(Cross post from Securosis ... which I will do from time to time when a post has relevance to InfoCentric security) -Adrian
Or more appropriately, "Why are we talking about
ADMP?" In his first post on the future of application and database
security, Rich talked about Forces and Assumptions heading us down an
evolutionary path towards ADMP. I want to offer a slightly different take on my
motivation, or belief, in this strategy.
One of the beautiful things about modern application
development is our ability to cobble together small, simple pieces of code into
a larger whole in order to accomplish some task. Not only do I get to leverage
existing code, but I get to bundle it together in such a way that I alter the
behavior depending upon my needs. With simple additions, extensions and
interfaces, I can make a body of code behave very differently depending upon
how I organize and deploy the pieces. Further, I can bundle different
application platforms together in a seamless manner to offer extraordinary
services without a great deal of re-engineering.
A loose confederation of applications cooperating to solve business problems is
the typical implementation strategy today, and I think that the security
challenge needs to account for the model rather than the specific components
within the model. Today, we secure components. We need to be able to 'link up'
security in the same way that we do the application platforms (I would normally
go off on an Information Centric Security rant here, but that is pure
evangelism, and a topic for another day).
I have spent the last four years with a security vendor that provided
assessment, monitoring, and auditing of databases specifically.
Do enough research into security problems, customer needs, and general market
trends, and you start to understand the limitations of securing just a single
application in the chain of events. For example, I found that database security
issues detected as part of an assessment scan may have specific relevance to
the effectiveness of database monitoring. I believe web application security
providers witness the same phenomenon with SQL injection, since they may lack
context for the attack, or at least for the more subtle subversions of the
system or exploitation of logic flaws in the database or database application.
A specific configuration might be necessary for business continuity and
processing, but could open an acknowledged security weakness that I would like
to address with another tool, such as database monitoring.
That said, where I am going with this line of thought is not just the need for
detective and preventative controls on a single application like a web server
or database server, but rather the inter-application benefit of a more unified
security model. There were many cases where I wanted to share some aspect of
the database setup with the application or access control system that could
make for a more compelling security offering (or vice versa, for that matter).
It is hard to understand context when looking at security from a single point
outside an application, or from the perspective of a single application
component. I have said many times that the information we have at any single
processing node is limited. Yes, my bias towards application level data
collection vs. network level data collection is well documented, but I am
advocating collection of data from multiple sources. A combination of
monitoring of multiple information sources, coupled with a broad security and
compliance policy set, would be very advantageous. I do not believe this is
simply a case of "more (monitoring) is better," but of solving specific
problems where it is most efficient to do so. There are certain attacks that
are easier to address at the web application level, others best dealt with in
the database, and still others that should be intercepted at the network level.
But the sharing of policies, policy enforcement, and suspect behaviors can be
both more effective and more efficient.
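The cross-tier correlation argued for above, together with the earlier point that assessment findings should inform monitoring, as an added example that is not from the original post or from any Securosis or vendor product: a toy correlator joining constructed web-tier and database-tier events by a propagated request id. The endpoint-to-table policy, the assessment finding, the account names and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed assessment finding: the app's DB account is over-privileged and the
# business cannot reduce it yet, so its out-of-profile activity is rated high.
ASSESSMENT_FINDINGS = {"app_svc": "holds DROP/GRANT; needed for nightly batch until Q3"}

# Policy shared between the web tier and the database tier (constructed): which
# tables each endpoint legitimately touches, and which accounts may hit the DB directly.
ENDPOINT_TABLES = {"/login": {"users"}, "/orders": {"orders", "items"}}
DIRECT_ACCOUNTS = {"batch_svc"}

# Events as the two monitors would emit them; req_id is propagated from the web tier.
WebEvent = namedtuple("WebEvent", "req_id path user")
DbEvent = namedtuple("DbEvent", "req_id account stmt")

def tables_in(stmt: str) -> set:
    """Rough table extraction from a SQL statement (good enough for a monitor)."""
    return {t.lower() for t in re.findall(
        r"\b(?:from|join|into|update)\s+([A-Za-z_]\w*)", stmt, re.IGNORECASE)}

def correlate(web_events, db_events):
    """Join DB activity to the web request that caused it and flag mismatches."""
    by_req = {w.req_id: w for w in web_events}
    findings = []
    for d in db_events:
        w = by_req.get(d.req_id)
        if w is None:
            if d.account not in DIRECT_ACCOUNTS:
                findings.append((d.req_id, f"medium: {d.account} ran SQL with no web request"))
            continue
        extra = tables_in(d.stmt) - ENDPOINT_TABLES.get(w.path, set())
        if extra:
            sev = "high" if d.account in ASSESSMENT_FINDINGS else "medium"
            findings.append((d.req_id, f"{sev}: {w.path} ({w.user}) reached {sorted(extra)} via {d.account}"))
    return findings

# Constructed sample feeds: r2 carries a UNION injection that the web tier sees only
# as an odd parameter and the DB tier sees only as one more query from app_svc.
WEB = [WebEvent("r1", "/login", "alice"), WebEvent("r2", "/orders", "bob")]
DB = [
    DbEvent("r1", "app_svc", "SELECT id FROM users WHERE name = 'alice'"),
    DbEvent("r2", "app_svc", "SELECT * FROM orders o JOIN items i ON o.id = i.order_id "
                             "UNION SELECT name, pass, 1 FROM admins"),
    DbEvent("r9", "app_svc", "UPDATE orders SET status = 'shipped'"),
    DbEvent("r10", "batch_svc", "UPDATE orders SET status = 'shipped'"),
]

if __name__ == "__main__": print(*correlate(WEB, DB), sep="\n")
```

Neither monitor alone can say that `/orders` reached `admins`; only the join of the two feeds plus the shared policy produces that finding.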
Application and Database Monitoring and Protection is a concept that I have
been considering/researching/working towards for several years now. At my
previous employer, this was a direction I wanted to take the product line, as
well as some of the partner relationships, in order to make this happen across
multiple security products. When Rich branded the concept with the "ADMP"
moniker it just clicked with me for the reasons stated above, and I am glad he
posted more on the subject last week. But I wanted to put a little more focus
on the motivation for what he is describing and why it is important. This is
one of the topics we will both be writing about more often in the weeks and
months ahead.