Security is an important element of any Web business. When you are examining your security, you should ask yourself, “What am I protecting? What is my crown jewel?” For a leading soft drink manufacturer, their crown jewel might be the recipe or the proportions of the key ingredients. While they would undoubtedly strive to protect other areas of their business, such as employee records in their HR department, they would spare no expense to protect their recipe since leaking it could destroy their business.

You should also consider, “Who am I protecting my environment from? Competitors? Rogue hackers? Script kiddies? Employees?” Running through the steps of risk management is critical. Just as you do not want to protect the wrong things, you don't want to exhaust your resources protecting against things that aren't as likely to happen. For example, as a business, do you really need to invest in protection against a nuclear attack? Probably not if your company specializes in selling cookies over the internet. As an e-commerce Web site, you DO need to consider how you will handle credit card information.

It's important to review some of the principals that guide security. Three of the core elements of a good security posture include the following:

• Defense-in-depth
• Principal of least privilege
• C-I-A (confidentiality, integrity, availability)

Elements of Good Security

Defense-in-depth: This is sometimes referred to as layered security; it aims to employ several varied security measures rather than just one "super" layer. For example, consider the all-in-one security appliance that promises to "protect you from hackers in 3 easy clicks!" Sounds really exciting, but such promises often fall very short in practice. A single layer is really a single point of failure. It's similar to having a firewall without any other security measures in place. In a layered-security approach, an environment might have the following elements in place (to name a few):

• Firewall
• Certain protocols restricted to VPN only
• IDS (NIDS and/or HIDS)
• Passwords required to access restricted resources
• Strong passwords enforced
• Auditing of certain actions
• Periodic security scans from outside perimeter
• Multiple login failure lockout
• Penetration testing
• Periodic code validation
• Segregation of duties (both human and in technology)

While the above list seems very long and complex, it usually isn't in practice. Educating your users will help in an environment, like the one above, work more efficiently. When users have an understanding, at least in part, of security and why certain elements are in place, they will themselves become agents that assist in auditing and maintaining the environment.

Principal of least privilege: To explain this concept in simple terms, if someone or something doesn't NEED access to a resource, they don't get it. For example, when you hire a new employee and give them keys to the building, do they need keys to the front door, back door, safe, your office, and keys to everyone's desks? Probably not. It’s the same with information security; a user might only need access to a single directory. Giving them administrative privileges to ALL directories would be a mistake. Even if you trust them and know without a doubt that they will not go into any other directory it's a bad idea. What if someone obtains their login and goes into those other directories?

C-I-A: C-I-A is a concept of ensuring confidentiality, integrity, and availability of data/resources within an organization. Let's take a closer look:

• Confidentiality: The idea is to ensure that only those who are permitted to access a given resource can do so. Further, it is typical for the manner in which such resources may be used or shared.
• Integrity: In general, this aims to ensure that the data has not been manipulated.
• Availability: What good is safe and accurate information if it is not accessible? Availability ensures that the resources are accessible at all times.

Security Summed Up

This is just the tip of the iceberg of information security. For each of the areas touched on briefly above, there are a number of sub-areas and considerations. Security is perhaps best summed up by knowing what to protect, understanding the risks, and provisioning reasonable and appropriate security measures to ensure that the protected areas are safe and available at all times.

5 Common Security Mistakes

1. Using default passwords or weak passwords.
   When passwords are assigned to you, you should always change them and never share them with others. Strong passwords are ones that have a minimum of 8 alpha-numeric characters and at least one non-alpha-numeric character. An even stronger security measure is to use passpharases. A passphrase is a sentence/phrase utilizing full punctuation and 20+ characters. Research has shown that passphrases are often more difficult to break than a very complex 8-character password.
2. Failing to assign different access levels to different users.
   Not every user needs access to everything, as outlined in the "Principal of Least Privilege" above.
3. Failing to install security patches.
   Make sure you or your hosting provider keeps critical patches up to date since they address serious security concerns.
4. Assuming that having a firewall means you are fully protected.
   A firewall is only one aspect of Web-site security, albeit an important one. Too many people put a firewall online and assume they are going to be secure just because of its presence, and fail to take a Defense-In-Depth security approach.

Christopher Grello is the technical architect for INetU Managed Hosting.