hyperguard Defining a dwaf to secure cloud applications By Alexander Meisel, CTO and Co-Founder



Similar documents
Securing Cloud Applications with a Distributed Web Application Firewall

How To Protect A Cloud Application Firewall In Defense Department (Dodin)

I D C T E C H N O L O G Y S P O T L I G H T. S e r ve r S e c u rity: N o t W h a t It U s e d t o Be!

Protecting Applications on Microsoft Azure against an Evolving Threat Landscape

Scalability in Log Management

Cloud-Based dwaf A Real World Deployment Case Study. OWASP 5. April The OWASP Foundation

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Adobe Systems Incorporated

The Advantages of Security as a Service versus On-Premise Security

Addressing Security for Hybrid Cloud

Availability of Services in the Era of Cloud Computing

Trend Micro. Advanced Security Built for the Cloud

How to Grow and Transform your Security Program into the Cloud

How To Protect Your Cloud From Attack

Cloud Security:Threats & Mitgations

How to Turn the Promise of the Cloud into an Operational Reality

PROTECTED CLOUDS: Symantec solutions for consuming, building, or extending into the cloud

From the Bottom to the Top: The Evolution of Application Monitoring

CLOUD COMPUTING SECURITY ISSUES

The Evolving Threat Landscape and New Best Practices for SSL

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

Implementing Software- Defined Security with CloudPassage Halo

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

VMware vcloud Networking and Security Overview

Zeus Extensible Traffic Manager in Virtualized Hosting Environments.

Table of Contents. Page 2/13

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Becoming a Cloud Services Broker. Neelam Chakrabarty Sr. Product Marketing Manager, HP SW Cloud Products, HP April 17, 2013

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

NSFOCUS Web Vulnerability Scanning System

SANS Top 20 Critical Controls for Effective Cyber Defense

Vulnerability Management

Building Private & Hybrid Cloud Solutions

CLOUD COMPUTING SECURITY CONCERNS

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Secure Web Gateways Buyer s Guide >

VMware vcloud Networking and Security

White Paper on CLOUD COMPUTING

Capturing the New Frontier:

How To Protect A Web Application From Attack From A Trusted Environment

Architectural Implications of Cloud Computing

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

Where every interaction matters.

Safeguarding the cloud with IBM Dynamic Cloud Security

Meeting the Challenges of Virtualization Security

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Bitdefender GravityZone Sales Presentation

Double-Take Cloud Migration Center (CMC) Tech Brief

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

PCI DSS 3.0 Compliance

Swordfish

UNIFIED THREAT MANAGEMENT SOLUTIONS AND NEXT-GENERATION FIREWALLS ADMINISTRATION TOOLS NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

How To Manage Cloud Management

Top 10 Reasons Enterprises are Moving Security to the Cloud

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

IBM EXAM QUESTIONS & ANSWERS

White Paper. Architecting the security of the next-generation data center. why security needs to be a key component early in the design phase

NEXT-GENERATION, CLOUD-BASED SERVER MONITORING AND SYSTEMS MANAGEMENT

Cloud and Data Center Security

Web Application Hosting Cloud Architecture

PLATFORM-AS-A-SERVICE: ADOPTION, STRATEGY, PLANNING AND IMPLEMENTATION

Attacks from the Inside

Cloud Computing - Overview of Information Assurance Concerns and Opportunities

The Benefits of an Integrated Approach to Security in the Cloud

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages

Cloud Computing. Figure 1

Building Blocks of the Private Cloud

The Cyber Threat Profiler

What Do You Mean My Cloud Data Isn t Secure?

NSFOCUS Web Application Firewall White Paper

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

Security Issues in Cloud Computing

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

SECURITY POLICY MANAGEMENT ACROSS THE NEXT GENERATION DATA CENTER

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Cloud Security Who do you trust?

