May
Top Five Security Threats to Web Scale Deployment
Glenn Brunette, Distinguished Engineer, and Rafat Alvi, Principal Engineer, both in Sun’s Global Sales and Services Security Office, describe the top five security threats facing Web scale deployments:
1. Rushing Services and Code Updates Without Considering Security Implications
Starting with time-tested building blocks and patterns is essential to Web scale success, say Brunette and Alvi. “That’s why the safe, reusable libraries and modules found in NetBeans and Sun Java Studio Enterprise are so important to consistently developing secure applications,” says Brunette. “Open source frameworks based on the contributions of large, security-minded communities are usually the better bet for application development. I’m hard-pressed to think of what can beat the time-tested principles of good security testing and automation tools such as JUnit and JsUnit.”
2. Inability to Secure and Audit Growing Customer Interactions
“Once an organization determines its Web applications can scale, identity management is the next step in keeping security in step with Web scale growth,” Alvi says. “The constantly evolving nature of security was a major design consideration in the development of Sun identity management tools.”
3. Haphazardly Linking New Web Scale Services to Other Environments
“Information that was once inaccessible externally now can be accessed from any location, often through multiple devices,” says Alvi. “This is a superb development, but linking the old, the new, and the unrelated multiplies the number of potential security challenges. It also raises trust issues when interconnected systems and devices are owned by different parties.”
“That’s why identity federation capabilities should be part of a well-stocked Web scale security arsenal,” Brunette adds.
4. Failing to Understand the Read-Write Nature of Web Scale Technologies
“The trend toward self-updating Web content is a mixed blessing,” Brunette says. “By allowing the access, execution, and aggregation of content at the client, a new doorway has been opened where attackers can trick users into running malicious code that reaches into corporate networks.”
Brunette says that the best defense against such threats is usually a good offense. “Educate your users about the dangers of accessing unknown sites and ensure that clients — including desktops, PDAs, and mobile phones — have security protections to defend against these attacks. But also ensure that a defense-in-depth architecture is in place — these frameworks have stood the test of time.”
5. Neglecting the Foundations of Web Services
“…a systemic approach to security that combines policy, methodology, architecture, and products is critical with Web services, because these environments are only as strong as their weakest link,” adds Alvi. “Web scale environments simply don’t fly for long unless they are based on a secure foundation.”
“The choice of hardware and operating system is critical in scaling out Web services securely,” says Brunette. “But security is also more than products and technologies. Best practices, training, education, processes, and policy all play important parts in deploying applications on a Web scale.”
See the March 2008 edition of Sun’s Inner Circle for the complete interview with the two Sun security experts and their suggestions on solutions that best address these issues.