A Blueprint for Advanced Security over Your AWS Environment


From CRM to email and web applications in banking, retail, e-retail, and government, more organizations are adopting the cloud to save dollars and increase agility. These applications and the infrastructure that supports them – including storage, load balancers, and application servers – are adapting and evolving to address this trend. That makes securing this new model of infrastructure an interesting, relevant topic as well. It’s why Imperva, our parent company, today announced their Cloud Reference Architecture for AWS, which integrates Skyfence technology to monitor activity and protect accounts accessing the AWS Management Console.

Infrastructure as a Service (IaaS) offers data center resources in a cloud-based environment, with a layer of automation, standardization and scalability that is difficult to achieve on-premises. Gartner estimates that the IaaS market size in 2014 was $13 billion, and growing fast. By 2018, it will be $42B (CAGR 35.6%). While there are many vendors offering IaaS today, AWS is the clear leader in this space and accounts for the majority of the business. According to Gartner, “AWS is the overwhelming market share leader with 5x the Cloud IaaS compute capacity than the aggregate total of the [next] 14 vendors”.

While cloud is attractive to most organizations, IT pros usually cite security as a top concern and a potential obstacle or inhibitor to adoption. As Forrester noted in their AWS Cloud Security report earlier this year: “In the AWS world, security is a shared responsibility. AWS is not going to secure your applications or software infrastructure for you. AWS’ responsibility stops at the abstraction point between its services and the applications you deploy. It’s up to security and risk pros to engineer the correct security atop AWS.”


With Imperva’s Cloud Reference Architecture for AWS, organizations can deploy advanced security to protect the application, defend against attacks, and monitor administrator activity and accounts within the AWS environment. The solution is comprised of three elements:

– SecureSphere Web Application Firewall (WAF) for AWS protects data and applications in the AWS Cloud.

– Incapsula delivers an enterprise-grade, cloud-based Application Delivery Network for organizations hosting their applications on AWS. When used in conjunction with SecureSphere WAF for AWS, it delivers a security solution that deals more efficiently with large-scale DDoS attacks and provides additional levels of security for bot protection, access control, two-factor authentication, backdoor, and malware protection.

– The Skyfence Cloud Gateway offering delivers access controls to protect the AWS console administrative accounts, provides activity monitoring, and enables alerting for anomalous behavior, high-risk tasks and critical operations.

The AWS web management console is where Skyfence adds value. The console is essentially the control panel for all actions performed by administrators using Amazon’s infrastructure. The ability to monitor all activity – who did what within the environment – is a fundamental requirement. Many organizations will require more sophisticated policy and workflow defining what admins and developers can do, covering actions such as Create, Copy, Start, Delete, and Terminate. In some organizations these actions should be limited to just those the user requires to perform their job function. Learn more about Skyfence for AWS here.

You wouldn’t build a house without a blueprint. Don’t build a cloud infrastructure without one either. In any cloud environment – whether AWS or Microsoft Office 365 or any other app – what the cloud provider delivers in terms of security should not by default be your security strategy. Understanding the provider’s security model, their operational practices and their expectations of you as a subscriber is a great place to start.