Establishing Digital Trust: Don't Sacrifice Security for Convenience
Then start by looking no further than the tools you already have.
Chances are there are quite a few security enhancements that you can make simply by making better use of what's almost certainly already on your system.
I have spent a significant amount of time over the years assessing the security of business applications, and one of the consistent problems that I've seen is that the security capabilities of the network, operating system, and/or the applications themselves are not being exploited to their fullest extent. For example, operating system file access controls are often either overlooked or not adequately fine-tuned to the needs of the application when installing the application.

I call this operations security because it generally is done within the data center operations, and it supports all of the other network security, system security, and application security efforts that already go into designing and implementing a business application. As such, it is the final link between an otherwise secure application and the data center environment that it will operate in.
Mistakes made at the operations security phase can completely undermine the application's security. But the converse also is true: improvements made in operations security can very much enhance the overall security of the environment. Start by protecting the application and its data, and proceed all the way through the operational aspects of effectively responding to security events.
Starting down at the network level, the key principles are compartmentalization and access control. Here's where most data centers generally do a pretty good job already, but it's likely that you can still find plenty of room for improvement. For example, consider further separating your applications on isolated network segments (or VLANs) and tightly configuring the network components to enforce the network-level policies concerning which network services are permitted both in and out of each segment.
Another high-value, low-cost tip is to provide a separate network segment for administrative traffic, such as system monitoring, actual system administration tasks, and event logging. This benefits both the performance of the production data segments and the security of the environment, since administrative traffic is kept isolated from production, requiring an intruder to break through another layer of protection before he can compromise your application.
High-quality event logging and monitoring are the lifeblood of incident response operations. Many organizations have implemented pretty good event logging at the network and operating system level, but very rarely at the application level. There are opportunities here, as well, to enhance the overall security of the application for relatively little money.
The reason it's so important to log events all the way up to the application level is that, to the incident response analyst, each layer of logging brings its own perspective on a security event. And a full complement of those perspectives is necessary to really understand what took place at the time of an attack.
For example, when trying to forensically determine how a site was compromised, the network logs show the date, time, protocol, source, etc., of the attack. The operating system logs show what the intruder did and accessed on the host's operating system. The application logs provide insight into what data the intruder accessed, modified, deleted, etc., within the compromised application. Without that "big picture" view, it is exceedingly difficult to provide company executives with an accurate damage assessment so they can make the appropriate business decisions on how to proceed. It also is exceedingly difficult to distinguish between an IDS false alarm and a real, potentially company-threatening incident.
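To make the three-perspective idea concrete, here is an added example (not from the original column) that correlates constructed network, operating system and application log lines around one source address and reports which layers the resulting timeline actually covers. The log formats, hosts, users and addresses are all invented for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines for the three layers the article names.
# Timestamps, hosts, users and addresses are made up for this example.
NETWORK_LOG = """\
2024-03-05 02:14:07 fw01 ACCEPT tcp 198.51.100.23:51844 -> 10.0.1.5:443
2024-03-05 02:14:09 fw01 ACCEPT tcp 198.51.100.23:51845 -> 10.0.1.5:22
2024-03-05 03:40:00 fw01 ACCEPT tcp 203.0.113.9:40000 -> 10.0.1.5:443"""
OS_LOG = """\
2024-03-05 02:14:10 appsrv sshd[2211]: Accepted publickey for appuser from 198.51.100.23
2024-03-05 02:14:31 appsrv audit: uid=appuser exe=/bin/cat path=/opt/app/etc/db.conf op=read"""
APP_LOG = """\
2024-03-05 02:15:02 billing-app user=appuser action=EXPORT table=customers rows=48213 client=198.51.100.23"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass(frozen=True)
class Event:
    ts: datetime
    layer: str      # "network", "os" or "application"
    detail: str
    ips: frozenset  # every IPv4 literal found on the line

def parse(layer, text):
    """Turn one layer's raw lines into Event records; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, layer, m.group(2), frozenset(IP_RE.findall(line))))
    return events

ALL_EVENTS = (parse("network", NETWORK_LOG) + parse("os", OS_LOG)
              + parse("application", APP_LOG))

def timeline(anchor_ip, window=timedelta(minutes=5), events=ALL_EVENTS):
    """Events within `window` of the first network hit from anchor_ip, plus any
    event on any layer that names that address, in time order."""
    anchors = [e for e in events if e.layer == "network" and anchor_ip in e.ips]
    if not anchors:
        return []
    start = min(a.ts for a in anchors)
    return sorted((e for e in events
                   if anchor_ip in e.ips or start <= e.ts <= start + window),
                  key=lambda e: e.ts)

def layers_covered(events):
    """Which of the three perspectives the correlated timeline actually has."""
    return {e.layer for e in events}
```

A timeline that spans all three layers supports a damage assessment; one that only has the firewall line (the second address here) shows exactly the visibility gap the column describes.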
Next, the operating systems that are generally found in today's data centers almost always include security capabilities that go unused in the integration of the applications that are running on them. Principal among these are file access control and targeted event logging. Access control that is precisely tuned to the needs of the application takes time and it takes a deep understanding of the application and the operating system's capabilities, but the rewards are well worth it, for a multitude of good and valuable reasons.
The following is a checklist of a few things you can consider doing in your data center to improve both the protection mechanisms, as well as the tools available to support the incident response posture:
Most of these tips are not overly expensive to implement. Almost all of them, though, require a deep knowledge of each business application and how it functions. That will no doubt involve close collaboration between your application development and integration staff, networking staff, and security staff.
All of this is time well spent, as I see it.
Kenneth van Wyk, a 19-year veteran of IT security, is the principal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.