Strengthening security posture for modern-age SaaS providers
•Transferir como PPTX, PDF•
1 gostou•471 visualizações
The document discusses strengthening security for modern SaaS providers. It describes how enterprise architectures have evolved from legacy on-premise models to today's cloud-based apps and data. Legacy security solutions are not agile or scalable enough for modern architectures. The document outlines Cloudflare's security solutions, including a gateway web application firewall (WAF) and distributed denial of service (DDoS) protection to secure connections and protect against attacks. It also discusses trends seen during the COVID-19 pandemic such as internet traffic surges and rising security breaches faced by SaaS providers.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Strengthening security posture for modern-age SaaS providers
Semelhante a Strengthening security posture for modern-age SaaS providers (20)
Mais de Cloudflare
Mais de Cloudflare (20)
Último
Último (20)
Strengthening security posture for modern-age SaaS providers
- 1. Strengthening security posture for modern-age SaaS providers
- 2. Confidential. Copyright © Cloudflare, Inc. 2 Chaim Mazal VP, Information Security, ActiveCampaign Arun Singh Security Product Marketing Lead, Cloudflare Speakers
- 3. 3 Evolution of the Enterprise Architecture
- 4. Legacy Enterprise Architecture Connection through the web and mobile Apps and API A well-defined network edge that is part of the infrastructure Security stack consisting of hardware appliances within the enterprise infrastructure Apps and data resides within datacenter premises
- 5. Today’s Enterprise Architecture Web/Mobile apps and APIs connect directly to the enterprise apps and data in the Cloud - IaaS, PaaS, SaaS Dissolution of the legacy network edge Legacy security solutions are not agile, scalable and intelligent to cater to the modern architecture
- 6. Cloud Transformation Challenged Legacy Security Solutions Rise of sophisticated attacks Lacks real-time intelligence and integrations to combat new age attacks Real-time intelligence curated by behavioral learning from a diverse and global data set Intelligence Apps and Data now reside in a hybrid environment Weekly, daily, even hourly application code updates Does not scale to protect apps and data on-prem and in the cloud Easy to deploy solution that quickly adapts to code changes Comprehensive, integrated solution to protect apps and data everywhere Transformation Legacy Security Solution Requirements for a Modern Solution Agility Scalability Slow to adapt to the fast velocity of application code changes
- 7. Cloudflare’s mission is to help build a better Internet Confidential. Copyright © Cloudflare, Inc. 77
- 8. 27M+ Internet properties 200+ Cities and 95 countries 45B Cyber threats blocked each day in Q1’20 99% Of the Internet-connected population in the developed world is located within 100 milliseconds of our network Note: Data as of June 28, 2019. Cloudflare’s network operates at massive scale Confidential. Copyright © Cloudflare, Inc. 8
- 9. Security Solution for the Modern Enterprise Customers connect across the world to closest data centre for a high quality of user experience Integrated security and performance fueled by intelligence curated from protecting 27 Million+ Internet properties: Quality, volume, diversity Comprehensive security against sophisticated attacks, agnostic of whether apps and data reside on- premise, in the cloud or in a hybrid environment
- 10. Cloudflare Security Product Portfolio Gateway Secure connections to the public Internet Internal app access Illegitimate user access attempt Layer 4 DDoSattacks SYN Flood, UDP amplification Layer 3 DDos attacks ICMP Flood, GRE attacks Layer 7 DDos attacks HTTP flood, DNS service attack Login attacks Brute force logins, API abuse Bot Attacks Credential stuffing, Inventory Hoarding App vulnerability attacks OWASP Top 10 and beyond Gateway WAF DDoS Protection Rate Limiting Bot ManagementMagic Transit Spectrum Access Man in the middle attack Snooping of Data-in-Transit, DNS spoofing 10 SSL, TLS, DNSSEC
- 11. 11
- 12. ActiveCampaign Customer Experience Automation Treat every customer like your most important — whether you have 10 or 10 million CX Apps Marketplace Remove silos | Connect across all channels | Automate the 1:1 experience Email Marketing Marketing Automation CRM Support 300+ Integration Partners 12
