You're a security officer in your corporation and you've been informed your company is moving a datacenter from California to Chicago, Illinois. The applications generate over 50 million in revenue yearly. What advice do you follow and where do you start?
First you determine the style of the architecture of the applications. Then you investigate the age of the tools used to build the applications. If the applications have a web interface, you deploy tools to protect them from attack while making the applications more secure. Then upgrade the infrastructure components. Update the change and configuration management processes. Scan and correct the application's web errors. Lastly, modify the application so that it supports the latest security tools that integrate with the application such as Active Directory for authorization.
Some of the applications may be old and use a client-server or single-tier web application design. Due to their age and architecture, they lack many of the improvements made in application and infrastructure security over the last few years. The company kept its IT expenditures at a minimum to grow the business. Now, they've been purchased and their applications are tired.
Those same applications may use old application tools to maintain and modify the application. The language and tools used to create the application may not be supported anymore by the tool vendor. Proper source code controls and the promotion of software through development, test, and production environments may also be lacking. It is important to update development tools to vendor-supported levels while maintaining the design. This port of the application to new tools can occur before starting the infrastructure migration.
Since the bar for web application security keeps rising over time, mitigate internet risks by deploying a web-based URL whitelisting tool. It tracks all URLs that are used properly over a period of a couple of weeks and makes a whitelist of them. Future attacks that attempt to move to URLs that are not in the whitelist will have the session dropped. This URL whitelisting protects web-based applications and gives a company time to mitigate application weaknesses.
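The learn-then-enforce behaviour described above, as an added Python example that is not from the article or from any vendor's tool. The log tuples, the `min_hits` threshold, and the collapsing of numeric path segments into `{id}` are assumptions made for illustration.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample of the learning window: (session, method, raw URL, HTTP status).
LEARNING_LOG = [
    ("s1", "GET", "/login", 200),
    ("s1", "POST", "/login", 302),
    ("s1", "GET", "/orders/1042?sort=date", 200),
    ("s2", "GET", "/orders/77", 200),
    ("s2", "GET", "/orders/77/invoice.pdf", 200),
    ("s3", "GET", "/orders/9/invoice.pdf", 200),
    ("s3", "GET", "/admin/backup.zip", 404),  # failed request, never learned
    ("s4", "GET", "/static/../login", 200),   # normalizes to /login
    ("s4", "POST", "/login", 302),
]

def normalize(method, raw_url):
    """Canonical key: method plus decoded path, dot segments resolved, query dropped."""
    path = posixpath.normpath(unquote(urlsplit(raw_url).path) or "/")
    # Assumption: purely numeric segments are record IDs, so they share one entry.
    path = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return f"{method.upper()} {path}"

def build_whitelist(log, min_hits=2):
    """Learn only URLs used properly: non-error status, seen at least min_hits times."""
    hits = Counter(normalize(m, u) for _, m, u, status in log if status < 400)
    return {key for key, count in hits.items() if count >= min_hits}

class Enforcer:
    """Enforcement phase: any request outside the whitelist drops its session."""

    def __init__(self, whitelist):
        self.whitelist = whitelist
        self.dropped = set()

    def check(self, session_id, method, raw_url):
        """Return True to forward the request, False to block it."""
        if session_id in self.dropped:
            return False  # session was already dropped
        if normalize(method, raw_url) not in self.whitelist:
            self.dropped.add(session_id)
            return False
        return True
```

Normalizing before both learning and enforcement matters: without it, an encoded `../` sequence or a new record number would either slip past the list or block legitimate users.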
Initially, the application is moved with the following security process and infrastructure changes:
1. New or updated change and incident management processes are followed.
2. New or updated configuration management tools are used to track configuration changes. This enables application roll-back if errors are difficult to resolve.
3. New IP addresses and DNS entries are created for the new virtual and physical servers.
4. Load balancers are configured to use a pool of servers to address web-based traffic.
5. Various firewalls are configured to protect both the DMZ web servers and application data.
6. The databases are tuned and scaled for traffic demands.
7. The data in the storage subsystem is replicated to another subsystem in the new datacenter.
The second phase of mitigations addresses information security weaknesses at the application level. It assumes that the new datacenter has Active Directory or LDAP (Lightweight Directory Access Protocol) services, a remote monitoring tool, a HIDS (Host Intrusion Detection System) tool, an operating system upgrade tool, a logging tool, a web scanning tool and firewalls. The following security tools will likely be in the datacenter after the first migration occurs. That is because all the tools will likely be used for all future migrations.
1. Correcting application errors found with web scanning and code scanning tools
2. Authentication and authorization weaknesses
3. Remote monitoring of servers, network and storage equipment
4. HIDS implementation on the servers
5. Operating system upgrades
6. Logging of application, user, and administrative operations
7. Deploy firewalls in zones to protect data and applications effectively.
In summary, systematically and carefully protect the application with URL whitelisting where relevant. Then upgrade the infrastructure, application tools, and processes. Then correct the application errors found with web and code scans. Integrate the application with authentication and authorization, remote monitoring, HIDS, and auditing/logging tools. Lastly, protect the applications' data using a "Deep Theater Defense" firewall configuration.
Gregory Machler is an information security architect and cloud security expert and a frequent contributor to CSOonline.