security solutions
Security is a process
A newspaper report recently warned that many IT products and applications, including payment systems, lack adequate security. The reasons cited are, firstly, that security is treated as an afterthought and, secondly, that trained practitioners are not involved in the design and implementation.

F5 views security as a process, and it should be managed as such. There is an important role for the security experts who build the policies that ensure security and compliance within the organization, and there is an equally important role for the programmers who develop the software. But the two are quite distinct from each other. Business applications are the critical assets of an enterprise. Their security should not be left solely to the software engineers to decide, because they are not security professionals. Therefore, the prudent approach is to offload the burden of coding security policies from the software programmers onto credible security solutions professionals.

Viewed from that perspective, security is an end-to-end process, with policies to govern the various areas wherever there is user interaction with the enterprise: device, access, network, application and storage. Given the complexities of the different moving parts, it sometimes makes sense to combine several point security concerns into a converged solution. In short, this is akin to process simplification, not too different from what consultants would call "BPR" in the business world. Whichever way you see it, from a CFO's perspective this represents immense cost savings, both operationally and in capital costs.

For example, when it comes to application security, the trend is to build it into the application delivery controllers. ADCs are designed to natively deliver applications securely to end users.
In today's context, ADCs act as secure gatekeepers to the applications: they prevent unauthorised access and can add on capabilities to mitigate complex application-level attacks such as those defined by OWASP. However, the situation is growing more complex. CIOs are increasingly faced with the task of balancing the needs of a younger, empowered and demanding Gen Y workforce, who want the freedom to work from their device of choice as well as the ability to switch seamlessly between their social and enterprise networks. The CIO's challenge is how to protect the company's business assets in the face of increasing and more complex threats. Add to this the desire to leverage the cloud for cost control and scale, and the security considerations can potentially spiral out of control.

The situation calls for innovative security solutions that can understand the behaviour of enterprise applications as well as user behaviour, and that can enforce corporate security policies effectively with minimum impact on user experience. F5 believes that security is a trust business. Having the right process and policies trumps choosing a vendor. It is the policies and process that determine the required solution, not vice versa.

For a Japanese version of this post, please go here.

Who needs a Bot Army these days?
It's been a while - a long while - since I last (officially) blogged. Too many distractions with a new role, new travels, and a new family member suck away the creative juices. Alas, sitting at an airport lounge after a 3-city Security Roadshow in Bombay/Delhi/Bangalore brings out the adrenaline rush of blogging once more. I've been evangelizing the need for DoS protection for quite a while. Events of last year (2013), and even the beginning of 2014, have made my job easier (Happy New Year!). I used to equate DoS (rather, Distributed DoS) attacks with Bot Armies - kinda like the Orcs that we saw in the LOTR (Lord of the Rings**) saga. The Bots (Orcs) still exist, but it seems like the Bot Herder (I'll call him "Sauron"**) is summoning a new type of Army these days - a new generation of orcs used to carry out his mission to wipe a particular service/server from the face of the Internet world: you and me! Yes - US!

Who needs a Bot Army these days? There are gazillions of Internet users and servers out there. There isn't a need for any kind of endpoint infection/malware; that would be troublesome. All you need is an unsuspecting (and poorly protected) but popular web server, and some programming flair with JavaScript (JS) or iFrames. Then you need to compromise that popular web server and insert the malicious JS/iFrame into the landing web page. So when a user visits this compromised popular website (e.g. an online gossip portal) to read about the latest Hollywood gossip, the hidden JavaScript or iFrames get executed within his browser and cause him to send multiple GET requests to the victim. The victim is flooded with a torrent of GET requests, and if it's not sufficiently and appropriately protected, guess what happens? Bam!
2014 began with an interesting new type of attack against a couple of gaming sites like League of Legends, Steam and Battle.net using yet another type of "botnet", except that these weren't bots but actual Network Time Protocol (NTP) servers. The NTP protocol is used by many servers and endpoints to sync system clocks - for example, my Mac uses time.asia.apple.com. Leveraging the inherent "trust" that the UDP protocol exhibits (it is stateless), and a relatively forgotten command called "monlist", this is how it works. From my laptop, a small query of 234 bytes returns a response of 100 packets of 482 bytes each, producing an amplification factor of approximately 205x (you get the hint). So I need to be armed with a list of open and unpatched NTP servers (which isn't difficult to find - there are automated programs out there that can "assist"), spoof the IP address of someone whom I don't like, and shazam. An example of the now infamous "monlist" command for an unpatched NTP server looks like:

This reminds me of the DNS Reflective Amplification attacks during the Cyberbunker-Spamhaus saga in March of last year (2013). Again, the trust model of the DNS protocol was exploited, and what didn't help the problem were those 20-something million open DNS resolvers which perform neither filtering, nor request verification, nor traffic management of DNS responses. The result was 300 Gbps of DNS responses towards an unsuspecting victim, which even caused collateral damage to international peering exchanges.

Now, how do we deal with these? For the DNS and NTP reflective amplification attacks, apart from deciding not to be an open DNS resolver, or disabling the "monlist" command, if you are a service or hosting provider to one of these potential "Orcs", one simple way is to monitor the outbound BPS/PPS/number of connections originating from the server.
When it gets anomalously high, move to the next step: monitor perhaps the top 10 destinations these servers are sending towards. It doesn't make sense that a DNS server out there is sending 1M DNS "ANY" responses per second to www.f5.com. Apply an appropriate rate-shaping policy as needed; that will help protect your own network infrastructure, save some peering/transit costs, and help the poor victim.

The HTTP reflection attack is a bit more challenging, given that, as mentioned previously, it is REAL HTTP traffic from REAL browsers out there. You can't filter based on malformed HTTP packets. You can't filter based on URL, since it's typically a legitimate URL. This calls for anti-bot intelligence, like:

(1) TCP SYN cookie verification (L4)
(2) HTTP redirection verification (L7)
(3) JavaScript / HTTP cookie verification (L7)
(4) CAPTCHA verification (L7)

with the ability to step up countermeasures dynamically when needed. Of course, the latter verification methods are higher in the OSI stack (Layer 7), more advanced and computationally more expensive to perform. Here at F5, we've found that (3) and (4) have been extremely effective in combating DoS tools/scripts and even the hidden JavaScript/iFrames mentioned above. These typically bail out when it comes to solving complex JavaScript puzzles or checks of mouse/keyboard movements, not to mention solving CAPTCHA puzzles. Once this happens, throw the errant source into a penalty box for a period of time, then rinse and repeat. Dynamically increase this penalty-box timeout when the errant source fails multiple times. This will effectively thwart any attempt by the errant source to send HTTP requests to the victim server. Lastly, work with your upstream service provider, or engage a cloud-based anti-DDoS service when the attacks become too large to handle. Sound the SOS!
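The outbound-monitoring procedure just described (per-server BPS/PPS per window, an anomaly threshold against the server's own baseline, the top-10 destinations it is sending to, and a rate-shaping cap) as an added Python example. This is not code from the original post or from F5; the flow records, the documentation address ranges, the one-minute window and the 20x threshold are all constructed assumptions of the example.

```python
"""Outbound reflection check for a provider's own DNS/NTP servers.

Added example, not F5's code. It walks the procedure from the post: total
each server's outbound packets per window, flag a window whose rate jumps
far above the server's own median, list the top destinations the server is
hammering, and derive a rate-shaping cap. Flow records are constructed.
"""
from collections import defaultdict
from statistics import median
from typing import NamedTuple


class Flow(NamedTuple):
    t: int        # time window index (one-minute buckets assumed)
    src: str      # one of our servers, emitting the traffic
    dst: str      # where it is sending
    sport: int    # 53 for DNS answers, 123 for NTP responses
    packets: int
    bytes: int


# Constructed sample (documentation address ranges). ns1 answers a steady
# trickle of queries; ntp1 is quiet until window 3, when it blasts 120k
# monlist-sized responses at two addresses it has never talked to before.
FLOWS = [
    *[Flow(t, "192.0.2.53", f"198.51.100.{10 + i}", 53, 40, 40 * 120)
      for t in range(4) for i in range(5)],
    *[Flow(t, "192.0.2.123", f"198.51.100.{50 + i}", 123, 10, 10 * 90)
      for t in range(4) for i in range(5)],
    Flow(3, "192.0.2.123", "203.0.113.10", 123, 100_000, 100_000 * 482),
    Flow(3, "192.0.2.123", "203.0.113.11", 123, 20_000, 20_000 * 482),
]


def window_totals(flows):
    """(src, t) -> [packets, bytes] summed over all flows in that window."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[(f.src, f.t)][0] += f.packets
        totals[(f.src, f.t)][1] += f.bytes
    return totals


def find_anomalies(flows, window_seconds=60, factor=20, min_history=2):
    """Return (src, t, pps, baseline_pps) for windows whose outbound packet
    rate exceeds `factor` times the median of that server's earlier windows.
    A floor of one packet per window stops a silent server tripping on noise."""
    series = defaultdict(list)  # src -> [(t, pps)] in time order
    for (src, t), (packets, _) in sorted(window_totals(flows).items(),
                                          key=lambda kv: kv[0][1]):
        series[src].append((t, packets / window_seconds))
    alerts = []
    for src, points in series.items():
        for i, (t, pps) in enumerate(points):
            prior = [p for _, p in points[:i]]
            if len(prior) < min_history:
                continue
            base = median(prior)
            if pps > factor * max(base, 1.0 / window_seconds):
                alerts.append((src, t, pps, base))
    return alerts


def top_destinations(flows, src, t, n=10):
    """Top-n destinations (by packets) that `src` sent to in window `t`."""
    by_dst = defaultdict(int)
    for f in flows:
        if f.src == src and f.t == t:
            by_dst[f.dst] += f.packets
    return sorted(by_dst.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def shaping_policy(alert, flows, headroom=2.0):
    """Rate-shaping decision for one alert: cap the server's outbound pps at
    `headroom` times its own baseline and record who was being hit."""
    src, t, _, base = alert
    cap_pps = max(base * headroom, 1.0)
    return {"src": src, "window": t, "cap_pps": cap_pps,
            "top_destinations": top_destinations(flows, src, t)}


if __name__ == "__main__":
    for alert in find_anomalies(FLOWS):
        policy = shaping_policy(alert, FLOWS)
        print(f"{alert[0]} window {alert[1]}: {alert[2]:.1f} pps vs baseline "
              f"{alert[3]:.2f} pps -> cap {policy['cap_pps']:.2f} pps")
        for dst, pk in policy["top_destinations"][:3]:
            print(f"   {dst:<16} {pk:>8} packets")
```

The cap is deliberately tied to the server's own history rather than a fixed number, so a busy authoritative resolver and a quiet NTP server get different limits; in a real deployment the flow records would come from NetFlow/sFlow exports and the cap would be pushed to the edge as a shaping rule.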
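The step-up verification chain and escalating penalty box described above, as an added Python example; it is not F5's implementation nor code from the original post. The stage names, the HMAC-signed cookie used to make the JavaScript/HTTP cookie stage concrete, the 60-second base penalty and the doubling rule are assumptions of this example.

```python
"""Step-up anti-bot verification with an escalating penalty box.

Added example, not F5's implementation. A per-source state machine walks a
client through verification stages; the JavaScript/HTTP-cookie stage is made
concrete with an HMAC-signed cookie that only a client which actually ran the
challenge page can echo back. Each failed challenge parks the source in a
penalty box whose timeout doubles with every repeat failure (assumed rule).
"""
import hashlib
import hmac
from dataclasses import dataclass

STAGES = ("syn_cookie", "http_redirect", "js_cookie", "captcha")
SECRET = b"constructed-secret-rotate-in-production"  # constructed placeholder
COOKIE_TTL = 300  # seconds a challenge cookie stays valid (assumed)


def issue_cookie(src: str, now: float) -> str:
    """Value the challenge page sets via JavaScript: src|issued_at|hmac."""
    payload = f"{src}|{int(now)}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_cookie(src: str, cookie: str, now: float) -> bool:
    """Accept only an unexpired cookie bound to this source with a valid MAC."""
    try:
        c_src, issued, sig = cookie.split("|")
        issued = int(issued)
    except ValueError:
        return False
    if c_src != src or not 0 <= now - issued <= COOKIE_TTL:
        return False
    expected = hmac.new(SECRET, f"{c_src}|{issued}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


@dataclass
class SourceState:
    stage: int = 0              # next STAGES index the source must pass
    failures: int = 0           # consecutive failed challenges
    penalty_until: float = 0.0  # requests are dropped until this time


class StepUpGate:
    def __init__(self, base_penalty=60.0, max_penalty=3600.0):
        self.base_penalty = base_penalty
        self.max_penalty = max_penalty
        self.sources = {}  # src -> SourceState

    def _state(self, src):
        return self.sources.setdefault(src, SourceState())

    def admit(self, src, now):
        """Decide what to do with a request: drop, challenge (which stage), or allow."""
        st = self._state(src)
        if now < st.penalty_until:
            return ("drop", "penalty_box")
        if st.stage < len(STAGES):
            return ("challenge", STAGES[st.stage])
        return ("allow", "verified")

    def report(self, src, passed, now):
        """Record a challenge outcome. Returns the penalty applied in seconds."""
        st = self._state(src)
        if passed:
            st.stage += 1
            st.failures = 0
            return 0.0
        st.failures += 1
        penalty = min(self.base_penalty * 2 ** (st.failures - 1), self.max_penalty)
        st.penalty_until = now + penalty
        return penalty

    def report_cookie(self, src, cookie, now):
        """js_cookie stage: verify the echoed cookie, then record the outcome."""
        return self.report(src, verify_cookie(src, cookie, now), now)


def simulate_headless_bot(gate=None):
    """Constructed scenario: a source passes the L4 and redirect checks but
    never runs the JavaScript, so it keeps echoing an empty cookie."""
    gate = gate or StepUpGate()
    src = "198.51.100.7"
    gate.report(src, True, now=0)   # syn_cookie passed
    gate.report(src, True, now=0)   # http_redirect passed
    penalties = [gate.report_cookie(src, "", now=t) for t in (1, 100, 400)]
    return penalties, gate.admit(src, now=401), gate.admit(src, now=700)
```

The penalty grows from 60 to 120 to 240 seconds across the three failures, so a script that keeps retrying spends progressively more time being dropped at the gate while a real browser clears the cookie stage on its first attempt.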
It is common sense that the only possible way to mitigate 300 Gbps floods is in the service provider cloud or a cloud-based anti-DDoS service, likely using a distributed scrubbing "anycast" model, where each distributed scrubbing center sucks in the traffic destined for the victim like a big washing machine and starts cleaning. That said, there are many ways to skin a cat; likewise, there are many ways to solve a DoS problem. Pay particular attention to attacks as they move up the OSI stack toward Layer 7. These are typically harder to mitigate, but fortunately not for F5. So if you're thinking that botnet armies are the sole source of menace in the DoS world out there, they're not. Everyday Internet users like you and me could be unsuspecting participants in the world's largest DoS to be.

** Source: The Lord of the Rings, J.R.R. Tolkien, 1954

APAC market research points to WAF being integrated with application delivery
We entered 2014 on a fillip. Frost & Sullivan had just named us the leading WAF vendor in Asia Pacific and Japan. The Frost Industry Quotient put F5 and nine other companies under its analytical magnifying glass, examining our market performance for CY 2012 as well as key business strategies. They left no strategy unturned, it would seem: product and service strategy, people and skills strategy, business strategy and even ecosystem strategy were all held up to scrutiny. But the real scoop wasn't that we were No. 1 but that Frost IQ had discerned developments in the market that point towards WAF being integrated with application delivery. The researchers noted that the convergence would lead to a more intelligent and holistic way for organizations to protect their web applications.

The market is validating what we said a year ago when we launched BIG-IP Advanced Firewall Manager, the first in the industry to unify a network firewall with traffic management, application security, user access management and DNS security capabilities within an intelligent services framework. Every day, publicly known or otherwise, organizations grapple with attacks that target their applications in addition to those that threaten the network. Because F5 solutions occupy strategic points of control within the infrastructure, they are ideally suited to combine traditional application delivery with firewall capabilities and other advanced security services. The bell tolls for the traditional firewall. Eventually it will be replaced by intelligent security. F5's integrated approach to security is key in mitigating DDoS attacks, helping to identify malicious actions, prioritize how requests from specific locations are handled and focus on addressing properly qualified requests. Enabling security services on our ADCs makes it possible to consolidate multiple security appliances into one single device.
This consolidation includes a WAF that analyses traffic and can propose rules to automatically protect the enterprise. I caught up briefly with Christian Hentschel, SVP Asia Pacific and Japan, for his views on the new accolade. Aside from being very proud to be recognized as the leading WAF vendor in APJ, a testimony to our strategy and the team's focus, he noted that customers view the traditional firewall as less relevant given the sophistication of cyber-attacks on layers 4-7 today.

Tackling Cyber Attacks From Within
An increasing number of organizations face serious security threats that are socially, politically and economically motivated. Conventional firewalls are no longer enough to prevent complex and frequent cyber attacks such as multi-layer distributed denial-of-service (DDoS)/application-layer attacks and SQL injection. In the past year, the number of DDoS attacks targeting vulnerable spots in web applications has risen, and attackers are using increasingly complicated methods to bypass defenses. Meanwhile, 75% of CISOs were aware that external attacks had increased, and 70% of CISOs noted that web applications represent a higher area of risk than the network infrastructure.

The challenge with application-layer attacks is to differentiate human traffic from bot traffic. DDoS mitigation providers frequently use browser fingerprinting techniques like cookie tests and JavaScript tests to verify that requests are coming from real browsers. However, it has recently become apparent that cybercriminals have launched DDoS attacks from hidden but real browser instances running on infected computers. This type of complex cyber attack is incredibly hard to detect. What organizations need is a security strategy that is flexible and comprehensive, much like F5's web application firewall (WAF) and security solution.

F5 recently received the 2013 Frost & Sullivan Asia Pacific Web Application Firewall Market Share Leadership Award. This recognition demonstrates excellence in capturing the highest market share for WAF solutions in the region and remarkable year-on-year revenue growth, a true testimony to the execution of F5's security strategy. Christian Hentschel (SVP, APJ) noted that cyber-attacks often result in the loss or theft of intellectual property, money, sensitive corporate information, and identity.
An effective security strategy encompasses not only the enterprise infrastructure but also the devices, the applications, and even the networks through which users access mobile and web applications. F5's ICSA-certified WAF and policy-based web application security address cyber-threats at the application level. In September 2013, F5 strengthened its security portfolio with the acquisition of Versafe Ltd., a web anti-fraud, anti-phishing, and anti-malware solutions provider. The acquisition reinforces F5's commitment to provide organizations with holistic, secure access to data and applications at any time, from any device. F5's comprehensive security solutions combine DNS security and DDoS protection, network firewall, access management, and application security with intelligent traffic management. Its flexibility to provide WAF both as a standalone solution and as an integrated offering on its BIG-IP® Application Delivery Controller platform gives customers options that best suit their businesses. F5's ability to provide end-to-end application protection, advanced monitoring, and centralized management without compromising performance makes its WAF solutions the number one choice throughout the Asia Pacific region.

F5 predicts: The dumb firewall will become obsolete
Gartner predicts that by 2016 the financial impact of cybercrime will grow by 10 per cent per year, due to the continuing discovery of new vulnerabilities fuelled by the increasing adoption of mobile collaboration platforms and cloud services. Another study, The 2013 Cost of Cyber Crime Study, reveals that the cost of cybercrime in 2013 escalated 78 percent, while the time necessary to resolve problems has increased by nearly 130 percent in four years. This fundamentally means that organizations need to rethink the security defenses being deployed to protect their IT infrastructure.

Most organizations typically rely on traditional security solutions like network firewalls, Intrusion Prevention Systems (IPS) or antivirus software that monitor network traffic and/or system activities for malicious activity. Today's threat landscape encompasses an increasing range of potential vulnerabilities and demands an appropriately sophisticated response by those charged with cyber defence responsibilities, whether in the family, the organization or at the national level. The proliferation of Internet connectivity has allowed malicious software to spread in seconds to millions. And the malware itself has become much better at avoiding detection, taking steps to hide its signature. Most viruses today are obfuscated a number of times and checked to make sure no anti-virus software can detect them, all in a matter of seconds, and all before they are sent out to their victims.

Sensitive data is facing new security threats, evidenced by all the application-targeted cyber attacks we see in the news. High-profile attacks, such as the Adobe data breach, the attack by The Messiah in Singapore, the recent multi-layer distributed denial of service attacks, SQL injection vulnerabilities, and JSON payload violations in AJAX widgets, pose increasing risks to interactive web applications, data, and the business. Internet threats are widely varied and multi-layered.
As these threats evolve, organizations find that traditional firewalls lack the intelligence and the scalability needed to stay effective and responsive under a multi-layered persistent threat scenario. Security practitioners are coming to grips with the new paradigm of having to handle enterprise security as an end-to-end process from end-user device to networks to applications. The days of finding comfort behind a solitary firewall or a unified threat management device are gone with the current threat landscape. IT staff should be aware that any security solution should be able to handle attacks on multiple levels, i.e. at the network and at the application, providing defense in depth; simple firewalls will easily be overwhelmed by the scale of the attacks that enterprises experience today.

"The threats that exist today are getting through many of today's existing security controls," warns Gartner Inc. analyst and Research Director Lawrence Pingree. "Advanced threat protection appliances that leverage virtual execution engines as a petri dish for malware are most effective to deal with the latest threats. Also, organizations must continue to upgrade their endpoint protection suites."

'Intelligent security' is becoming more important as cyber criminals become more sophisticated, and this is leading to the rise of security that is flexible and responsive based on factors such as the apps, the location or the user. Ultimately, the right tool needs to be tailored for the right attack. One thing is clear: a one-size-fits-all approach to security won't work in 2014 and beyond. At the same time, security cannot come at the expense of performance. End users expect high performance, and security cannot be a bottleneck. Much like the saying that no service can be "good, cheap and fast", most security practitioners are looking for the ideal solution to an ever-changing problem.
But in reality we know that there cannot be one solution which fulfils all requirements and is 100% foolproof. Just as insurance needs evolve over a person's lifetime, security requirements also evolve over the enterprise business lifecycle. Therefore it is important to adopt an architectural approach to security which continually evolves as the landscape changes. Again, remember that security is a function of people, process and technology, and without the optimal use of all three components, 100% protection could be like a search for the Holy Grail! What is your view on the changing security landscape? Tell us in the comments below.

F5 predicts: Social Adoption opens up security risks
Kicking off the 'F5 predictions' series is a topic that is proving difficult for businesses to ignore: the avalanche of social technologies coming into the enterprise. Many companies understand the value the technology brings, such as increased productivity, a more efficient workplace, better collaboration between colleagues and departments, and a greater brand experience between customers and companies. Many companies are also witnessing an evolving market. Notably, the demand from Generations Y and Z is for a more socialized work environment. Taking Singapore as one example, the figure has been put at 60% of the workforce. This new breed emerges as the largest age group since the baby boomer generation: they are well-educated, well-travelled, tech-savvy, able to multi-task and reaching out for social interaction. Millennials urge even the most traditional companies to deploy a more collaborative and socialized environment.

Catering to this new breed of employees, managers need to fully understand user behavior while introducing refreshed guidelines to ensure a secure social environment at work. Towards customers, companies need to understand user behavior to generate business and brand loyalty in a secure environment. And security is in fact the Achilles' heel of companies, according to Ernst & Young's Global Information Security Survey 2013. Thirty-one percent of respondents reported that the number of security incidents had increased by at least 5% over the last 12 months. Further, the survey indicates that security functions are not fully meeting the needs of 83% of organizations. Companies are eager to protect themselves against cyber-attacks, be it for reputation, revenue or accountability reasons. It is a step in the right direction: by not taking security risks into consideration, companies become an easy target for cyber attackers, which can jeopardize an organization's reputation.
Security is one of the top hurdles for organizations adopting new technologies. Formerly, they were able to keep data behind their walls and have control over it. But with newer technologies, customer data is more exposed. The number of security breaches is on the rise. Nonetheless, the pace of technology evolution will only accelerate, for instance with the 'social' demands of these younger cohorts. Millennials will soon dominate the workforce, just as the Baby Boomers once did. This tech-savvy and highly mobile generation grew up with the Internet and expects readily available information for work and for pleasure on their mobile devices, as they already have on a typical desktop computer. And soon these younger cohorts are going to be the biggest customer group, conducting their lives in the virtual space. Together, the technology and the demand of this newest customer group drive a transformation of how different sectors act. Looking at the banking sector, Millennials expect to have access to services and to transact any time and in any way.

A mobility strategy is not an easy endeavor for any company. Areas of consideration include access to applications and data, the balance of security policies and user convenience, the speed of providing needed information or completing a transaction, ease of browsing, and so on. For most enterprises it is a time- and resource-absorbing task to build mobile applications and to maintain them. What businesses need is a backend infrastructure that can help deliver image-heavy content, prioritize traffic to overcome mobile network latency and offer visibility into application performance, all while keeping web vulnerabilities low. Furthermore, as cyber crime becomes more complex, with attacks from multiple angles on different devices, single-purpose security machines will be phased out in favor of sophisticated multi-purpose machines.
This convergence will also happen in the context of performance, as businesses come to expect a fast, reliable user experience on any device.

Leave No Application Behind
F5's new architecture vision, Synthesis, and F5 Korea's remarkable business results and vision

F5 Networks Korea held a press conference on January 27 to explain "F5 Synthesis", its new architecture vision for delivering Software Defined Application Services (SDAS), and to introduce F5 Korea's remarkable 2013 business results and its plans for 2014. The presentation was given jointly by F5 Korea country manager Cho Won-kyun (조원균) and Keiichiro Nozaki, head of product marketing for the Asia Pacific region.

F5 Synthesis, announced last November, is an architecture vision that, built on an elastic, high-performance, multi-tenant services architecture, makes it easy to deliver and orchestrate SDAS across data center, cloud and hybrid environments; it can be regarded as the culmination of the innovation F5 technology has achieved to date. Announced together with newly introduced licensing options, F5 Synthesis enables customers to deliver layer 4-7 services to anyone, without restriction, quickly and cost-effectively. F5 Synthesis is a high-performance services fabric that scales to meet the requirements of the most demanding environments, supporting a combined throughput of 20.5TB and a capacity of 9.2 billion connections across management domains and virtual instances, which is more than three times the capacity needed to manage the connections of every Internet user in the world today. This figure also backs up the message F5 is putting forward with Synthesis: "Leave No Application Behind".

In response to questions from the attending media, a series of reference architectures through which F5 Synthesis can be applied in the market were also shown. These focus on business solutions so that customers can understand them easily, and are designed to help customers shorten time to market and solve widespread challenges.

Cho Won-kyun, country manager of F5 Korea, emphasized: "F5 is well aware of the movements of the rapidly changing ADC market and has already firmly established its global leadership. We help enterprises move in the direction IT is heading: billions of users and devices and millions of applications. Today's announcement reflects our belief that F5 is ideally positioned to help organizations take advantage of today's exciting and groundbreaking technologies without suffering from excessive complexity or sacrificing application performance and security."

In a report published on March 18, 2013, titled "Five Key Elements of Network Design for Improving Performance and Reducing Costs", Gartner stated: "Changes in the application environment, user expectations and network services require network designers to broaden their thinking so that the network supports new and changing business requirements. They need to address five elements, namely users, applications, devices, locations and activities, within a framework that best supports internally and externally managed enterprise applications."

Security is a process (Japanese-language post)
A recent newspaper article warned that many IT products and applications, including payment systems, do not have adequate security functions. The reasons given were, first, that security is regarded as an afterthought, and second, that people with security expertise are not involved in the design and implementation of those products or applications.

F5 sees security as a process and believes it should be managed as such. The security experts who build the policies that make security and compliance work within the organization have an important role. Likewise, the programmers who develop the software also have an important role, but the two roles are different in nature.

Decisions on security policy for business applications should not be left to software engineers, because they are not security experts. Therefore, the sound approach is to reduce the burden of coding security policies on software programmers and entrust it to trusted security solutions professionals.

In other words, security should be recognized as an end-to-end process, and policies for security management are needed wherever there is interaction between the enterprise and users, whether that is devices, access, networks, applications or data storage. Considering the complexity of each part, it is sometimes better to consolidate several security concerns into a shared solution. In short, simplifying the security process in this way is something like the "BPR" (business process re-engineering) that consultants use in the business world. From the perspective of the CFO (chief financial officer), this leads to enormous cost savings, both operationally and in capital terms.

For example, in the case of application security, the trend is to build security functions into application delivery controllers (ADCs). ADCs are designed from the outset to deliver applications safely to end users. In today's context, ADCs play the role of gatekeepers for applications. They prevent unauthorized access and can defend against complex application-level attacks such as those defined by the Open Web Application Security Project (OWASP)*.

However, the situation is becoming more complex, and CIOs (chief information officers) face further challenges. Younger employees in recent years assert their rights as employees and are becoming more demanding. CIOs must meet their demand to work freely on the device of their choice (tablets, smartphones and so on) while also meeting their wish to switch seamlessly between their own social networks and the workplace network. The challenge for CIOs is how to protect corporate assets in the face of growing and more complex threats. In addition, CIOs want to make active use of the cloud for cost management. Reconciling such CIO wishes with security considerations is difficult, and the situation can become unmanageable.

What this situation requires is a solution that understands enterprise applications as well as user behaviour. In addition, corporate security policies must be enforced while keeping the impact on the user's environment to a minimum. F5 considers security to be a business of trust. Choosing a vendor that has the right processes and policies is extremely important. It is the policies and processes that determine the required solution, not the other way round.

*Open Web Application Security Project (OWASP): an international open community that aims to solve the challenges surrounding web application security http://appsecapac.org/2014/owasp-appsec-apac-2014/about-owasp/

For an English version of this post, please click here.

Security is a process (Korean-language post)
Recently, an authoritative overseas newspaper warned that many IT products and applications, including payment systems, lack adequate security. The newspaper gave the reasons as, first, that security is not treated as a top-priority consideration, and second, that security experts are not involved in the design and implementation of systems.

F5 Networks thinks of security not as a one-off measure or action but as a process, and security should be approached from this perspective. The security experts who establish policies to ensure security and regulatory compliance within the organization have a very important role, and the programmers who develop the software have an equally important role. However, there is a clear difference between the two roles. Since business applications are core assets of the enterprise, leaving corporate security solely to software engineers rather than security experts is ill-advised. Therefore, the wise approach is to relieve software programmers of the burden of turning security policy into software and to have trusted security solution experts take charge of this work.

Viewed from this perspective, security is an end-to-end process and requires policies that cover, without omission, every area where users and the enterprise interact, including devices, access, network, applications and storage. Because of the complexity of these moving parts, it is sometimes preferable to consolidate several point security problems into a single solution. Simply put, this is similar to process simplification and not very different from what consultants in the business world call "BPR (Business Process Reengineering)". However it may look to an individual, from the perspective of the CFO (chief financial officer) it means enormous savings in operating and capital costs.

For example, application security is lately tending to be built into the application delivery controller (ADC). ADCs were developed from the outset for the purpose of delivering applications securely to end users. Today, ADCs block unauthorized access and, with the added capability to stop advanced application-level attacks such as those defined by OWASP, the international web standards body, act as secure application gatekeepers. However, the situation is becoming more complex. CIOs (chief information officers) face the task of meeting the demands of young, capable and demanding Generation Y employees, who want to work on the device of their choice and switch freely between their personal lives and the workplace network. CIOs carry the burden of protecting corporate assets from growing and increasingly complex threats. Moreover, as the cloud must be used for cost control and scalability, security problems are growing to an uncontrollable scale.

This situation calls for innovative security solutions that understand the behaviour of enterprise applications as well as user behaviour and can enforce corporate security policy with minimal impact on the user experience. F5 believes the security business is a business based on trust. Establishing the right process and policies is more important than choosing a vendor. Policies and process determine the required solution, not the other way round.

Original blog post by Kuna.