- 13. The Global Leader in Customer Experience Automation 100K customers 170 countries 6000+ active partners #1 on G2 & TrustRadius 580 employees CHICAGO | INDIANAPOLIS | DUBLIN | SYDNEY 2.5B weekly automated experiences $100M ARR 13
- 14. Some of the trends that we are witnessing… Confidential. Copyright © Cloudflare, Inc. 1414
- 15. 15
- 16. Confidential. Copyright © Cloudflare, Inc. Surge in internet traffic 16
- 17. London +22.6% Comparing activities January & March 17
- 18. Paris +22.7% Comparing activities January & March Comparing activities April & May Paris 18
- 19. Majority of the attacks peaked below 1 million packets per second (pps). Confidential. Copyright © Cloudflare, Inc. Network-layer attacks: Trends In Q1 2020, 92% of the attacks were under 10 Gbps, compared to 84% in Q4 2019 19
- 20. Larger attacks still persist, albeit in small volume. The largest attack in Q1’20 occured in March — peaking ~ 550 Gbps. SYN & ACK DDoS attacks (TCP) form 66% of all L3/4 attack vectors in Q1. Confidential. Copyright © Cloudflare, Inc. Network-layer attacks: Trends 20
- 21. Confidential. Copyright © Cloudflare, Inc. Application-layer attacks: Trends On an average, Cloudflare mitigated 57 billion application-level attacks each day between March - April, 2020, with majority of Cloudflare WAF rules being triggered in the US. 21
- 22. Confidential. Copyright © Cloudflare, Inc. Top 4 application attack vectors 22
- 23. What’s top-of-mind for SaaS organizations Confidential. Copyright © Cloudflare, Inc. 2323
- 24. Confidential. Copyright © Cloudflare, Inc. Mitigating the rising volume and sophistication of security breaches Avoiding costly downtime by making applications more resilient Attaining more visibility and control over data and deployed services Security and performance challenges faced by the new-age SaaS providers 24
- 25. Best practices for SaaS providers to deliver a superior online experiences Confidential. Copyright © Cloudflare, Inc. 2525
- 26. Confidential. Copyright © Cloudflare, Inc. 1 Ensure secure and reliable customer connections 2626
- 27. Shared Services Web (PHP, Ember, React) External API (PHP, Python) Internal API (PHP, Python) Cron Services (PHP, Java) CloudFlare Tenant Data Aurora MySQL ProxySQL Core Config Data Aurora MySQL ElasticCache Memcached, Redis Logging & Alerting Third Party Integrations Link Tracking (PHP) Web Application & Mobile Users APM Security PowerMTA Mail Servers Inbox Provider s Queueing - SQS
- 30. Vanity Domains CNAME Record Added TLS Certificate Issued
- 32. Confidential. Copyright © Cloudflare, Inc. 2 Protect data and web applications from abusive bots and vulnerabilities — including the OWASP top 10 and zero-day attacks. 3232
- 35. Confidential. Copyright © Cloudflare, Inc. 3 Minimize the risk of downtime by globally load balancing traffic and ensuring fast failover 3535
- 38. 3838
- 39. Thank you Confidential. Copyright © Cloudflare, Inc. 3939
- 40. Q&A Confidential. Copyright © Cloudflare, Inc. 4040
- 41. Appendix Confidential. Copyright © Cloudflare, Inc. 41
- 42. Paris +22.7% Comparing activities January & March Comparing activities April & May Paris
- 43. Berlin +11.2% Comparing activities January & March Comparing activities April & May Berlin
Notas do Editor
- Majority of the enterprises that have been in business for over 10 years, have some percentage of their infrastructure that looks like the simplified depiction in this slide - the on-premise datacenter. The key aspect of this architecture is that the Apps and Data used to reside within the first-party colo or datacenter that was owned by the enterprise. This implied that all the devices and people that were accessing the enterprises’ apps and data from an outside connection, branch office or headquarters had to connect through a defined edge of the network which was controlled by the enterprise. Network and security teams could segment and segregate this edge to build access control lists and other security measures to bolster the posture. This network edge was then followed by a stack of hardware appliance-based boxes where each box performed a specific function, such as DDoS protection, Network Firewall, Web Application Firewall, Remote Management Server, SSL/TLS inspection and so on. Once the request from the outside world was inspected as per the defined rules and policies, only then would they be routed to the appropriate apps and the relevant data. If the request did not meet the rules and policies then it was blocked or challenged.
