Sun Inner Circle: For Business & Technology Leaders

Managing the Top Five Security Threats to Web Scale Success


Sun security experts explain asset protection in a brave new world of connectivity

Growing business on the Web has become essential for companies ranging from financial services organizations to social networking sites. The attraction is easy to understand: Building out services on a Web scale can result in enormous upside, with communities of millions of users.

Yet the massive reach of these deployments also draws in the darker side of the Internet. The more popular the site or service becomes, the more attractive it is to potential attackers. To find out where Web scale deployments are most vulnerable, Sun Inner Circle recently sought the assistance of two security experts in Sun's Global Sales and Services Security Office: Glenn Brunette, Distinguished Engineer, and Rafat Alvi, Principal Engineer.

“Finding the right balance between ease of use, performance, and security is critical to Web scale success,” says Brunette. “In some ways, it’s fortunate many security concerns are evergreen issues, since these problems are well understood. But because Web scale deployments reach so many people through constantly evolving delivery methods, long-standing security matters can take on new dimensions.”

In an in-depth conversation, Brunette and Alvi identified five areas that must be addressed to keep Web scale deployments safe from attack. “These five areas don't necessarily cover everything needed to keep Web scale deployments secure, but our list can serve as a quick primer on what to avoid — and how to do so,” says Alvi.

Threat #1: Rushing Services and Code Updates Without Considering Security Implications

Rapid software development with continuous refinement is a hallmark of Web scale deployments, says Brunette. “Perpetually keeping software in beta is often used to excuse the rough edges of features and functions that get piled onto Web services,” he says. “This can be a problem when early versions of services and code updates aren't designed with the overall security picture in mind. Attackers don't wait for software to be fully baked.”

 
“In these situations, programs are often tested to ensure they work in ideal rather than adverse conditions,” says Alvi. “Familiar attacks such as buffer overflows, SQL injection, and cross-site scripting are based upon the premise that software is frequently not written to gracefully handle exceptions.”

Starting with time-tested building blocks and patterns is essential to Web scale success, say Brunette and Alvi. “That’s why the safe, reusable libraries and modules found in NetBeans and Sun Java Studio Enterprise are so important to consistently developing secure applications,” says Brunette. “Open source frameworks based on the contributions of large, security-minded communities are usually the better bet for application development. I'm hard-pressed to think of what can beat the time-tested principles of good security testing and automation tools such as JUnit and JsUnit.”

“There are security implications to every IT-based service, and Web scale deployments are no exception,” Alvi continues. “Nothing exists in a vacuum, and developers need to ask if their new Web-based offerings are secure — and what the overall IT impact will be if these offerings are breached.”

Once assembled, Web services must be installed where they can be accessed. This often means allowing access through traditional defenses, such as network firewalls. Brunette and Alvi suggest a holistic approach to threat management that includes application layer protections to detect and block Web-based attacks. Some possibilities include offerings from XML gateway vendors, such as Layer 7 Technologies, they note.

“There’s no substitute for defensive software development, but these products can be effective for implementing defense-in-depth architectures,” Brunette says.

Threat #2: Inability to Secure and Audit Growing Customer Interactions

How can security keep pace with the growing expectations of a user base that may comprise millions of people? “Once an organization determines its Web applications can scale, identity management is the next step in keeping security in step with Web scale growth,” Alvi says. “The constantly evolving nature of security was a major design consideration in the development of Sun identity management tools.”

Several Sun tools let organizations rapidly manage, provision, and audit Web scale deployments, Alvi notes. For instance, Sun Java System Identity Manager enables administrators to map users and access rights across multiple systems in days rather than weeks. “That goes a long way in ensuring that security can expand with the growth of Web services and user identities,” Alvi says.

 
“Sun Role Manager also comes to mind, because it helps organizations discover, define, and manage user access with a common vocabulary that links business and IT processes,” Brunette says. “It also promotes sound IT governance in Web scale deployments where the access rights of large user communities must be managed and audited.”

Brunette and Alvi say Sun Java System Access Manager smooths Web scale deployments by acting as a single entry point for up to tens of millions of users. To secure each instance of a single sign-on, the new version of Sun Java System Access Manager centralizes management of security policies.

This means that role-based rules and policies may be assigned to particular classes of users. To tie everything together, Brunette and Alvi say that Sun Java System Directory Server can serve as a secure repository for user and entitlement information.

