This document discusses protecting applications and data in public clouds using Imperva security solutions. It begins with an overview of cloud security challenges due to the shared responsibility model. It then describes Imperva's SecureSphere, Incapsula, and Skyfence solutions for securing applications in AWS and Azure. Reference architectures are provided for deploying the solutions on AWS and Azure. A case study describes how an online gaming company used Imperva SecureSphere WAF to protect their applications after moving them to AWS.

1. © 2016 Imperva, Inc. All rights reserved.
Protect Your Data and Apps in
the Public Cloud
Lior Lukov, Sr. Product Manager, Application Security, Imperva
Narayan Makaram, Dir. Product Marketing, Application Security, Imperva

2. © 2016 Imperva, Inc. All rights reserved.
AGENDA
• Cloud Security Challenges
• Imperva Cloud Security Solutions
• Reference Architecture
• Customer Case Study
2

3. © 2016 Imperva, Inc. All rights reserved.
Speakers
3
Narayan Makaram
Dir., Product Marketing, Imperva
Lior Lukov
Sr. Product Manager, Imperva

4. © 2016 Imperva, Inc. All rights reserved.
Web Application Attacks
Cloud Security Challenges
1
4

5. © 2016 Imperva, Inc. All rights reserved.5
Cloud Brings New Advantages toApplications
IaaS ProvidersOn-premise Data Centers
Applications in Data Center Applications in Cloud
Fixed capacity Elastic capacity
Scale-up Scale-out
Manual build and deploy Automated build and deploy
Allocated costs Metered cost
Limited HA and DR HA and DR across data-centers/regions
Defense in depth Perimeter Security

6. © 2016 Imperva, Inc. All rights reserved.
Business Challenges
Business Impact:
• Lost revenue associated with website downtime
• Brand damage with bad publicity
• Lost competitive advantage with sensitive data theft
• Fines and regulatory actions with data breach
Attack vectors remain the same as applications and data migrate from
on-premises data centers to the cloud
Cloud Infrastructure (IaaS)
DDoS attacks
Data Center
Mobile attacks
Technical attacks
Business logic attacks
6

7. © 2016 Imperva, Inc. All rights reserved.
Security – a Shared Responsibility in Cloud Infrastructure
7
AWS Article: Introduction to AWS Security, July 2015
Azure Blog Post: Cloud Security is a Shared Responsibility, June 2015
Customers are responsible for securing the customer applications and content
hosted in any cloud infrastructure – AWS, Azure, and others

8. © 2016 Imperva, Inc. All rights reserved.
Imperva Application Security
Cloud Security Solutions
2
8

9. © 2016 Imperva, Inc. All rights reserved.
Imperva Solutions for AWS and Azure
9
Imperva is laser focused on protecting business-critical applications
and data, wherever they reside – in the cloud and on-premises
Protects applications and
data hosted in AWS and
Azure
Mitigates DDoS attacks
through cloud-based
Content Delivery Network
Protects administrative access
to AWS/Azure management
console

10. © 2016 Imperva, Inc. All rights reserved.
Imperva SecureSphere - On AWS and Azure Cloud Infrastructure
10
Comprehensive application and database protection with
enterprise-class on-premises solution that customers trust
In-depth Web Application Protection
SecureSphere WAF blocks technical attacks that exploit vulnerabilities in your applications
and automated attacks that abuse business functionality
Dynamic Application Profiling
Automatically discovers application interfaces and adapts security controls to changes in
applications to simplify on-going maintenance
Crowd-sourced Threat Intelligence
ThreatRadar services: Reputation, Bot Mitigation, Community Defense, Account Takeover.
Arms the WAF with the latest security policies, signatures, and compliance reports crowd-
sourced from Imperva customers and 3rd party providers
Protects Databases Hosted in the Cloud
Discovers and monitors all user activity in databases hosted in AWS (using SecureSphere
gateways) and on Azure (using SecureSphere Agents)
App
Servers
DB
Servers

11. © 2016 Imperva, Inc. All rights reserved.
Imperva Incapsula – Cloud Based WAF
11
DDoS
Mitigation
CDN
Load
Balancing
WAF
All-in-one Website Security, DDoS and Bot Protection, and Load
Balancing on a Global Content Delivery Network
Load Balancing
Cloud-based Layer 7 Load Balancing service optimizes traffic distributions based on its actual
flow to each server.
Global Content Delivery Network
Application-aware Content Delivery Network delivers full site acceleration, boosts website
performance using advanced networking, dynamic caching, and content optimization techniques.
Enterprise-Grade Website Security and WAF
Incapsula’s PCI-certified web application firewall, advanced bot detection, and access control
technologies secure any website against known and emerging threats.
Volumetric DDoS Attack and Bot Protection
Combining a robust network backbone of advanced traffic inspection solutions, Incapsula
protections your cloud-based site against all types of DDoS attacks.