- With the advent and significant adoption of the Cloud - IaaS, PaaS, SaaS - the architecture changed dramatically. Now, part of the app suite and data that in the legacy architecture used to reside solely within the premises of the datacenter were residing in the cloud. This created a hybrid model. The legacy network edge dissolved and did not exist anymore. Moreover, the clunky hardware appliance-based security boxes found it difficult to adapt to this modern architecture. They are not agile, scalable or intelligent to adapt to the changes.
- The advent of the cloud brought many advantages to the enterprise in terms of catering to the demands and needs of its customers. It created a new era of customer experience and defined the Age of the Customer. At the same time it challenged the legacy hardware appliance-based security service model. Let’s view these challenges across three use cases. Agility: Adoption of the cloud enabled enterprises to build apps from inception to market at unprecedented speeds. New code releases that were usually annual or a few times in a year were now being released at a monthly, weekly, daily or in some cases even at an hourly cadence! This allowed enterprises to gather A/B testing data on customer experience through digital assets and deliver a superior user experience. On the security side, the legacy model could not keep up with the velocity of this change. It started triggering an increased number of false positives, hence lowering the accuracy or breaking the delivery of the code. This was not acceptable and the enterprises started looking for a solution that is easy to deploy and is nimble to adapt to this unprecedented velocity of code changes Scalability: As shown in the previous slide, the apps and data were now residing in a hybrid environment. This challenged the legacy security solution as well, which was not poised to protect the apps and data in the cloud. Vendors made attempts to create ‘virtual patches’ and ‘cloud-based’ models as an extension of the hardware boxes but all of those solutions fell short. The requirements for a modern solution now was defined as one that can comprehensively protect apps and data agnostic of whether they live in an on-premise datacenter or in the cloud. Intelligence: The same cloud technology that enables enterprises to deliver a superior customer experience also enabled malicious actors to launch more sophisticated attacks. It’s of paramount importance for security services to have real-time context. When a vulnerability is made public through a CVE it’s a time race between the security teams and the malicious actor(s). Having a global and real-time context of the threat landscape which directly empowers the intelligence of the security service became critically important. Again, the legacy security services were found to fail in this regard, as they have no-real time context. They are reactive boxes sitting in a datacenter trying to block bad traffic against static rules and policies.
- Cloudflare’s network has the breadth and scale that organizations need to run their Internet applications. Organizations benefit from our unique architecture has all products and services running on every server, in every data center, improving our network for our customers with every new colo. Our network offers scale, the performance that helps organizations deliver superior application experience while keeping their environments secure.
- All of these shortcomings created a massive security gap for the needs of the enterprise. This gap started slowing down the pace of evolution and also put the financial, brand and customer aspects of the enterprise in jeopardy. Cloudflare recognized these gaps and needs a decade ago. As a result, we started working on a solution that would holistically meet the needs of the customers for today and the future. The key to solving this issue was to create a global cloud platform that is built on a global network. This global network would allow a diverse and rich threat intelligence context from protecting millions of Internet properties and leveraging the collective intelligence. The modern Security-as-a-Service solution is Cloudflare. No more static, non-intelligent hardware appliance-based security. All the connections from the outside world, whether they are from customers, employees from headquarters or branch offices, send the requests to Cloudflare which serves as the outer edge for the platform. The requests are inspected and blocked or challenged as per the rules and policies defined by the customer and dynamically with the real-time threat intelligence that Cloudflare curates by protecting over 20M+ Internet properties. Legitimate requests are routed to the desired destination agnostic of whether it’s on-premise or in the cloud. Simple, Fast, Reliable and Intelligent solution for the evolved enterprise architecture.