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

ABS Information Systems Inc. 307 Lesmill Rd, Toronto, Ontario, Canada, M3B 2V1 Phone:

Oracle Database Cloud Service Rick Greenwald, Director, Product Management, Database Cloud

Cloud Computing for SCADA

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Transcription:

1 Whitepaper hyperguard Defining a dwaf to secure cloud applications By Alexander Meisel, CTO and Co-Founder

Whitepaper Safety in the Cloud(s): Vaporizing the Web Application Firewall to Secure Cloud Computing Cloud computing was not designed for security, although organizations such as Cloud Security Alliance (CSA) and Open Web Application Security Project (OWASP) are making great strides in helping the industry solve the myriad security problems confronting cloud computing. The benchmark guidelines established by the CSA in the document, Guidance for Critical Areas of Focus in Cloud Computing, is a great first step. This white paper is intended to pick up where the CSA guide left off in terms of defining what a distributed web application firewall (dwaf) should look like in order to meet the standards set within the CSA document. It includes recommendations and practical use-cases based on Art of Defence s own patent-pending dwaf technology. In order to accurately outline how a dwaf is possible while maintaining all the benefits of a completely virtualized environment reduced IT overhead, flexible footprint management, virtually unlimited scalability a brief overview of cloud technology is needed. Far more than simply maximizing current hardware resources to benefit from unused CPU power, today there are three main technologies available in a cloud that provide the backbone for real productivity gains and compelling business services for companies that don t want to invest in the hardware scaling burdens common today. Software as a service (SaaS) offers users virtualized software through a thin-client, usually any standard web browser. The benefit for users is access to software without any of the headaches of owning the programs scaling and resources are taking care of, and patching and upgrades are managed. Platform as a service (PaaS) provides users with virtual databases, storage and programming languages with which custom applications can be built. This service provides nearly unlimited resources behind the platform and allows customers to scale throughout the lifetime of the application. It is an effective solution for companies ranging from the very small to those serving millions of customers. The customer does not worry about the infrastructure needed to run the services and is billed in per usage model. Infrastructure as a service (IaaS) allows users access to virtually unlimited resources to build and manage their own virtual network. Customers can commission and decommission virtual resources depending on their need. The most obvious benefit is that there is no end-of-life for hardware anymore for the customers. The providers move them according to their service level from hardware to hardware without any downtime. The common user benefit of services available through a cloud is access to key resources via the Internet, which provides an incredible degree of scaling without the need to invest in expensive hardware infrastructure. Cloud Applications are Highly Exposed to Threats Accessing cloud technologies requires a thin-client, and the world s most commonly used thin-client for this purpose is a web browser. This means the vast majority of all applications on the Internet have some kind of web and / or application server on which the business logic is implemented. Currently, most of the money spent on security goes into firewalls and antivirus solutions, but in the last 10 years the typical target for attacks has shifted from the network layer to the application layer because the operating systems and services available to the general public were cut down. As a result, it is now easier to target the application logic or framework of an application than the actual server behind the hardened network perimeter. Applications are mostly developed by the businesses themselves and not every developer considers security the highest priority, which leads to a wide variety of problems. hyperguard Defining a dwaf to secure cloud applications 2

Whitepaper The IBM X-Force 2008 Annual Report highlights that web application vulnerabilities are the Achilles Heel for corporate IT security. The impact of not being able to secure these vulnerabilities is far reaching. Further, attack vectors increase exponentially in correlation with the mainstream adoption of cloud computing. Their increase is dictated by hosting and delivering infrastructure, platform and software. Establishing a comprehensive patch management system is the common solution offered by most in the industry, however, in practice this approach has proved very difficult and costly. Typical web applications are built on open source components, by third-parties, who rely on web frameworks. This approach has the obvious benefits of interoperability and shortened development time, however, patching becomes exponentially more difficult. A flaw in one piece of open source code must be patched for each instance it is used throughout each application in which it is used. In a cloud setting, this becomes a very large issue. hyperguard Defining a dwaf to secure cloud applications 3

Whitepaper Applications developed specifically for a cloud are often very complex, designed for access speed, scalability and flexibility for third-party development through an open API. For example, Salesforce.com, Google Docs, MySpace, Facebook and Twitter, are all prime examples. These as a Service applications are developed two ways today: by moving on-premise applications to a cloud, and by developing and operating applications directly in a cloud. Applications that are forced out of the internal company network and into a cloud carry the risks of exposing protected software to web threats is was not designed to combat. Common security threats include injection attacks, cross site scripting or cross site request forgery. There are a variety of services available for developing in a cloud, such as MS Azure Services, Google App Engine or Amazon EC2. There are many security challenges involved in developing web applications in a cloud. For example parameter validation, session management and access control are 'hotspots' for attackers. Developers not trained in those three fields of application development will most definitely create / develop applications which have security problems. problems. curity hyperguard Defining a dwaf to secure cloud applications 4

