Security Policy
An ASP needs to develop a general security policy that addresses how it manages
and maintains the internal security posture of its infrastructure. Issues such as
password management, security auditing, dial-in access, and Internet access are
some examples of the areas that should be addressed in a security policy. The
policy is the written manifestation of current security requirements and guidelines,
as well as procedures that your ASP consistently uses.
Consistent policies will give clarity within the ASP about what steps to take
to ensure a minimal amount of security. If the ASP is to see immediate improvement
with its security position, establishing security policies is the logical step to
follow assessment, and should be initiated as an adjunct to security planning.
As the plan for security management unfolds, the specific elements within the
environment may change. As changes occur, the policies should be reviewed and
modified to ensure that they communicate the current plan for protecting your
ASP environment. Security policies should be reviewed at least every six months
to verify the validity of the policy, and they should be updated every time the
policy changes regardless of the reason. Therefore, security policies should be a
continual work in progress.
Developing a Security Policy
To develop a comprehensive security policy, you will first need to understand
what it is that makes for a good security policy. In general, a security policy
defines how an ASP manages, protects, and distributes sensitive information and
resources. Any ASP, before connecting to the Internet, should develop a usage
policy that clearly identifies the solutions they will be using and exactly how
those solutions will be used.
First, the policy should be clear, concise, and understandable, with a large
amount of flexibility, and some type of built-in mechanism that allows for periodic
revisions and alterations as changes become necessary.
Second, you will need to define the requirements to which the security
policy will adhere. To provide this, it will be necessary to draw on your usage
policy, and to use it as a guide for defining the security policy. This is necessary to
maintain the required functionality while providing the security function. Your
requirements should include the external customer demands as defined within
your service level agreements (SLAs), external legal requirements concerning
security, external supplier security policies, your internal security policies, and
other security policies that relate to integration of customer environments with
your company.
Third, you need to understand what needs to be protected. This might
include, but not be limited to, computer resources, critical systems, sensitive systems,
customer and company data, critical data, sensitive data, and public data. To
help you evaluate your individual system needs, it would be helpful to make a list
of all the nodes in your network, and to designate each of these with a level of
security.
For instance, a public machine that poses few consequences if it were to
become compromised might be considered low security; a Web server might be
considered medium security; and your financial databases might be considered
high security. Be careful when designating low-security systems, though. Just
because a system does not contain any sensitive data does not mean that it is
not a threat; if it has access to devices that do include sensitive data, it
might be used as a springboard to access other systems within the network.
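The node list and the springboard caution above can be checked mechanically. The following is an added example, not part of the original text: it walks a constructed access map and reports every node that can reach a node of a higher security level, generalizing the low-to-high case described above. All node names, levels, and access entries are hypothetical.

```python
from collections import deque

# Constructed inventory: node -> security level (names are hypothetical).
LEVELS = {
    "kiosk": "low",
    "print-server": "low",
    "web01": "medium",
    "app01": "medium",
    "findb": "high",
}

# Constructed access map: node -> nodes it is permitted to connect to.
ACCESS = {
    "kiosk": ["web01"],
    "print-server": [],
    "web01": ["app01"],
    "app01": ["findb"],
    "findb": [],
}

RANK = {"low": 0, "medium": 1, "high": 2}


def springboard_paths(levels, access):
    """For each node, map every reachable higher-level node to the shortest path."""
    findings = {}
    for start in levels:
        parent = {start: None}          # breadth-first search from `start`
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in access.get(node, []):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for target in parent:
            if RANK[levels[target]] > RANK[levels[start]]:
                path, cur = [], target
                while cur is not None:  # rebuild the path back to `start`
                    path.append(cur)
                    cur = parent[cur]
                findings.setdefault(start, {})[target] = path[::-1]
    return findings
```

A low-security node that appears in the result with a high-security target should be treated at the level of what it can reach, or have its access narrowed.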
Fourth, you need to define the security policy guidelines. To accomplish this,
two policies should be written; the first should consist of a high-level policy
written from the customers’ perspective, and should be a simple document that
gets directly to the point. You should base this document on security rationale,
and it should have very little technical information.
A second low-level policy should also be written for security implementers,
and should include detailed technical descriptions of procedures, filtering rules,
and so forth. This document should clearly and concisely outline the exact security
procedures, and should only be viewable by those who require the information.
If such a document were to become publicly accessible, it could be used
against your systems maliciously by identifying possible holes in your security
policy and thus displaying methods into your network.
For instance, if you are using packet filtering to only allow traffic from a specific
network, it might be possible for a would-be cracker to spoof an IP address
that is in the accepted range in order to compromise your systems. Because of
this, it is best to keep your security policy very secure.
Finally, you must ensure that your security policy is based on actual customer
situations, while remaining clear, concise, consistent, and understandable.
Furthermore, to ensure a good security policy requires a periodic evaluation of
the effectiveness of the current security systems, as well as periodic evaluation of
the actual system configurations, or at least the security relevant components.
Sometimes it may even be beneficial to hire a third-party security firm to
provide an unbiased evaluation and assessment of your security systems. In many
cases, they may discover issues that you did not, and they might be able to suggest
possible fixes for some of the issues they encounter.
In addition, it is sometimes easier to sell your customers on your security
posture if an evaluation was performed by an outside security organization. It
could at least help to instill your customers with confidence in your organization.
Security Components
As an ASP, to validate both the security policy and the privacy policy, a review of
the various security mechanisms and methods used to implement those policies is
required. At a minimum, the following security components should be considered:
Authentication
Confidentiality
Incident response
Security auditing
Risk assessment
Authentication
One of the most important methods to provide accurate security is the ability to
authenticate users and systems. In fact, all of your security mechanisms will be
based on authentication in one way or another. As an example, you will need to
authenticate users and nodes that access data on your systems. The authentication
might take the form of a username and password, or an access list that governs
access from a particular system’s IP address to another system’s IP address.
You may even use a different method entirely, or a combination of methods.
Regardless of the method used, it is apparent that without the ability to guarantee
or reveal the authenticity of a user or host, it is impossible to guarantee security. In
fact, the success of your security mechanisms will hinge greatly on the methods of
authentication they incorporate and you employ throughout your network.
User Authentication
A requirement for any ASP is the ability to positively identify and authenticate
users. Depending on the level of security required, the mechanisms to support
this requirement can range from identifying users based on usernames and passwords,
to personal identification numbers (PINs) and digital certificates.
Usernames and Passwords
The use of usernames and passwords is one of the most ancient of all authentication
schemes. I am sure at some point you have had to enter a username or password
to gain access to a resource, or even to log in to your own personal
computer. This being the case, you are probably already familiar with some of the
security concerns associated with the use of passwords, such as not sharing them
with others and keeping them private.
To accomplish this, you are aware that you are not supposed to write your
password on a piece of paper that is taped to your monitor, or that you should
not use a password that is easy to guess, such as your first name. However, just
because you understand these cardinal rules, it does not always follow that others
will too. Because of this, it is always important to set password guidelines for your
users, and make certain they adhere to those guidelines.
When evaluating identification and authentication mechanisms, you need to
consider both the mechanism and the implementation. A standard user ID and
password scheme should have a minimum password length of at least eight characters,
and require passwords to be nondictionary words. In addition, the implementation
should limit unauthorized access attempts and, at a minimum, after a
fixed number of failed attempts, lock out the account for some specified period.
If the account is locked out multiple times, it should be locked until an administrator
can speak with the owner of the account.
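The password and lockout rules in the preceding paragraph, written out as an added example that is not part of the original text. Only the eight-character minimum comes from the text; the failure threshold, lockout period, lockout count, and word list are assumed values chosen for illustration.

```python
from dataclasses import dataclass

# Assumed values: the text fixes only the 8-character minimum.
MIN_LENGTH = 8
MAX_FAILURES = 3          # failed attempts before a temporary lockout
LOCKOUT_SECONDS = 900     # length of a temporary lockout
MAX_LOCKOUTS = 3          # temporary lockouts before an admin must step in
DICTIONARY = {"password", "security", "baseball", "sunshine"}  # sample list


def password_acceptable(password: str) -> bool:
    """At least eight characters and not a dictionary word."""
    return len(password) >= MIN_LENGTH and password.lower() not in DICTIONARY


@dataclass
class Account:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    admin_locked: bool = False

    def attempt(self, password_ok: bool, now: float) -> str:
        """Record one login attempt at time `now` and return the outcome."""
        if self.admin_locked:
            return "admin_locked"
        if now < self.locked_until:
            return "locked"            # refused without checking the password
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures < MAX_FAILURES:
            return "failed"
        self.failures = 0
        self.lockouts += 1
        if self.lockouts >= MAX_LOCKOUTS:
            self.admin_locked = True   # stays locked until an admin resets it
            return "admin_locked"
        self.locked_until = now + LOCKOUT_SECONDS
        return "locked"

    def admin_reset(self) -> None:
        """Called after an administrator has spoken with the account owner."""
        self.failures = self.lockouts = 0
        self.locked_until = 0.0
        self.admin_locked = False
```

Note that a correct password presented during a lockout is still refused, so the lockout period cannot be used to confirm a guess.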
Personal Identification Numbers
A personal identification number (PIN) provides another mechanism that you can
use to enhance the security of a standard username and password system. In most
implementations, users log in to an ASP with their username and password. Once
validated, the users are asked to enter their PIN, which is usually a numerical
value that is predefined and known only by the user and authentication mechanism.
The PIN provides an extra level of access control, but can still be overcome
fairly easily.
Digital Certificates
Deploying digital certificate technology would be a more robust access control
mechanism. Today, the trend seems to lean toward a digital certificate-based
solution that not only validates the user, but also enables the establishment of a
session encryption key to support confidentiality of the transaction once the user
is authenticated.
If you use usernames and passwords solely for authentication services, you
may be exposing your ASP to an easy attack. If, for instance, an attacker were to
gain access to a system by compromising a username and password, he or she
would have access to all resources for which the account is privileged. This might
allow the attacker access to a single host or numerous hosts in your network. It
could also give him or her the opportunity to access and alter data, as well as
wreak havoc on your systems and their functionality.
There are numerous methods an attacker can use to bypass password-based
security mechanisms, the most popular of which are network sniffing and brute
force.