Remote application delivery is high on the list of new technologies
being brought to market over the next three years. The positioning battle between the
major hardware and software vendors in the Application Service Provider marketplace is
being fought out on the front pages of the computer press. However, less is being
seen in the server rooms, where issues with quality of service, reliability and security
have a high profile. Security is a major area of concern and a number of ASPs are working
to address the issue. Some basic features can be identified and can be used to judge the
readiness and reliability of current offerings.
System security policy
Before any framework can be put in place, a detailed breakdown of the security environment
required must be investigated. This will include the examination of a number of areas, but
these can be categorised into four main requirements:
- Physical security: making the building and environment secure
- Procedural security: ensuring the processes are in place to
maintain security
- Personnel security: personnel vetting and access control
- Electronic security: controlling user and data access
Here we will cover Electronic Security, but the other three areas are
equally important and require full implementation to support any electronic measures
put in place.
The security policy must address the likely scenarios, perceived threats, and associated
risks of the application deployment system. Electronic measures to support this policy can
then be identified. The defining principles of network security in Application Deployment
are:
- Accountability
- Audit
- Confidentiality
These ensure individual events can be attributed to individuals, and
that information and applications are fully protected.
Central control
Security as a function must be centrally controlled for it to support the principles of
network security. This is the only way of ensuring that a full and easy-to-interrogate
audit and accountability log can be maintained. Separate systems risk leaving
gaps in the security architecture. This type of environment has been
traditionally designed around firewall gateway architectures. The market-leading vendor
for this technology, Check Point Software Technologies, supports a central administration
point with its product FireWall-1. In addition to firewall protection, systems must also
address one of the other major principles: confidentiality of data. Firewalls
protect a confidential area, but these must be extended with virtual private networking
(VPN), which allows data to be protected in transit. VPNs use encryption technology to
protect data using a number of different encryption formats, the most widely used being
the Data Encryption Standard (DES) 56-bit. This is a robust encryption system with a low
bandwidth overhead on the connection.
Supporting remote users
Deploying a VPN through a firewall infrastructure provides a secure connection for users
from fixed sites, but doesn't address the mobile user who needs to connect from
wherever they are. Using the Internet for this connection avoids the need for expensive,
long-distance direct dial calls, but it must be secured. Technologies such as Check
Point's SecuRemote enable an encrypted VPN to be created from any point on the
Internet and encrypt traffic using a code which changes every packet. Strong
authentication can then be supplied by token-based systems such as RSA Security's ACE
Server and SecurID.
Public Key Infrastructure (PKI)
In support of a basic security infrastructure, other technologies are emerging that can
greatly help the accountability and reliability of a security architecture for Application
Deployment. Public Key Infrastructure (PKI) is a new technology that will allow
individuals to control their own encryption schemes from their desktops. This will help
the individuals identify themselves and verify that they are who they claim to be. The
deployment of this scheme is currently being hampered by the perceived complexity
of the architecture and the lack of standards.
Managed Services
One of the key requirements in the ASP model is the provision of a complete service,
including the delivery mechanisms. This puts a requirement on the Application Service
Provider to be able to offer a fully managed security infrastructure. This is a major step
for many traditional network providers as security infrastructure management involves
tracking the accountability of individuals, access to individual servers and management of
encryption architectures. Security is a key concern of companies considering ASP,
and rightly so. Application Service Providers must address this concern by providing a
fully managed service that addresses the key principles of network security. Make sure you
ask the right questions!
Mik Stevens is Network Security Business Manager at ESOFT Global. www.esoft.co.uk
