Security is certainly a hot topic nowadays. This is evident in the high profile that attacks on Microsoft and others attract in the media.
In a way, this has been a time bomb in the making for a long time, but still many providers of network infrastructure and application services are complacent, thinking that this is someone else`s problem. Unfortunately, this problem will not go away.
While the area of network security is fairly well understood and maturing, the area of application security is still far from mature.
Jaco Botha, CEO, Trispen Technologies
A high profile break-in on an application service provider (ASP) in SA would likely cause permanent damage to the ASP`s image and possibly impact on the acceptance of the fledgling ASP model throughout the entire industry.
Looking at the ASP model, the concept is simple: provide an application that can be used by different independent companies over the network. The cost saving is in sharing of the various infrastructures, program licensing and management staff to maintain the infrastructure and application environments.
Although the concept has been in operation in the mainframe environment for many years, implementing secure systems in modern distributed environments is a lot tougher.
Infrastructure and application service providers need to look at a multitude of factors when designing security for their service offerings. The key word here is "should", since in many instances the reality falls short of the intentions. To balance this, users of these services should make sure that security is part and parcel of the service level agreements when signing up to these services. In addition, users need to ask pertinent questions about the ASP`s infrastructure to make sure that enough emphasis is placed on this aspect.
The only solution
So how can these services be secured in a way that provides secure access to users, preventing both hackers (unauthorised users) and other authorised users of the infrastructure to gain access to the wrong information? In my opinion, the only solution is a comprehensive multi-layer security infrastructure.
Designers of ASP environments have major challenges to provide comprehensive security models. There are, however, some promising technologies available to help:
- Cryptography is a strong ally. A PKI can be used as the mechanism that binds the different layers of the infrastructure together; encryption of traffic using protocols such as IPsec can provide exceptional security levels.
- Network security technology is maturing - but remember to look at various levels, including the application level security aspects.
- Understanding what is going on in your systems is also important; use host- and network-based intrusion detection systems for that.
Start by building security at the network level, securing the network communication between the service provider and the users [Yellow lines in Figure 1]. For this purpose, VPNs can be used, or if the application is made available over a browser, Transport Layer Security (TLS, also known as SSL) can be used.
These security protocols will identify users of the network services and secure the communication between the service provider site and the user PC or user site. VPNs can also be used effectively to secure the back-end communication that links the ASP to other service providers.
Other network security technologies are equally important, especially if ASP users are connecting over the Internet. Firewalling is required at the packet filtering level to prevent access to unintended resources in the service provider network. Firewalling at the application protocol level is useful if the application protocols are mature enough, but unfortunately this is often not the case. More effort should be put into securing the applications itself.
Fired up
ASPs should ensure that outgoing traffic is controlled to prevent hackers from abusing their infrastructure. Monitoring of these firewalls and Intrusion Detection Systems can significantly enhance the service provider`s offering.
Public Key Infrastructures form an integral part of securing the network infrastructure, and can also be used in higher layers of the application infrastructure.
While the area of network security is fairly well understood and maturing, the area of application security is still far from mature. Many ASPs incorrectly assume that they are secure if they have installed a firewall.
Many ASPs rely on Web servers as the entrance point into their infrastructure. The problem with Web servers are that they are becoming more complex by the day, driven by the addition of competitive feature sets often at the cost of security capabilities.
These Web servers are often interconnected with back-end servers and very often a tight trust relationship exists between Web server host and back-end database servers. This trust relationship opens up attack possibilities to penetrate the back-end database servers. This can be solved by installing Web server security software, or at the very least by keeping up to date with security patches.
Until the Web server vendors start building better security into Web servers, ASPs need to be very vigilant in keeping applications up to date as exploits are published and fixed.
Another required security practice is that of separating users and organisations from one another once they are accessing the services of the ASP. In order to do this, the user authentication needs to be linked into all levels of the infrastructure.
Secure application service provision is possible, but goes much further than simply installing a firewall. I hope the guidelines in this Industry Insight go some way to make this happen in practice and not only in theory.
* Please note that Industry Insight pieces reflect the view of the author only. For further stories and opinions on this subject, please visit ITWeb`s Security Section.
Share