I've had several discussions of late where people have wrestled with the problem of how best to secure their applications to a reasonable level of security, given that applications are increasingly integrated. Here's my take.
When a new project is initiated and you're asked, as security, to get involved, invariably you have to scope your effort. Failing to do this can leave you with every sort of control imaginable in place, but monitoring and maintaining them all is a nightmare. Also, some controls buy more security than others. For example, enabling SSL on an advert buys you confidentiality and integrity, but neither is needed there.
So, first off, you need an idea of what the security requirements of the project are. From there, you need to design a useful set of controls that can be properly maintained and monitored and that buy the right sort of security. That is the two-second summary.
The problem comes in with the interconnected nature of systems. One system may be of very low criticality, but if it has some access into a higher-criticality system, things change. Pen testers will tell you that they use the old, forgotten, poorly maintained system/application/script to break into the big systems all the time; those are the toeholds. This is made worse with SOA, where services get coupled into all sorts of processes of all sorts of criticality. So, what are we to do? We can't apply every control to every system.
The answer is, unfortunately, not an easy one. However, the answer is certainly not a hard and fast rule, which brings me to what motivated me to write my little rant.
You cannot assume that, because a highly critical component integrates with a low-criticality component, the low-criticality component inherits a high criticality.
Many a vendor would have you believe the opposite. Unfortunately, the real answer is: you have to think. Work out how the two systems are interacting and figure out what controls would need to be put in place to secure that interaction. Think of it on three levels:
- How can you prevent a malicious user from gaining access to the low-criticality system?
- How can you prevent a malicious user from gaining access to the high-criticality system if they gain access to the low-criticality system?
- How will you detect and respond if a malicious user gets access to either system?
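To make the "you have to think" step concrete, here is an added example (not part of the original post) that walks an inventory of systems and their integrations and reports which low-criticality systems can reach a higher-criticality one, and which individual interactions therefore need scoped controls. The system names, the 1-to-3 criticality scale, the integrations and the function names are all constructed assumptions for illustration. Note that it never raises a system's own rating; it only flags the interaction, which is the point the post makes.

```python
"""Find the low-criticality 'toeholds' in an integration graph.

Added example, not from the post. The inventory, ratings and integration
edges below are constructed sample data; the 1-3 scale is an assumption.
"""
from collections import deque

# Criticality on a 1 (low) to 3 (high) scale. Constructed sample inventory.
SYSTEMS = {
    "ad-banner": 1,            # third-party advert widget on the public site
    "legacy-report-cron": 1,   # old, forgotten nightly reporting script
    "intranet-wiki": 2,
    "payments-core": 3,
    "hr-db": 3,
}

# Directed access: (source, target, what the source can do on the target).
# Constructed sample integrations.
INTEGRATIONS = [
    ("ad-banner", "intranet-wiki", "shared web server, same OS account"),
    ("intranet-wiki", "hr-db", "service account with read/write SQL"),
    ("legacy-report-cron", "payments-core", "stored DB password, nightly extract"),
    ("payments-core", "hr-db", "mutually authenticated API, least-privilege role"),
]


def build_graph(integrations):
    """Adjacency list: source -> [(target, how), ...]."""
    graph = {}
    for src, dst, how in integrations:
        graph.setdefault(src, []).append((dst, how))
    return graph


def reachable_paths(graph, start):
    """Every simple path out of `start`, each as a list of (src, dst, how) edges."""
    paths = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for dst, how in graph.get(node, []):
            seen = {start} | {e[1] for e in path}
            if dst in seen:
                continue  # skip cycles
            new_path = path + [(node, dst, how)]
            paths.append(new_path)
            queue.append((dst, new_path))
    return paths


def toeholds(systems, integrations):
    """Systems that can reach something rated higher than themselves.

    Returns {name: {"own": rating, "reach": highest rating reachable,
    "path": shortest path that gets there}}. The system's own rating is
    deliberately left untouched: the interactions are what need controls.
    """
    graph = build_graph(integrations)
    result = {}
    for name, rating in systems.items():
        best, best_reach = None, None
        for path in reachable_paths(graph, name):
            reach = systems[path[-1][1]]
            if reach <= rating:
                continue
            if best is None or reach > best_reach or (
                reach == best_reach and len(path) < len(best)
            ):
                best, best_reach = path, reach
        if best is not None:
            result[name] = {"own": rating, "reach": best_reach, "path": best}
    return result


def review_edges(systems, integrations):
    """Interactions where a lower-rated system gets into a higher-rated one.

    Each entry is (criticality gap, src, dst, how), largest gap first; these
    are the interactions to answer the three questions above for.
    """
    edges = []
    for src, dst, how in integrations:
        gap = systems[dst] - systems[src]
        if gap > 0:
            edges.append((gap, src, dst, how))
    return sorted(edges, reverse=True)


if __name__ == "__main__":
    for name, info in toeholds(SYSTEMS, INTEGRATIONS).items():
        hops = " -> ".join([info["path"][0][0]] + [e[1] for e in info["path"]])
        print(f"{name} (rating {info['own']}) can reach rating {info['reach']}: {hops}")
    print("\nInteractions to scope controls for (largest gap first):")
    for gap, src, dst, how in review_edges(SYSTEMS, INTEGRATIONS):
        print(f"  gap {gap}: {src} -> {dst} via {how}")
```

On the sample data the advert widget turns out to be two hops from the HR database via the shared web server account, and the forgotten cron job is the single interaction with the largest gap; neither result requires rating the advert or the cron job as critical, only securing those specific edges. The same walk can be run over any inventory you keep in the same shape, including a full SOA service map.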