Imperva, our parent company, has just launched its Cloud Reference Architecture (CRA), a framework for protecting web applications in infrastructure-as-a-service (IaaS) environments.
Using Imperva SecureSphere web application firewall (WAF) and complementary products from Incapsula and Skyfence, the new reference architecture provides blueprints (read: templates) for implementing web application security and DDoS protection layers within a public cloud.
Imperva chose Amazon Web Services (AWS)—the overwhelming IaaS market leader—for the debut of its reference architecture.
You can download the Imperva IaaS Reference Architectures: For AWS whitepaper here.
Comprehensive Application Security for Your AWS Environments
Enterprises are moving applications to the cloud in ever-increasing numbers. Within five years, 30% of all workloads will be run within the cloud, according to a recent survey by Piper Jaffray.
As a result, the infrastructure supporting these applications, from load balancers to storage devices and security appliances/services, must also adapt to address this trend.
Imperva Cloud Reference Architecture is exactly what data center architects and IT teams need for migration planning of web applications to AWS environments.
Based on Imperva's proven global experience deploying such architectures, Imperva CRA enables enterprises to minimize risk while enjoying best-of-breed security and DDoS protection for AWS-based applications.
Specifically, Cloud Reference Architecture includes the following components:
- AWS: Amazon’s cloud computing infrastructure, comprised of EC2 server instances, Elastic Load Balancing (ELB), AWS Management Console, availability zones, and storage.
- Imperva SecureSphere WAF: The world’s undisputed leading WAF offering, SecureSphere blocks web attacks and prevents costly data breaches, without incurring downtime or blocking legitimate users.
- Incapsula Cloud-Based Application Delivery: Incapsula provides enterprise-grade protection against all types of network and application layer DDoS attacks. Optionally, Imperva offers Incapsula’s PCI-certified WAF for customers not wanting to manage the service by themselves.
- Skyfence Cloud Gateway: Privileged user monitoring delivers real-time controls and policy enforcement to protect administrative accounts. Additionally, it provides alerts for high-risk tasks or critical operations.
Above are several blueprints showing how deploying Incapsula, Imperva and Skyfence together makes it easy to achieve enterprise-grade web application security on AWS.
Managed WAF, DDoS, and CDN With Cloud Access Security
Leveraging the collective strengths of Imperva, Incapsula, and Skyfence, this combo platter provides a comprehensive, layered security deployment for web applications that is seamlessly integrated with AWS. It monitors privileged user access while offering enterprise-grade WAF capabilities alongside advanced, always-on DDoS protection to protect your application and data assets in real time.
WAF-as-a-Service (WaaS) With Cloud Access Security
In this architecture (above), Incapsula’s WAF is offered as a cloud-based service, fully-managed and updated against new threats by our security experts.
In addition, this WAF-as-a-Service offering is complemented by our DDoS protection, CDN, and load balancing capabilities, as required. Skyfence is used here as well for privileged user access monitoring.
In its reference architecture, Imperva provides a number of case studies illustrating typical scenarios for securing web applications on AWS.
One example describes a large social investment network that suffered a massive DDoS attack against an entire subnet, bringing its online trading systems completely down. Looking for an immediate solution, the company contacted Incapsula.
Within half an hour of deploying Incapsula’s infrastructure protection service, all incoming traffic to the company’s IP ranges was being routed through Incapsula for inspection, prior to being forwarded to the company’s network.
Using Incapsula, the trading network was able to quickly restore operations, while transparently mitigating all types of DDoS attacks against any network service.