Verizon reports in its 2019 Data Breach Investigations Report that attacks on web applications are the leading hacking action behind breaches, involved in nearly 70% of them. By comparison, the second leading action, a backdoor or command-and-control channel, was involved in only about 25% of breaches. With such an obvious need to protect web applications, our customer, TN Marketing, approached us about staying on the front line of cloud security. Like many businesses with a web-facing storefront, TN Marketing wanted to ensure its web applications were protected while reducing the effort of cloud security management.
TN Marketing is an online media, marketing, and technology firm that connects people with their passions by producing and delivering online instructional video content and other media through communities built around those passions. To help it stay at the leading edge of web application security with less management overhead, the TN Marketing and Flux7 DevOps security teams created a three-step plan.
Read the full AWS Cloud Security case study here.
- While TN Marketing already had an AMI creation process, it was manual. By automating AMI creation, the teams could reduce manual work and remove human error from the process, improving cloud security as a result.
The teams created an automation document that defines the process flow for baking AMIs. Now, with the push of a button from the AWS Console, AMIs are created automatically, greatly reducing overhead and removing the opportunity for fat-finger mistakes that can introduce risk.
- The teams would take advantage of the new AWS Client VPN service. Doing so allows TN Marketing to securely access resources (AWS and others) from any location using an OpenVPN-based VPN client.
This solution replaces TN Marketing’s software-based VPN appliance, which required the team to manage setup, security, and ongoing maintenance; the team was eager to use those resources elsewhere. With the AWS Client VPN solution, TN Marketing can now provide highly available and secure VPN access regardless of employee location or the number of employees working from home. (Which is not trivial when Minnesota winter storms hit.)
- Last, the teams would replace TN Marketing’s fixed WAF rules with managed rules, including rules covering OWASP vulnerabilities, to ensure the protection of its VidStore.
With its eCommerce web applications at the heart of its business, staying at the forefront of security is paramount for TN Marketing. As a result, the Flux7 and TN Marketing teams worked together to deploy AWS WAF managed rules. TN Marketing was already using AWS WAF (a web application firewall that helps protect web applications from attacks), and the teams looked to upgrade its rules from fixed to managed.
The managed rules deployed by TN Marketing are a set of rules written, curated, and maintained by CSC. We easily deployed the rules in front of TN Marketing’s web applications running on Amazon CloudFront. In addition to CSC’s standard rules for OWASP and PCI compliance, we configured AWS WAF rules to block web requests from blacklisted sources, matching on IP addresses, HTTP headers, HTTP body, and URI strings, and to block requests carrying SQL injection and cross-site scripting patterns.
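The pairing of a fixed blocklist rule with a vendor-maintained managed rule group, as an added Terraform example that is not Flux7's or TN Marketing's own code. It assumes the current WAFv2 resources, substitutes the AWS-vendor managed rule group for the CSC rule set described above, uses a constructed blocklist address range, and is applied through a provider configured for us-east-1, as CLOUDFRONT-scoped WAF resources require.

```hcl
resource "aws_wafv2_ip_set" "blocklist" {
  name               = "storefront-blocklist"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"] # constructed sample (RFC 5737 range)
}

resource "aws_wafv2_web_acl" "storefront" {
  name           = "storefront"
  scope          = "CLOUDFRONT"
  default_action { allow {} }

  # Fixed rule: drop requests from listed source addresses before any other check.
  rule {
    name     = "block-listed-sources"
    priority = 0
    action { block {} }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.blocklist.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockListedSources"
      sampled_requests_enabled   = true
    }
  }

  # Managed rule group: the vendor maintains the SQLi/XSS/bad-input signatures,
  # so coverage stays current without the team hand-editing rules.
  rule {
    name     = "aws-managed-common"
    priority = 1
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AwsManagedCommon"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "Storefront"
    sampled_requests_enabled   = true
  }
}
```

The web ACL is attached to the distribution by setting its ARN in the CloudFront distribution's web_acl_id; the sampled-request metrics above are what the team would review when a managed rule starts blocking legitimate storefront traffic.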
TN Marketing has a vested interest in staying at the forefront of agile cloud security, as an incident could result in downtime, lost revenue, or worse, loss of customer trust. In addition, TN Marketing is committed to investing its people in strategic projects that generate value for customers. With the new AWS WAF managed rules, AWS Client VPN, and automated AMI solution, TN Marketing delivers a secure, innovative, and reliable experience that is creating a virtuous cycle of customer satisfaction, loyalty, and greater lifetime value.
If you are interested in learning more about protecting your AWS environment with AWS WAF and other AWS security best practices, please check out our white paper, Achieving Security with Agility in the Cloud.