
Automated Certificate Management and Security Policy Migration Made Easy

By Brian Anderson posted 04-06-2020 09:14
Imperva’s automated capabilities help users implement consistent security solutions and maintain operations at the speed of business.

The key to world-class security is consistency. The cybersecurity chain is only as strong as its weakest link.

Most organizations expose their weakest links when performing complex manual operations. The more manual steps there are in any single business process, the harder that process is to manage operationally. This problem is amplified when trying to insert security into an existing application deployment process, unless the security solutions can support the existing process and toolchains that are in place. To make this easier, Imperva has created a set of open source GitHub tools specifically for the purpose.

Step-by-step walkthrough of the GitHub tools mentioned in this article:

Many of these tools focus on streamlining the processes where security vulnerabilities tend to creep in. It’s no coincidence that these are mostly tasks that involve putting complex data and configurations in transit, and they are tasks that many organizations (and their security vendors) perform manually.

We’re going to cover some of the tools Imperva users can capitalize on when managing security at scale and migrating security configurations from one place to another. Familiarizing yourself with these tools will not only boost your organizational cybersecurity posture, but also make your day-to-day life as a security professional much easier.

Automated Certificate Uploads for On-Premises and Cloud WAF

Encrypting web traffic using SSL has become an industry standard, and a necessity for business-critical applications that process sensitive data. Although traffic encryption is good practice, implementing SSL does not mean that the application itself is secure: it can still be vulnerable to, and compromised through, attack vectors like SQL injection (SQLi), Cross-Site Scripting (XSS), and Code Injection, as outlined every year in the Open Web Application Security Project (OWASP).

A Web Application Firewall (WAF) can help secure web applications by mitigating these kinds of attacks. It does so by inspecting and analyzing this traffic and blocking anything that is malicious. To inspect encrypted traffic, the WAF needs the SSL certificate. Automating the management of SSL keys as applications are deployed, along with the configuration of the solutions like WAF that accompany them, is critical to implementing security at scale.

Imperva has open source solutions for enabling exactly this kind of workflow. Both On-Prem WAF and Cloud WAF users can automatically upload their own SSL certificates directly to their security platform using open source, Imperva-made tools available on GitHub.

On-Premises Certificate Upload CLI

The SecureSphere Certification Upload CLI utility empowers users to automate and manage the certificate upload process directly from their command-line interface. This simple tool streamlines the process of managing certificates, and allows users to dynamically map each SSL key to the appropriate site configuration within the On-Premises WAF management server. 

Cloud WAF Certificate Upload CLI

The Cloud WAF CLI enables users to programmatically manage virtually any task, including the uploading and management of SSL certificates, using simple, easy-to-understand commands. This open-source CLI enables organizations to integrate security configurations directly into their existing CI/CD and SDLC deployment processes, managing security at scale.
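A pipeline step that could run before either upload tool is invoked, shown here as an added example that is not Imperva's code: it checks that the private key belongs to the certificate, that the certificate is not about to expire, and that it covers the site it will be mapped to. The function names, file names and host name are assumptions made for illustration, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# Pre-upload gate for a certificate/key pair in a CI/CD job.
# Added example: function names and file layout are assumptions.

# Succeeds when the private key's public half equals the certificate's key.
# "-passin pass:" stops openssl from prompting if the key is encrypted.
key_matches_cert() {  # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid MIN_DAYS from now.
valid_for_days() {  # valid_for_days CERT MIN_DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds when the certificate's names cover the site host name.
covers_host() {  # covers_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Runs all checks; prints the first failure and returns a distinct code.
preflight() {  # preflight CERT KEY HOST MIN_DAYS
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    valid_for_days "$1" "$4" || { echo "certificate expires within $4 days"; return 2; }
    covers_host "$1" "$3" || { echo "certificate does not cover $3"; return 3; }
    echo "ok"
}

# Constructed sample input: a throwaway self-signed pair for a made-up host.
make_sample() {  # make_sample DIR COMMON_NAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days "$3" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Typical use in a job step, stopping the pipeline before any upload:
#   preflight cert.pem key.pem app.example.test 14 || exit 1
```

Returning a different code for each failure lets the job log say which check stopped the upload.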

Migrating Policies from On-Premises Platforms to Cloud WAF

Many enterprises begin their collaboration with Imperva using our on-premises WAF solutions. Wherever the hardware and infrastructure already exist, there is usually a good business case to be made for choosing on-premises solutions over cloud-based ones, depending on the application requirements and architecture.

More and more companies are adopting web application firewalls as a hosted service as opposed to on-premises hardware, which can prove valuable because the hosted security service can also provide DDoS protection, global load balancing, CDN, bot mitigation, and protection for APIs in the same platform. Please also see Cloud WAF Versus On-Premises WAF as a reference.

As applications are migrated from the on-premises Gateway WAF to the Cloud WAF service, many on-premises WAF users may want to migrate specific custom policies for those applications from Gateway WAF to the cloud. Imperva’s API Composer can help with that process, migrating and converting policies via API from Gateway WAF to a format understood by Cloud WAF. This functionality applies to policy groups as well as individual policies. Users can migrate both individual policies and policy groups to individual websites or to bulk site groups.

In this way, Imperva customers can quickly create an entire policy architecture for every category of website they work with – one set of policies might apply to everything production-related, while a different set of policies applies to everything development-related. The API Composer tool allows Imperva customers to efficiently manage complex policy environments automatically.

Enable On-the-Fly Bulk Policy Migration and Certificate Uploading Capabilities

These are just a few examples of the kinds of tools Imperva has developed to make its customers’ business operations easier and more secure. We are constantly checking user feedback to find opportunities to develop new open source tools to make available on GitHub.

Every month we have new tools and updates available on our repository. Check out the latest open source packages and plugins now!

Learn More With the Imperva Community

The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like On-Prem WAF, Cloud WAF and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts. 

Related Content: 
Imperva API Composer: Open Source On-Premise and Cloud WAF Automation
Transcript and Video from Webinar: GitHub Tools - Imperva API Composer 
Incapsula-CLI: An Easy-to-use Interface for Imperva’s Cloud WAF
HashiCorp Terraform: Cloud-Agnostic Deployment and Provisioning for Imperva Cloud WAF