© 2016 Imperva, Inc. All rights reserved.
Protect Your Data and Apps in the Public Cloud
Lior Lukov, Sr. Product Manager, Application Security, Imperva
Narayan Makaram, Dir. Product Marketing, Application Security, Imperva
AGENDA
• Cloud Security Challenges
• Imperva Cloud Security Solutions
• Reference Architecture
• Customer Case Study
Speakers
Narayan Makaram, Dir., Product Marketing, Imperva
Lior Lukov, Sr. Product Manager, Imperva
Web Application Attacks
1. Cloud Security Challenges
Cloud Brings New Advantages to Applications
[Diagram labels: On-premise Data Centers; IaaS Providers]
Applications in Data Center | Applications in Cloud
Fixed capacity | Elastic capacity
Scale-up | Scale-out
Manual build and deploy | Automated build and deploy
Allocated costs | Metered cost
Limited HA and DR | HA and DR across data-centers/regions
Defense in depth | Perimeter Security
Business Challenges
Business Impact:
• Lost revenue associated with website downtime
• Brand damage with bad publicity
• Lost competitive advantage with sensitive data theft
• Fines and regulatory actions with data breach
Attack vectors remain the same as applications and data migrate from on-premises data centers to the cloud
[Diagram labels: Data Center; Cloud Infrastructure (IaaS); DDoS attacks; Mobile attacks; Technical attacks; Business logic attacks]
Security – a Shared Responsibility in Cloud Infrastructure
AWS Article: Introduction to AWS Security, July 2015
Azure Blog Post: Cloud Security is a Shared Responsibility, June 2015
Customers are responsible for securing the customer applications and content hosted in any cloud infrastructure – AWS, Azure, and others
Imperva Application Security
2. Cloud Security Solutions
Imperva Solutions for AWS and Azure
Imperva is laser focused on protecting business-critical applications and data, wherever they reside – in the cloud and on-premises
• Protects applications and data hosted in AWS and Azure
• Mitigates DDoS attacks through cloud-based Content Delivery Network
• Protects administrative access to AWS/Azure management console
Imperva SecureSphere - On AWS and Azure Cloud Infrastructure
Comprehensive application and database protection with enterprise-class on-premises solution that customers trust
• In-depth Web Application Protection: SecureSphere WAF blocks technical attacks that exploit vulnerabilities in your applications and automated attacks that abuse business functionality.
• Dynamic Application Profiling: Automatically discovers application interfaces and adapts security controls to changes in applications to simplify on-going maintenance.
• Crowd-sourced Threat Intelligence: ThreatRadar services: Reputation, Bot Mitigation, Community Defense, Account Takeover. Arms the WAF with the latest security policies, signatures, and compliance reports crowd-sourced from Imperva customers and 3rd party providers.
• Protects Databases Hosted in the Cloud: Discovers and monitors all user activity in databases hosted in AWS (using SecureSphere gateways) and on Azure (using SecureSphere Agents).
[Diagram labels: App Servers; DB Servers]
Imperva Incapsula – Cloud Based WAF
[Diagram labels: DDoS Mitigation; CDN; Load Balancing; WAF]
All-in-one Website Security, DDoS and Bot Protection, and Load Balancing on a Global Content Delivery Network
• Load Balancing: Cloud-based Layer 7 Load Balancing service optimizes traffic distribution based on its actual flow to each server.
• Global Content Delivery Network: Application-aware Content Delivery Network delivers full site acceleration and boosts website performance using advanced networking, dynamic caching, and content optimization techniques.
• Enterprise-Grade Website Security and WAF: Incapsula's PCI-certified web application firewall, advanced bot detection, and access control technologies secure any website against known and emerging threats.
• Volumetric DDoS Attack and Bot Protection: Combining a robust network backbone of advanced traffic inspection solutions, Incapsula protects your cloud-based site against all types of DDoS attacks.
