imperva Skyfence - Protect Management Console. Monitors high-risk activities executed through the AWS/Azure Management Console. Audits all administrator activity. Identifies security and compliance gaps. Enforces separation of duties between privileged users and security and compliance teams
  13. © 2015 Imperva, Inc. All rights reserved. Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. THE ONLY LEADER TWO CONSECUTIVE YEARS. Gartner Magic Quadrant for Web Application Firewalls
  14. Imperva Security Solutions Reference Architectures for AWS and Azure 3
  15. AWS: Imperva Deployment Architecture. SecureSphere, Incapsula, Skyfence. Administrators, Users, AWS Management Console, Availability Zone 1, Availability Zone 2, Scaling Group, CDN, DDoS, LB, WAF, WAF, Cloud Access Service Broker (CASB)
  16. SecureSphere WAF for Amazon AWS • Protects web applications hosted in AWS cloud with industry leading WAF • CloudFormation templates streamline WAF deployments on AWS • CloudWatch monitors WAF instances • Automates re-routing traffic to different availability zones. Availability Zone 1, Availability Zone 2, Scaling Group
  17. AWS: SecureSphere Deployment Architecture – WAF Only. AZ1, MX Management, AZ2, Users, ELB, ELB, Scaling Group, Scaling Group, Scaling Group, Web Servers, Web Servers, WAF gateway, WAF gateway, MX Management
  18. AWS: SecureSphere Deployment Architecture - WAF + DAM. AZ1, MX Management, MX Management, AZ2, WAF gateway, WAF gateway, Users, ELB, DAM gateway, DAM gateway, MX Management, MX Management, Scaling Group, ELB, DB Server, DB Server, Web Server, Web Server
  19. AWS: Hybrid Management for SecureSphere WAF. VPC, VPN, Customer Data Center. Use single MX deployment for both AWS and on-premises WAF management. WAF only (at this time). Either physical or virtual MX. Gateways, Gateways, MX Management
  20. SecureSphere for AWS Options (BYOL, On-Demand). Performance AV2500 AV1000 AVM150 Supported SecureSphere Products Web Application Firewall Database Activity Monitor Database Firewall Web Application Firewall MX Management Server HTTP Throughput Up to 500 Mbps Up to 100 Mbps Not Applicable Minimum Requirements for Each SecureSphere for AWS Instance Minimum AWS Instance Type M3 Extra Large M3 Large M3 Extra Large
  21. SecureSphere WAF for Microsoft Azure • Protects web applications hosted in Azure cloud with industry leading WAF • Azure Resource Manager streamlines WAF deployments on Azure • Azure Application Insights monitors WAF instances • Automates re-routing traffic to different Azure Regions. Web Servers, LB, LB, Azure Region 1, Azure Region 2, Availability Set, LB, Availability Set, Web Servers
  22. Azure: SecureSphere Deployment Architecture. SecureSphere WAFs, Virtual Network, Azure Region, External LB, Management Subnet, Gateway Subnet, LB, Apps Subnet, Availability Set, Availability Set, Web Servers, www.company.com, Public IP
  23. SecureSphere for Azure Options (BYOL only). Performance MV2500 MV1000 MVM150 Supported SecureSphere Products Web Application Firewall Web Application Firewall MX Management Server HTTP Throughput Up to 500 Mbps Up to 100 Mbps Not Applicable Minimum Requirements for Each SecureSphere for AWS Instance Minimum Azure Instance Types A3/D3 for HTTP only D3v2/D4 for HTTPS A2 for HTTP only A3 for HTTPS A3 Standard
  24. SecureSphere on Microsoft Azure Security Center
  25. Case Study: Online Gaming Company Moved all Gaming Apps to AWS. Requirements: • Protect Gaming application from technical (SQLi) and business logic attacks • Protect Registration page from malicious bots and other automated attacks • Be able to scale up quickly and handle peaks in traffic per request. Solution: • Originally sized @ 20 instances, eventually scaled to 120 during holidays • SecureSphere WAF deployed in front of all application instances in AWS • Additional redundancy provided by geographically distributed instances using AWS availability zones. Benefits: • Seamless Deployment – took just hours instead of weeks on physical data center • Operational Efficiency - AWS environment managed by 2 FTE, instead of 4+ in physical data center • No upfront costs – shift from Capital-Expenditure to Operational-Expenditure
  26. Questions?