Threat #3: Haphazardly Linking New Web Scale Services to Other Environments

“Information that was once inaccessible externally now can be accessed from any location, often through multiple devices,” says Alvi. “This is a superb development, but linking the old, the new, and the unrelated multiplies the number of potential security challenges. It also raises trust issues when interconnected systems and devices are owned by different parties.”

“That’s why identity federation capabilities should be part of a well-stocked Web scale security arsenal,” Brunette adds. “These capabilities are built into Sun Java System Access Manager for Web environments. And to keep information accessible with partners, Sun Access Manager connects each silo of information like spokes to a central hub. Still, there's no substitute for clear contractual language between parties. Any federation scheme has to rest upon well documented legal contracts and policies between partners.”

“Increasingly it’s a Web-based world, but it’s unrealistic to suggest that it’s solely a Web-based world,” says Alvi. “Ultimately, most companies need to balance the speed and agility of Web scale services with the reliability, consistency, governance, and security of legacy environments — and this requires connecting all the dots.”

Threat #4: Failing to Understand the Read-Write Nature of Web Scale Technologies

The vaunted read-write capabilities of Web 2.0 — popularly referred to as “mashups” — allow protocols such as Ajax and Atom to be integrated across environments. These capabilities, according to Brunette and Alvi, can also open clients and servers to attacks that can breeze right through traditional firewalls.

“The trend toward self-updating Web content is a mixed blessing,” Brunette says. “By allowing the access, execution, and aggregation of content at the client, a new doorway has been opened where attackers can trick users into running malicious code that reaches into corporate networks.”

For example, Ajax allows a browser to issue JavaScript calls asynchronously. But downloading JavaScript from untrusted sites can allow attackers to execute malicious Ajax calls in the browser. The resulting cross-site scripting attacks are then able to hijack user accounts, launch phishing scams, and run malicious programs on user systems.

Brunette says that the best defense against such threats is usually a good offense. “Educate your users about the dangers of accessing unknown sites and ensure that clients — including desktops, PDAs, and mobile phones — have security protections to defend against these attacks. But also ensure that a defense-in-depth architecture is in place — these frameworks have stood the test of time.”

“Of course, users running any operating system can take advantage of Sun Secure Global Desktop software for secure access to desktops and applications,” Alvi says. “By virtualizing desktop access, an enterprise can reduce the number of targets available to attack. Take it a step further with Sun Ray desktop clients, and this holistic approach eliminates the always-popular individual desktop target.”

Additionally, says Alvi, Solaris Trusted Extensions can be employed with Sun Rays to enforce access control policies, which can promote mobility and easy access to corporate IT resources.

Threat #5: Neglecting the Foundations of Web Services

“While Web scale deployments may seem like entirely new environments, many of the security considerations should be familiar,” Brunette says. “The foundations of Web services require time-tested security assurances, such as authentication, authorization, confidentiality, integrity, and auditing in systems, networks, storage, and services. Without these factors in place, security will simply break down.”

“That’s why a systemic approach to security that combines policy, methodology, architecture, and products is critical with Web services, because these environments are only as strong as their weakest link,” adds Alvi. “Web scale environments simply don’t fly for long unless they are based on a secure foundation.”

Brunette and Alvi say numerous features of the Solaris 10 Operating System help provide this secure foundation. As an example, they point to how zones and privileges in Solaris Containers separate particular kinds of data, which allows companies deploying Web services to keep critical assets away from unwanted attention.

According to Alvi, the workload implications of built-in security features should be another key consideration for Web services security. “It makes me shudder when I think about how frequently security gets turned off because of performance and response time concerns,” he says. “This is where the embedded encryption design of UltraSPARC T2 processors comes in. By offloading the encryption workload to co-processors, these chipsets ensure that security is not sacrificed for the sake of performance.”

Additionally, say Brunette and Alvi, specialized processing technologies to increase the speed of parsing XML can indirectly strengthen security for signing and encrypting XML messages. Offerings to consider, they say, include Sun's Fast Infoset technologies and appliances from vendors such as Layer 7 Technologies.

“The choice of hardware and operating system is critical in scaling out Web services securely,” says Brunette. “But security is also more than products and technologies. Best practices, training, education, processes, and policy all play important parts in deploying applications on a Web scale.”