Advanced Security Defense Techniques and Practices for Cloud Application Services

周达伟, Technical Director, Greater China, Imperva

September 2016 (published 2016-09-19)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

© 2015 Imperva, Inc. All rights reserved.

Agenda

• Security and management requirements of cloud application services
• The relationship between security incidents and cloud application service architecture
• Deployment practices for security controls on cloud application services
• A security solution with end-to-end coverage

Imperva cloud service security solutions

Part 1: Security and management requirements of cloud application services

Key characteristics of cloud computing

Massive scale, virtualization, high reliability, general-purpose use, high scalability

Data in the cloud: no fear of loss, no need for backups, recovery from any point in time.

Software in the cloud: no downloads, automatic upgrades.

Ubiquitous computing: computing services are available after logging in at any time, from any place, on any device.

Unlimited computing power: unlimited space, unlimited speed.

The scale of the cloud can grow and shrink dynamically, but its boundary is blurred; the cloud drifts in the air and its exact location cannot (and need not) be determined, yet it certainly exists somewhere.

Security incidents in cloud application services

• Cloud services have fallen victim to security vulnerabilities
  – Gmail and contact lists, Yahoo mail – XSS and JavaScript hijacking
  – Apple – iCloud data breach
  – Google Apps – Application signature vulnerability
  – Twitter – A hacker obtained and distributed more than 300 confidential documents pertaining to Twitter's business affairs that were stored on Google Apps.
• Virtualization is both its strength and its weakness – it makes pro-active security difficult

Security considerations when moving to the cloud

What is the key difference?

Cloud = out-of-band service?

• Key difference: one organization's data, and the processing of that data, shares infrastructure with another organization's data.
• Impact: cloud providers must ensure that the cloud application separates tenants properly at the application level.
• Example: Network solutions breach events

Five key security considerations

Cloud management, data location, private data, security measures, compliance

Application services in the cloud: it is still about the data

[Diagram: access paths to application data. Browser / thin client via a 3-tier app, DBA / thick client via a 2-tier app, and MS Office knowledge workers and portals via an application interface, all reaching SQL data and file access.]

How to protect important data

[Diagram: users access business applications, which hold structured application data in the data center; alongside it sits unstructured data.]

Structured data vs. unstructured data: file servers contain business documents, intellectual property such as source code and software, and financial spreadsheets.

Imperva cloud service security solutions

Part 2: The relationship between security incidents and cloud application service architecture

Migrating from the traditional data center to the cloud

[Diagram: from the traditional data center, customer-facing applications are moving to IaaS or PaaS providers, while employee-facing applications are SaaS and cloud apps.]

Data services migrated to the cloud – IaaS

[Diagram, three stages. Stage 1: the enterprise keeps Data, WAF, App Server and DAM on premises, and the same stack (Data, WAF, App Server, DAM) is replicated in the AWS Cloud. Stage 2: the enterprise retains Data, WAF, App Server and DAM, while AWS hosts additional App Servers each fronted by a WAF. Stage 3: the on-premises Data, WAF, App Server and DAM remain, with a WAF also deployed in the AWS Cloud.]

Data services migrated to the cloud – SaaS

[Diagram: the enterprise keeps Data, WAF, App Server and DAM on premises; SalesForce / Office365 / ServiceNow run as multi-tenant apps holding enterprise data, accessed through a CASB.]

Future direction: security management as data moves to the cloud

[Diagram: Enterprise (Data, WAF, App Server, DAM), AWS Cloud (Data, WAF, App Server, DAM) and SaaS (SalesForce / Office365 / ServiceNow multi-tenant apps and their data, behind a WAF and a CASB) are all governed from a single Security Management layer.]

Imperva cloud service security solutions

Part 3: Deployment practices for security controls on cloud application services

Advanced security solutions for cloud application services

[Diagram: from the traditional data center, customer-facing applications are moving to IaaS or PaaS providers, while employee-facing applications are SaaS and cloud apps.]

Monitoring and preventing leakage of core sensitive data

[Diagram labels: MONITOR (Visibility); LEARN AND DETECT (Analysis, Machine Learning); BLOCK / QUARANTINE (Contain and Investigate, Verification, Deception).]

Gartner 2016 Magic Quadrant for the WAF market

• The first WAF product in the industry
• Imperva is the only Leader in the WAF quadrant
• Three consecutive years: 2014, 2015 and 2016

Techniques for protecting web applications

• Correlated Attack Validation
• Virtual Patching
• DDoS Protection
• Dynamic Profiling
• Attack Signatures
• Protocol Validation
• Cookie Protection
• Fraud Connectors
• IP Geolocation
• IP Reputation
• Anti-Scraping Policies
• Bot Mitigation Policies
• Account Takeover Protection

Threat categories covered: technical attacks and vulnerability exploitation; business logic attacks and others.

WAF deployment scenarios

[Diagram: On-Premises WAF (WAF in front of the web servers in the data center); WAF for AWS (WAF in front of the web servers inside AWS); Cloud WAF (web servers protected by the cloud WAF service).]

Control and visibility for cloud application services: CASB

[Diagram: corporate employees, mobile workers and hackers on one side; cloud applications (5000+ apps) on the other; the CASB sits between them as Cloud Audit & Protection (proxy-based) and Cloud Discovery & Governance (API-based).]

Capabilities shown:

• Detect anomalies & prevent account takeover attacks
• Discover "Shadow IT" apps & assess risk
• Identify admins and inactive, external, & orphaned users
• Enforce risk-based MFA
• Basic view of cloud activity logs
• Control sensitive data with DLP policies
• Prevent data proliferation to unmanaged devices
• Centrally assess data and security configuration settings
• SIEM enablement
• Real-time, comprehensive activity monitoring

Skyfence solution deployment and practice

[Diagram: three integration paths. OFFLINE via Cloud APIs (Cloud API); INLINE/PROXY via SSO integration (agentless) with an Identity Provider such as ADFS, Ping, Okta, Centrify …; and endpoint agents & profiles. All paths terminate at the cloud apps.]

Imperva cloud service security solutions

Part 4: Imperva's complete information and application security solution

Imperva security solutions for cloud application services

Imperva is laser focused on protecting business-critical applications and data, wherever they reside – in the cloud and on-premises

• Protect applications and data in AWS
• Mitigate network- and application-layer DDoS attacks through cloud-based content delivery
• Secure the AWS Management Console

AWS: Imperva deployment architecture: SecureSphere, Incapsula, Skyfence

[Diagram: Administrators reach the AWS Management Console through the Cloud Access Security Broker (CASB, Skyfence). Users reach the application through CDN, DDoS protection, load balancing and WAF (Incapsula), then through the SecureSphere WAF running in a Scaling Group across Availability Zone 1 and Availability Zone 2.]

SecureSphere WAF on Amazon AWS

• Protects web applications hosted in the AWS cloud with an industry-leading WAF
• CloudFormation templates streamline WAF deployments on AWS
• CloudWatch monitors WAF instances
• Automates re-routing of traffic to different Availability Zones

[Diagram: WAF instances in a Scaling Group spanning Availability Zone 1 and Availability Zone 2.]

AWS: SecureSphere WAF deployment architecture

[Diagram: Users reach an ELB in front of a WAF gateway Scaling Group, which in turn forwards to a second ELB in front of a Web Servers Scaling Group. Both tiers span AZ1 and AZ2, and an MX Management server is present in each AZ.]

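The two slides above describe the pattern (CloudFormation templates, CloudWatch monitoring, WAF gateways in a scaling group across two Availability Zones behind an ELB) without showing a template. The following CloudFormation fragment is an added example written for this page; it is not Imperva's template and the deck does not show theirs. It assumes a placeholder gateway AMI id, two pre-existing public subnets in different Availability Zones, TLS passed through the ELB so the gateway terminates it on port 443, and a CPU-based scale-out threshold; the MX management servers and the web-server tier behind the gateways are left out.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Illustrative two-AZ WAF gateway tier (example written for this page, not a
  vendor template). One Auto Scaling group spans two subnets in different
  Availability Zones behind a classic ELB; a CloudWatch alarm adds gateways
  under load, and an ELB health check lets traffic fail over between AZs.

Parameters:
  WafGatewayAmi:
    Type: AWS::EC2::Image::Id
    Description: Placeholder, supply the WAF gateway AMI id for your region.
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetAz1:
    Type: AWS::EC2::Subnet::Id
    Description: Placeholder, a public subnet in Availability Zone 1.
  SubnetAz2:
    Type: AWS::EC2::Subnet::Id
    Description: Placeholder, a public subnet in Availability Zone 2.

Resources:
  # Internet-facing side: only 443 is exposed.
  ElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing listener for the WAF tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}

  # Gateways accept traffic from the load balancer only, not from the Internet.
  GatewaySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from the load balancer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref ElbSecurityGroup

  # Classic ELB across both AZs; TCP listener passes TLS through to the gateway.
  GatewayLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: [!Ref SubnetAz1, !Ref SubnetAz2]
      SecurityGroups: [!Ref ElbSecurityGroup]
      CrossZone: true
      Listeners:
        - {LoadBalancerPort: '443', InstancePort: '443', Protocol: TCP}
      HealthCheck:
        Target: TCP:443
        Interval: '30'
        Timeout: '5'
        HealthyThreshold: '3'
        UnhealthyThreshold: '2'

  GatewayLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref WafGatewayAmi
      InstanceType: c4.large
      SecurityGroups: [!Ref GatewaySecurityGroup]

  # Scaling group spans both subnets, so a failed AZ is drained by the ELB
  # health check and replacement capacity comes up in the surviving AZ.
  GatewayScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: [!Ref SubnetAz1, !Ref SubnetAz2]
      LaunchConfigurationName: !Ref GatewayLaunchConfig
      MinSize: '2'
      MaxSize: '12'
      LoadBalancerNames: [!Ref GatewayLoadBalancer]
      HealthCheckType: ELB
      HealthCheckGracePeriod: 300

  ScaleOutPolicy:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref GatewayScalingGroup
      AdjustmentType: ChangeInCapacity
      ScalingAdjustment: 2
      Cooldown: '300'

  # CloudWatch watches the group's average CPU and triggers the scale-out policy.
  HighCpuAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Add WAF gateways when average CPU stays above 70 percent
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Statistic: Average
      Period: 300
      EvaluationPeriods: 2
      Threshold: 70
      ComparisonOperator: GreaterThanThreshold
      Dimensions:
        - {Name: AutoScalingGroupName, Value: !Ref GatewayScalingGroup}
      AlarmActions: [!Ref ScaleOutPolicy]
```

The design choice worth noting is the pairing of `HealthCheckType: ELB` with a group that spans both subnets: an instance the load balancer marks unhealthy is terminated and replaced, and because `MinSize` is two, the group keeps at least one gateway per AZ in normal operation. The gateway security group references the ELB security group rather than an IP range, so the gateways are never directly reachable from the Internet even if someone learns their addresses.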

AWS: SecureSphere WAF + DAM deployment architecture

[Diagram: Users reach an ELB in front of WAF gateways, which forward through a second ELB to Web Servers in a Scaling Group; the Web Servers talk to DB Servers that are monitored by DAM gateways. Each tier is duplicated across AZ1 and AZ2, and MX Management servers are present in both AZs.]

Centralized security management for cloud and data center

[Diagram: the AWS VPC is connected to the Customer Data Center over a VPN; gateways on both sides report to one MX Management server.]

• Use a single MX deployment for both AWS and on-premises WAF management (WAF only at this time)
• Either a physical or a virtual MX

Customer case: online gaming service migrating its game application services to the AWS cloud

Requirements:
• Protect the gaming application from technical (SQLi) and business logic attacks
• Protect the registration page from malicious bots and other automated attacks
• Be able to scale up quickly and handle peaks in traffic per request

Solution:
• Originally sized at 20 instances, eventually scaled to 120 during holidays
• SecureSphere WAF deployed in front of all application instances in AWS
• Additional redundancy provided by geographically distributed instances using AWS Availability Zones

Benefits:
• Seamless deployment – took just hours instead of weeks in a physical data center
• Operational efficiency – AWS environment managed by 2 FTE, instead of 4+ in a physical data center
• No upfront costs – shift from capital expenditure to operational expenditure

Imperva products

Products that cover both Protect and Comply:

• SecureSphere: WAF, WAF ThreatRadar, Database Firewall, Database Activity Monitor, Database Assessment Server, SecureSphere for Big Data, File Firewall, File Activity Monitor
• Incapsula: Website Security, Website Protection, Infrastructure Protection, Name Server Protection, Back Door Detection
• Skyfence: Cloud Discovery, Cloud Analytics, Cloud Protection, Cloud Governance
• Also listed (including partner offerings): User Rights Management, User Rights Management for File, Data Loss Prevention, Data Masking, Vulnerability Assessment

Questions?