While the AWS marketplace gives you the one-click convenience of security add-ons, the choice of almost 200 different packages can be overwhelming. At GreenSQL, we’ve decided to make it easy for you by taking a deep dive ourselves and listing the different offerings.
We don’t recommend any particular product on this list, except of course our own. There is no other database firewall listed because we are the only one compatible with AWS cloud services at this time.
If you are listed here and feel that we have not properly categorized your product, please get in touch and we will update the article.
We like it Suite
It’s probably easiest for most organizations to choose a suite of tools that integrates a number of different security tools. Under AWS, there are two ways to do get a package deal. The most straightforward is too chose a Unified Threat Management (UTM) suite. If you choose a unified suite, you’ll also want to go through the list of different types of security solutions here to make sure that the suite you choose has all the protections you want, and if not, supplement it with other tools in this article.
The following companies offer some form of UTM on AWS. (Note: Not all of these products are officially considered “UTM” but all of them offer multiple features on one product.):
- Check Point Virtual Appliance
- CloudPassage Halo
- NETASQ Cloud UTM
- Neusoft Integrated Security Gateway
- Sophos UTM
- Trend Micro Deep Security
- Trend Micro Deep Security for web apps
The other way is to choose a group of products that work together, like the Qualys product line. We found the offering slightly difficult to understand, because each element was offered separately, and it was not clear which ones would work stand-alone. Obviously, if you go on this track, you should be in touch with the vendor to make sure that you are getting the right combination.
And the winner is… WAF
Web Application Firewalls (WAF) from 13 different vendors are available on AWS. That shouldn’t be surprising, given that almost everyone in the cloud needs a WAF. Keep in mind that WAF is essential, but does not substitute for Database Firewall. Many of the UTM suites include WAF, so you may not need a separate product.
WAF offerings on AWS:
- Alert Logic Web Security Manager
- Barracuda Web Application Firewall
- Bee Ware I-Suite – Web Application & Service Firewalls :
- Cautela Labs Web Application Firewall
- DenyAll Protect
- Fortinet FortiWeb Web Application Firewall
- Imperva SecureSphere WAF
- Incapsula cloud-based WAF
- IndusFace IndusGuard WAF
- QualysGuard Virtual Web Application Firewall Appliance
- Riverbed SteelApp
- V-Series WAPPLES
Firewalls R Us
A variety of other firewalls are offered in the AWS marketplace. Most of the UTM products include a network firewall and WAF, as well as e-mail protection. GreenSQL is included in the category of firewalls, although we are specific for databases, and no other category includes this type of protection.
Following are the non-WAF firewalls available on AWS:
- GreenSQL (Database)
- Barracuda NG Firewall (Network)
- Brocade Vyatta vRouter (Network)
- FortyCloud Cloud Network (Network)
- Scrollout (Email)
Encryption: A Close Second
Just as everyone needs a WAF, for any data transferred over the network, encryption is a must. GreenSQL will be talking more about encryption in the future. Currently, we provide masking, which protects data, but doesn’t allow data transfer.
A variety of kinds of encryption are available, so you’ll need to know what serves your company best. Following are the encryption offerings and a bit about each one:
- Afore CloudLink : Encryption of SharePoint, database and application workloads.
- Boole Server : Military-grade encryption server.
- CloudLink Data Encryption: VM including encryption
- CloudMask : Encryption for GMail, Google Docs, MS Office 365, MS SharePoint, SalesForce encryption.
- CloudPrime Enterprise File Transfer
- Gazzang zTrustee : Key management, encryption, certificates
- SafeNet ProtectV: Full disk and storage encryption.
- Sengex BitSafeDS : Data encryption.
- Trend Micro Secure Cloud:Data encryption.
- Vormetric Transparent Encryption:Encryption, key management and access controls.
One of the more exciting areas of encryption that’s emerged recently is the area of file security. Products in this category protect files when they are sent outside of the organization. This is a developing category, and we’ve put it under encryption. In the future, it’s possible this will emerge as a separate category of security.
- Content Raven
Monitoring by any other name
Another huge category is the area of threat monitoring and detection. Threat monitoring is essential but does not provide real-time protection. Depending on the vendor, the scanning and monitoring process may cover different aspects of your network, and provide different levels of alerts in either real-time or on a periodic basis.
In this category, most scanning and monitoring solutions do not provide real-time threat resolution, but rather threat warnings and, in some cases, recommendations for remediation. This is essential for compliance but will not offer you the real-time protection of your systems that most organizations today require.
In the AWS marketplace, we saw 3 different categories of monitoring and threat detection:
- Scanning: Software that scans your system to find potential threats. You receive alerts and possibly avenues for remediation. Note that some of the scanners are quite specific (app, network, website, etc.)
- Monitoring: Software that monitors what is going on in your system and alerts of threats. Some monitoring is real-time, but some is simply a kind of periodic scan of the system that gives you warnings on a daily or weekly basis. Note that some of the monitors are quite specific (email, logs, etc.)
- Security Information and Event Management (SIEM): SIEM systems may have a combination of monitoring and scanning. In some cases, we didn’t see a significant feature difference between the monitoring solutions and the ones who defined themselves as SEIM. The industry hasn’t yet solidified a standard for considering a solution to be in the SIEM category. Some of these vendors seem to be working towards positioning themselves in the UTM category.
