

Jargon Busters - Safe Arrival (March 2000)
Mik Stevens looks into making remote application delivery secure


Remote application delivery is high on the list of new technologies being brought to market over the next three years. The positioning battle between the major hardware and software vendors in the Application Service Provider (ASP) marketplace is being fought out on the front pages of the computer press. Less of it is visible in the server rooms, where quality of service, reliability and security have a high profile. Security is a major area of concern and a number of ASPs are working to address the issue. Some basic features can be identified and used to judge the readiness and reliability of current offerings.

System security policy

Before any framework can be put in place, the required security environment must be broken down and investigated in detail. This will include the examination of a number of areas, but these can be categorised into four main requirements:

  • Physical security – making the building and environment secure
  • Procedural security – ensuring the processes are in place to maintain security
  • Personnel security – personnel vetting and access control
  • Electronic security – controlling user and data access

Here we will cover Electronic Security, but the other three areas are equally important and require full implementation to support any electronic measures put in place.

The security policy must address the likely scenarios, perceived threats, and associated risks of the application deployment system. Electronic measures to support this policy can then be identified. The defining principles of network security in Application Deployment are:

  • Accountability
  • Audit
  • Confidentiality

These ensure individual events can be attributed to individuals, and that information and applications are fully protected.

Central control

Security as a function must be centrally controlled for it to support the principles of network security. This is the only way of ensuring that a full and easy-to-interrogate audit and accountability log can be maintained. Separate systems risk leaving gaps in the security architecture. This type of environment has traditionally been designed around firewall gateway architectures. The market-leading vendor for this technology, Check Point Software Technologies, supports a central administration point with its product FireWall-1. In addition to firewall protection, systems must also address one of the other major principles – confidentiality of data. Firewalls protect a confidential area, but these must be extended with virtual private networking (VPN), which allows data to be protected in transit. VPNs use encryption technology to protect data using a number of different encryption formats, the most widely used being the 56-bit Data Encryption Standard (DES). This is a robust encryption system with a low bandwidth overhead on the connection.

Supporting remote users

Deploying a VPN through a firewall infrastructure provides a secure connection for users at fixed sites, but doesn’t address the mobile user who needs to connect from wherever they are. Using the Internet for this connection avoids the need for expensive, long-distance direct dial calls, but it must be secured. Technologies such as Check Point’s SecuRemote enable an encrypted VPN to be created from any point on the Internet and encrypt traffic using a code which changes every packet. Strong authentication can then be supplied by token-based systems such as RSA Security’s ACE/Server and SecurID.

Public Key Infrastructure (PKI)

In support of a basic security infrastructure, other technologies are emerging that can greatly help the accountability and reliability of a security architecture for Application Deployment. Public Key Infrastructure (PKI) is a new technology that will allow individuals to control their own encryption schemes from their desktops. This will help individuals identify themselves and verify that they are who they claim to be. The deployment of this scheme is currently being hampered by the perceived complexity of the architecture and the lack of standards.

Managed Services

One of the key requirements in the ASP model is the provision of a complete service, including the delivery mechanisms. This puts a requirement on the Application Service Provider to be able to offer a fully managed security infrastructure. This is a major step for many traditional network providers, as security infrastructure management involves tracking the accountability of individuals, access to individual servers and management of encryption architectures. Security is a key concern of companies considering ASP – and rightly so. Application Service Providers must address this concern by providing a fully managed service that addresses the key principles of network security. Make sure you ask the right questions!

Mik Stevens is Network Security Business Manager at ESOFT Global. www.esoft.co.uk