
6 Steps to Create a Secure Website

There are roughly one billion active websites online, or one for every seven people alive right now. How about yours? Is it a secure website?

Every single second, a couple of new websites are born into this world. That’s a lot of websites, so how are they being created, and how do you make one? And also, how do you keep your website secure from all the cyber threats out there?

A Secure Website in 6 Steps?

The steps needed for making a website, from registration to design, coding, operation and growth, can be a very long and complex process. Each step has a lot more nuance to it than fits here, but this guide should point you down the right path to setting up a secure website.

1. Choose Your CMS

How are you going to build your site? These days you don’t need to be a computer programmer to put together your own fully functioning website thanks to Content Management Systems (CMS). With CMS solutions like WordPress, Joomla, and Drupal, putting together a website is about as easy as building a house out of Lego. No matter what CMS you choose, new exploits are uncovered almost weekly. This means you need to stay on top of software updates and patches to keep your site secure.


2. Sign Up for a Web Host

Your domain name is like the street address and the CMS is like the materials you build your site with, but the web host is the actual plot of real estate where your website exists online. Some are free and come with bandwidth limitations or embedded ads, and there are commercial options that run much better. Many hosts also provide server security features which can better protect your uploaded website data. Check if a web host offers Secure File Transfer Protocol (SFTP), which makes uploading files much safer. Many good hosts should also offer file backup services and have a public security policy showing how well they keep up to date on security upgrades.

3. Design Your Website With Security in Mind

What’s your website going to look like? Hiring a designer is usually worth the money you pay, but if your site is straightforward enough then you don’t need to do anything fancy. These days, simplicity is the golden rule, and minimizing add-ons and plug-ins is recommended for aesthetic, operational, and security concerns. The main thrust of your site should be text-based and presenting your product clearly, with images and design flourishes playing in the backup band. Basically you should focus more on avoiding bad design than embracing great design.

4. Apply a Web Application Firewall (WAF) to Protect Your Site

As soon as your website is online, it is exposed to a rogue’s gallery of cyber threats. Automated bots are out there scanning for vulnerable websites, and newly created sites are an especially tempting target. Adding a web application firewall (WAF) such as Cloudbric, Incapsula, or Cloudflare, will ensure that you have a secure website before the attacks start.

5. Do Business Online Secured by Secure Sockets Layer (SSL)

If you’re going to have users registering on your website, and especially if there will be any kind of transaction, you need to encrypt that connection. Using SSL certificates creates a secure handshake between your website and clients’ devices, ensuring that no third party can covertly slip in between and monitor, hijack, or shut down any transactions taking place. GlobalSign is one good example of a widely available SSL certificate that pairs well with almost every website.

6. Grow as a Responsible, Respected Member of the World Wide Web

So you have a functioning, secure website protected from security threats, and you are engaged in commerce for your business. Now the main duty is to grow and reach more people! Reach out through SNS, set up your site so it can be indexed by search engines, and take advantage of SEO opportunities. The Internet is your oyster. But never lose track of your security needs, and focus on maintaining a reputation characterized by responsibility for cyber security matters.

Once you’ve finished these steps, your website is ready to make its mark on the Internet!


This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.


Asian Cyber Security Vendor of the Year: Honored for 2016

APAC market leader Penta Security Systems Inc. awarded by Frost & Sullivan

Seoul, Korea: On June 15, Penta Security Systems Inc. was awarded the honor of Frost & Sullivan Asian Cyber Security Vendor of the Year. The award was given at this year’s 13th annual Frost & Sullivan Asia Pacific ICT Awards Banquet in Singapore.

Cyber Security Vendor

Frost & Sullivan selected Penta Security Systems after concluding evaluations with a team of 30 analysts and consultants based in the Asian-Pacific region. Analysts examined a variety of indicators including revenue growth, market share, leadership in product innovation, major customer acquisitions, and business and market strategy. Specifically, Frost & Sullivan noted that Penta Security continues to make headway into new industries with its smart car security solution, AutoCrypt. AutoCrypt detects vehicular attacks from external systems utilizing its Application Layer Firewall, and has garnered significant attention with the increase in the news of vulnerabilities in smart cars.

CEO and Founder Seokwoo Lee attended the annual ICT Awards Banquet in Singapore in order to receive the award.

Regarding reception of the award, he stated, “We are honored to receive the Asian Cyber Security Vendor of the Year award. It confirms the 19 years of hard work we have put into development in information security.” He added, “We will continue to pursue excellence and growth in web and data security – not only in APAC, but worldwide.”

Having built relationships globally among enterprises and institutions, Penta Security Systems has grown rapidly along with the rise in demand for web and data security products. In 2015, its web application firewall (WAF) WAPPLES was acknowledged by Frost & Sullivan as the leading WAF in the APAC region in terms of market share. The top WAF in Korea for three consecutive years, WAPPLES boasts a COCEP™ (Contents Classification and Evaluation Processing) engine, rather than traditional pattern-matching methods utilized by other cyber security vendors.


About Penta Security:

Penta Security Systems Inc. was founded in 1997 by CEO Seokwoo Lee. The company is a market leading provider of web and data security products, solutions, and services in the APAC region. Penta Security protects more than 117,000 websites. Additionally, it blocks more than 108,000,000 web attacks per month. Recognized by Frost & Sullivan, Penta Security Systems is the top Web Application Firewall vendor in the APAC Region based on market share.

For more information on Penta Security, please visit www.pentasecurity.com. For potential partnership inquiries, please send an email to info@pentasecurity.com. For more details on the Asia Pacific ICT Awards, please visit http://www.ict-awards.com/.


Column-Level Encryption: What to Consider

There’s no single, magical, ultimate solution to keeping your information safe – if there was, the multitude of companies that have already invested millions of dollars into protecting their applications, systems, and networks would be much richer. The last couple of years has been difficult on companies and organizations that have suffered data breaches right and left. The reality is that no matter who you are or how well your company is doing, several measures of protection need to be taken to lessen the possibility of a database attack. One of those ways is column-level encryption.

I’m sure you’ve heard about encryption before – whether it is in the context of securing your database, or in the context of some thrilling movie where a code needs to be decrypted in order for the hero to make his way into a secret vault somewhere – but encryption, while a simple concept, has many variations to it as well. Column-level encryption is one of them.

First things first, what is column-level encryption?

Assuming you understand the basics of encryption (if you don’t, not to worry – here’s a great Encryption 101 guide), let’s think about a basic database structure. A typical database will have columns and rows of data. Now, file-level encryption is a database encryption method where individual files are encrypted as a whole. There are benefits to this method as there is one master key for encryption. However, with column-level encryption, you can encrypt just individual columns – this also means that each column can have its own unique encryption key within the database.

The benefits?

Flexibility

Because you’re not encrypting the entire file, when choosing what data to encrypt, column-level encryption does allow for more flexibility. After all, why encrypt something that doesn’t need to be encrypted?

Additionally, column-level encryption is possible even when the database is active. (Some types of encryption only work on data “at rest”, meaning stored data that is not being used, rather than on data “in transit” or “in use”, which refers to active data.) This means functionality is maintained, which matters when encrypting data that is constantly being accessed or updated.

Speed

Column-level encryption allows for efficiency because there’s less encrypted data. Overall, you’ll have better system performance because encryption for the whole file isn’t necessary. While it might not seem like a big deal, this becomes a huge benefit and efficient system when managing a significantly large database. Trying to encrypt a whole file can be overwhelming – for both you and the system.

For example, perhaps you’re in marketing and have a database of customer contacts. One of your fields might be the customer’s favorite color, another their preferred method of contact. These fields don’t need to be encrypted, and encrypting them would only slow down performance.

However, it’s important to mention here that faster performance isn’t always the case. If all individual columns are encrypted (with their own unique keys) within the whole file, that’s when database performance decreases. Even the act of indexing or searching for the contents within the database can take longer than necessary.

Security

I’ve already mentioned that different columns have unique keys, which adds a layer of security to your database: one key alone will not give access to the entire file. Column-level encryption also allows keys to be delegated to authorized users, decreasing the likelihood that data in your columns will be lost.
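As an added example (not code from this article or from Penta Security’s products), here is the scheme the Flexibility, Speed and Security sections describe, in Go: each sensitive column gets its own key derived from a master key, non-sensitive columns such as favorite color stay plaintext, and a user delegated one column’s key cannot open another column. Assumptions: AES-256-GCM as the cell cipher and a single HMAC-SHA256 step as the per-column key derivation, both my choices for the demo rather than any product’s design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Row is one record of the marketing-contacts table from the text: only the
// columns holding sensitive data are encrypted; the rest stay plaintext.
type Row map[string][]byte

// ColumnKey derives a distinct 256-bit key per column from the master key, so
// holding the "ssn" key reveals nothing about "card". (Assumption: one
// HMAC-SHA256 step labelled with the column name stands in for a real KDF/KMS.)
func ColumnKey(master []byte, column string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("column:" + column))
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn seals one cell with that column's key. The column name is bound
// as associated data, so a cell copied into another column fails to authenticate.
func EncryptColumn(key []byte, column string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored cell layout: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(column)), nil
}

// DecryptColumn reverses EncryptColumn. A wrong key or wrong column yields an
// error, not garbage: that is what a user without the delegated key sees.
func DecryptColumn(key []byte, column string, cell []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(cell) < aead.NonceSize() {
		return nil, errors.New("cell too short")
	}
	nonce, ct := cell[:aead.NonceSize()], cell[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(column))
}

// EncryptRow encrypts only the listed sensitive columns, leaving fields such as
// favorite_color untouched so they can still be indexed and searched cheaply.
func EncryptRow(master []byte, row Row, sensitive []string) (Row, error) {
	out := make(Row, len(row))
	for col, val := range row {
		out[col] = val
	}
	for _, col := range sensitive {
		val, ok := row[col]
		if !ok {
			continue
		}
		ct, err := EncryptColumn(ColumnKey(master, col), col, val)
		if err != nil {
			return nil, err
		}
		out[col] = ct
	}
	return out, nil
}

func main() {
	master := make([]byte, 32) // constructed master key for the demo
	rand.Read(master)
	row := Row{"name": []byte("Ada"), "favorite_color": []byte("teal"),
		"ssn": []byte("123-45-6789"), "card": []byte("4111111111111111")}
	enc, err := EncryptRow(master, row, []string{"ssn", "card"})
	if err != nil {
		panic(err)
	}
	// Delegation: an analyst receives only the ssn key, so card stays closed.
	ssnKey := ColumnKey(master, "ssn")
	pt, err := DecryptColumn(ssnKey, "ssn", enc["ssn"])
	fmt.Printf("favorite_color: %s, ssn: %s (err=%v)\n", enc["favorite_color"], pt, err)
	_, err = DecryptColumn(ssnKey, "card", enc["card"])
	fmt.Printf("card with ssn key: err=%v\n", err)
}
```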

With its benefits, column-level encryption has been gaining in interest. But as we always say, it’s the user’s job to research and analyze each method before applying the solution, whatever the consequences may be. Hopefully this gives you a bit of an introduction into this encryption method. Think about what kinds of services may be right for you. What are some of your ideas?


For more information on MyDiamo, Penta Security’s security solution for open source DB (which utilizes column-level encryption), check out www.mydiamo.com

To find out more about Penta Security’s encryption solutions, head to the D’Amo Overview page, or contact us at info[at]pentasecurity[dot]com


Security in IoT

Since its first introduction 15 years ago, the Internet of Things (IoT) has become one of the hottest topics. These days, thousands of new IoT products are launched into the market each year. Although the first IoT product was only a modified Coca Cola machine, IoT is now a part of our everyday lives, and we feel that this is a great change. Information security is often a neglected topic, but with IoT, it’s begun to turn heads.

Stories have already been published showing that security measures are needed for IoT products, as IoT hacks are on the rise. With smart car hacks, baby monitor hacks, and children’s toy hacks running rampant, we have to ask about security. Technically speaking, not all IoT products need security. Children’s bracelets that only sense a child’s mood through body temperature do not need as many security measures as bracelets that track a child’s location. Security is often only a concern when the data would be valuable to an attacker if compromised.

How Is Security Different for IoT Businesses?

Currently, there are three major types of security that businesses regularly use:

Physical Security

Physical security is the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damages. Examples of physical security include CCTV surveillance, security guards, access control protocols, etc.

Information Security

The second type of security is information security. Information security is a set of business processes that protects information regardless of how the information is formatted or whether it is being processed, in transit or stored. The most common methods of information security are: encryption, malware detection, and digital signatures.


Convergence Security

The third and newest type of security is convergence security. Although the quickest growing, convergence security is still a new security concept. Its meaning is just what its name suggests—a convergence or combination of physical and information security. With convergence security, the security systems of a company are joined together with the company’s IT solutions. This allows the company’s physical security to play an integral role in IT. Perhaps it may become the ultimate solution to IoT security.

Many people mistakenly believe that convergence security is difficult to develop. However, it is just the act of incorporating information security technology into existing industry systems: customizing physical and information security to an industry’s protocol. It does not require a whole new concept of security algorithms. For example, if a manufacturing factory is transitioning into a smart factory, where all the equipment is automated, security is needed to ensure that hackers do not interfere with manufacturing schedules and output. The factory can then work with an information security firm to make sure previous physical security measures are updated with the newly implemented information security scheme, thereby maintaining their existing security measures while updating protocols to meet industry convergence security standards.

Top Five Industries of IoT Security Development

The development of IoT can be categorized into five different industries. Just as industries vary in the type of data or functions that they process, their security regulations also vary. For example, the automotive industry’s security regulations are much stricter than those of consumer electronics. Also, how far security solutions have actually developed depends on how far that industry itself has developed, because as the demand for a product or service skyrockets, so does the demand for its security. For these reasons, five industries have been identified as focal points in the demand for IoT security development.

1. Automotive

Probably the most pressing IoT security issue is smart car technology. Duk Soo Kim, the CTO of Penta Security Systems, said that “Security technology has been used to protect the assets of businesses and people, while smart car security protects those people’s lives.” It is clear that hacking smart cars or transportation system/traffic information systems can directly lead to serious physical damage and/or casualties. The US Department of Transportation has already taken key steps toward requiring security technology to be installed in every smart car in the U.S. by proposing regulations for standard Vehicle-to-Vehicle (V2V) technology. Smart car security solutions such as AutoCrypt, CycurLIB, ArgusIDPS and Aerolink are already available in the market.

2. Consumer Electronics

Consumer electronics are the most common IoT products. From major tech conferences, such as CES and the Internet of Things World Forum, to television commercials, you can see that IoT is quickly becoming a part of our common lives. Although we have seen a surge in consumer electronics hacks in the past couple of years, the focus of smart consumer electronics remains “connectivity,” with little focus on security development. For example, a home appliance manufacturer calls its new refrigerator a “family hub” since items are more connected, but home appliance companies often don’t highlight how the data being collected is protected. Much to our surprise, reports of refrigerators containing spam began circulating in 2014, awakening people to the dangers of what is called a thingbot.

3. Smart Office

Smart offices, also known as smart buildings or smart businesses, are a rising trend in companies. With the rising concern that smart offices are an easy target for hackers, it is imperative to develop smart office security, as hackers can affect a business’ productivity when they access a building’s communications system. Security for standard buildings has been addressed in the past. However, smart offices now involve managing and restricting access at the physical, remote, network, and device levels.

4. Smart Factory

A smart factory is a factory with a fully integrated automation solution in its facility. In smart factories, industrial control systems (ICS), which are computer-based systems, are installed to monitor and control industrial processes such as power, oil, gas pipelines, water distribution and wastewater collection systems.

The most used type of ICS is Supervisory Control And Data Acquisition (SCADA), which allows factory workers to simplify their operational duties by using electronic communications instead of local documents. Despite its convenience, SCADA is not completely secure, as was proven during the huge malware attack in June 2014 on European SCADA systems. Malware called Stuxnet was uploaded to European SCADA control systems and sabotaged major confidential projects as well as industrial control system software.

5. Smart Grid

A Smart Grid is when Information and Communications Technology (ICT) is incorporated with the existing electric grids so that information about producing and consuming electricity is exchanged in real time. According to the U.S. Congressional Research Service, attacks on the U.S. power grid are continuing to increase. As countries’ economies, governments and security rely on electricity, there is a need to build strong convergence security around smart grids’ industrial control systems.

These five categories vary in terms of their services and the information they process, but it is imperative that any company that deals with people’s safety (both physical and digital) invest in security. For products that are integrated with IoT, physical or information security alone is no longer safe enough. As the demand for IoT products and services increases, these companies need to commit to creating convergence security systems that completely secure customers’ products and private information.



SC Magazine Awards Europe

Best SME Security Solution at 2016 SC Magazine Awards Europe

Cloudbric recognized for its Web Application Firewall (WAF) and website analytics features, designed for small to mid-sized businesses

Seoul, Korea: On June 7th, Penta Security Systems announced that Cloudbric, its full-service website security solution, was chosen as the winner of the Best SME Security Solution in the Industry Leaders category at the 2016 SC Magazine Awards Europe. The award was presented at the annual SC Awards Gala. It was held this year at the stunning Old Billingsgate venue in London. Penta Security was present along with other competitive industry names such as Sophos and Barracuda Networks.


Each year, a panel of IT security experts from the private and public sectors reviews hundreds of entries. They narrow the field down to a select group of finalists. The finalists then go through a rigorous, in-depth analysis that includes applicable research, analyst reports, and/or product reviews. Cloudbric was selected as this year’s winner in Best SME Security Solution. The decision was made after a thorough and comprehensive analysis of each finalist.

“It is so important to encourage and praise innovation, recognize those who raise the bar, and reward exemplars who facilitate best practice. Cloudbric is a great example of this within the industry,” remarked Tony Morin, Editor in Chief, SC Magazine UK.

Best SME Security Solution

With Cloudbric, all customers receive comprehensive website protection features including a Web Application Firewall (WAF), CDN, and SSL, as well as timely and attentive customer support regardless of the payment plan. The WAF in particular, which utilizes Penta Security’s patented logic-analysis engine, COCEP™ (Contents Classification and Evaluation Processing), provides customers with deeper assurance in their website protection. Additionally, with the Cloudbric dashboard, users can easily manage their businesses with more reliable numbers. This allows them to make more informed marketing and budgeting decisions. The judges of the SC Magazine Awards Europe agreed that the entry was a strong response.

Head of Planning at Penta Security Systems, Duk Soo Kim stated,

“Through its 19-year-history, Penta Security has sought to bring quality, unrivaled web security to the global market. This was further confirmed for us after reception of the Cyber Defense Magazine Awards back in March for our WAF, WAPPLES, and open source DB encryption solution, MyDiamo. Now, Cloudbric joins the ranks, and we look forward to its continued achievements worldwide.”


About Cloudbric

Cloudbric is an elite full service website security solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Systems, a global information security firm headquartered in Seoul, Korea. Penta Security has served more than 3,100 customers for over eleven years. For more information on Cloudbric’s web security service, please visit https://www.cloudbric.com or contact support(at)cloudbric(dot)com.

About SC Magazine

SC Magazine Awards Europe is lauded as one of the most prestigious awards for IT security professionals and products. For more information and a detailed list of categories and winners, please visit http://www.scawardseurope.com/.


DDoS Attacks: Top 5 Industry Targets

If you take a look in any online hacking forum, you’ll find the buzz term “DDoS attack.” Since 2014 alone, the occurrences of DDoS attacks have increased by +132.4%. To most people, DDoS attacks seem to work like magic—sending a flood of zombie bots that can overwhelm a web app and shut it down.

With so much power and chaos, if a website is caught off guard without proper defenses, it is shut down in seconds. In fact, DDoS attacks are so popular in the cracking community (the correct term for hackers who use their skills to wreak havoc) that in 2013, the group Anonymous petitioned the U.S. government to legalize DDoS attacks as a form of petitioning.

So, who are some of DDoS attackers’ favorite targets? Check out our list of their Top 5 Favorites below.

1. News Sites and Media Publications

This attack was the largest DDoS attack to date. Web crackers opposed to the Hong Kong pro-democracy protesters attacked multiple independent Hong Kong news sites supporting Hong Kong suffrage rights. Every time these sites tried to organize mock executive elections, they were hit with bigger and bigger DDoS attacks.

2. Universities

Some universities lose their internet connection due to DDoS attacks.

You might have heard about the controversy at Rutgers University, where thousands of students lost their internet connection due to multiple DDoS attacks. Apparently, the cracker who rendered the Rutgers networks useless was hired by someone who had a vendetta against the school. Some attribute the attacks to the university’s tuition increase for the 2015-2016 school year.

3. Online Services

This attack is the one that many news outlets declared “the attack that almost broke the internet.” This attack was against Spamhaus, a website that tracks the Internet’s spam operations and sources. Spamhaus maintains real-time, spam-blocking databases that help Internet networks weed out bogus email. A service company with a noble goal; however, once it blacklisted a website called CyberBunker, it was targeted for the attack. Journalists declared that the DDoS attack was so large that its effects could be felt outside of the attacked web app. Whether that is really true is still up for debate.

4. Online Gambling Industry

Compared to 2014, there has been a +350% increase in DDoS attacks in the online gambling industry alone. For the crackers who want to get quick access to money, the online gambling industry seems like an easy target. Because the industry is very competitive, crackers will often work for a competitor site. A cracker will attack a site and cause latency—pushing users to want to use a competitor’s service instead of the attacked service.

5. Politics

Just like the group Anonymous, crackers often hack into web apps over political views. In early October, crackers attacked the Thai government’s websites to protest the government’s plan to limit access to sites deemed inappropriate. The hack was part of a petition against the government. Tens of thousands of people declared the government’s plan the “Great Firewall of Thailand.”

Preventing DDoS attacks?

So how do you protect yourself against a DDoS attack? Dave Larson, CTO and VP of Product at Corero, shares that in order to prevent DDoS attacks, companies need to mitigate all of the web traffic targeting their networks.

But you don’t need to be a company to be hit by a DDoS attack. DDoS attacks can hit anyone, so it’s best to take measures to protect your website. A web application firewall such as Cloudbric blocks botnet traffic. It disarms attacks by filtering them at the server level, so that they never make it to your website. If your website isn’t already secured against DDoS attacks, it’s time to start now, because the threat is only getting stronger with time.




What’s a Zero-Day Attack?

A zero-day attack, as cool as it may sound, is one of the most harmful web attacks because it is invisible. It consists of exploiting a vulnerability in software that its developers aren’t aware of. It is extremely hard to prevent these attacks, and by the time there is a fix, the damage has already been done. The term “zero-day” refers to the window between a critical system, software or platform vulnerability being discovered and its being patched. Usually, the time it takes to correct the vulnerability leaves users open to attack.

Zero-Day Attack Example

WordPress, the content management system that powers 25% of the whole internet, experienced a major software vulnerability in its version 4.2. The attacks allowed the hacker to obtain admin credentials of a website powered by WordPress. This was done by cross-site scripting (XSS), which consisted of sending snippets of JavaScript code to manipulate data stored on the server. Ultimately, the hacker could change the administrator’s password, create new credentials and take over the website completely. After the issue was reported, WordPress recognized the weakness and announced a security patch but wasn’t specific about the patch release date. This left millions of users wondering when a security solution would be implemented. Ever since the attack, WordPress has been fixing its vulnerabilities to ensure the safety of its users and avoid another major attack.

How to Deal with Zero-Day Attacks

Zero-day attacks can strike at any given time because we don’t know when commonly used programs or software will be exploited. This is why users, especially small and medium business owners, must be proactive about web security. Cloudbric recommends that users have special safeguards in place in case a zero-day attack strikes. Here are three measures you could use while waiting for a security patch:


1. Inform Yourself

The first step in dealing with a security problem is to be aware of it. Be mindful of what exact software or programs experienced a security exploitation. For example, a great resource to check for security vulnerabilities in commonly used programs or software is the Exploit Database website. This website also provides information on when a security vulnerability may get patched.

2. Web Application Firewall (WAF)

Since users don’t know when a zero-day attack may strike and, more importantly, when software might get patched, it is extremely important to have a great insurance plan. This is where a WAF can really help keep your website safe. Choosing the right WAF for your business will be critical. Cloudbric recommends using a WAF that not only detects web attacks at a high accuracy rate but also does not incorrectly block innocent users.

3. Antivirus Software

Some antivirus software is very intelligent about blocking malicious attacks on your internal network. These days, antivirus software uses heuristic analysis to determine not only whether a file is dangerous but also reviews its execution and behavior. In case any malicious files make their way into your network and system, you can rest easy knowing that you have proper antivirus protection.

Ultimately, zero-day attacks can only be fixed by the companies who made the software. In the meantime, implementing the measures listed above will help minimize any potential damage that can arise. To learn more about web security trends and issues, keep up with the Cloudbric blog today!




Protect Sensitive Data within the Cloud

It’s pretty clear by now that the next frontier for online businesses is to move to the cloud. The term ‘cloud’ is still a relatively new idea that can help businesses greatly improve their productivity and efficiency, and save on resource costs. However, this much-anticipated rush to the cloud isn’t without its limitations. One such drawback of the cloud is the possibility of increased web attacks and infrastructure vulnerabilities. Today, we will explore the various ways to help safeguard any confidential information or sensitive data that is stored in the cloud.

Current Cyber Security Landscape

In today’s computing environment, there is an abundance of network and cloud infrastructure providers. But the question we need to ask ourselves is, “who is managing and tracking all of the inbound/outbound traffic?” In other words, organizations are eager to provide incredibly cost-effective and efficient cloud infrastructure, but there hasn’t been much thought or planning surrounding the protection of that infrastructure.

The market is slowly starting to see the effects of improper web protection, however. According to Gartner, by 2020, more than 60% of web applications will be protected by cloud-based Web Application Firewalls. Just as fast as people are looking to upgrade to the cloud, there is a growing interest in how to protect these next-generation infrastructure solutions. In essence, companies and website owners are starting to become more proactive, but the job doesn’t end there.

How Do We Protect Ourselves?

The very nature of the internet is to be open, but this can leave you vulnerable to web attacks if you are not careful. This is the ultimate cloud fallacy. As much as we want to move towards sharing resources and infrastructure, or testing new innovative solutions, this can only be done to a certain degree. Until recently, most companies have been looking to fortify their internal networks and systems to prevent attacks. The issue is that the internet was designed to freely share and communicate information with the open world. The best way to work around this predicament is not to block ourselves in by building higher walls, but to build smarter gateways. Two ways to achieve this are to use a perimeter-based Web Application Firewall and Database Encryption technology.

diagram showing WAF protecting a website or sensitive data from hackers and bots

Web Application Firewalls (WAF)

WAFs can help protect all inbound and outbound traffic that flows through the web/application layer (OSI Layer 7). These days, as more and more websites rely on dynamic web applications to power their sites, the vulnerabilities of these applications continue to persist. WAFs are perimeter-based web security solutions, which means that they monitor all HTTP/HTTPS traffic and sift it for malicious or suspicious web behavior. Once detected, a WAF can automatically block web hacking attempts that target a web application and ultimately intend to steal sensitive data from a web server or backend database. A WAF can be your first line of defense, protecting your online business from web attacks when you least expect them.

There are various benefits to implementing a WAF solution into your cloud web security profile, such as:

  • Cleaner & safer network – mitigate major hacking incidents
  • Peace of mind – always active security that works on the perimeter
  • Performance – security that doesn’t affect performance or incur latency issues
  • Compliance – satisfy PCI-DSS requirement 6.6
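To make the Layer 7 inspection described above concrete, here is an added example (not Cloudbric’s code or the logic of any real WAF product) of a tiny perimeter filter in Go. It wraps an origin handler, decodes the path and the query/form parameters of each request, matches them against a small constructed rule set, and answers 403 before the application ever runs. The rule names, patterns and sample requests are all assumptions made up for this illustration; a production WAF normalises input far more thoroughly and scores many more signals, and the accuracy trade-off mentioned earlier in the post (blocking attacks without blocking innocent users) is exactly the difficulty of writing those rules well.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// rules is a deliberately small, constructed rule set standing in for a WAF
// policy. Each rule is a name and a pattern matched against the decoded request
// path and parameter values. This only shows the shape of the check; it is not
// a complete or production-grade policy.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"sqli", regexp.MustCompile(`(?i)'\s*(or|and)\s+\S+\s*=|union\s+select|--\s*$`)},
	{"xss", regexp.MustCompile(`(?i)<\s*script|javascript:|\bon\w+\s*=`)},
	{"traversal", regexp.MustCompile(`\.\./|\.\.\\`)},
}

// Inspect returns the name of the first rule that matches the request path or
// any decoded query/form value, or "" if nothing matched. The accuracy
// trade-off lives here: a rule that is too broad (e.g. one matching a
// legitimate value such as "onward=") blocks innocent users, a rule that is
// too narrow lets attacks through.
func Inspect(r *http.Request) string {
	candidates := []string{r.URL.Path}
	if err := r.ParseForm(); err == nil {
		for _, values := range r.Form { // r.Form holds query and form-body values
			candidates = append(candidates, values...)
		}
	}
	for _, v := range candidates {
		for _, rule := range rules {
			if rule.re.MatchString(v) {
				return rule.name
			}
		}
	}
	return ""
}

// Protect wraps an origin handler the way a perimeter WAF sits in front of a
// web application: a matching request is logged and answered with 403 before
// the application sees it.
func Protect(origin http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if rule := Inspect(r); rule != "" {
			log.Printf("blocked %s %s rule=%s client=%s", r.Method, r.URL.RequestURI(), rule, r.RemoteAddr)
			http.Error(w, "request blocked", http.StatusForbidden)
			return
		}
		origin.ServeHTTP(w, r)
	})
}

// StatusFor pushes one constructed request through the protected handler
// in-process and returns the HTTP status a client would see. A non-empty form
// is sent as an application/x-www-form-urlencoded POST body.
func StatusFor(method, target, form string) int {
	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "origin reached")
	})
	var body io.Reader
	if form != "" {
		body = strings.NewReader(form)
	}
	req := httptest.NewRequest(method, target, body)
	if form != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	Protect(origin).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample traffic: one clean request and three carrying
	// textbook injection, scripting and path-traversal strings.
	samples := []struct{ method, target, form string }{
		{"GET", "/products?id=42", ""},
		{"GET", "/products?id=42%27%20OR%201%3D1--", ""},
		{"POST", "/comment", "text=%3Cscript%3Ealert(1)%3C/script%3E"},
		{"GET", "/files?name=../../etc/passwd", ""},
	}
	for _, s := range samples {
		fmt.Printf("%-4s %-40s -> %d\n", s.method, s.target, StatusFor(s.method, s.target, s.form))
	}
}
```

Running it prints 200 for the clean request and 403 for the other three, with one log line per block so the decisions can be reviewed later; a real deployment would ship those log lines to the same place as the web server’s access logs so that blocks and false positives can be audited.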

silver lockpad over data and series of 1s and 0s safeguarding sensitive data

Database Encryption to protect sensitive data

Database encryption software transforms data stored in a backend database into ciphertext, which makes the data incomprehensible until it is decrypted. In the event that a web hacker is able to bypass your first line of defense (in very rare instances, or because of rogue insiders), high-performance database encryption software could be your savior. DB encryption software not only prevents sensitive data leakage, but even if data is stolen, the encrypted data will be useless since web hackers will be unable to decrypt the information. As an added measure of security, database encryption companies such as MyDiamo can store database keys separately on third-party key management servers to eliminate any possibility of a data breach.

Here is a short list of the benefits of using a database encryption software:

  • Protect Data Completely – encrypted data is protected, even if it is stolen
  • Guarantee Data Integrity – easily detect whether data was manipulated/tampered
  • Compliance – satisfy legal & internal/external audit guidelines (HIPAA, SOX, PCI-DSS, etc.)
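The two properties in that list, protection of stolen data and detection of tampering, both come from using an authenticated cipher with the key kept away from the database. The following is an added example in Go (not MyDiamo’s or Cloudbric’s code, and not a model of how any vendor’s product works internally) of application-level field encryption with AES-256-GCM. The KeyStore interface and its in-memory implementation are constructed stand-ins for a separate key management server; the key ID, row ID and sample value are made up for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyStore stands in for a separate key management server: the database holds
// only ciphertext, and the key is fetched at use time from a system the
// database host cannot read on its own. The interface and MemoryKeyStore are
// constructed for this example and do not model any vendor's product.
type KeyStore interface {
	Key(id string) ([]byte, error)
}

// MemoryKeyStore is an in-memory stand-in for the key server.
type MemoryKeyStore map[string][]byte

func (m MemoryKeyStore) Key(id string) ([]byte, error) {
	k, ok := m[id]
	if !ok {
		return nil, fmt.Errorf("key %q not found", id)
	}
	return k, nil
}

// NewKey returns a random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// aeadFor fetches the named key from the key server and builds AES-GCM from it.
func aeadFor(ks KeyStore, keyID string) (cipher.AEAD, error) {
	key, err := ks.Key(keyID)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one column value. The random nonce is prefixed to the
// ciphertext so the stored value is self-contained, and rowID is bound as
// associated data: a ciphertext copied into another row will not decrypt there.
func EncryptField(ks KeyStore, keyID, rowID string, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(ks, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(rowID)), nil
}

// DecryptField reverses EncryptField. Any change to the stored bytes, the wrong
// key, or the wrong rowID makes the GCM tag check fail, which is the
// "detect whether data was tampered" property from the list above.
func DecryptField(ks KeyStore, keyID, rowID string, stored []byte) ([]byte, error) {
	gcm, err := aeadFor(ks, keyID)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rowID))
	if err != nil {
		return nil, errors.New("integrity check failed: wrong key, wrong row, or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	ks := MemoryKeyStore{"customers-v1": key} // constructed key ID
	// Constructed sample value standing in for a sensitive column.
	stored, err := EncryptField(ks, "customers-v1", "customer:42", []byte("card 4111 1111 1111 1111"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in DB: %x\n", stored)
	pt, _ := DecryptField(ks, "customers-v1", "customer:42", stored)
	fmt.Printf("decrypted with key from key server: %s\n", pt)
	_, err = DecryptField(MemoryKeyStore{}, "customers-v1", "customer:42", stored)
	fmt.Println("stolen database, no key server:", err)
	stored[len(stored)-1] ^= 0x01
	_, err = DecryptField(ks, "customers-v1", "customer:42", stored)
	fmt.Println("after flipping one stored bit:", err)
}
```

The design point is the separation: a copy of the database file alone yields only the hex blob, and the application has to reach the key server to read it, which is also where access to the key can be logged and revoked. Binding the row ID as associated data is a small extra that transparent disk-level encryption does not give you: it stops an insider with write access from moving one customer’s encrypted value into another customer’s row.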

The key to protecting data stored in the cloud is to take a more proactive, perimeter-based approach. It’s best to secure your most sensitive data before cyber criminals ever reach your vulnerable web applications. This can be accomplished by using a Web Application Firewall and Database Encryption software as added security insurance. Get started on protecting your data in the cloud today!