Following are the companies in this category, listed according to how they define themselves:
- Alert Logic Log Manager
- CloudCheckr Enterprise, Gov
- Cognizant Trail Digest (Auditing)
- evident.io ESP (Evident Security Platform)
- FireEye Threat Analytics Platform
- Fortinet FortiAnalyzer
- Message Logic MLArchiverAWS
- SecludIT Elastic Detector
- Lumeta ESI (Enterprise Situational Intelligence)
- NoSec Unified VRM
- QualysGuard® Virtual Scanner Appliance
- Tenable Nessus
- AlienVault’s Unified Security Management OSSIM
- Cautela Labs Threat Manager
- DenyAll Detect
- MetaFlows Security System (MSS)
Ready-made and pre-hardened
A number of the security products are simply pre-configured and pre-hardened virtual machines and operating systems. This is a great approach for some companies, especially if you are dealing with strict regulations such as military-grade. You’ll still need network security, but getting a pre-hardened operating system is a great approach to starting out right.
You may find the options dazzling. Buddha Labs, in particular, has a huge selection from different types of hardened virtual Red Hat machines for a variety of uses. You’ll need to select the one that is right for your organization.
- A10 Networks’ vThunder Amazon Machine Image
- Buddha Labs Red Hat Enterprise
- McAfee Secure Amazon Linux
- Netspectrum Vyatta Core
Secure management of your encryption keys is an important part of your security posture. In the area of key management, AWS offers:
- Penta Security Systems D’Amo SG-KMS
- Porticor VPD Appliance
- SafeNet Virtual KeySecure
- Townsend Security’s Alliance Key Manager (AKM)
A number of products are components of securing your network, but usually aren’t considered security products. Nevertheless, we found them under the security listings in the AWS marketplace, so to keep it easy for you, we wanted to include these vendors in the list.
Identity management is a prerequisite for security. Knowing who has access and managing people’s identity over multiple logins gives you control of the users in the system.
Identity management vendors on AWS:
- 9STAR Elastic SSO
- SecureAuth IdP
Like Identity Management, Virtual Private Network management is an essential part of keeping your network secure for any type of remote access, which, of course, is necessary for cloud computing. A number of the VPNs include firewalls or other types of security apps. While we consider this part of networking rather than management, AWS has categorized it as security, so it is covered in this article.
VPN vendors categorized in security:
- CipherGraph Cloud VPN
- Cisco Cloud Services Router (CSR)
- Cisco Cloud Services Router (CSR)
- CohesiveFT VNS3 Network Appliance
- Netgate pfSense Certified appliance
- TLS Accelerator
Backup and Restore
AWS includes a variety of backup and restore services. Only the ones listed under security are mentioned below.
- CloudAlly Cloud Backup
- CloudBerry Backup
- N2W Cloud Protection Manager
- SteelStore(formerly Whitewater)
The following application delivery platforms offer some level of security built in.
- F5 BIG-IP Virtual Edition
- F5 BIG-IQ Cloud
- Shaka Ishlangu Load Balancer
When using a cloud solution, API security becomes an issue. So much of the usage of AWS depends on API calls, it’s important to put API management and security measures in place. This is one of the few areas you may never had to concern yourself with when you had on-premises networks, but is of crucial importance when moving to the cloud.
- 3scale SaaS API Management
- Axway API Gateway
- Intel Expressway API Manager
Threat-specific for specific needs
A number of threat-specific options are still available. While most of the major players in areas such as anti-malware, DDoS, and endpoint security have moved towards UTM, there are still a few players who offer threat-specific packages. Some of them are highly specific, such as endpoint for mobile and geosecurity, and may not be covered even in the high-end UTM solutions.
- BitDefender Security as a Service : Antimalware
- Seculert : Antimalware
- Incapsula DDoS protection : DDoS
- UX World dnsfly : DNS
- aiScaler aiProtect : DoS
- McAfee SaaS Endpoint Protection : Endpoint security
- Mformation Enterprise Mobility Manager : Endpoint security
- You Shop Online YSO Xenofile : Geosecurity
- Alert Logic Threat Manager : IDS
- Fortinet FortiManager VM : Management
- Kali Linux : Penetration testing
- Tinfoil Security : Penetration testing
- Dome9 Security Business Cloud : Security group management
- Dome9 Security SecOps : Security group management
- Memeo C1 : Sharing
- Barracuda Spam Firewall : Spam protection
- TLS Accelerator : SSL
- Finally, there were a bunch of solutions listed under security that, at least to us, didn’t seem like they even belonged in that category. They all seem like perfectly fine products. They just aren’t security.
- Adobe® LiveCycle® Enterprise Suite : Deployment of apps
- CloudBerry Cloud Mitigator : Transfers data from one cloud to another.
- F-Switch : Monitors appliance performance
- JumpCloud : Automates devops tasks
- KMAP (Keivox Mobile Application Platform) : Distribute and manage mobile apps
- New Vision 4ME : Content management
- NGINX Plus : Load balancer, cache management
- piXlogic piXserve-Elastic Cloud : Index and search video files.
- Rightsline Asset and Rights Management : IP rights management