Akamai Security Products - Cloud Computing, Enterprise, Mobile

Transcript of Akamai Security Products - Cloud Computing, Enterprise, Mobile

Page 1: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Akamai Security Products

Page 2: Akamai Security Products - Cloud Computing, Enterprise, Mobile

©2011 Akamai Powering a Better Internet

Key Areas of Cloud Security for Akamai

• Protect Web Availability: Internet Infrastructure Security

• Web Application Firewall: Application Security

• Remove Credit Cards: Payment Tokenization

Page 3: Akamai Security Products - Cloud Computing, Enterprise, Mobile

The Akamai EdgePlatform

• 85,000+ Servers

• 1,700+ Locations

• 900+ Networks

• 70+ Countries

• Compliance/Security:

• PCI Compliant SSL (Data)

• Distributed WAF (Apps)

• Edge Tokenization (Payments)

Daily Web traffic of over 4 Tbps

Page 4: Akamai Security Products - Cloud Computing, Enterprise, Mobile

DDoS Attacks on the Rise

74% of surveyed companies experienced one or more DDoS attacks in the past year, with 31% of these attacks resulting in service disruption

• Forrester July 2009

"The Akamai network saw more DDoS attacks in the fourth quarter of 2010 than in the first three quarters of the year combined so as companies continue to push business-critical data and operations into the cloud, the need to protect these assets from the growing number and increasing sophistication of Web attacks increases dramatically."

• Akamai chief scientist and co-founder, Tom Leighton

Page 5: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Holiday Season 2010 – Coordinated DDoS

Attacked IR50-250 eCommerce Web Sites Protected by Akamai

PROTECTED         Times Above Normal    Peak Attack Time
US Customer #1    9,095x                11/30
US Customer #2    5,803x                12/1
US Customer #3    3,115x                11/30
US Customer #4    2,874x                12/1
US Customer #5    1,807x                12/1

Highly distributed DDoS attacks from Asia-Pac, South America and Middle East

[Chart legend: Customer #1, Customer #2, Customer #3]

Estimated Potential Lost Revenue Impact = $15 million

Page 6: Akamai Security Products - Cloud Computing, Enterprise, Mobile

One Customer, Different DDoS Attacks

Attacked Top IR150 eCommerce Web Site Protected by Akamai

PROTECTED    Times Above Normal Pages    Time
Attack #1    300x                        Nov 18, 2010
Attack #2    35x                         Jan 14, 2011

Attack #1 – Highly distributed, no recognizable pattern

Attack #2 – Highly distributed, concentration from Eastern Europe – Russian Federation, Greece, Ukraine, Belarus, Latvia, Kazakhstan

Peak DDoS traffic of 300 Mbps

[Chart labels: #1, #2]

Estimated Potential Lost Revenue Impact = $350,000

Page 7: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Korean Gaming Company

Multi-Phase, Varying Signature Attack - Protected by Akamai

PROTECTED      Times Above Normal Pages    Time
Gaming Site    33x                         Jan 3 2011

Phase #1 – repeated requests for non-existing object

Phase #2 – malformed HTTP requests w/o user-agents

Attack traffic directed from South Korea

[Chart labels: #1, #2]

Estimated Unique Customers Impacted = 1,500

Estimated Missed Advertising Impressions = 36,000

Page 8: Akamai Security Products - Cloud Computing, Enterprise, Mobile

DDoS Mitigation with Akamai

[Diagram labels: End User, Akamai Site Shield, Trusted Connection, Web Site Infrastructure]

Page 9: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Akamai Unveils New Architecture for DDoS

• IP Blocking & Rate Control: IP blocking & rate limiting capabilities at network layer

• Web Application Firewall: Web application firewalling at Layer 7 (application layer)

• eDNS w/DNSSEC: Scalable protection for Domain Name System (DNS) attacks

• Global Traffic Management: Blocking of traffic by geographic region

• User Validation: Identification of suspected BOTs from real users to de-prioritize or block

• Site Shield: Ability to cloak web infrastructure from the Internet

• DoS Readiness: DDoS specialists to assess infrastructure and develop a run-time playbook

• Customer Support: 24/7 support with a response SLA

• Advanced Caching, NetStorage + Failover: Akamai’s edge absorbs traffic and can failover

• Fee Protection: Capped exposure to bursting fees related to an attack

Page 10: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Key Areas of Cloud Security for Akamai

• Protect Web Availability: Internet Infrastructure Security

• Web Application Firewall: Application Security

• Remove Credit Cards: Payment Tokenization

Page 11: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Application Layer Threats

State of Application Security

95% of corporate Web Apps have severe vulnerabilities

• Average enterprise website has 13 serious security vulnerabilities [1]

• The average time-to-fix for large organizations is 15-weeks [1]

Why?

