Managed Security: Build It Right the First Time

Secure Web services require not only building a secure environment but also maintaining a strong security posture. Managed security solutions provide assistance in the aspects of maintenance that even the most diligent engineers miss.

by Arjuna Shunn

Providing a service on the Web entails a wealth of concerns, from system design, network architecture, and application development, to maintenance and security. This last aspect is often overlooked and undervalued because proactive application, system, and network security offer little tangible return. Not until a Web service vulnerability causes loss of money, damage to reputation, and loss of customer confidence does security rise to the fore.

Building and maintaining a strong security environment has two primary phases: initial deployment and ongoing maintenance. The initial deployment is much like building a Middle Ages castle. The defenses for these stone fortresses were not just a wall or a moat but a study in the concept of "defense in depth" with a series of security controls intended to thwart attacks. Most castles had a series of inner walls in addition to their primary outer barriers, which allowed for a controlled retreat into a layered defense. Like the castle, a secure Web environment should be designed to control the movement of malicious, or potentially malicious, persons and slow any attacks that manage to breach one layer of defense.

The second major aspect of security, maintenance, is often neglected because it requires sustained vigilance. Take the castle once again. Without guards in watchtowers, locked gates, and constant vigilance, the walls, moat, and other defenses can be useless. If the drawbridge is left down, or worse, a side gate is left unlocked, the attackers can simply bypass the wall defenses altogether.

Now, consider your environment. You have hardened your servers, configured your routers, and patched all known security vulnerabilities. Your castle is secure and all the doors are locked, so you and all the guards sleep soundly. But is your environment secure? Of course not. If all the systems administrators, network administrators, and application developers don't keep a watchful eye, your castle will be overrun as soon as an attacker finds a way to bypass all those defenses.

To design secure Web services you must not only build a secure environment but also maintain a strong security stance. One without the other is of no value.

Check It—Constantly
Although occasional checks and fixes provide a relatively strong barrier against known attacks such as worms, viruses, or the latest directory traversal, more insidious attacks often will test the defenses of your Web services. These attacks are often quite dangerous because they rarely are noticed during the course of normal business and are stealthy enough to slip past inattentive network and systems administrators. Maintenance, then, is not merely applying the latest hotfixes and patches, but a frame of mind. Logs are culled for potential signs of danger; port scans and probes of network security are not set aside as unimportant but are monitored and investigated frequently.

Maintenance is one percent applying patches and access control lists (ACLs) and 99 percent vigilance in monitoring, log examination, and traffic-pattern analysis. In short, it can be very dull. However, this vigilance is far more important than building a secure Web service alone. Even if a service is insecure but a vigilant administrator, engineer, or developer monitors its activity, the chances of an attack succeeding are dramatically reduced.
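As an added illustration of the log examination described above (not code from the original article), the following Python sketch reviews a Web server access log for directory traversal attempts and for clients probing many nonexistent paths. The Common Log Format input, the sample lines, the addresses, and the threshold of three distinct 404s are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Common Log Format; addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2004:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 5120
203.0.113.9 - - [12/Mar/2004:10:01:05 +0000] "GET /docs/..%2f..%2fetc/passwd HTTP/1.0" 404 310
203.0.113.9 - - [12/Mar/2004:10:01:06 +0000] "GET /img/%252e%252e/%252e%252e/boot.ini HTTP/1.0" 400 298
192.0.2.44 - - [12/Mar/2004:10:02:11 +0000] "GET /admin/ HTTP/1.0" 404 290
192.0.2.44 - - [12/Mar/2004:10:02:11 +0000] "GET /phpmyadmin/ HTTP/1.0" 404 290
192.0.2.44 - - [12/Mar/2004:10:02:12 +0000] "GET /backup.zip HTTP/1.0" 404 290
198.51.100.7 - - [12/Mar/2004:10:03:40 +0000] "GET /release..notes.html HTTP/1.0" 200 2048
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def decode_path(path, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def review(log_text, probe_threshold=3):
    """Return (traversal_hits, probing_clients) found in an access log."""
    traversal_hits = []
    not_found = defaultdict(set)  # client -> distinct paths that returned 404
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, raw_path, status = match.groups()
        path = decode_path(raw_path).split("?", 1)[0]
        # A ".." path segment (either slash style) is a traversal attempt;
        # "release..notes.html" is not, so compare whole segments.
        if ".." in re.split(r"[/\\]", path):
            traversal_hits.append((client, raw_path))
        if status == "404":
            not_found[client].add(path)
    probing = sorted(c for c, paths in not_found.items()
                     if len(paths) >= probe_threshold)
    return traversal_hits, probing

if __name__ == "__main__":
    hits, probing = review(SAMPLE_LOG)
    for client, path in hits:
        print(f"traversal attempt from {client}: {path}")
    for client in probing:
        print(f"possible probing (many distinct 404s) from {client}")
```

Run on a schedule against the live log, a review like this turns the occasional check into the routine monitoring the section argues for; the traversal test matches whole path segments so ordinary file names containing two dots are not flagged.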

Copyright 2004 Jupitermedia Corporation All Rights Reserved.