Whitepaper Why a Traditional Web Application Firewall Will not Work In a cloud, the infrastructure and the services are shared between customers, meaning one set of hardware is used by many business, organizations and even individuals. Each of these cloud operator customers adds a unique layer of policy settings, use-cases and administrative enforcement requirements. For the cloud or service provider, security quickly becomes very complex. The average provider may have 10,000 customers subscribing to its service, each with varied policy settings for individual divisions within the company. The service provider now has to manage an n th degree of application filter settings. Currently, web application firewalls (WAF) and other security solutions are restricted to hardware appliances, which creates a serious bottleneck for cloud service providers. Dedicated hardware boxes simply don't allow for reasonably scalable levels of multiple administrators duties within a box s singular security policy mechanism. Ironically, in addition to the traditional network hardware, cloud service providers are forced to have a rack full of dedicated WAF machines one per customer that take up space and eat up resources. Security becomes counter to the efficiency promises of a fully virtualized environment. This cost is passed on to customers, increasing adoption barriers to mainstream cloud computing. In an ideal world, applications would be designed from the ground up to meet the rigors of a virtualized world, integrating security measures directly into the applications and thus solving a core problem with current cloud computing. Until the industry reaches this ideal), traditional web application firewall boxes are preventing the industry from reaching the full potential of a cloud computing. Defining the Distributed Web Application Firewall (dwaf) for Cloud Protection Web application security in a cloud has to be scalable, flexible, virtual and easy to manage. A WAF must escape hardware limitations and be able to dynamically scale across CPU, computer, server rack and datacenter boundaries, customized to the demands of individual customers. Resource consumption of this new distributed WAF must be minimal and remain tied to detection / prevention use instances rather than consuming increasingly high levels of CPU resources. Clouds come in all sizes and shapes, so WAFs must as well. The dwaf must be able to live in a wide variety of components to be effective without adding undue complexity for cloud service providers. Today s providers are using a variety of traditional and virtual technologies to operate their clouds, so the ideal dwaf should accommodate this mixed environment and be available as a virtual software appliance, a plug-in, SaaS or be able to integrate with existing hardware. Flexibility with minimal disruption to the existing network is central. A web-based user interface must allow customers to easily administrate their applications. Configuration should be based on the applications under protection, not defined by a singular host, allowing far more granular settings for each application. Ruleset configuration must be supported by setup wizards. Statistics, logging and reporting has to be intuitive and easy to use and must also integrate seamlessly into other systems. Most importantly for a dwaf, multi-administrator privileges must be made available and flexible enough to effectively manage widely divergent policy enforcement schemes. Cloud providers should look for a set of core protections. Detection and Protection Foundational security using black, white and grey listings for application requests and responses must be possible. To make sure pre-set policy enforcements are not activated or deactivated without approval from an administrator, deployment and policy refinement through establishing rulesets must be possible in a shadow monitoring or detection only mode. Once the shadow monitoring ruleset is stable, only then should it be allowed to deploy in an enforcement mode on the dwaf. This allows complete transparency for the administrator into the real-world effect of this ruleset, while at the same time allowing layered rulesets to be tested without compromising existing policy enforcement. Avoiding false positives and relaxed established defenses are essential for a real-world, usable dwaf in a cloud. hyperguard Defining a dwaf to secure cloud applications 5