- This is our security suite of products. We are passionate about creating security solutions that protects our customers apps and data agnostic of where it resides - on-prem or in the cloud. That’s our main focus, so we put that in the center of our design philosophy. Then we look at the threat landscape of our customers - Zero-day vulnerabilities, brute force logins, API abuse, DDoS attacks, bot attacks and so on - and we purposefully build security products to protect against those. As part of our global cloud platform we offer security as a service to thwart attacks that attempt to leverage any of the attack vector mechanism shown in the slide. Our offering includes WAF, L3, L4 and L7 DDoS protection, Rate Limiting, SSL/TLS, DNSSEC, Cloudflare Access and Bot Management. Comprehensive protection for our customers applications and data, against the most sophisticated attack vectors.
- What is customer experience automation? It’s a new category of software that allows businesses to connect and automate personalized touchpoints across the entire customer lifecycle. It’s all about making every customer feel like they have a personal relationship with you, no matter how big you grow. Customer experience automation is different from other solutions in that it actually boosts the effectiveness of your existing toolset, work in tandem to make your business more customer-friendly.
- Today we have over 100k active customers on the platform, we run business in more countries than McDonalds, with half of our business being international, and we have over 300 integrations w/brands you know like Shopify and SFDC. We are rated #1 by G2 for marketing automation. We are #2 on the Shopify App Store for Marketing Automation, and has earned a 4.8 out of 5 rating with 85+ 5-star reviews. Today, we are the only marketing automation tool that caters effectively to Salesforce Essentials customers (SMB), and our listing is the #4 overall Marketing app of the entire AppExchange, and ranks #1 for Marketing Automation. We’ve been able to grow virally, without having to do a lot of marketing, because we’ve made most of our investments in delivering a customer experience. We use our own product to save time, and automate more personalized interactions through the sales process, deliver a really effective and personal customer onboarding flow, triage NPS to stakeholders and more.
- The chart in front of you shows the relative change in Internet usage as seen by Cloudflare since the beginning of the year. You’re seeing the moving average of the trailing seven days for each country, where we are using December 29, 2019 as the reference point. And this kind of increase is unprecedented at two levels: First, the scale is not unlike something that you might witness during the Super Bowl, but the key difference here traffic continues to stay high, and grow day after day. And secondly, this trend is seen globally! With India being the outlier in this set, all the major countries have seen more than 1.5 times increase in traffic since the pandemic started. US, Canada, Australia and Brazil are all running at approximately 50% higher usage compared to what they were seeing at the begining of the year.
- “Old School” Techniques Still Provide Significant Value: IR can leverage Rate Limiting, Challenge and Blocking Features during (D)DOS events Targeted Rate Limits for certain areas of our application: Links posted to social media results in scaled resource usage and occasional abuse
- CloudFlare enables us to balance and respond to changes in traffic shape. Placing public web infrastructure behind CloudFlare saves money, stress and the customer experience.
- CloudFlare enables us to balance and respond to changes in traffic shape. Placing public web infrastructure behind CloudFlare saves money, stress and the customer experience.
- We used the load balancing feature to slowly introduce an API gateway to our service infrastructure. Putting an API gateway (reverse proxy) onto our live API service -- which handles over 200 million requests daily -- had to be done with care and observability. The load balancing feature -- with CF’s analytics -- allowed us to control the traffic that was handled by the new proxy layer. Cloudflare made it easy and safe to test in production.