Australia has strict data sovereignty laws in place to ensure that personal customer data remains within the country’s borders. However, we often hear about cloud-based WAF vendors being unable to guarantee that data will not be moved across borders for inspection and data logging purposes. This may prevent some organizations from moving to the cloud. To address this issue, Imperva has come up with an advanced architectural topology for ensuring that traffic inspection and request logs are guaranteed to be maintained within Australia’s borders.
Data Sovereignty Needs
For organizations, in particular large enterprises such as financial institutions and government bodies that store large amounts of sensitive customer data, data sovereignty requirements add an extra level of complexity to securing assets in the cloud. For this type of firm, critical questions in regards to a vendor’s cloud-based WAF architecture typically include:
- Can the solution ensure that the web traffic terminates and is inspected within Australia only?
- Can it guarantee that no traffic or security logs will move outside Australian borders?
Traffic Termination and Inspection
Anti-DDoS technology conducts deep packet inspection by passing the traffic through a high-velocity traffic inspection protocol to clean (scrub) the traffic before sending the traffic back to the source. While this process might only take a matter of seconds, it usually entails data being moved offshore – since the Australian Point(s) of Presence cannot absorb the largest DDoS attacks of 1 Tbps or above – and therefore leaves organizations vulnerable to data violations while their data is outside the country of origin.
The challenge for cloud-based WAF solutions today is that in the case of a very large DDoS attack, those vendors cannot guarantee that the traffic will not be diverted outside Australia and terminated in a foreign country, especially if the DDoS attack is relying on affected proxies within Australia.
Previously, traffic was always inspected within the closest Point of Presence
Log Management and Storage
When it comes to log management and storage, Imperva’s Cloud WAF solution also has a number of stringent measures in place that keep customer data safe. For example:
- Imperva Cloud WAF only stores logs of security events, not of regular visits;
- Data logs are anonymized, and over 120 sensitive parameters (such as names, date of birth, and other 120 PCI data) are automatically and irreversibly anonymized when stored;
- All logs are deleted within 90 days, and can be deleted earlier on demand.
However, Australian data sovereignty rules mandate that this type of log request data is also stored within the country’s borders.
To help organizations meet both these requirements, Imperva has designed a ground-breaking new network topology for its Cloud WAF architecture and DDoS mitigation solutions that enables unlimited DDoS protection while traffic inspection and request logs are guaranteed to be maintained within Australia’s borders.
Cloud WAF Data Sovereignty
The Imperva Cloud WAF solution for Australian data sovereignty requirements relies on two key pillars:
- Support of storage of all logs within Australia: All logs generated are anonymised in the mechanisms described earlier, and stored within Australian borders. For customers selecting the Australian data storage option, no traffic logs or security logs are stored by Imperva outside Australian borders.
- Mesh network for international scrubbing and Australian-only traffic decryption and termination: Imperva has a large scrubbing capacity within Australia in two Points of Presence already. In addition, thanks to new mesh topology, the traffic may be scrubbed in international POPs for layer 3 and layer 4 traffic inspection and scrubbing, while the layer 7 traffic will transit within our network to be decrypted and inspected within Australia only.
In the new topology, even if the traffic is scrubbed outside of Australia in order to benefit from our large network capacity, the layer 7 traffic, still encrypted, will transit within the Imperva network and the decryption and traffic termination will always happen within our Australian Points of Presence.
This new innovative architecture provides an additional layer of security as desired by organizations in Australia wanting to securely manage their operations in the cloud without the worry of breaching data sovereignty regulations.
Imperva DDoS protection mitigates the largest attacks immediately without incurring latency or interfering with legitimate users. Find out more here.