Date post: | 19-Dec-2015 |
Category: |
Documents |
View: | 223 times |
Download: | 2 times |
Imperva
The Leader in Application Data Security and Compliance Eran CohenEMEA Sale [email protected]
2
Agenda
• Corporate Overview
• Application Data Security and Compliance
Why is it so difficult?
• Introduction to Imperva Solutions
• Universal User Tracking
• Why Customers Select Imperva
3
Imperva Mission
To deliver the industry’s most robust and widely deployed solution for addressing application data
security and compliance issues.
4
• Leader in application data security and compliance– The market leader in Web Application Firewalls
– Market leader in Database Audit, Monitoring and Security
– Most impressive data security and compliance customer base in the industry
• Founded in 2002
• Global Company
– US headquarters in California; International headquarters in Israel
– Local presence in all major global markets: USA, UK, France, Germany, Japan, China, Taiwan, Israel
• 50 active channel partners world-wide
• 300+ customers, will double customer base in ’07
• Seasoned management team, led by President and CEO Shlomo Kramer, one of 3 founders of Check Point
Imperva Overview
5
Finance
Media / TelcoHealthcareInsurance
CreditCard
Our Customers by Key Industry Segments
6
HealthcareInsurance
CreditCard
Government Technology
OthereRetail / RetaileRetail / Retail
Our Customers by Key Industry SegmentsOur Customers by Key Industry Segments
7
What is the Challenge ?Controlling Unauthorized Activity
Business Users
Administrators
Developers
Internal Users
Customers
Partners
Internet Users
External UsersApplication Data
Privilege Abuse
Vulnerability ExploitVulnerability Exploit
Privilege Abuse
• Privilege abusePrivilege abuse – Unauthorized Activity inside the Business Process – Unauthorized Activity inside the Business Process – Internal user usage of data outside their job function Internal user usage of data outside their job function
• Technical staff accessing data in the infrastructure they supportTechnical staff accessing data in the infrastructure they support– External users performing activity outside authorized use of applicationExternal users performing activity outside authorized use of application
• Vulnerability exploits Vulnerability exploits - Unauthorized Activity outside the Business Process - Unauthorized Activity outside the Business Process – Internal or external user exploiting vulnerabilities in the application or Internal or external user exploiting vulnerabilities in the application or
infrastructure to gain unauthorized access to datainfrastructure to gain unauthorized access to data
• Privilege abusePrivilege abuse – Unauthorized Activity inside the Business Process – Unauthorized Activity inside the Business Process – Internal user usage of data outside their job function Internal user usage of data outside their job function
• Technical staff accessing data in the infrastructure they supportTechnical staff accessing data in the infrastructure they support– External users performing activity outside authorized use of applicationExternal users performing activity outside authorized use of application
• Vulnerability exploits Vulnerability exploits - Unauthorized Activity outside the Business Process - Unauthorized Activity outside the Business Process – Internal or external user exploiting vulnerabilities in the application or Internal or external user exploiting vulnerabilities in the application or
infrastructure to gain unauthorized access to datainfrastructure to gain unauthorized access to data
8
The Data Governance Paradox
• Option 2: Fail Audits–Significant Implications
•SOX – Companies that fail audit can’t report earnings
– Loss of credibility, public trust and business
– Worst case scenario is de-listing
– Executives of companies that report fraudulently are personally liable and face jail-time
•PCI – Fines of up to $500,000 per failed audit
• Option 1: Manually Pass Audits– Expensive
• Consulting, verification and audit investment is high
• Medium business spend 2.55% of revenues on SOX compliance
– Disruptive• Often requires detailed analysis and major revamp of critical business processes
• Takes up significant amount of on-going personnel time (40% for some organizations)
90% of organizations fail auditshttp://www.itpolicycompliance.com/research_reports/spend_management/read.asp?ID=10
9
Web/Web Services
Cu
stom
Ap
plicatio
ns B
usi
nes
sA
pp
lica
tio
ns
Protecting & Governing Data: What’s Entailed?