Whitepaper Automated learning and ruleset suggestions based on intelligent algorithms or recommendations from a static source code analyzer or web vulnerability scanner are also desirable from a manageability view. Again, this only holds true if the administrator retains full control over activation / deactivation of each ruleset. Without this control, wanted traffic may become blocked and policy settings would become compromised. Application Shielding Pro-active security functions are highly recommended to reinforce any application in a cloud. Detection is simply not enough for today s web application security. Features like transparent secure session management, URL encryption and form-field virtualization will provide strong deterrence to attack, while saving application development and deployment time. These features are effective because session management, URL encryption and form-field virtualization is done at the dwaf level and not in the application itself. An authentication framework support that enables businesses to consolidate their applications under one management schema is also desirable for a dwaf. This enables users to handle the authentication in front of their applications rather than behind, which adds another perimeter of security. A consolidation of all applications with dedicated rights-management ability is also a strong usability function that will make an administrator s life easier. Integration with Existing Technology Avoiding vendor-lock-in is a common best-practice for both networking and application security. Any technology that is added to an infrastructure, platform or application itself must connect as seamlessly as possible with existing technology. Security is all about layering technologies to create the best possible protection, so a dwaf must communicate freely between a security incident and the event management system (SIEMs). Art of Defence s dwaf Solutions hyperguard is a software-only dwaf designed with these best practices in mind. Due to its modular construction, it can be deployed very easily in a cloud computing environment. The product consists of three parts: The Enforcer The Enforcer is a small plug-in which enables hyperguard to be plugged into any kind of device. A device can be a web server or proxy (Apache, MS IIS), a network firewall (like MS ISA, GenuScreen) or software load balancer (Zeus ZXTM). The Enforcer sends request and response data to a component called Decider and also modifies requests and responses if needed. The Enforcer is an adapter for hyperguard to get the data it needs to enforce the policy. The Decider The policy engine checks the data from the Enforcer module and decides what to do with the request/response. The Decider s unique architecture allows it to scale from one to many CPU cores and is also capable of running on multiple machines simultaneously. The resource intensive computing part of hyperguard is the Decider component and the workload on the Decider depends on the load of the web infrastructure behind it. The more traffic generated by the end users, the more CPU resources are used in the Decider. The Administration Interface The administration system of hyperguard can be deployed decentralized or as a single server. In a cluster installation every cluster node can be used to administrate applications and their policies. This decentralized system is very robust against failing nodes and allows a huge number of web application security administrators to work on their own application policies. In addition, it provides verbose central monitoring and alerting functions. hyperguard Defining a dwaf to secure cloud applications 6

Whitepaper In a shared cloud (PaaS and SaaS) environment for example, many Enforcer plug-ins from load balancers and web servers could communicate with a Decider service on separate virtual machines. If the first virtual machine of this Decider service reaches 80 percent of the available CPU resources, a new virtual machine on a different instance of a cloud will automatically be provisioned, started and added to the Decider cluster. If the cluster-wide CPU usage of the Decider service drops below 40 percent, the Decider instances will automatically be removed from the cluster in order to give the resources back to a cloud. hyperguard can be deployed similarly on an IaaS in a cloud. The customer would get its own private instance of all three modules of hyperguard, which are not shared between customers. The scaling can be done by clustering many hyperguard instances together. This clustering process for additional resources may also be provided automatically depending on the cloud service provider. hyperguard Defining a dwaf to secure cloud applications 7

Whitepaper About Art of Defence GmbH Founded in 2005, Art of Defence GmbH is headquartered in Regensburg, Germany, and provides the U.S., European and Asian markets with comprehensive web application security technology on any scale. As cloud computing and virtualization begin to change how companies approach security and push applications out of the traditional network, security becomes a central challenge for the market. Traditional network technology providers are seeking ways to accommodate this shifting market as well. Art of Defence s flagship solution hyperguard, is a distributed web application firewall (dwaf). The offering is the most flexible on the market toady, available as a SaaS, software plug-ins, virtual appliances, hardware appliances or as standalone software solutions. Other offerings include hypersource, a static source code analysis tool, and hyperscan, a web application vulnerability scan server. The company is the only European provider in this space that covers the entire software development lifecycle (SDLC). The company serves the financial services, ecommerce, technology, telecommunication and public sector markets exclusively through OEM/technology and reseller channel partners. The company partners with leading technology providers like Microsoft, Zeus, GeNUA, and Armorize. For more information about Art of Defence, visit: www.artofdefence.com/en hyperguard and art of defence are trademarks of art of defence GmbH. Other company, product and service names be trademarks or service marks of others. Copyright 2005-2009 art of defence GmbH hyperguard Defining a dwaf to secure cloud applications 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information