Incapsula: using security from the Cloud to protect data in the Cloud
The Cloud will dominate. It’s simple economics. The Cloud offers greater efficiency at lower cost; so if your competitor is in and you are out, he wins and you lose. But concern over security is currently delaying deployment: if you don’t know where your data is, how can you secure it?
“One of the challenges of the Cloud,” said Marc Gaffan, VP Marketing with Incapsula, “is that you have to rely on the infrastructure that your Cloud provider offers.” And this is counter-intuitive, particularly since “most web application firewalls to date,” he continued, “have come in the form of an appliance. Typically, when you use a web application firewall, you take a physical server and attach the appliance to it, routing traffic through your physical appliance to your physical server. But when you move into the Cloud and use a Cloud provider, there is no physical rack for your physical appliance to connect to your physical server.” And it is this lack of physicality that worries us about the Cloud.
But in reality that’s because we misunderstand the nature of the internet itself. We think of the internet as some huge collection of interlinked separate computers to which we are connected, but do not belong. That misunderstands the nature of the beast. We should revisit Sun’s old motto: the network is the computer. Only now we should say: “The internet is the computer.” It is only when we start to look at the internet as just one huge multi-user amorphous computer that we will be able to harness its full potential. When we look at it like this, for example, it doesn’t really matter where the data is located.
Consider the computer on your desktop. We are accustomed to not knowing where our data is stored on this computer, because we don’t need to know. The filesystem knows. Access to our data is via the filesystem – and because of the filesystem we can still protect the data without knowing where it is situated, even though the operating system keeps moving it to different locations on the disk.
Now consider the internet. If the internet is the new computer, then DNS will be the filesystem and the service providers are the operating system (OK, loosely – don’t get too literal on me). And if the basic analogy holds, then we don’t need to know where our data is held (and will simply go mad if we try to find it and follow it), but we can still secure it via the DNS.
That’s what Marc Gaffan’s new Incapsula service does. It provides a virtual web application firewall that doesn’t care where your website is located. “In order to get the protection of Incapsula,” Gaffan explains, “all you need is control of your domain name server and five minutes. You change your DNS to route all incoming and outgoing traffic through Incapsula. From that point on, all your website visitors will first go through Incapsula, through our globally distributed network of servers, and we will proxy the traffic to you. We essentially front-end your website regardless of where it is hosted or who is hosting it, or whether you have control over that web server or not.”
This is using the Cloud and Cloud concepts to protect the Cloud. “A primary principle,” says Gaffan, “is pay as you grow. If you are a new company you can start small; you don’t have to pay for excess capacity or provision for future growth, you just pay for what you need when you need it.”
But a second principle is collective or community strength. “By correlating information across our hundreds of customers and worldwide network of servers we create a community learning. If Incapsula sees someone doing something bad at one website; and minutes later that person goes to another website, Incapsula knows that nothing good is intended; and will instantly block access – and that correlation of experience across different Incapsula customers makes it a better service.”
This process of moving our security into the Cloud in order to protect our data in the Cloud has already started. First came spam-blocking services; then, inevitably, anti-virus products began to leverage the Cloud. Now Incapsula demonstrates the next step. “Once you get onto the Cloud, you must not be dependent on just the services that the Cloud provider offers you – you need the freedom to shop around and leverage services from other Clouds; like Incapsula. This process allows Cloud customers to take security back into their own hands, and not be forced to rely on or be constrained by the Cloud provider’s own offerings.”
Remember, the internet is the computer. You can indeed protect your data even if you don’t know where it is.