• Direct Access via Database Protocols
– DBAs via query tools– Internal users via Fat client
applications (e.g., Visual Basic)
• Three-tier applications– Internal users via Business
applications• SAP, E-Business Suite, Peoplesoft• Custom 3-tier applications
• Web applications– Internal & External users via browser
interfaces• Both packaged and custom applications
• Application Interfaces– Applications via Web Services
Interfaces
Browser Browser
DBA
SQL
Data
Thin Client3 Tier App
Thick Client2 Tier App
Thin Client3 Tier App
ApplicationInterface
10
Why is this so tough?
• Business Applications are
Big and Complex
• So are Regulatory
Mandates
• Profitability of data theft
tempts internal users
• Many potential solutions
burdens IT
ERP
CRM
? ? ?
CustomLegacy Apps
Internet Facing Apps
Other Data Stores
Internal User
11
Introducing SecureSphere
• Industry’s only complete solution for security and compliance of enterprise data.
• Activity monitoring, audit and security for business applications and databases.
• Offers full visibility into data usage – From end user through application and into database
– Hybrid network and host-based architecture • Visibility and controls for all data access points
• >300 customers, 1000’s of sites and 10,000’s of applications protected
“Database monitoring and auditing is one of the most promising new categories of data security, and one with particular appeal to internal and external auditors.”
Rich Mogull, Research Vice President, Gartner
12
Easing Regulatory and Security Compliance
Meet Business and Technical Needs
Complete Data Governance and Protection• Assess the IT environment
• Set Controls and Policies
• Monitor Activity and Enforce the Rules
• Measure against regulatory requirements and security policies
Seamless Deployment, Unrivaled Operational Efficiency• No Impact on Database Server• No Impact on Applications or Network• No On-going Tuning• Hierarchical Object Oriented definition of Users, Roles, Applications• Task Oriented Workflow• Covers all WEB traffic and WEB Services
• Covers all major databases – Oracle, SQL Server, Sybase,IBM DB2 (including z/OS) and Informix
13
• MX Management Server– Centralized operations– Role-based Administration– Hierarchical management
for large organizations
• Web Application Firewall (WAF)– Automated, efficient application security– Starting point for some enterprises
• Most customers expand to DSG in second phase
• Database Security Gateway (DSG)– Adds preventative controls to DMG
• Active security enforcement
• DBA Monitor Agents– Provides full visibility into local activity
on database servers– Complementary to Database
Appliances
• Database Monitoring Gateway (DMG)
– Full DB Audit and security lifecycle
• Assessment• Policies• Monitoring• Measurement
– Full visibility to the end (application) user
– Full compliance policy and reporting suite
Imperva SecureSphere Product Line
Web Application Firewall
– Protect applications– Protect Web services
Database Monitoring Gateway– Audit database activity
– Assess DB against best practices
Database Security Gateway
– Protect database– Assess database and
audit activity
Management ServerUnified, scalable management DB Monitor
AgentLocal Privileged
ActivityMonitoring
14
Imperva Application Defense Center
• Application Data Security and Compliance Experts
– Researches latest threats and compliance best practices
• Applications (SAP, Oracle EBS, PHP, Perl, OWA & others)
• Databases (Oracle, DB2, SQL-Server & others)
• Compliance mandates (SOX, PCI, HIPAA & others)
– Provides weekly & on demand updates via ADC Insight Services
15
Universal User Tracking
Imperva SecureSphere provides the most:
• Accurate• Effective • Flexible
set of user identification mechanisms to identify the
user responsible for each instance of database access
16
Application User Tracking
• Web Application User Tracking: – Identifies and tracks individual web users and their interactions
with web applications
• Web to Database User Tracking: –Tracks each web application user’s activities from their
interactions with the web application through each of their interactions with the database
• SQL Connection User Tracking: –Links each end user’s identity to the SQL commands the user
makes to a database in cases of connection pooling
17
Why Customers Chose Imperva
Business Relevant Reporting
Highly customizable reporting for specific business applications & regulatory mandates.
Automation & Accuracy
Ability to model change to applications, usage patterns and data structures over time.
Integrated End-to-end Coverage
Full coverage for all paths to the data. A unified view of access that simplifies management and provides full information to
satisfy auditors and forensic investigators
Performance & Scalability
Capacity, availability and ease of management that meets the deployment requirements of complex global companies
World Class Customer Service
Imperva customers enjoy 24 X 7 X 365 access to a global team of engineers with deep technical expertise and real-world
deployment experience.
Thank You
Imperva, Inc.www.imperva.com