G-Cloud Service Definition. Atos KONA Site Defender for Cloud IaaS


Atos Kona Site Defender for Cloud IaaS

Atos Kona Site Defender for Cloud IaaS delivers web security without compromise, leveraging the power of Akamai's Intelligent Platform to provide detection, identification and mitigation of Distributed Denial of Service (DDoS) and application layer attacks while preserving site performance and availability.

Manages Risk
- Reduces risk of downtime, extortion and data theft to protect revenue, customer loyalty and brand equity

Protects Web Applications
- Identifies and mitigates the effects of Distributed Denial of Service (DDoS) attacks to preserve web site availability and performance
- Provides protection for web applications

Reduces Costs
- Reduces costs associated with DDoS mitigation
- Reduces capital expenditure on the hardware and software that provides DDoS protection

What is it?

Atos Kona Site Defender defends against all types of DDoS, web application and direct-to-origin attacks. It is deployed across the Akamai Intelligent Platform, which consists of tens of thousands of servers deployed across over 1,100 networks in more than 75 countries. It is designed to thwart DDoS attacks by absorbing DDoS traffic targeted at the application layer, deflecting all DDoS traffic targeted at the network layer such as SYN Floods or UDP Floods, and authenticating valid traffic at the network edge.

Features of the service include:
- Simple integration with existing IT infrastructure
- Maximize uptime and availability during DDoS attacks
- Defend web application infrastructure
- Protect against direct-to-origin attacks
- Improve availability of DNS infrastructure
- Scale on demand
- Access best-in-class application security expertise

The UK based Atos service team will be ready to assist with any queries relating to the service. Quality and resilience are a critical element in meeting the 24x7 demands of today's information needs. Our approach to service delivery ensures high performance, availability and a commitment to service continuity through fully redundant infrastructure and systems.

Partnering with Akamai, Atos brings the Akamai Intelligent Platform to the public sector, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Atos and Akamai allow customers to securely and reliably leverage the cloud in an increasingly connected and mobile world.

DDoS Mitigation: absorbs DDoS traffic targeted at the application layer, deflects all DDoS traffic targeted at the network layer such as SYN Floods or UDP Floods, and authenticates valid traffic at the network edge.

Application Layer Protection: incorporates a full-featured Web Application Firewall (WAF) based upon proprietary technology that provides customers with a highly scalable layer of protection against application layer attacks. Application Layer Controls include a collection of pre-defined yet configurable web application firewall rules for different attack categories. Network Layer Controls give the ability to enforce customer-defined IP whitelists and blacklists. Rate Controls provide protection against application layer DDoS attacks by monitoring and controlling the rate of requests within the network and at the customer origin.

Site Shield: Atos Kona Site Defender also includes the ability to cloak (hide) a customer origin from the public Internet. This adds an additional layer of security protection without impeding the quick and reliable delivery of content.

Advanced Security Monitor: Kona Site Defender provides security professionals with real-time visibility into security events.


Contents

1. Introduction
1.1 Service summary
2. Service overview
3. Information assurance
4. Backup/restore and disaster recovery
5. On-boarding and off-boarding
6. Pricing
6.1 Clarification of Terms
6.2 Discount
7. Service management
8. Service constraints
9. Service levels
10. Financial recompense
11. Training
12. Ordering and invoicing process
13. Termination terms
13.1 By consumers (i.e. consumption)
13.2 By the Supplier (removal of the G-Cloud Service)
14. Data restoration / service migration
15. Customer responsibilities
16. Technical requirements
17. Trial service
18. Glossary

1. Introduction

In recent years there has been a dramatic rise in the scale and severity of attacks launched on web sites and web applications. According to the Arbor Networks 2011 Worldwide Infrastructure Security Report*, among the wide range of attack methods, SQL Injection attacks have emerged as the most popular, making up 27% of all attack methods, with Denial of Service (DoS) attacks close behind. These attacks are occurring more frequently than ever, and the DoS attacks are happening on a much larger scale. Further, according to Arbor Networks, the largest reported attack size doubled year-on-year, reaching more than 60Gbps in 2011 - an astonishing 600% increase compared to 2005. Attacks of this magnitude can cripple any centralized origin-based infrastructure. The effects of these attacks extend long past the assault itself, not just in terms of loss of revenue, resources and productivity, but also in terms of damage to brand reputation and customer trust.

1.1 Service summary

Provided by Atos in partnership with Akamai, Site Defender is a security solution that combines a range of security product capabilities and optional services to provide a simplified, flexible and robust defence against Distributed Denial of Service (DDoS), web application and direct-to-origin attacks. The service leverages a multi-layered tool-set designed to defend against sophisticated attacks employing multiple methodologies. Once deployed, the solution has Akamai DDoS defence capabilities that are designed to be always on. This allows the solution to adapt to the unique nature of each attack method by providing the flexibility to apply the appropriate product capability in real time. Moreover, since Akamai constantly evolves its security product offerings, customers benefit from a continually strengthening defence posture against DDoS without having to make changes to their infrastructure.

Important characteristics:
- Mitigation of Distributed Denial of Service (DDoS) attacks at the network and application layer
- Full-featured Web Application Firewall
- Origin Cloaking (protection against direct-to-origin attacks)
- Adaptive caching
- Site failover
- Access control
- NetStorage
- Log Delivery Service
- ISO 27002 compliance management module
- Security Monitor

2. Service overview

DDoS Mitigation

Kona Site Defender leverages the Akamai Intelligent Platform to detect and block malicious traffic at the edge of the Internet, enabling Akamai to stop DDoS attacks at both the application and network layers. The Akamai Intelligent Platform is architected as a reverse proxy and only accepts traffic via ports 80 (HTTP) and 443 (HTTPS). All network layer (Layers 3 and 4) DDoS attacks are automatically dropped by the Akamai Intelligent Platform. This includes traffic such as UDP Fragments, ICMP Floods, SYN Floods, ACK Floods, RESET Floods and UDP Floods. The Akamai Intelligent Platform also absorbs DDoS traffic targeted at the application layer, such as GET Floods, and authenticates valid traffic at the network edge. Protection is also provided for HTTP slow client ("drip feed") DDoS attacks, such as Slowloris (sending partial HTTP requests that proliferate endlessly, update slowly and never close), and other application layer attacks such as RUDY (R U Dead Yet). HTTP/S traffic is routed natively in path with minimal to no added latency and no single point of failure.

Real Time Reporting

Kona Site Defender supports a logging protocol called Real-Time Reporting. This is an HTTP POST mechanism for sending security events in real time into a log management or SIEM (Security Information and Event Management) solution at the customer Origin.

Prevent Direct-to-Origin attacks

Kona Site Defender includes the ability to cloak (hide) a customer origin from the public Internet. This adds an additional layer of security protection without impeding the quick and reliable delivery of content, regardless of end user location. Kona Site Defender is designed to prevent direct-to-origin attacks using Akamai SiteShield, a form of cache hierarchy which is implemented as a map of Akamai servers.

In the standard configuration, the access controls create an environment in which the Origin site can only be accessed by IP traffic originating from a small subset of Akamai servers referred to as a SiteShield region. Access Control Lists (ACLs) at the customer's firewall will only allow traffic from the SiteShield server IPs to contact the Origin. This design results in no other machine on the Internet having the ability to communicate directly with the customer Origin. At the same time, all of Akamai's distributed Edge servers continue to have complete access to the current content, because Akamai's SiteShield servers are configured to serve as the parent for all Akamai Edge Servers for a specific customer's content. If an Akamai Edge Server needs content that it cannot find from a peer, it requests the content from the SiteShield servers. In the event that dynamic, uncacheable content is requested, the SiteShield server leverages the advanced routing and protocol acceleration technologies Akamai has available. As a result, legitimate end users should always be able to retrieve content quickly and reliably while the Origin remains protected.
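The SiteShield design above only holds if the customer-side firewall ACL admits the SiteShield region and nothing else. As an added example (not Atos or Akamai code), the following Python models that origin-side check and runs it over constructed connection records to surface direct-to-origin attempts; the CIDR blocks are RFC 5737 documentation placeholders standing in for the real SiteShield map, which comes from the customer's Akamai configuration.

```python
"""Origin-side allow-list check for a SiteShield-protected origin.

Constructed example. The SiteShield region is modelled as a small list of
CIDR blocks (placeholder documentation addresses, not real Akamai ranges) and
the inbound connection records are constructed sample log lines. Anything not
sourced from the SiteShield region, or not on 80/443, is a direct-to-origin
attempt that the firewall ACL should drop, so it is flagged for investigation.
"""
import ipaddress
from dataclasses import dataclass

# Placeholder SiteShield region (RFC 5737 ranges); the real map for a customer
# configuration is supplied by Akamai and must be mirrored in the origin ACL.
SITESHIELD_REGION = [
    ipaddress.ip_network("192.0.2.0/27"),
    ipaddress.ip_network("198.51.100.64/26"),
]
# The platform forwards only HTTP and HTTPS to the origin.
ORIGIN_PORTS = {80, 443}


@dataclass(frozen=True)
class Verdict:
    src: str
    dport: int
    action: str   # "allow" or "deny"
    reason: str


def in_siteshield_region(src, region=SITESHIELD_REGION):
    """True if the source address falls inside one of the SiteShield CIDRs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in region)


def evaluate(src, dport, region=SITESHIELD_REGION):
    """Apply the origin ACL policy to one connection attempt."""
    if dport not in ORIGIN_PORTS:
        return Verdict(src, dport, "deny",
                       "non-HTTP(S) port: the platform only forwards 80/443")
    if not in_siteshield_region(src, region):
        return Verdict(src, dport, "deny",
                       "source outside SiteShield region: direct-to-origin attempt")
    return Verdict(src, dport, "allow", "SiteShield parent fetching content")


def parse_line(line):
    """Parse the constructed record format '<timestamp> src=<ip> dport=<port>'."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], int(fields["dport"])


def audit(lines, region=SITESHIELD_REGION):
    """Return the denied attempts, i.e. the direct-to-origin candidates."""
    verdicts = [evaluate(*parse_line(line), region=region) for line in lines]
    return [v for v in verdicts if v.action == "deny"]


# Constructed sample log lines: two legitimate SiteShield fetches, one
# bypass attempt from outside the region, one non-HTTP probe.
SAMPLE_LOG = [
    "2015-03-01T10:00:01Z src=192.0.2.5 dport=443",
    "2015-03-01T10:00:02Z src=198.51.100.70 dport=80",
    "2015-03-01T10:00:03Z src=203.0.113.9 dport=443",
    "2015-03-01T10:00:04Z src=192.0.2.5 dport=22",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.src}:{v.dport} {v.action} ({v.reason})")
```

Feeding the origin firewall's accepted-connection log through audit() gives a quick check that the ACL really is restricted to the SiteShield region.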

Adaptive Caching

Kona Site Defender will cache static objects in a similar way to transparent proxies, honouring the cache control headers sent by the customer Origin. This provides Origin defence against attacks that target URLs representing static content.

Site Failover

Web sites that rely on centralized infrastructure often find that ensuring uptime is a continuous challenge. A typical solution involves mirroring a web site at an alternate location; however, this approach creates additional capital and management costs. Site Failover frees companies from these limitations by storing and delivering web site content from a global network of thousands of servers on the Akamai Intelligent Platform. With Site Failover, content remains available to requesting users.

Access Controls

Provides the ability to protect content and control access based on user details. Access is controlled using an access control system which authenticates users and enforces authorization policies.

NetStorage

Kona Site Defender includes NetStorage as a standard part of the service for the purpose of log retention. It is enabled by default and must be explicitly disabled if not wanted. Customers are limited to 10 GB of usage. Under normal usage, NetStorage traffic will not be billed; additional usage will be subject to overage charges. Logs are retained for 30 days by default. Customers have the option of retaining logs for longer periods, subject to overage charges should utilization exceed 10 GB.

Log Delivery Service

The Log Delivery Service (LDS) provides customers with logs generated from Kona Site Defender and Kona services. Customers can configure how to receive their log deliveries in the Luna control portal. LDS delivers customer logs on a predetermined schedule, and most log files will be delivered within a 24-hour period. Due to the distributed nature of Akamai's network, some log lines may be delayed and form part of a later delivery. Note that customers must configure the service to begin receiving logs from that point forward; logs are not available retroactively.

Security Monitor

The Security Monitor provides a dynamic interface enabling users to visually investigate rule activity. Data is displayed in real time, providing situational awareness, and the Security Monitor is an important tool for tuning WAF rules. It is a security data visualization solution that incorporates WAF and rate control data in real time. This significantly improves a user's ability to investigate WAF activity by supporting advanced filtering, search and, eventually, notification functions. It also provides the capability to drill down into attack alerts to retrieve detailed information on who is attacking, what they are attacking, what defence capabilities triggered the attack declaration and what specifically was seen in the requests that triggered site defences.

Compliance Management

Kona Site Defender includes the ISO 27002 compliance management component. This component is designed to help customers understand and validate how their relationship with Akamai impacts their own compliance initiatives. It includes a core base to address generic requirements, coupled with the ISO 27002 module.

3. Information assurance

Kona Site Defender is appropriate for processing IL0 data.

4. Backup/restore and disaster recovery

The Akamai platform offers 100% availability and is designed to withstand multiple points of failure. The platform is fully resilient and allows multiple versions of a customer configuration to be kept. Customers are able to create a new configuration and push it out to testing and then production, or revert to a previous configuration, all through the customer portal.

5. On-boarding and off-boarding

The Atos KONA Site Defender service requires professional services to scope and integrate the applications and services to be protected. As such, the on-boarding process is customised and defined through an initial professional services engagement. A typical on-boarding process will involve the following stages:
- Scoping and gating to gather the necessary details for the site, and to identify any potential issues with site integration or additional features that may need to be enabled
- Resourcing to identify and allocate resources to best fit the integration requirements and timescales
- Additional discovery of the environment to a more detailed level, carried out by professional services in conjunction with the customer and building on the initial gating
- Internal testing or pre-configuration to ensure any unusual requirements or environments are tested before an initial customer configuration
- Initial configuration: creation of a suitable configuration for the site delivery service, followed by internal testing
- Staging: once tested, the configuration is pushed to a staging environment to give the customer access to start initial testing
- Staged testing: working with the customer to address any issues in the configuration identified during testing

6. Pricing

The pricing provided below is based upon a minimum commitment of 12 months and is exclusive of VAT.

Kona Site Defender for Web Sites Service and Modules

Kona Site Defender for Web Application Properties (pricing unit: Monthly)
Note: estimated monthly usage in Mbps, MPV or GB is summed for all web site properties protected and is used to select a price tier below.
- Tier 3 - up to and including 75 Mbps, or 40 MPV, or 11,000 GB per month; up to 5 sites per contract: 14,594.00 per month
- Tier 2 - up to and including 500 Mbps, or 250 MPV, or 75,000 GB per month; up to 10 sites per contract: 21,885.00 per month
- Tier 1 - up to and including 2,000 Mbps, or 1,000 MPV, or 300,000 GB per month; up to 50 sites per contract: 34,040.00 per month
- Tier 0 - up to and including 5,000 Mbps, or 2,500 MPV, or 750,000 GB per month; up to 100 sites per contract: 48,622.00 per month

Kona Site Defender Additional Sites (Monthly Service, per site)
- Tier 3 - Additional Sites: 702.00 per site per month
- Tier 2 - Additional Sites: 495.00 per site per month
- Tier 1 - Additional Sites: 357.00 per site per month
- Tier 0 - Additional Sites: 253.00 per site per month

Kona Site Defender Entitlement Overage in Mbps (As Incurred, for Standalone only)
- Tier 3 - Standalone Entitlement Overage: 28.00 per Mbps
- Tier 2 - Standalone Entitlement Overage: 19.00 per Mbps
- Tier 1 - Standalone Entitlement Overage: 12.00 per Mbps
- Tier 0 - Standalone Entitlement Overage: 6.33 per Mbps

Kona Site Defender Entitlement Overage in GB (As Incurred, for Standalone)
- Tier 3 - Standalone Entitlement Overage: 0.42 per GB
- Tier 2 - Standalone Entitlement Overage: 0.29 per GB
- Tier 1 - Standalone Entitlement Overage: 0.16 per GB
- Tier 0 - Standalone Entitlement Overage: 0.09 per GB

All Tiers - Monthly Capped Burst (As Incurred): 3,821.00

Kona Site Defender Professional Services (All Tiers, One Time)
- Standard Integration - Per Configuration - up to 2 WAF Policies: 14,900.00
- Managed Integration - Per Configuration - up to 2 WAF Policies: 22,500.00
- PS Enterprise Custom SOW: 216.00 per hour
- Professional services security: 253.00 per hour

Rule Update Service (Each, One Time)
- Tier 3 - prescribed coverage for 5 sites, including up to 3 Threat Update Reviews per year and up to 8 hours Security Configuration Assistance per month: 3,226.00
- Tier 2 - prescribed coverage for 10 sites, including up to 6 Threat Update Reviews per year and up to 12 hours Security Configuration Assistance per month: 5,377.00
- Tier 1 - prescribed coverage for 50 sites, including up to 8 Threat Update Reviews per year and up to 20 hours Security Configuration Assistance per month: 8,248.00
- Tier 0 - coverage for 100 sites, subject to scoping; additional time at the Professional Services Security rate: 41,900.00

6.1 Clarification of Terms

A Site is a Customer's web site.

6.2 Discount

A forty per cent (40%) discount on the Monthly recurring charges will be applied to customers who procure the service for a full twenty-four (24) month term. For the avoidance of doubt, the discount shall not apply to any consumption charges or set-up charges payable by the customer. Should the customer terminate the service before the end of the full twenty-four (24) month term, the discounts that have been applied to the Monthly recurring charges up to the date of termination shall become payable by the customer to the Supplier as a Termination.

7. Service management

The Atos Service Management Model (ASMM) is a set of service management processes implemented in the Atos organization by which Atos controls the delivery of continuous IT support services (services that a client buys on a long-term basis) and aligns these services to the client's business needs. As a major player in the provision of continuous IT services to the world's premier league companies, we act in a globally consistent manner, presenting a common interface to the client 24 hours a day, 7 days a week.

ASMM is built on the best practices in the ICT industry, as defined in the ITIL library version 3 (2011), enriched by the Service Delivery Best Practices of the former Atos Origin and Siemens Information Services. ASMM underpins both ISO/IEC 20000 (previously BS15000), the international standard for IT service management, and ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements.

Special attention is given to the end-to-end governance of the services across the delivery units within Atos (on-, near- or offshore), demand/supply alignment, and immediate communication of major service disruptions (incidents) and major changes to the client's demand organization, involving them in priority setting and resolution progress.

Figure 1 - Atos Service Management Model (ASMM)

8. Service constraints

The Akamai Intelligent Platform does not require maintenance windows due to the inherent nature of the platform design. Components can be taken out for maintenance without impacting the delivery of the customer application. Ancillary components, such as the customer portal, will have maintenance windows, although these are scheduled and customers are notified in advance.

9. Service levels

This section describes the Service Levels applicable (e.g. performance, availability, support hours, severity definitions etc.).

Standard Initial Response Times:
- Two (2) hours or less for P1 issues
- Four (4) hours or less for P2 issues
- Two (2) business days or less for P3 issues
- All Support Requests reported via e-mail will be considered as P3
- Live support during regular business hours for P2 and/or P3 issues
- Live 24x7x365 support for P1 issues

Priority Level / Impact / Description:
- Priority 1 (P1) - Critical: Service is significantly impaired and unavailable to multiple user locations. Example: multiple Sites are affected.
- Priority 2 (P2) - Major: Repeatable inability to use the applicable Service from a single location or region. Example: localized denial of service issue. This might be to a single Site or even a single server.
- Priority 3 (P3) - Low: Non-urgent matter or information request. Examples: planned configuration change request, information requests, reports or usage questions, clarification of documentation, or any feature enhancement suggestions.

10. Financial recompense

To minimise the cost to users, Atos does not provide service credits for use of the service. All Atos services are provided on a reasonable endeavours basis. Please refer to the G-Cloud terms and conditions.

In accordance with the guidance within the GPS G-Cloud Framework Terms and Conditions, the Customer may terminate the contract at any time, without cause, by giving at least thirty (30) Working Days prior notice in writing. The Call Off Contract terms and conditions and the Atos terms will define the circumstances where a refund of any pre-paid service charges may be available.

11. Training

Customer training offerings are available on request.

12. Ordering and invoicing process

Ordering this product is a straightforward process. Please forward your requirements to the email address GCloud@atos.net. Atos will prepare a quotation and agree that quotation with you, including any volume discounts that may be applicable. Once the quotation is agreed, Atos will issue the customer with the necessary documentation (as required by the G-Cloud Framework) and ask the customer to provide Atos with a purchase order. Once received, the customer services will be configured to the requirements of the original quotation. For new customers, additional new supplier forms may need to be completed.

Invoices will be issued to the customer and Shared Services (quoting the purchase order number) for the services procured. On a monthly basis, Atos will also complete the mandated management information reports to Government Procurement Services detailing the spend that the customer has placed with us. The Cabinet Office publishes a summary of this monthly management information at: http://gcloud.civilservice.gov.uk/about/sales-information/.

13. Termination terms

13.1 By consumers (i.e. consumption)

Termination shall be in accordance with:
- The G-Cloud Framework terms and conditions
- Any terms agreed within the Call Off Contract under section 10.2 of the Order Form (termination without cause), where the Government Procurement Service (GPS) guidance states "At least thirty (30) Working Days in accordance with Clause CO-9.2 of the Call-Off Contract"
- Atos Supplier Terms for this Service as listed on the G-Cloud CloudStore

For this specific service, by default Atos asks for at least thirty (30) Working Days prior written notice of termination, as per the guidance within the GPS G-Cloud Framework Terms and Conditions.

13.2 By the Supplier (removal of the G-Cloud Service)

Atos commits to continue to provide the service for the duration of the Call Off Contract, subject to the terms and conditions of the G-Cloud Framework and the Atos Supplier Terms.

14. Data restoration / service migration

The platform allows multiple versions of a customer configuration to be kept. Customers are able to create a new configuration and push it out to testing and then production, or revert to a previous configuration, all through the customer portal.

15. Customer responsibilities

This section is not applicable.

16. Technical requirements

- Client applications must be internet facing
- Professional Services are required, and this is subject to full scoping

17. Trial service

Atos provides a free trial service so that customers may experience and experiment with the service in advance of any purchase. This is intended to allow customers to assess whether the service Atos offers meets the customer's needs. Trials covering limited, non-production traffic are available free of charge; alternatively, paid-for Proof of Concept exercises can be configured to support full production traffic levels.

18. Glossary

Adaptive Caching: A feature where customer-identified content is served from the Edge during an attack, maintaining service where the originating server(s) may be affected.

Denial of Service (DoS) Attack and Distributed Denial of Service (DDoS) Attack: A Denial-of-Service attack (DoS attack) or Distributed Denial-of-Service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed attack includes multiple attack sources.

HTTP(S): Hyper Text Transfer Protocol (Secure). Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text and is the basis of the World Wide Web (www). HTTP is the protocol used to exchange or transfer hypertext. HTTP utilises port 80, while HTTPS uses port 443 and utilises security mechanisms in the transmission of the data.

HTTP POST: A function of the HTTP protocol allowing information to be sent to a web service, such as a block of data that is the result of submitting a web form to a data-handling process, or an item to add to a database.

ISO20000: ISO/IEC 20000 is the first international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1 SC7 and revised in 2011. It is based on, and intended to supersede, the earlier BS 15000.

ISO27001: ISO/IEC 27001:2005, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements.

ISO27002: ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS).

OSI Layers: The Open Systems Interconnection (OSI) model (ISO/IEC 7498-1) is a conceptual model that groups similar communication functions into one of seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive the packets that make up the contents of that path.

SQL Injection Attack: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

UDP Fragments; ICMP Floods; SYN Floods; ACK Floods; RESET Floods; and UDP Floods: Techniques used as part of DoS or DDoS attacks.

URL: A uniform resource locator, abbreviated URL, also known as a web address.

Web Application Attack: Web application attacks are attacks on the underlying applications and scripts supporting web services, such as PHP, Java EE, Java, Python.

Web Application Firewall: A web application firewall is a form of firewall which controls input, output and/or access from, to, or by a web application or service. It operates by monitoring and potentially blocking the input, output or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which is, without additional software, unable to control network traffic regarding a specific application.
