Business Case
From email hacking and mobile malware to more prominent data breaches, insecure websites and vulnerable web applications have become the de facto starting point for all types of attacks. As businesses continue to lean on mobile applications and IoT devices to facilitate business interactions, many online transactions occur at the application layer. Attackers often target these applications to reach the sensitive data stored in the backend database, which the web applications themselves are allowed to access.
A web application firewall (WAF) protects web applications from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others.
WAFs are important for a growing number of organizations that offer products or services online—this includes mobile app developers, social media providers, and digital bankers. WAFs can help businesses protect sensitive data, such as customer records and payment card data, and prevent leakage.
While it is important to have a WAF to protect critical information in transit between users and applications, it is equally important to combine it with other security measures, such as securing the key the WAF uses to decrypt TLS (HTTPS) traffic.
Extending Fortanix FIPS 140-2 Level 3 Security to Imperva Cloud WAF
Imperva Cloud WAF is delivered by multiple cloud-based points of presence globally. Fortanix works with Imperva WAF to ensure that the cryptographic keys used to secure the TLS connections are protected and controlled in a manner commensurate with requirements of standards and rulings such as PCI-DSS, Schrems II and HIPAA.
Using Fortanix DSM in conjunction with Imperva WAF means the encryption keys are stored and secured within Fortanix Data Security Manager, separate from Imperva’s servers. This ensures separation of key material from the data, provides a tamper-proof audit trail of cryptographic key usage, and allows a key to be disabled immediately, rendering it unusable, if required.
The protection of encryption keys in Fortanix DSM gives customers assurance that traffic between clients and the protected web servers cannot be decrypted by any unauthorized party.
Key Capabilities
- FIPS 140-2 Level 3 certified HSM.
- Separation of key material from data.
- Tamper-proof audit log of key usage with SIEM integration available.
- Single pane of glass key and cryptographic policy management.
- DSM SaaS architecture allows for easy scaling of transactional throughput capability to support any level of load.
- Highly available with intelligent load balancing built in.
Solution Highlights
- Certified solution supported by Fortanix and Imperva.
- DSM SaaS is a cloud native subscription-based solution.
- Cloud-powered with the robust protection of an on-prem solution.
- Hold Your Own Key (HYOK) solution for cases where there is a regulatory need to ensure keys are separated from your data.
- Enterprise-level access control and audit logging.