12. © 2016 Imperva, Inc. All rights reserved.
Imperva Skyfence - Protect Management Console
Monitors high-risk activities executed thru the
AWS/Azure Management Console
12
Management Console
Audits all administrator activity. Identifies security
and compliance gaps
Enforces separation of duties between privileged
users and security and compliance teams

13. © 2015 Imperva, Inc. All rights reserved.
Gartner “Magic Quadrant for Web Application Firewalls” by Jeremy D'Hoinne, Adam Hils, Greg Young, Nicole Papadopoulos, 15 June 2015.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon
request from Imperva. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with
the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner
disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
THE ONLY LEADER
TWO CONSECUTIVE YEARS
Gartner Magic
Quadrant for
Web Application
Firewalls
13

14. © 2016 Imperva, Inc. All rights reserved.
Imperva Security Solutions
Reference Architectures for AWS and Azure
3
14

15. © 2016 Imperva, Inc. All rights reserved.
AWS: Imperva Deployment Architecture
SecureSphere, Incapsula, Skyfence
15
Administrators
Users
AWS
Management
Console
Availability Zone 1
Availability Zone 2Scaling Group
CDN, DDoS, LB, WAF
WAF
Cloud Access
Service Broker
(CASB)

16. © 2016 Imperva, Inc. All rights reserved.
SecureSphere WAF forAmazon AWS
16
• Protects web applications hosted in AWS cloud with industry leading WAF
• CloudFormation templates streamlines WAF deployments on AWS
• CloudWatch monitors WAF instances
• Automates re-routing traffic to different availability zones
Availability Zone 1
Availability Zone 2Scaling Group

17. © 2016 Imperva, Inc. All rights reserved.
AWS: SecureSphere DeploymentArchitecture – WAF Only
17
AZ1
MX Management
AZ2
Users
ELBELB
Scaling Group Scaling Group
Scaling Group
Web
Servers
Web
Servers
WAF gateway
WAF gateway
MX Management

18. © 2016 Imperva, Inc. All rights reserved.
AWS: SecureSphere DeploymentArchitecture - WAF + DAM
18
AZ1 MX Management
MX Management
AZ2
WAF gateway
WAF gateway
Users
ELB
DAM gateway
DAM gateway
MX Management
MX Management
Scaling Group
ELB
DB
Server
DB
Server
Web
Server
Web
Server

19. © 2016 Imperva, Inc. All rights reserved.
AWS: Hybrid Management for SecureSphere WAF
19
V
P
C
VPN
Customer Data Center
Use single MX deployment for both AWS and on-premises WAF management
WAF only (at this time)
Either physical or virtual MX
Gateways Gateways
MX Management

20. © 2016 Imperva, Inc. All rights reserved.
SecureSphere forAWS Options (BYOL, On-Demand)
20
Performance AV2500 AV1000 AVM150
Supported SecureSphere
Products
Web Application Firewall
Database Activity Monitor
Database Firewall
Web Application Firewall MX Management Server
HTTP Throughput Up to 500 Mbps Up to 100 Mbps Not Applicable
Minimum Requirements for Each SecureSphere for AWS Instance
Minimum AWS Instance
Type
M3 Extra Large M3 Large M3 Extra Large

21. © 2016 Imperva, Inc. All rights reserved.
SecureSphere WAF for Microsoft Azure
21
• Protects web applications hosted in Azure cloud with industry leading WAF
• Azure Resource Manager streamlines WAF deployments on Azure
• Azure Application Insights monitors WAF instances
• Automates re-routing traffic to different Azure Regions
Web
Servers
LB
LB
Azure Region 1
Azure Region 2
Availability Set
LB
Availability Set
Web
Servers

22. © 2016 Imperva, Inc. All rights reserved.
Azure: SecureSphere DeploymentArchitecture
22
SecureSphere WAFs
Virtual Network
Azure Region
External
LB
Management Subnet
Gateway Subnet
LB
Apps Subnet
Availability Set Availability Set
Web
Serverswww.company.com
Public IP

23. © 2016 Imperva, Inc. All rights reserved.
SecureSphere forAzure Options (BYOL only)
23
Performance MV2500 MV1000 MVM150
Supported SecureSphere
Products
Web Application Firewall Web Application Firewall MX Management Server
HTTP Throughput Up to 500 Mbps Up to 100 Mbps Not Applicable
Minimum Requirements for Each SecureSphere for AWS Instance
Minimum Azure Instance
Types
A3/D3 for HTTP only
D3v2/D4 for HTTPS
A2 for HTTP only
A3 for HTTPS
A3 Standard

24. © 2016 Imperva, Inc. All rights reserved.
SecureSphere on Microsoft Azure Security Center
24

25. © 2016 Imperva, Inc. All rights reserved.
Case Study: Online Gaming Company
Moved all Gaming Apps to AWS
25
Requirements:
• Protect Gaming application from technical (SQLi) and business logic attacks
• Protect Registration page from malicious bots and other automated attacks
• Be able to scale up quickly and handle peaks in traffic per request
Solution:
• Originally sized @ 20 instances, eventually scaled to 120 during holidays
• SecureSphere WAF deployed in front of all application instances in AWS
• Additional redundancy provided by geographically distributed instances using AWS availability zones
Benefits:
• Seamless Deployment – took just hours instead of weeks on physical data center
• Operational Efficiency - AWS environment managed by 2 FTE, instead of 4+ in physical data center
• No upfront costs – shift from Capital-Expenditure to Operational-Expenditure

26. © 2016 Imperva, Inc. All rights reserved.26
Questions?