© 2015 Imperva, Inc. All rights reserved.
Incapsula: How to Increase SaaS Websites’ Uptime and Accelerate Performance
Nicole Donner, Incapsula
Jason Sweitzer, Tempus Technologies
Introduction
• Thanks for joining our webinar
• The webinar will last 30 minutes and will be recorded
• Questions will be answered during the session
• Incapsula: Incapsula provides any website and web application with best-of-breed security, DDoS protection, load balancing and failover solutions—available as standalone services or as an integrated solution.
• Tempus Technologies: Whether your business accepts payments by credit card, debit card, or health benefit card, PaymentMate® is the versatile and cost-effective software solution.
For audio, please dial into 1-(888) 681-1078, conference code is 490 048 1
Agenda
• Business and Technical Challenge for SaaS companies
• Solution #1: Saving Time with WAF
• Solution #2: Increasing Up Time
  – Failover ISPs
  – SSL Frontend
  – DDoS and PCI
• The Results and Benefits
• Wrap-Up
• Q&A
Poll
How many of you run or help manage IT for a SaaS company?
Please answer in the chat, reply to “All – Entire Audience”
Business and Technical Challenge for SaaS companies
Business and Technical Challenge for SaaS Companies
• Scalability
  – Needed to scale application between multiple data centers
• Availability
  – Automatic failover in the case of a server or data center outage
• Security
  – PCI Compliance
    • Web Application Firewall for PCI
• Load Balancing/Failover
  – Best done at proxy level
  – DNS Failover has a relatively slow failure detection/re-route
  – Needed to meet demanding customer SLAs
Business and Technical Challenges for SaaS Companies
• Physical hardware deployment issues
  – Expensive up front costs
  – Very little practical DDoS capability
    • Rate limiting
    • Simple remediation measures are quickly rendered useless if your internet connection has been saturated by attacker’s data
    • Far more practical 5 years ago when attack vectors were less sophisticated and had far less volume
  – High touch administration
    • Constant firmware and signature updates requiring reboots causing administrative costs/productivity loss
  – SSL
    • Required all SSL Certificates to be installed on all server clusters
    • SSL Costs became prohibitive for our SMB clients
Poll
Have you used a WAF for your company’s website before?
Please answer in the chat, reply to “All – Entire Audience”
Saving Time with WAF
• Quick site setup
  – Configure a domain
  – Reconfigure DNS
  – Wait for SSL certificate issuance
• Reduced maintenance
  – All signatures are automatically updated
  – Zero-Days are automatically patched and deployed
• Dashboard
  – Live view gives deep insight into traffic and attack patterns in real time
  – Flexible rules allow for custom rule writing
Increasing Up Time: Failover ISPs
• Application availability is paramount
  – Tempus utilizes live load balancing between 3 data centers and 6 ISPs
  – Configurable with various routing rules
  – Quick detection and re-route of traffic
  – Allows us to utilize more lower SLA providers for a higher overall uptime percentage with a lower overall cost
  – Easy server maintenance
    • Simply take one data center or origin server down for maintenance and traffic keeps flowing
Increasing Up Time: SSL Frontend
• SSL Deployment critical
  – Use one SSL certificate on the origin server
    • Significant network simplification
      – 1 IP per server instead of 1 IP per site
  – Use Incapsula generated and signed certificates on all front end servers
    • Reduces deployment and SSL costs
    • Allows us to offer vanity domain names for our clients at a cheaper cost
    • Reduces administrative overhead of managing SSL certificates for dozens of clients
  – No certificate expiration management
Increasing Up Time: DDoS and PCI
• Hardware based WAF will not handle modern DDoS
  – Layer 7 is the only data it will see
  – Other network infrastructure will crumble under network layer DDoS such as SYN floods, DNS reflection, etc.
  – Layer 7 protection won’t help if the network flood overwhelms network pipe
    • Even large (1GBPS +) pipes are easily overwhelmed by DDoS for hire
• Block attack traffic in the cloud before it gets close to your infrastructure
• Incapsula is PCI Compliant
  – Allows compliance with PCI DSS Mandates
Results and Benefits
• Significant cost savings
  – No hardware costs
    • Comparison: Barracuda 860 WAF $24,999 + $17,749 annually for signatures, support, and replacement insurance (Double for redundancy)
  – No additional SSL certificate costs
  – No Signature update/Annual maintenance costs
  – 40% Reduced bandwidth costs due to edge caching
• Enhanced security
  – Automatic zero day fixes
  – Automatic attack signatures/mitigation
• Availability improvements
  – Near perfect uptime due to multi-site/multi origin server failover
  – Having Incapsula operations team on the front-end allows leaner operations staff
Wrap-up
• Quick set-up with WAF, reduced maintenance, zero-day vulnerabilities are patched and deployed, dashboard is available for live analytics
• Use load balancing to increase application availability
• SSL deployment is critical
• Block attack traffic in the cloud before it gets close to your infrastructure