By Bob Michaud, Chief Security Officer, Q2
This year marks my fourth year participating in the October Cybersecurity Awareness Month as Q2’s Chief Security Officer. As part of this month’s activities, I’m sharing a blog every week focused on Q2’s distributed cloud model, looking closer at securing the distributed cloud. Q2’s multilayered security approach keeps the customer experience safe while protecting against brand fraud. This week, I’m sharing how Q2 protects our customers’ brands via perimeter security.
The distributed cloud model offers some unique challenges. Q2’s physical footprint spans 12 distinct cloud zones in North America alone, and three different vendors (Azure, AWS, and CyrusOne) power it. The points of control and responsibilities are different, which makes it essential for Q2 to adapt.
This week, I interviewed Jordan Hager, Q2’s VP of Hosting Architecture. Jordan has worked at Q2 for over 10 years, playing an instrumental role in developing our distributed cloud environment. I asked Jordan to shed some light on the challenges of perimeter security in our distributed cloud – and how we have mitigated risk for Q2’s financial institution customers and their account holders.
“We had to scale our egress protection to cover this disseminated footprint so recently consolidated several vendors into Cloudflare. That expanded our internet routing reach by moving from 19 points of presence to over 200 worldwide, and from seven domestic to 47,” Jordan shared. “This dramatic increase in points of presence allows the inbound traffic to find Q2’s network sooner, get scrubbed, and then travel to the hosting environment, meaning the session spends more of its journey post-scrubbed, cleaned, and protected. Leveraging CloudFlare’s 90 terabytes per second network, Q2’s customers are seeing zero impact from the more than 4,000 DDoS attacks on our hosting environment per month, a new DDoS attack every 10 minutes.“
Jordan also updated me on significant upcoming enhancements to Q2’s perimeter security approach and shared some interesting statistics around our response to the growing number of credential stuffing attacks. “Next up is migrating onto CloudFlare’s Web Application Firewall (WAF), using that service to front 50 concurrent credential stuffing attacks, with a new one happening every hour,” Jordan told me. “We currently block around 96% of all inbound traffic before getting to the application layer, some 320 million sessions per day.”
These are staggering numbers that require the best security posture. Read more about Q2’s zero-trust security posture in my upcoming cybersecurity awareness month blog, which will be published next week.
Thanks for reading, and happy Cybersecurity Awareness Month!