March 1, 2010

Posted in:

The Pursuit of Security

March 2010 – As I was returning from a large internet convention in Miami, I thought about the one major topics missing from all the conversations around me. Everyone was talking about new features, new servers, social networking, messaging and collaboration. No one in the room was talking about the importance of security. Security is neither cool, nor sexy and it is generally considered an expense instead of an opportunity. In one conversation, a CEO told me “we get hacked all the time, but that’s ok, our customers never notice.”

Today’s hackers are bold and sophisticated, well funded and often times hacking as a career. They control armies of geographically diverse compromised computers they use to cover their tracks. Their success in penetrating today’s under-protected computers and servers is overwhelming. According to a recent Verizon report on data beaches, over 285 million records were stolen in 2008. Of those, 83% of attacks were rated as “not highly difficult” and 87% percent “were considered avoidable through simple or intermediate controls.”

In today’s interconnected world, security is more important than it has ever been. Protecting critical applications while making them publicly accessible is a balancing act that most companies struggle with to just keep up with emerging threats. It is important to understand that no matter what an organization spends on security, unhackable systems do not exist. The real aim of security is to make the time and effort required to gain unauthorized entry to sensitive data exceed the value of the data itself. Why break into the house with the barb wire fence, guard dogs, alarm system, and armed guards when the house down the street forgot to lock their front door? Implementing good security simply encourages the hacker to go down the street to that open house instead of yours.

Organizations with mission critical systems and sensitive data, frequently outsource the hosting of their infrastructure to dedicated experts whose sole focus is the operation of secure and high-redundancy data centers. Companies who specialize in hosting are better positioned to maintain and secure mission critical environments. Ideally, they should be committed to continuous investment in security infrastructure and staff training, have many years of experience and utilize a, multi-tiered design approach. With such an approach, each tier blocks a particular type of attack and acts like a vault. Penetrate the first vault, and you encounter another, then another, etc. Each tier creates a new barrier for the attacker discouraging him from proceeding forward in the following fashion.

Multi-Tiered Design Approach

>>See Diagram

  1. Traffic enters and leaves via one of 23 internet carriers with 5 GBPS of total bandwidth. All traffic is routed best path instead of lowest cost. The network is currently running 99.999% uptime for last 5 years. The network layer stops basic attacks with forged addresses and malformed internet packets.
  2. Redundant security modules perform blocking of malicious traffic, bogons lists, bad ports, and networks.
  3. Intrusion Prevention and Detection systems monitor traffic in real time and block an average of 1,000,000 attacks per day from hackers worldwide.
  4. Sanitized traffic is then passed to a redundant network core and network distribution system. Two completely separate networks are run to every rack to ensure network resilience. The network has additional layers of protection to prevent any one computer from monitoring traffic of another computer.
  5. A dedicated customer firewall then limits access for un-trusted outside sources, isolates one customer from another, performs additional inspection of internet traffic to detect hackers and establishes VPN tunnels for customer offices and remote VPN users.
  6. Final traffic inspection is performed on each web server via web application firewall that allows for granular controls of rules while creating a last line of defense to protect against 800 types of hacker attacks. It even protects against programming errors that could allow an attacker access to sensitive data because of human error.
  7. After the primary security layers have sanitized a request, it is finally passed to a web server for processing. The web server then communicates with a secure database to store and retrieve information. As a final line of defense, each web server also has an enterprise grade anti-virus system with behavioral analysis software to watch for patterns of behavior indicative of a hacker.


Go back