Inevitably, the targets intruders find most attractive are the ones with the weakest defenses. So it should not be surprising that enterprise applications and databases are increasingly attacked by the kinds of threats once associated mostly with operating systems and desktop applications.
Most large organizations have already installed antivirus software, firewalls and even intrusion detection systems (IDSs) to protect their networks and host operating systems. By comparison, enterprise-class applications have received relatively little attention, on the assumption that the firewalls and other defenses at the network perimeter protect them too. Yet these applications and databases are the main reason enterprises invest in IT in the first place, and the data they hold are often the enterprise's most valuable assets. An enterprise without database security is like a bank with locks on the doors and armed guards at every entrance, but no vault.
Firewalls are a critical component of a layered defense, but they make decisions on addresses, ports and protocols, so they cannot detect or stop the class of threats now directed at applications and databases: an attack that arrives as a well-formed request on an allowed port looks like legitimate traffic to them. The other widely deployed tool, the intrusion detection system, only monitors and alerts; it does not block, so at best it supports after-the-fact forensics rather than preventing the attack.
Organizations need to bring the same level of protection to applications and databases that they apply to servers and networks, with solutions that can automatically detect and respond to application-level threats in real time, and that are granular enough to provide access for customers and business partners while keeping attackers out.
Requirements for Enterprise-Class Application Security
What capabilities, then, are required to provide true security for the application layer? For a proven framework, look no further than the methodology organizations have already successfully applied at the network and host operating system levels. Just as at the host and the network perimeter, application-aware security solutions must provide vulnerability assessment, real-time intrusion protection, and encryption. To achieve these goals, such application-level tools must provide:
Audit/Proactive Hardening: The system must audit the status and configuration of all application components, perform security tests and proactive hardening of those components, and produce detailed security audit reports before and after application deployment. It must also verify that all current patches have been installed, that default passwords have been changed, and that recommended security configurations have been applied (for example, disabling unused services, or moving listeners off well-known default ports, which reduces exposure to automated scanning but is no substitute for patching). As with the network and host OS, assessing the vulnerability of application components is the bedrock on which any security strategy is built. Without it, an enterprise can neither proactively minimize risk nor gauge ongoing compliance with its security policies.
Real-Time Protection: The ability to detect and block attacks as they happen. Not only are more attackers producing more attacks than ever, but the malware they create spreads faster than ever. The threat is made worse by the window of opportunity that stays open between the disclosure of a vulnerability and the deployment of a fix. Given today's rapidly propagating threats and the time needed to test and roll out patches, organizations need real-time protection to complement the proactive hardening provided by ongoing vulnerability assessments.
Attacks can begin at any time. A growing share are "zero-day" attacks, which target vulnerabilities before their existence is published and before patches are available. This is the case for behavior-based intrusion prevention: the system must detect and block application-level attacks for which there is no known signature to scan for and no patch to apply, by recognizing activity that departs from how the application normally behaves.
Not all security threats are created equal. Some pose more severe threats than others, and some are more dangerous to certain types of organizations than to others. For this reason, administrators must be able to tune the system's response to the danger a given threat poses to their specific enterprise, rather than accepting one fixed threshold.
Encryption: The ability to encrypt the most sensitive data as a "last line of defense", so that the data remain protected even if the database itself is compromised. Encryption also prevents access to data by legitimate users whose privileges are broader than their need. For example, a database administrator needs administrative access in order to grant, revoke or change users' access rights, but should not be able to see, change or copy the information itself, such as customers' credit card numbers. This separation holds only if the encryption keys are kept outside the database, in the application tier or a key-management service, so that database privileges alone never yield plaintext. Any such encryption solution must be transparent to the application components it protects, meaning that the encryption keeps working as individual components are changed or upgraded.
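The following is an added example, not code from the original page or from any product it describes. It shows the application-tier encryption the paragraph calls for: the application encrypts a card number with AES-GCM (Go standard library) under a key it holds itself, stores only ciphertext, and reads it back; an administrator with full read access to the stored row sees ciphertext only. The in-memory table, the row layout, the customer IDs and the test card number are constructed for the example, and binding the row ID into the ciphertext as associated data is a design choice of this example, not something the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// customerRow is what the database stores. A DBA with SELECT on the table sees
// exactly these bytes: the card column holds nonce || AES-GCM ciphertext that
// the application produced before the INSERT, never the card number itself.
type customerRow struct {
	Name  string
	CardC []byte // encrypted at the application tier
}

// table stands in for the database table (in-memory, constructed for the example).
type table map[int]customerRow

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key: AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals the value under a key that lives with the application
// (or a key service), not in the database. The row ID is bound in as
// associated data, so a ciphertext copied into another row will not decrypt.
func encryptField(key []byte, id int, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ad := []byte(fmt.Sprintf("customer:%d", id))
	return aead.Seal(nonce, nonce, plaintext, ad), nil // nonce is prefixed to the output
}

func decryptField(key []byte, id int, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	ad := []byte(fmt.Sprintf("customer:%d", id))
	return aead.Open(nil, blob[:ns], blob[ns:], ad)
}

// Insert is the application path in: it holds the key and encrypts before storing.
func Insert(t table, key []byte, id int, name, card string) error {
	c, err := encryptField(key, id, []byte(card))
	if err != nil {
		return err
	}
	t[id] = customerRow{Name: name, CardC: c}
	return nil
}

// DBADump is the administrator's view: full access to the stored bytes, no key.
func DBADump(t table, id int) (name, cardHex string) {
	r := t[id]
	return r.Name, hex.EncodeToString(r.CardC)
}

// AppRead is the application path out; only a key holder obtains plaintext.
func AppRead(t table, key []byte, id int) (string, error) {
	r, ok := t[id]
	if !ok {
		return "", errors.New("no such row")
	}
	p, err := decryptField(key, id, r.CardC)
	return string(p), err
}

// Demo returns whether the DBA view exposes the card number, what the application
// reads back, and whether a ciphertext moved onto another row is rejected.
func Demo() (dbaSeesPlain bool, appReads string, swapRejected bool, err error) {
	key := make([]byte, 32) // in production: fetched from an HSM or key service, never stored in the DB
	if _, err = rand.Read(key); err != nil {
		return
	}
	t := table{}
	const card = "4111111111111111" // constructed test card number
	if err = Insert(t, key, 42, "Alice", card); err != nil {
		return
	}
	_, cardHex := DBADump(t, 42)
	dbaSeesPlain = strings.Contains(cardHex, hex.EncodeToString([]byte(card)))
	if appReads, err = AppRead(t, key, 42); err != nil {
		return
	}
	// A DBA copying Alice's ciphertext onto row 7 gains nothing: the associated
	// data ties the blob to customer 42, so GCM authentication fails.
	t[7] = customerRow{Name: "Mallory", CardC: t[42].CardC}
	_, swapErr := AppRead(t, key, 7)
	swapRejected = swapErr != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The point to take from the design is where the key lives: the database never sees it, so a dump of the table, a compromised DBA account or a stolen backup yields ciphertext only, while the application, which must handle card numbers anyway, is the only component that can decrypt.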
Internal and External Protection: The ability to detect and protect against application or database attacks from inside as well as outside the firewall. Many organizations focus their security attention on attacks from outside the organization and believe that a secure perimeter (such as firewalls) will eliminate most threats. But Gartner, Inc. estimates that 70 percent of security incidents that cause loss (rather than mere annoyance) to organizations involve insiders. Since an insider has trusted access to corporate systems, he or she is by definition already inside the firewall, so perimeter-based defenses will never see the attack.
Multi-Tier Protection: The ability to protect against attacks at any tier of the IT infrastructure, including the Web front-end, the application and middleware, and the back-end database. Attackers increasingly mount "blended" attacks that might use a port scan to find a way into a Web front-end, a password dictionary attack to gain unauthorized access to an application, and a SQL injection attack against the database itself. Application-level security must protect every tier, and must be able to connect activity seen at one tier with activity at the others, since each step of a blended attack looks minor on its own.
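The following is an added example, not code from the original page or from any product it describes, and it serves both the Real-Time Protection requirement (behavior-based detection with administrator-tunable thresholds) and the Multi-Tier Protection requirement (correlating a blended attack across tiers). It ingests a constructed trace of events from the Web, application and database tiers and flags, per source address, a port scan (too many distinct ports), a dictionary attack (too many failed logins) and SQL injection; the injection check is behavior-based rather than signature-based: every query is reduced to its shape by replacing literals with "?", and any shape outside the application's own known statement set is treated as anomalous. The event fields, threshold values, sample addresses and the known-query list are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one normalized record from any tier. Constructed for this example;
// the field names are assumptions, not any product's schema.
type Event struct {
	Tier   string // "web", "app" or "db"
	Src    string // client address the tier attributes the request to
	Kind   string // web: "connect" (Detail = port); app: "login_fail"; db: "query" (Detail = SQL text)
	Detail string
}

// Thresholds are the administrator's tuning knobs: how much of a behavior is
// tolerated before it is reported, set per enterprise rather than fixed.
type Thresholds struct {
	ScanPorts  int // distinct destination ports from one source
	LoginFails int // failed logins from one source
}

// Finding carries one flag per tier for a single source address.
type Finding struct {
	Src        string
	PortScan   bool
	Dictionary bool
	SQLInject  bool
}

// Blended reports whether the same source tripped more than one tier.
func (f Finding) Blended() bool {
	n := 0
	for _, b := range []bool{f.PortScan, f.Dictionary, f.SQLInject} {
		if b {
			n++
		}
	}
	return n >= 2
}

var (
	reString = regexp.MustCompile(`'(?:[^']|'')*'`) // SQL string literal, '' escape allowed
	reNumber = regexp.MustCompile(`\b\d+\b`)
	reSpace  = regexp.MustCompile(`\s+`)
)

// NormalizeSQL reduces a query to its shape: literals become "?", case and
// whitespace are canonicalized. Injected input changes the shape, so no attack
// signature is needed; any shape outside the learned set is anomalous.
func NormalizeSQL(sql string) string {
	s := reString.ReplaceAllString(sql, "?")
	s = reNumber.ReplaceAllString(s, "?")
	s = reSpace.ReplaceAllString(strings.ToLower(s), " ")
	return strings.TrimSpace(s)
}

// Analyze groups events by source and applies the per-tier rules.
func Analyze(events []Event, th Thresholds, knownQueries []string) map[string]Finding {
	baseline := map[string]bool{}
	for _, q := range knownQueries {
		baseline[NormalizeSQL(q)] = true
	}
	ports := map[string]map[string]bool{}
	fails := map[string]int{}
	out := map[string]Finding{}
	for _, e := range events {
		f := out[e.Src]
		f.Src = e.Src
		switch {
		case e.Tier == "web" && e.Kind == "connect":
			if ports[e.Src] == nil {
				ports[e.Src] = map[string]bool{}
			}
			ports[e.Src][e.Detail] = true
			f.PortScan = len(ports[e.Src]) >= th.ScanPorts
		case e.Tier == "app" && e.Kind == "login_fail":
			fails[e.Src]++
			f.Dictionary = fails[e.Src] >= th.LoginFails
		case e.Tier == "db" && e.Kind == "query":
			if !baseline[NormalizeSQL(e.Detail)] {
				f.SQLInject = true
			}
		}
		out[e.Src] = f
	}
	return out
}

// KnownQueries is the application's own prepared-statement set (constructed).
func KnownQueries() []string {
	return []string{
		"SELECT id FROM users WHERE name='x' AND pass='x'",
		"SELECT * FROM orders WHERE customer_id=0",
	}
}

// SampleEvents is a constructed trace: one blended attacker, one normal client.
func SampleEvents() []Event {
	atk, ok := "203.0.113.5", "198.51.100.7"
	ev := []Event{{"web", ok, "connect", "443"}, {"app", ok, "login_fail", ""},
		{"db", ok, "query", "SELECT id FROM users WHERE name='bob' AND pass='s3cret'"}}
	for _, p := range []string{"21", "22", "80", "443", "8080", "3306"} {
		ev = append(ev, Event{"web", atk, "connect", p})
	}
	for i := 0; i < 8; i++ {
		ev = append(ev, Event{"app", atk, "login_fail", ""})
	}
	return append(ev, Event{"db", atk, "query", "SELECT id FROM users WHERE name='' OR '1'='1' AND pass=''"})
}

func main() {
	for src, f := range Analyze(SampleEvents(), Thresholds{ScanPorts: 5, LoginFails: 5}, KnownQueries()) {
		fmt.Printf("%s scan=%v dict=%v sqli=%v blended=%v\n", src, f.PortScan, f.Dictionary, f.SQLInject, f.Blended())
	}
}
```

Raising ScanPorts or LoginFails is the tuning the text describes: an enterprise whose customers legitimately retry passwords sets LoginFails higher, one exposing a single service sets ScanPorts lower. The query-shape baseline would in practice be learned from the application's prepared statements or from a training period, and a real deployment would also expire counters over a time window rather than accumulating them forever as this example does.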
Enterprise-Class Infrastructure: A unified scanning infrastructure that works in a common fashion and provides the same capabilities within each tier of the application environment. As organizations move toward flexible, service-based IT architectures, applications may run on any number of tiers (or platforms) throughout the enterprise, and the number and nature of the tiers an application depends on may change unpredictably as business or technical needs change. Organizations cannot afford to pay skilled personnel to monitor several disconnected scanning tools, nor can their networks afford the bandwidth those scanners consume looking for threats and reporting their results. Just as with network and host-level security tools, organizations need scalable, enterprise-class application security tools that can grow to meet future needs.
Distributed Management/Centralized Reporting: The ability to delegate the responsibility for, and the work involved in, monitoring and managing application and database security across geographies or business units, while providing centralized reporting of audit results. Modern businesses outsource more work than ever to consultants, contractors, and business partners such as distributors or contract manufacturers. An application-level security system must be flexible enough to delegate to such outside entities the responsibility for keeping their portion of a shared information system secure. Even within a single organization, multiple business units, divisions or geographies must cooperate in keeping data secure and take responsibility for doing so. At the same time, the security infrastructure must provide a single, centralized security audit, so that accountability and enforcement of security processes remain centralized.
Summary
Applications and databases form the core of an organization's information technology infrastructure. Without the business processes they support (such as sales, marketing, manufacturing, distribution and accounting) and the data they hold (such as customer names, production status, credit card data and account histories), the business cannot function. Yet applications and databases have been alarmingly neglected within the enterprise compared to the security provided for networks and servers. Organizations that understand the importance of their applications and databases recognize the need for proactive, dynamic tools that can find and stop attacks on them before those attacks cripple the enterprise. Fortunately, hard-earned experience securing the network provides a ready-made blueprint for securing enterprise applications: vulnerability assessment, real-time intrusion protection, and encryption at the application layer.