Are you leaving your apps open to attack?


Aaron Newman
04.25.2005


The tide has turned in the battle for network security and by most accounts, the good guys are losing. In recent months, Petco was forced to agree to a financial settlement and 20 years of independent audits for leaving customer data exposed, and ChoicePoint exited a line of business less than three weeks after customer data was compromised.

Blame it on the extinction of the enterprise perimeter, the increasing sophistication of bad guys, or just poor business processes. Regardless, the reality is that estimates place 75% of attacks at the application layer, and put the share of intrusions originating from "authorized" insiders as high as 80%.

So what to do? At the end of the day all roads lead to, and all attackers seek out, the place where the crown jewels live – the database. And in most cases, it's a very soft target.

Not your father's database

In the last several years, there has been a substantial growth in potential vulnerabilities as well as actual attacks on applications and databases. Many of these threats are a result of the changing nature of enterprise applications and databases.

A decade or more ago, databases were usually kept physically secure in a central data center and accessed mostly by applications within the corporate borders. Today, applications and databases may be distributed in business units to meet local needs, and are increasingly made available to suppliers, customers and business partners in order to conduct business over the Web.

But with this increased access comes increased risk. Many of the new threats take advantage of the fact that today's databases are not mere repositories for information, but robust development environments that allow developers – and hackers – to carry out complex functions within the database.

Getting your house in order

Most large organizations have already installed antivirus software, firewalls and even intrusion detection systems (IDSs) to protect their networks and host operating systems. Though these tools have a place protecting servers and networks, they are not designed to detect application-level attacks, nor are they designed to stop such threats before damage is done.

Firewalls provide protection only at the network level – examining packets and determining whether an incoming request should be given access to a given port. They do not understand database vulnerabilities or protocols (such as SQL) that may be used by attackers. Firewalls are also typically located on the edge of the network, where they are ideally situated to watch for attacks from outside the enterprise, but not from insiders.

And in a modern enterprise, firewalls simply have to let too much traffic through to provide foolproof application protection. In a world of virtual organizations and electronic commerce, an enterprise cannot afford to completely lock out customers, suppliers, distributors, remote employees or contractors.

Similarly, though many enterprises have deployed IDSs to improve network security, these too do little to protect core databases and applications. Such systems scan the network, comparing traffic and usage patterns to either historic trends or against the "signatures" of known network attacks. However, most IDSs are passive, scanning for suspicious traffic and alerting the network administrator, but not taking any action to stop the attack. They are also designed as forensic tools, gathering evidence to analyze an attack after the fact rather than stopping it in real time.

Firewalls and IDSs each have a place in a multi-layered security system. But they are not enough to protect organizations from internal and external threats while allowing appropriate access to applications and databases. The modern enterprise needs application-intelligent equivalents of its existing network and host-based security platforms, which can discover, assess and dynamically protect applications and databases against rapidly changing security threats.

The weapons of the new war

For a proven application-layer security framework, look no further than the methodology organizations have already successfully applied at the network and host operating system levels. Just as at the host and the network perimeters, application-aware security solutions must provide vulnerability assessment, real-time intrusion protection and audit, and encryption. To achieve these goals, such application-level tools must provide:

  • Audit/Proactive Hardening: The system must audit the status and configuration of all application components and perform security tests and proactive hardening of such components while producing detailed security audit reports before and after application deployment. It must also ensure all current patches have been installed; default passwords have been changed; and recommended security configurations have been implemented. As with the network and host OS, assessing the vulnerability of application components helps an enterprise proactively minimize risk and gauge ongoing compliance with its security policies.

  • Real-Time Protection: The ability to detect and block attacks as they happen. Given today's rapidly propagating threats and the time needed to deploy patches, organizations require real-time protection to complement the proactive hardening provided by ongoing vulnerability assessments. And the growing threat from "zero-day" attacks points up the need for behavioral-based intrusion prevention systems that can detect, and block, application-level attacks for which there is no known signature to scan for, nor any patch to apply.

  • Encryption: The ability to encrypt the most sensitive data as a "last line of defense" even if the database itself is compromised, without incurring the overhead or complexity of encrypting the entire production database. Selective encryption also prevents unauthorized access to data by otherwise legitimate users. For example, a database administrator needs administrative access to the application in order to grant, revoke or change users' access rights, but should not be able to see, change or copy the actual information in the database, such as customers' credit card numbers.
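The selective encryption described in the last bullet, as an added example rather than code from the article or from AppSecInc: the application tier holds the key and encrypts only the card-number column before it is written, so an administrator with full table access sees ciphertext and nothing else. The customer IDs, names, card numbers and key are constructed values, the in-memory map stands in for a database table, and the customer ID is bound into the AES-GCM tag as associated data so that a ciphertext moved onto another row fails verification instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// storedRow is what the database actually holds. An administrator who
// can SELECT the whole table sees these bytes; the card number itself
// never reaches the database in the clear.
type storedRow struct {
	CustomerID string
	Name       string // treated as non-sensitive in this example
	CardCipher []byte // nonce || AES-GCM ciphertext+tag of the card number
}

// CardVault keeps the column key in the application tier only.
// Constructed example: a real deployment would obtain the key from an
// HSM or key-management service rather than a byte slice.
type CardVault struct {
	aead cipher.AEAD
	rows map[string]*storedRow // stands in for the customers table
}

// NewCardVault accepts a 16-, 24- or 32-byte AES key.
func NewCardVault(key []byte) (*CardVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CardVault{aead: aead, rows: map[string]*storedRow{}}, nil
}

// Store encrypts the card number before the row is written. The customer
// ID is supplied as additional authenticated data, which ties the
// ciphertext to its row: the same bytes copied onto another customer's
// row will not authenticate.
func (v *CardVault) Store(customerID, name, cardNumber string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(cardNumber), []byte(customerID))
	v.rows[customerID] = &storedRow{
		CustomerID: customerID,
		Name:       name,
		CardCipher: append(nonce, ct...),
	}
	return nil
}

// ReadCard is the application's path to the plaintext: it verifies the
// tag (including the row binding) and decrypts.
func (v *CardVault) ReadCard(customerID string) (string, error) {
	row, ok := v.rows[customerID]
	if !ok {
		return "", errors.New("no such customer")
	}
	ns := v.aead.NonceSize()
	if len(row.CardCipher) < ns {
		return "", errors.New("stored value too short to contain a nonce")
	}
	pt, err := v.aead.Open(nil, row.CardCipher[:ns], row.CardCipher[ns:], []byte(customerID))
	if err != nil {
		return "", err // tampered, swapped between rows, or wrong key
	}
	return string(pt), nil
}

// DBAView models what an administrator with full table access gets:
// the hex of the stored column, with no key and therefore no plaintext.
func (v *CardVault) DBAView(customerID string) string {
	row, ok := v.rows[customerID]
	if !ok {
		return ""
	}
	return hex.EncodeToString(row.CardCipher)
}

// OverwriteCipher models one row's encrypted column being replaced with
// another row's (a botched restore or deliberate tampering); ReadCard
// on the target row must then fail rather than return the wrong card.
func (v *CardVault) OverwriteCipher(from, to string) {
	v.rows[to].CardCipher = append([]byte(nil), v.rows[from].CardCipher...)
}

func main() {
	key := make([]byte, 32) // AES-256 key generated for this run only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewCardVault(key)
	_ = v.Store("c-1001", "Ada", "4111111111111111") // constructed test card number
	fmt.Println("DBA sees:", v.DBAView("c-1001"))
	card, err := v.ReadCard("c-1001")
	fmt.Println("application reads:", card, err)
}
```

The point worth noticing is the split of duties: the administrator keeps every privilege needed to run the database, yet the stored column is useless without the application-held key, and the row binding means even rearranging ciphertext between customers is detected on the next read.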
Summary

Applications and databases form the core of an organization's IT infrastructure. Without the business processes they support and the data they hold, the business cannot function. Yet applications and databases have been disturbingly neglected within the enterprise compared to the security provided for networks and servers.

Organizations that understand the importance of their applications and databases recognize the need for proactive, dynamic tools that can find and stop attacks on applications and databases before they cripple the enterprise. Fortunately, hard-earned experience securing the network provides a ready-made blueprint for an effective approach to securing enterprise applications: vulnerability assessments, real-time intrusion protection and audit, and encryption at the application layer.

Aaron Newman is Co-Founder and the Chief Technology Officer of Application Security, Inc. (AppSecInc). In his current role, Aaron is responsible for defining the overall AppSecInc product vision. Widely regarded as one of the world's foremost database security experts, Aaron is the co-author of the Oracle Security Handbook, printed by Oracle Press. Visit www.appsecinc.com for more information.

All Rights Reserved, Copyright 2005 - 2009, TechTarget