When I started working in Information Security, standards in place primarily focused on Department of Defense considerations. Mandatory Access Control (MAC) with policies built around data classification levels was the order of the day. Fast forward to the present and now information security for commercial organizations is far more aligned with the principles of Discretionary Access Control (DAC), wherein accesses are largely managed by data owners. While the swing to the DAC model is easily understood, what is important here is to figure out what guidelines should be provided to data owners and application teams when setting up security controls.
Unfortunately guidelines can range drastically between paranoid and downright lax. Oftentimes even two security consultants will find it hard to agree on what is acceptable security. So here is a checklist I have put together for securing a typical application or website; hopefully it will help you navigate through obviously murky waters and define your own level of "reasonable" security .
1. Identify who will access the application or website
Start by figuring out the types of users who will access the application or website and the data it manages. Are they employees, consultants, consumers, business partners, vendors or distributors? If your application is managed offsite, factor in managed service administrators.
2. Classify Application Criticality
Every organization has a hierarchy of criticality, when it comes to applications, websites and data. Assign a security value to your application or website, from 1- 10 where “1” is least critical and “10” is most critical. For example an application that supports online sales of your organization’s primary product should definitely rank higher than one that provides consumers with general information about your organization.
3. Categorize User Groups and Accesses
For each group of users that need to access the application or website, identify the different types of accesses required. For example if it’s a website which exposes information about your organization's products, employees might be allowed to view and modify information on products yet to be released. Consumers may only be allowed to view access once the product is released, whereas distributors might need to view access and order samples just prior to release. This would suggest three categories of users, with different levels of access.
4. Define Access Controls & Access Control Policies
This step is very important for applications that are categorized as level 4 or above. How will users be authenticated by the application or website? Once authenticated, how will authorization levels be determined? Do mobile users pose a greater risk? Should geo location from where a user’s request originates affect data to be provided? Once the user is accessing the application or the website are appropriate fine grained controls in place to ensure appropriate access?
5. Define Audit & Monitoring Controls
How will you determine who accessed what and from where? Define policies for identifying anomalous behavior patterns and acting upon them. Would you like alerts generated if a user with access to sensitive data, changes normal access hours?
6. Develop an Incident Management Plan
Despite the best controls, be pragmatic. There is no guarantee that your application or website will not be breached. Put together a plan for handling a security event, assessing losses and reacting appropriately. Often tactical decisions made under time and management pressure result in greater exposure than the original incident itself. Ensure that everyone responsible for administering the application or website is familiar with their role in handling the incident.
7. Augment Disaster Recovery Plan
Disasters can come in different shapes and forms. A security incident could wipe out or corrupt your data sources and your website. Ensure that your DR plan takes into account such a scenario and offers instructions for recovery in a timely manner.
As I have said in almost every one of my posts, security is no longer just a checklist item. The threat landscape is constantly evolving and you need to stay abreast of vulnerabilities. So once you are done with everything above and have deployed it in all environments, add periodic security health checks to your operational todo list and then sit awhile and rest. That is until the first alert comes your way!