• Competition drives website innovation and complexity

• Migration of enterprise apps to the Web, outside firewall

• Introduction of many new technologies for programmers

Over 95% of corporate web applications have severe vulnerabilities

[1] WhiteHat Website Security Statistic Report, Fall 2010; [2] Aberdeen Group, 2010

Page 12: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Akamai’s Web Application Firewall

Launched in Jan’10 — distributed in the cloud

Helping customers comply with Payment Card Industry — Data Security Standard (PCI-DSS)

• Web Application Firewall for PCI Section 6.6

Provides on-demand scalable protection from malicious Web application attacks such as cross site scripting (XSS) and SQL injection style attacks

• Example: eCommerce customer, 1-week

• 11 billion requests processed (110K/sec peak)

• Successfully alerted or blocked more than 8 million rules in a single week

Page 13: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Akamai Web Application Firewall

Web Application Firewall adds Layer7 & fast IP blocking

• IP blacklist/whitelist changes in 30-45 minutes

• Avoid Layer7 DDoS and injections

• Akamai WAF addresses PCI DSS 6.6 Compliance

Page 14: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Akamai Adds New Protection from Layer7 (Application Layer) Attacks

Addition of custom rules at the edge

• Augments existing core rule set

Partnership with Qualys for vulnerability scanning

• Used by Akamai PS to populate WAF with customer-specific rules and virtual patching for web sites

• "Partnering with Akamai was a clear choice for us, especially as more security moves to the cloud. We look forward to helping enterprise customers with our vulnerability solutions in order to increase their defenses against malicious web activity." - Philippe Courtot, CEO of Qualys

Configurable IP rate limiting in the cloud

• Offloads unwanted bandwidth from BOTs and scrapers

Page 15: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Key Areas of Cloud Security for Akamai

• Protect Web Availability: Internet Infrastructure Security

• Web Application Firewall: Application Security

• Remove Credit Cards: Payment Tokenization

Page 16: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Edge Tokenization: PCI Challenges

PCI rules govern any card information stored or processed in the merchant infrastructure.

• Level 1, Level 2 merchants need to undergo audits, scans

• Level 3 and Level 4 merchants need to fill in a questionnaire

Costs for an audit can be substantial; costs for a breach can put companies out of business.

Merchant Level      Number of card transactions/year    Average PCI Audit Preparation Expense*
Level 1 Merchant    More than 6 Million                 $2.1M
Level 2 Merchant    1 Million to 6 Million              $1.1M

*Source: Gartner 2008, numbers exclude PCI assessment costs

Page 17: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Akamai’s Solution

• Servers placed in PCI compliant facilities

• Strict access procedures

• Logs of physical entry and cameras

• Key Management Infrastructure

• PII decryption in memory only, never on disk

• Annual audit to ensure PCI compliance

Secure SSL Delivery — Akamai’s Dedicated SSL Network

Akamai Operates the First PCI Compliant CDN

Page 18: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Edge Tokenization: How it Works

[Diagram labels: Customer, Datacenter, Merchant Order Management System, Payment Gateway, Payment Gateway’s Data Vault]

Page 19: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Benefits

• Reduces PCI scope for online transactions

• Leverages Akamai’s Level 1 PCI Compliant Network

• Enables web retailers to transact securely and at scale

• Tight integration with leading payment gateway providers

• Preserves Payment Gateway functionality

• Credit card data is never stored on customer infrastructure

• Easily integrates into existing workflow

• Accelerates critical commerce transactions on Akamai’s high-performance and highly resilient EdgePlatform

Page 20: Akamai Security Products - Cloud Computing, Enterprise, Mobile

Key Areas of Cloud Security for Akamai

• Protect Web Availability: Internet Infrastructure Security

• Web Application Firewall: Application Security

• Remove Credit Cards: Payment Tokenization