Imperva Skyfence - Protect Management Console
Monitors high-risk activities executed through the AWS/Azure Management Console
[Diagram label: Management Console]
Audits all administrator activity. Identifies security and compliance gaps
Enforces separation of duties between privileged users and security and compliance teams
Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
THE ONLY LEADER
TWO CONSECUTIVE YEARS
Gartner Magic Quadrant for Web Application Firewalls
Imperva Security Solutions
3. Reference Architectures for AWS and Azure
AWS: Imperva Deployment Architecture
SecureSphere, Incapsula, Skyfence
[Diagram labels: Administrators; Users; AWS Management Console; Availability Zone 1; Availability Zone 2; Scaling Group; CDN, DDoS, LB, WAF; WAF; Cloud Access Service Broker (CASB)]
SecureSphere WAF for Amazon AWS
• Protects web applications hosted in AWS cloud with industry leading WAF
• CloudFormation templates streamline WAF deployments on AWS
• CloudWatch monitors WAF instances
• Automates re-routing traffic to different availability zones
[Diagram labels: Availability Zone 1; Availability Zone 2; Scaling Group]
AWS: SecureSphere Deployment Architecture – WAF Only
[Diagram labels: Users; ELB; AZ1; AZ2; Scaling Group; WAF gateway; Web Servers; MX Management]
AWS: SecureSphere Deployment Architecture - WAF + DAM
[Diagram labels: Users; ELB; AZ1; AZ2; Scaling Group; WAF gateway; DAM gateway; Web Server; DB Server; MX Management]
AWS: Hybrid Management for SecureSphere WAF
• Use single MX deployment for both AWS and on-premises WAF management
• WAF only (at this time)
• Either physical or virtual MX
[Diagram labels: VPC; VPN; Customer Data Center; Gateways; MX Management]
SecureSphere for AWS Options (BYOL, On-Demand)
Performance | AV2500 | AV1000 | AVM150
Supported SecureSphere Products | Web Application Firewall, Database Activity Monitor, Database Firewall | Web Application Firewall | MX Management Server
HTTP Throughput | Up to 500 Mbps | Up to 100 Mbps | Not Applicable
Minimum Requirements for Each SecureSphere for AWS Instance
Minimum AWS Instance Type | M3 Extra Large | M3 Large | M3 Extra Large
SecureSphere WAF for Microsoft Azure
• Protects web applications hosted in Azure cloud with industry leading WAF
• Azure Resource Manager streamlines WAF deployments on Azure
• Azure Application Insights monitors WAF instances
• Automates re-routing traffic to different Azure Regions
[Diagram labels: Azure Region 1; Azure Region 2; LB; Availability Set; Web Servers]
Azure: SecureSphere Deployment Architecture
[Diagram labels: Public IP; www.company.com; Azure Region; Virtual Network; External LB; Management Subnet; Gateway Subnet; SecureSphere WAFs; LB; Apps Subnet; Availability Set; Web Servers]
SecureSphere for Azure Options (BYOL only)
Performance | MV2500 | MV1000 | MVM150
Supported SecureSphere Products | Web Application Firewall | Web Application Firewall | MX Management Server
HTTP Throughput | Up to 500 Mbps | Up to 100 Mbps | Not Applicable
Minimum Requirements for Each SecureSphere for AWS Instance
Minimum Azure Instance Types | A3/D3 for HTTP only, D3v2/D4 for HTTPS | A2 for HTTP only, A3 for HTTPS | A3 Standard
SecureSphere on Microsoft Azure Security Center
Case Study: Online Gaming Company
Moved all Gaming Apps to AWS
Requirements:
• Protect Gaming application from technical (SQLi) and business logic attacks
• Protect Registration page from malicious bots and other automated attacks
• Be able to scale up quickly and handle peaks in traffic per request

Solution:
• Originally sized @ 20 instances, eventually scaled to 120 during holidays
• SecureSphere WAF deployed in front of all application instances in AWS
• Additional redundancy provided by geographically distributed instances using AWS availability zones

Benefits:
• Seamless Deployment – took just hours instead of weeks on physical data center
• Operational Efficiency – AWS environment managed by 2 FTE, instead of 4+ in physical data center
• No upfront costs – shift from Capital-Expenditure to Operational-Expenditure
Questions?