Despite the fact that people have been happily banking their money online for nearly a decade, they are still wary of trusting other information in the cloud.
Security, or the perceived lack of it, remains a hurdle for companies wanting to convince customers to move to the cloud. The truth is that security online is a moveable target. It has improved enormously and yet researchers and hackers are always finding new areas to protect and exploit.
We have long had firewalls, hardened servers and the like but the newest attacks sidestep the infrastructure to focus on the jewels – the application and the information it holds. Database hacks regularly hit the headlines with tens of thousands of customer details compromised at a time.
So how to guard against these threats? CRN asked Kane Lightowler, regional sales manager for security company Imperva, what was required to lock down vulnerable applications.
“Organisations are very scared about moving their sensitive data into the cloud. A lot of people still have the perception that if it’s in my reach it’s in my control,” Lightowler says. Imperva has been working on comforting them by monitoring how their data is being accessed.
Imperva was founded in 2002 by Shlomo Kramer, one of the original founders of Check Point, to solve this problem. Kramer saw that companies were putting too much faith in standard defences, and he wanted to find out how Check Point customers were still getting hacked.
Kramer realised that while firewalls protected the network and who could pass over it, they left the applications themselves unguarded. It was the same story with anti-virus defences, which only stopped the server getting infected. It had nothing to do with the data sitting on the server.
Imperva has grown to 1700 customers. It sells three services to cloud providers that address these issues. The first is a web application firewall which protects websites from application layer attacks.
“A normal firewall has a rule that allows anyone from the web to access the website. If someone was malicious in that webstream it wouldn’t be detected. This is why so many sites are getting hacked,” Lightowler says.
Sorting good from bad
A web-application firewall can separate good traffic from bad and, for example, defeat a DDoS attack by Anonymous. The other two services are for protecting data: a database firewall for auditing access to structured data, and a file firewall for unstructured data. Their focus is primarily data security, although they include some application layer security.
The latter services provide usability reports plus alerts, audits and monitoring into how individuals and applications are using data.
“Every organisation I speak to either audits and monitors all users’ access to sensitive or regulated data or privileged users’ activity. This is very important in the cloud where you have multi-tenanted or shared infrastructure,” Lightowler says.
Auditing access to data lets an organisation confirm it is being used appropriately and that there is no unauthorised access, and it provides some control against technical attacks as well as inappropriate behaviour by employees.
Lightowler says demand for Imperva’s services will increase as more services become web-based. The shift is inevitable: web-based services are easier to access and can run on any operating system or device.
“Like any web app without proper security measures they can be susceptible to application layer hacking attacks,” Lightowler says.
A common scenario is session hijacking, where a user enters someone else’s credentials to gain access. Another frequent attack on databases is SQL injection. These attacks are logic-based: the attacker makes the application send the database a request the application was never designed to issue, such as “send all credit card numbers, modify the table or the account balance, or send usernames and passwords”.
“SQL injection is a very powerful attack if the bad guys can get it right,” Lightowler says. “The vast majority of big attacks include SQL injection. It’s also used for DoS – you can ask to shut down a database.”
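The database request described above, shown as an added example that is not from the article or from Imperva: a lookup that concatenates user input into its SQL hands back every row (the “send all credit card numbers” case), while the same lookup with a bound parameter returns nothing for the hostile input. The table contents and the input strings are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, card_number TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "4111-1111-1111-1111", 120),
        ("bob", "5500-0000-0000-0004", 75),
        ("carol", "3400-0000-0000-009", 310),
    ])
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the caller's input becomes part of the query's logic,
    # so a crafted value changes WHAT the query asks for, not just a filter value.
    sql = "SELECT username, card_number FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the input is bound as data and never parsed as SQL,
    # so the application only ever issues the request it was designed to issue.
    sql = "SELECT username, card_number FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a normal and a constructed hostile input."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed value that rewrites the WHERE clause
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),    # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every card number in the table
        "safe_normal": lookup_safe(conn, normal),          # one row
        "safe_hostile": lookup_safe(conn, hostile),        # no such user: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```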
Imperva claims its cloud-based web-app firewall is an industry first. It is available for channel partners and hosting providers to build a service to protect their own customers. Because the service is run by Imperva 24x7 there is little upskilling required, Lightowler claims.
Imperva onboards the customer and alerts them if their site gets hacked. The reseller needs to change the DNS records to point to Imperva which then proxies web requests and blocks malicious requests to ward off DDoS and SQL injection attacks.
The big selling point for Australian channel providers is that the service is much cheaper than hiring someone who understands application security. These security experts are not just expensive, they’re hard to find.
“Even the big banks are struggling to find the right amount of resources,” Lightowler says.
Because of the high price of bandwidth in Australia, the vast majority of Australian businesses use a hosting provider for their website rather than running it themselves. But they can’t afford a security expert to protect it for them. Imperva counts GoDaddy as one of its biggest customers. The global hoster uses the technology to protect hundreds of thousands of sites belonging to a small subset of its customers.
Lightowler hopes that hosters’ reluctance to offer application security will change over the next two to five years as they try to differentiate themselves.
Cloud hosting providers are just as susceptible. A company like Rackspace would take responsibility for securing the server and the network around it, but not the web or business application sitting on top of it. This is a particular problem for membership websites, which can hold more sensitive information than just financial data.
“The only compliance that has teeth is PCI (DSS) and it’s about credit card data,” Lightowler says. “People’s personal, identifiable information is not looked at as important by many organisations because there isn’t that potential to be fined.”
In Lightowler’s opinion, the stronger regulations are around the wrong type of data. “I can call up the bank and revoke my credit card number but I can’t revoke my mother’s maiden name.”