© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
周达伟, Technical Director, Imperva Greater China
September 2016
Advanced Security Defense Techniques and Practices for Cloud Application Services
© 2015 Imperva, Inc. All rights reserved.
Agenda
• Information security and management requirements of cloud application services
• The relationship between security incidents and cloud application service architecture
• Deployment practices for security control of cloud application services
• Security solutions with comprehensive coverage
Key characteristics of cloud computing
Massive scale, virtualization, high reliability, general-purpose use, high scalability
Data in the cloud: no fear of loss, no need for backups, recovery to any point in time.
Software in the cloud: no downloads, automatic upgrades.
Ubiquitous computing: once logged in, computing services are available at any time, from any place, on any device.
Unlimited computing power: unlimited space, unlimited speed.
The scale of the cloud can stretch dynamically, but its boundary is blurred; the cloud drifts in the sky, its exact location can neither be determined nor needs to be, yet it certainly exists somewhere.
Security incidents in cloud application services
• Cloud services have fallen victim to security vulnerabilities
– Gmail and contact lists, Yahoo mail – XSS and JavaScript hijacking
– Apple – iCloud data breach
– Google Apps – Application signature vulnerability
– Twitter – A hacker obtained and distributed more than 300 confidential documents pertaining to Twitter's business affairs that were stored on Google Apps.
• Virtualization is its strength and weakness
– Makes proactive security difficult
What is the key difference?
Cloud = out-of-band service?
• Key difference: one organization's data, and the processing of that data, is shared with another organization's data.
• Impact: cloud providers ensure that the cloud application separates tenants properly at the application level
• Example: the Network Solutions breach incidents
What application services in the cloud contain – it is still data
[Diagram: users (browser, thin client, thick client, DBA, MS Office knowledge workers, portals) reach SQL data and file data through application interfaces (2-tier and 3-tier apps)]
How to protect important data
[Diagram: users → business applications → data center holding structured application data and unstructured data; file servers contain business documents, intellectual property such as source code and software, and financial spreadsheets]
Migrating from the traditional data center to the cloud
[Diagram: traditional data center; customer-facing applications moving to IaaS or PaaS providers; employee-facing applications are SaaS and cloud apps]
Data services migrated to the cloud – IaaS
[Diagram, built up over three slides: the enterprise data center (app server, WAF, data server, DAM) mirrored in the AWS Cloud (app server, WAF, data server, DAM); a WAF gateway is placed in front of each app server and DAM in front of the data server]
Data services migrated to the cloud – SaaS
[Diagram: the enterprise data center (app server, WAF, data server, DAM) alongside SaaS multi-tenant apps (SalesForce / Office365 / ServiceNow) and their data, accessed through a CASB]
Future direction – security management as data moves to the cloud
[Diagram: the enterprise data center (app server, WAF, data server, DAM), the AWS Cloud (app server, WAF, data server, DAM) and SaaS multi-tenant apps (SalesForce / Office365 / ServiceNow) protected by WAF and CASB, all under a single security management layer]
Advanced security solutions for cloud application services
[Diagram: traditional data center; customer-facing applications moving to IaaS or PaaS providers; employee-facing applications are SaaS and cloud apps]
Monitoring and preventing exfiltration of core sensitive data
[Diagram panels: MONITOR (Visibility); LEARN AND DETECT (Analysis, Machine Learning); BLOCK / QUARANTINE (Contain and Investigate); Verification; Deception]
Gartner 2016 Magic Quadrant for the WAF market
• The industry's first WAF product
• Imperva is the only Leader in the WAF market
• Three consecutive years: 2014, 2015, 2016
Techniques for protecting web applications
Correlated Attack Validation
Virtual Patching
DDoS Protection
Dynamic Profiling
Attack Signatures
Protocol Validation
Cookie Protection
Fraud Connectors
IP Geolocation
IP Reputation
Anti-Scraping Policies
Bot Mitigation Policies
Account Takeover Protection
[Diagram groups these techniques by the threats they address: technical attacks and vulnerability exploitation; business logic attacks and others]
WAF deployment scenarios
[Diagram: On-Premises WAF (WAF in front of the web servers); WAF for AWS (WAF in front of web servers hosted in AWS); Cloud WAF (cloud-delivered WAF in front of the web servers)]
Control and visibility for cloud application services - CASB
[Diagram: corporate employees, mobile workers and hackers reach cloud applications (5000+ apps) through the CASB, which works in two modes]
Cloud Audit & Protection (Proxy-based):
• Detect anomalies & prevent account takeover attacks
• Enforce risk-based MFA
• Control sensitive data with DLP policies
• Prevent data proliferation to unmanaged devices
• Real-time, comprehensive activity monitoring
Cloud Discovery & Governance (API-based):
• Discover “Shadow IT” apps & assess risk
• Identify admins and inactive, external, & orphaned users
• Basic view of cloud activity logs
• Centrally assess data and security configuration settings
• SIEM enablement
Skyfence solution deployment and practice
[Diagram: two deployment modes. OFFLINE: Skyfence connects to the Cloud APIs of each cloud app. INLINE/PROXY: traffic is steered through the proxy either by SSO integration (agentless) with the identity provider (ADFS, Ping, Okta, Centrify …) or by endpoint agents & profiles]
Imperva security solutions for cloud application services
Imperva is laser focused on protecting business-critical applications and data, wherever they reside – in the cloud and on-premises
Protect applications and data on AWS
Mitigate network- and application-layer DDoS attacks through cloud-based content delivery
Secure the AWS Management Console
AWS: Imperva deployment architecture – SecureSphere, Incapsula, Skyfence
[Diagram: users reach the application through CDN, DDoS protection, load balancing and WAF, then a WAF scaling group spanning Availability Zone 1 and Availability Zone 2; administrators reach the AWS Management Console through the Cloud Access Security Broker (CASB)]
SecureSphere WAF on Amazon AWS
• Protects web applications hosted in the AWS cloud with an industry-leading WAF
• CloudFormation templates streamline WAF deployments on AWS
• CloudWatch monitors the WAF instances
• Automates re-routing of traffic to different availability zones
[Diagram: WAF instances in a scaling group spanning Availability Zone 1 and Availability Zone 2]
AWS: SecureSphere WAF deployment architecture
[Diagram: users → ELB → scaling group of WAF gateways → ELB → scaling group of web servers, duplicated across AZ1 and AZ2, with MX Management in each AZ]
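The multi-AZ WAF tier on the two slides above (a WAF scaling group behind an ELB, monitored by CloudWatch, with traffic moved away from a failed zone) can be expressed as a CloudFormation template. The template below is an added example written for this page; it is not Imperva's own CloudFormation template and the AMI, VPC and subnet IDs are placeholders passed in as parameters. It shows the pieces that give the failover behaviour: one subnet per Availability Zone in both the ELB and the Auto Scaling group, ELB health checks as the scaling group's health source so an unhealthy gateway is replaced, and a CloudWatch alarm that adds capacity.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not Imperva's template) - WAF gateway tier across two AZs behind an ELB

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetAz1:
    Type: AWS::EC2::Subnet::Id      # placeholder: subnet in Availability Zone 1
  SubnetAz2:
    Type: AWS::EC2::Subnet::Id      # placeholder: subnet in Availability Zone 2
  WafGatewayAmi:
    Type: AWS::EC2::Image::Id       # placeholder: AMI of the WAF gateway (assumed)
  InstanceType:
    Type: String
    Default: m4.large

Resources:
  ElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Public entry point, HTTPS only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  WafSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: WAF gateways accept traffic only from the ELB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref ElbSecurityGroup   # no direct exposure of gateways

  PublicElb:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: [!Ref SubnetAz1, !Ref SubnetAz2]   # one subnet per AZ
      SecurityGroups: [!Ref ElbSecurityGroup]
      CrossZone: true                              # spread load across both zones
      Listeners:
        - LoadBalancerPort: "443"
          InstancePort: "443"
          Protocol: TCP                            # TLS terminates on the gateway
      HealthCheck:
        Target: TCP:443
        Interval: "30"
        Timeout: "5"
        HealthyThreshold: "2"
        UnhealthyThreshold: "3"                    # failed gateway is taken out of rotation

  WafLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !Ref WafGatewayAmi
      InstanceType: !Ref InstanceType
      SecurityGroups: [!Ref WafSecurityGroup]

  WafScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: [!Ref SubnetAz1, !Ref SubnetAz2]
      LaunchConfigurationName: !Ref WafLaunchConfig
      MinSize: "2"                 # at least one gateway in each AZ
      MaxSize: "8"
      LoadBalancerNames: [!Ref PublicElb]
      HealthCheckType: ELB         # replace instances the ELB reports unhealthy
      HealthCheckGracePeriod: 300

  ScaleOutPolicy:
    Type: AWS::AutoScaling::ScalingPolicy
    Properties:
      AutoScalingGroupName: !Ref WafScalingGroup
      AdjustmentType: ChangeInCapacity
      ScalingAdjustment: 1
      Cooldown: "300"

  HighCpuAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Add a WAF gateway when the tier is busy
      Namespace: AWS/EC2
      MetricName: CPUUtilization
      Dimensions:
        - { Name: AutoScalingGroupName, Value: !Ref WafScalingGroup }
      Statistic: Average
      Period: 300
      EvaluationPeriods: 2
      Threshold: 70
      ComparisonOperator: GreaterThanThreshold
      AlarmActions: [!Ref ScaleOutPolicy]
```

Two design points matter for the security of this tier: the gateway security group admits traffic only from the ELB's security group, so the web servers behind the WAF cannot be reached by a path that bypasses it, and HealthCheckType is set to ELB rather than the default EC2 check, so a gateway whose WAF process has stopped answering on 443 is replaced even though the instance itself is still running. In the real deployment the web-server scaling group would sit behind a second, internal ELB whose only allowed source is WafSecurityGroup.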
AWS: SecureSphere WAF + DAM deployment architecture
[Diagram: users → ELB → WAF gateways (scaling group) → ELB → web servers → DAM gateways → DB servers, duplicated across AZ1 and AZ2, with MX Management in each AZ]
Centralized security control across the cloud and the data center
Use a single MX deployment for both AWS and on-premises WAF management (WAF only at this time)
Either physical or virtual MX
[Diagram: one MX Management connected over a VPN to gateways in the AWS VPC and to gateways in the customer data center]
Customer case: online gaming service migrating its game application to the AWS cloud
Requirements:
• Protect the gaming application from technical (SQLi) and business logic attacks
• Protect the registration page from malicious bots and other automated attacks
• Be able to scale up quickly and handle peaks in traffic per request
Solution:
• Originally sized @ 20 instances, eventually scaled to 120 during holidays
• SecureSphere WAF deployed in front of all application instances in AWS
• Additional redundancy provided by geographically distributed instances using AWS availability zones
Benefits:
• Seamless deployment – took just hours instead of weeks in a physical data center
• Operational efficiency - AWS environment managed by 2 FTE, instead of 4+ in a physical data center
• No upfront costs – shift from capital expenditure to operational expenditure
Imperva products (legend: products that cover both Protect and Comply; partner products):
User Rights Management for File
Data Loss Prevention
SecureSphere File Firewall
File Activity Monitor
SecureSphere Database Assessment Server
SecureSphere Database Firewall
SecureSphere for Big Data
SecureSphere Database Activity Monitor
User Rights Management
Data Masking
Vulnerability Assessment
Incapsula Back Door Detection
Incapsula Website Security
SecureSphere WAF ThreatRadar
Skyfence Cloud Discovery
Skyfence Cloud Analytics
Skyfence Cloud Protection
Skyfence Cloud Governance
Incapsula Infrastructure Protection
Incapsula Website Protection
Incapsula Name Server Protection
SecureSphere WAF