Post on 22-Apr-2018
Akamai Security Products
©2011 Akamai Powering a Better Internet
Key Areas of Cloud Security for Akamai
• Protect Web Availability: Internet Infrastructure Security
• Web Application Firewall: Application Security
• Remove Credit Cards: Payment Tokenization
The Akamai EdgePlatform
• 85,000+ Servers
• 1,700+ Locations
• 900+ Networks
• 70+ Countries
• Compliance/Security:
• PCI Compliant SSL (Data)
• Distributed WAF (Apps)
• Edge Tokenization (Payments)
Daily Web traffic of over 4 Tbps
DDoS Attacks on the Rise
74% of surveyed companies experienced one or more DDoS
attacks in the past year, with 31% of these attacks resulting in
service disruption
• Forrester July 2009
"The Akamai network saw more DDoS attacks in the fourth
quarter of 2010 than in the first three quarters of the year
combined so as companies continue to push business-critical
data and operations into the cloud, the need to protect these
assets from the growing number and increasing sophistication of
Web attacks increases dramatically."
• Akamai chief scientist and co-founder, Tom Leighton
Holiday Season 2010 – Coordinated DDoS
Attacked IR50-250 eCommerce Web Sites Protected by Akamai

| Customer | Times Above Normal | Peak Attack Time |
|---|---|---|
| US Customer #1 | 9,095x | 11/30 |
| US Customer #2 | 5,803x | 12/1 |
| US Customer #3 | 3,115x | 11/30 |
| US Customer #4 | 2,874x | 12/1 |
| US Customer #5 | 1,807x | 12/1 |

Highly distributed DDoS attacks from Asia-Pac, South America and Middle East
[Chart labels: Customer #1, Customer #2, Customer #3]
Estimated Potential Lost Revenue Impact = $15 million
One Customer, Different DDoS Attacks
Attacked Top IR150 eCommerce Web Site Protected by Akamai

| Attack | Times Above Normal Pages | Time |
|---|---|---|
| Attack #1 | 300x | Nov 18, 2010 |
| Attack #2 | 35x | Jan 14, 2011 |

• Attack #1 – Highly distributed, no recognizable pattern
• Attack #2 – Highly distributed, concentration from Eastern Europe – Russian Federation, Greece, Ukraine, Belarus, Latvia, Kazakhstan
Peak DDoS traffic of 300 Mbps
[Chart markers: #1, #2]
Estimated Potential Lost Revenue Impact = $350,000
Korean Gaming Company
Multi-Phase, Varying Signature Attack - Protected by Akamai

| Site | Times Above Normal Pages | Time |
|---|---|---|
| Gaming Site | 33x | Jan 3 2011 |

• Phase #1 – repeated requests for non-existing object
• Phase #2 – malformed HTTP requests w/o user-agents
Attack traffic directed from South Korea
[Chart markers: #1, #2]
Estimated Unique Customers Impacted = 1,500
Estimated Missed Advertising Impressions = 36,000
DDoS Mitigation with Akamai
[Diagram labels: End User, Akamai, Site Shield, Trusted Connection, Web Site Infrastructure]
Akamai Unveils New Architecture for DDoS
• IP Blocking & Rate Control: IP blocking & rate limiting capabilities at network layer
• Web Application Firewall: Web application firewalling at Layer 7 (application layer)
• eDNS w/DNSSEC: Scalable protection for Domain Name System (DNS) attacks
• Global Traffic Management: Blocking of traffic by geographic region
• User Validation: Identification of suspected BOTs from real users to de-prioritize or block
• Site Shield: Ability to cloak web infrastructure from the Internet
• DoS Readiness: DDoS specialists to assess infrastructure and develop a run-time playbook
• Customer Support: 24/7 support with a response SLA
• Advanced Caching, NetStorage + Failover: Akamai’s edge absorbs traffic and can failover
• Fee Protection: Capped exposure to bursting fees related to an attack
Application Layer Threats
State of Application Security
95% of corporate Web Apps have severe vulnerabilities
• Average enterprise website has 13 serious security vulnerabilities [1]
• The average time-to-fix for large organizations is 15 weeks [1]
Why?
• Competition drives website innovation and complexity
• Migration of enterprise apps to the Web, outside firewall
• Introduction of many new technologies for programmers
Over 95% of corporate web applications have severe vulnerabilities
[1] WhiteHat Website Security Statistic Report — Fall 2010; [2] Aberdeen Group, 2010
Akamai’s Web Application Firewall
Launched in Jan’10 — distributed in the cloud
Helping customers comply with Payment Card Industry — Data Security Standard (PCI-DSS)
• Web Application Firewall for PCI Section 6.6
Provides on-demand scalable protection from malicious Web application attacks such as cross site scripting (XSS) and SQL injection style attacks
• Example: eCommerce customer, 1-week
• 11 billion requests processed (110K/sec peak)
• Successfully alerted or blocked more than 8 million rules in a single week
Akamai Web Application Firewall
Web Application Firewall adds Layer7 & fast IP blocking
• IP blacklist/whitelist changes in 30-45 minutes
• Avoid Layer7 DDoS and injections
• Akamai WAF addresses PCI DSS 6.6 Compliance
Akamai Adds New Protection from Layer7 (Application Layer) Attacks
Addition of custom rules at the edge
• Augments existing core rule set
Partnership with Qualys for vulnerability scanning
• Used by Akamai PS to populate WAF with customer specific rules and virtual patching for web sites
• "Partnering with Akamai was a clear choice for us, especially as more security moves to the cloud. We look forward to helping enterprise customers with our vulnerability solutions in order to increase their defenses against malicious web activity." - Philippe Courtot, CEO of Qualys
Configurable IP rate limiting in the cloud
• Offloads unwanted bandwidth from BOTs and scrapers
Edge Tokenization PCI Challenges
PCI rules govern any card information stored or processed in the merchant infrastructure.
• Level 1, Level 2 merchants need to undergo audits, scans
• Level 3 and Level 4 need to fill in questionnaire
Costs for audit can be substantial, costs for breach can put companies out of business.
| Merchant level | Number of card transactions/year | Average PCI Audit Preparation Expense* |
|---|---|---|
| Level 1 Merchant | More than 6 Million | $2.1M |
| Level 2 Merchant | 1 Million to 6 Million | $1.1M |

*Source: Gartner 2008 — numbers exclude PCI assessment costs
Akamai’s Solution
• Servers placed in PCI compliant facilities
• Strict access procedures
• Logs of physical entry and cameras
• Key Management Infrastructure
• PII decryption in memory only, never on disk
• Annual audit to ensure PCI compliance
Secure SSL Delivery — Akamai’s Dedicated SSL Network
Akamai Operates the First PCI Compliant CDN
Edge Tokenization: How it Works
[Diagram labels: Payment Gateway’s Data Vault, Merchant Order Management System, Customer Datacenter, Payment Gateway]
Benefits
• Reduces PCI scope for online transactions
• Leverages Akamai’s Level 1 PCI Compliant Network
• Enables web retailers to transact securely and at scale
• Tight integration with leading payment gateway providers
• Preserves Payment Gateway functionality
• Credit card data is never stored on customer infrastructure
• Easily integrates into existing workflow
• Accelerates critical commerce transactions on Akamai’s high-performance and highly resilient EdgePlatform