Protect Your Data and Apps in the Public Cloud Lior Lukov, Sr. Product Manager, Application Security, Imperva Narayan Makaram, Dir. Product Marketing, Application Security, Imperva

Page 1: Protect Your Data and Apps in the Public Cloud

© 2016 Imperva, Inc. All rights reserved.

Protect Your Data and Apps in the Public Cloud
Lior Lukov, Sr. Product Manager, Application Security, Imperva
Narayan Makaram, Dir. Product Marketing, Application Security, Imperva

Page 2: Protect Your Data and Apps in the Public Cloud

AGENDA

• Cloud Security Challenges
• Imperva Cloud Security Solutions
• Reference Architecture
• Customer Case Study

Page 3: Protect Your Data and Apps in the Public Cloud

Speakers

Narayan Makaram, Dir., Product Marketing, Imperva

Lior Lukov, Sr. Product Manager, Imperva

Page 4: Protect Your Data and Apps in the Public Cloud

1. Cloud Security Challenges

Web Application Attacks

Page 5: Protect Your Data and Apps in the Public Cloud

Cloud Brings New Advantages to Applications

Applications in Data Center (On-premise Data Centers) | Applications in Cloud (IaaS Providers)
Fixed capacity | Elastic capacity
Scale-up | Scale-out
Manual build and deploy | Automated build and deploy
Allocated costs | Metered cost
Limited HA and DR | HA and DR across data-centers/regions
Defense in depth | Perimeter Security

Page 6: Protect Your Data and Apps in the Public Cloud

Business Challenges

Business Impact:
• Lost revenue associated with website downtime
• Brand damage with bad publicity
• Lost competitive advantage with sensitive data theft
• Fines and regulatory actions with data breach

Attack vectors remain the same as applications and data migrate from on-premises data centers to the cloud

[Diagram labels: Cloud Infrastructure (IaaS); Data Center; DDoS attacks; Mobile attacks; Technical attacks; Business logic attacks]

Page 7: Protect Your Data and Apps in the Public Cloud

Security – a Shared Responsibility in Cloud Infrastructure

AWS Article: Introduction to AWS Security, July 2015
Azure Blog Post: Cloud Security is a Shared Responsibility, June 2015

Customers are responsible for securing the customer applications and content hosted in any cloud infrastructure – AWS, Azure, and others

Page 8: Protect Your Data and Apps in the Public Cloud

2. Cloud Security Solutions

Imperva Application Security

Page 9: Protect Your Data and Apps in the Public Cloud

Imperva Solutions for AWS and Azure

Imperva is laser focused on protecting business-critical applications and data, wherever they reside – in the cloud and on-premises

• Protects applications and data hosted in AWS and Azure
• Mitigates DDoS attacks through cloud-based Content Delivery Network
• Protects administrative access to AWS/Azure management console

Page 10: Protect Your Data and Apps in the Public Cloud

Imperva SecureSphere - On AWS and Azure Cloud Infrastructure

Comprehensive application and database protection with enterprise-class on-premises solution that customers trust

In-depth Web Application Protection
SecureSphere WAF blocks technical attacks that exploit vulnerabilities in your applications and automated attacks that abuse business functionality

Dynamic Application Profiling
Automatically discovers application interfaces and adapts security controls to changes in applications to simplify on-going maintenance

Crowd-sourced Threat Intelligence
ThreatRadar services: Reputation, Bot Mitigation, Community Defense, Account Takeover. Arms the WAF with the latest security policies, signatures, and compliance reports crowd-sourced from Imperva customers and 3rd party providers

Protects Databases Hosted in the Cloud
Discovers and monitors all user activity in databases hosted in AWS (using SecureSphere gateways) and on Azure (using SecureSphere Agents)

[Diagram labels: App Servers; DB Servers]

Page 11: Protect Your Data and Apps in the Public Cloud

Imperva Incapsula – Cloud Based WAF

[Diagram labels: DDoS Mitigation; CDN; Load Balancing; WAF]

All-in-one Website Security, DDoS and Bot Protection, and Load Balancing on a Global Content Delivery Network

Load Balancing
Cloud-based Layer 7 Load Balancing service optimizes traffic distributions based on its actual flow to each server.

Global Content Delivery Network
Application-aware Content Delivery Network delivers full site acceleration, boosts website performance using advanced networking, dynamic caching, and content optimization techniques.

Enterprise-Grade Website Security and WAF
Incapsula’s PCI-certified web application firewall, advanced bot detection, and access control technologies secure any website against known and emerging threats.

Volumetric DDoS Attack and Bot Protection
Combining a robust network backbone of advanced traffic inspection solutions, Incapsula protects your cloud-based site against all types of DDoS attacks.

Page 12: Protect Your Data and Apps in the Public Cloud

Imperva Skyfence - Protect Management Console

• Monitors high-risk activities executed through the AWS/Azure Management Console
• Audits all administrator activity. Identifies security and compliance gaps
• Enforces separation of duties between privileged users and security and compliance teams

Page 13: Protect Your Data and Apps in the Public Cloud

© 2015 Imperva, Inc. All rights reserved.

Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner Magic Quadrant for Web Application Firewalls

THE ONLY LEADER, TWO CONSECUTIVE YEARS

Page 14: Protect Your Data and Apps in the Public Cloud

3. Reference Architectures for AWS and Azure

Imperva Security Solutions

Page 15: Protect Your Data and Apps in the Public Cloud

AWS: Imperva Deployment Architecture
SecureSphere, Incapsula, Skyfence

[Diagram labels: Administrators; Users; AWS Management Console; Availability Zone 1; Availability Zone 2; Scaling Group; CDN, DDoS, LB, WAF; WAF; Cloud Access Service Broker (CASB)]

Page 16: Protect Your Data and Apps in the Public Cloud

SecureSphere WAF for Amazon AWS

• Protects web applications hosted in AWS cloud with industry leading WAF
• CloudFormation templates streamline WAF deployments on AWS
• CloudWatch monitors WAF instances
• Automates re-routing traffic to different availability zones

[Diagram labels: Availability Zone 1; Availability Zone 2; Scaling Group]

Page 17: Protect Your Data and Apps in the Public Cloud

AWS: SecureSphere Deployment Architecture – WAF Only

[Diagram labels: Users; AZ1; AZ2; ELB; Scaling Group; WAF gateway; Web Servers; MX Management]

Page 18: Protect Your Data and Apps in the Public Cloud

AWS: SecureSphere Deployment Architecture - WAF + DAM

[Diagram labels: Users; AZ1; AZ2; ELB; Scaling Group; WAF gateway; DAM gateway; Web Server; DB Server; MX Management]

Page 19: Protect Your Data and Apps in the Public Cloud

AWS: Hybrid Management for SecureSphere WAF

• Use single MX deployment for both AWS and on-premises WAF management
• WAF only (at this time)
• Either physical or virtual MX

[Diagram labels: VPC; VPN; Customer Data Center; Gateways; MX Management]

Page 20: Protect Your Data and Apps in the Public Cloud

SecureSphere for AWS Options (BYOL, On-Demand)

Performance | AV2500 | AV1000 | AVM150
Supported SecureSphere Products | Web Application Firewall, Database Activity Monitor, Database Firewall | Web Application Firewall | MX Management Server
HTTP Throughput | Up to 500 Mbps | Up to 100 Mbps | Not Applicable

Minimum Requirements for Each SecureSphere for AWS Instance
Minimum AWS Instance Type | M3 Extra Large | M3 Large | M3 Extra Large

Page 21: Protect Your Data and Apps in the Public Cloud

SecureSphere WAF for Microsoft Azure

• Protects web applications hosted in Azure cloud with industry leading WAF
• Azure Resource Manager streamlines WAF deployments on Azure
• Azure Application Insights monitors WAF instances
• Automates re-routing traffic to different Azure Regions

[Diagram labels: Azure Region 1; Azure Region 2; LB; Availability Set; Web Servers]

Page 22: Protect Your Data and Apps in the Public Cloud

Azure: SecureSphere Deployment Architecture

[Diagram labels: Azure Region; Virtual Network; Public IP; External LB; Management Subnet; Gateway Subnet; SecureSphere WAFs; LB; Apps Subnet; Availability Set; Web Servers; www.company.com]

Page 23: Protect Your Data and Apps in the Public Cloud

SecureSphere for Azure Options (BYOL only)

Performance | MV2500 | MV1000 | MVM150
Supported SecureSphere Products | Web Application Firewall | Web Application Firewall | MX Management Server
HTTP Throughput | Up to 500 Mbps | Up to 100 Mbps | Not Applicable

Minimum Requirements for Each SecureSphere for AWS Instance
Minimum Azure Instance Types | A3/D3 for HTTP only, D3v2/D4 for HTTPS | A2 for HTTP only, A3 for HTTPS | A3 Standard

Page 24: Protect Your Data and Apps in the Public Cloud

SecureSphere on Microsoft Azure Security Center

Page 25: Protect Your Data and Apps in the Public Cloud

Case Study: Online Gaming Company
Moved all Gaming Apps to AWS

Requirements:
• Protect Gaming application from technical (SQLi) and business logic attacks
• Protect Registration page from malicious bots and other automated attacks
• Be able to scale up quickly and handle peaks in traffic per request

Solution:
• Originally sized at 20 instances, eventually scaled to 120 during holidays
• SecureSphere WAF deployed in front of all application instances in AWS
• Additional redundancy provided by geographically distributed instances using AWS availability zones

Benefits:
• Seamless Deployment – took just hours instead of weeks on physical data center
• Operational Efficiency – AWS environment managed by 2 FTE, instead of 4+ in physical data center
• No upfront costs – shift from Capital-Expenditure to Operational-Expenditure

Page 26: Protect Your Data and Apps in the Public Cloud

Questions?

Page 27: Protect Your Data and Apps in the Public Cloud