Friday, July 22, 2011

Managing Internet, the secure way

As internet traffic grows, so do the opportunities to compromise its security, and there is a growing concern today about the way internet security is being treated. The nature of the web, with its global access, ease of connectivity and interaction, and lack of true client control, creates an environment where application misuse or abuse can create serious issues for an organisation. As such, almost any discussion of web applications and data integration quickly becomes a discussion of security. Web application developers must fully understand the security risks in order to address the legitimate concerns while ignoring the hype.
Looking at the overall security scenario, web application security risks fall into three major categories: snooping and eavesdropping, user impersonation, and unauthorized access.
Eavesdropping
Eavesdropping is roughly defined as the risk of having someone “overhear” data being sent over the Web. It is a primary concern when sending confidential data, such as credit-card information, over public connections.
On routed IP networks like the Internet, data moves in the form of packets, and it is relatively difficult to eavesdrop on specific connections without having privileged access to the local ISP's routers. The packets of any given message could be sent over completely different routes to get from the sender to the receiver, rendering coherent snooping of the transmission nearly impossible.
The risk of “packet sniffing” is still there, however, especially in Local Area Network (LAN) settings.
What is User Impersonation?
There is a significant risk of untrusted users gaining access to secure information by impersonating trusted users. User authentication is the foundation of Internet-based application security, and inadequate authentication leaves applications vulnerable to attack.
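As an added illustration, not code from the original post, the following Python contrasts what inadequate and adequate password authentication look like in practice: a user store that keeps passwords in the clear and compares them with plain equality, beside one that stores only a per-user salted PBKDF2 hash and compares it in constant time. The in-memory store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example; a real application
# would persist these records in a database.
_USERS = {}

# Weak scheme: the password is stored as plain text and compared with "==".
# Anyone who reads the store (backup, log, SQL injection, insider) learns
# every password outright, and the comparison time leaks where it differs.
def register_weak(username, password):
    _USERS[username] = {"scheme": "plain", "secret": password}


def verify_weak(username, password):
    record = _USERS.get(username)
    return record is not None and record["secret"] == password


# Hardened scheme: per-user random salt, PBKDF2-HMAC-SHA256 with a high
# iteration count, and a constant-time comparison of the derived key.
ITERATIONS = 200_000


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = os.urandom(16)
    _USERS[username] = {"scheme": "pbkdf2", "salt": salt, "hash": _derive(password, salt)}


def verify(username, password):
    record = _USERS.get(username)
    if record is None or record["scheme"] != "pbkdf2":
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def stored_secret_reveals_password(username):
    """True if someone who reads the store learns the password directly."""
    return _USERS[username]["scheme"] == "plain"
```

The weak functions are kept only so the two schemes can be compared side by side; a production system would never ship the plain-text variant.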
Unauthorized Access
Unauthorized access is defined as the risk of exposing sensitive information to unauthorized users. It is the biggest and most complex security risk, because the Internet effectively links every computer into one large network. While completely allowing or disallowing access to a given system or data source remains relatively straightforward, partial access remains risky. At the same time, access to distributed systems is what makes the Internet a valuable business tool.
Trends in the Market
Every Internet based application needs to address these basic security concerns. Over the past few years, several technologies and techniques have evolved as standard mechanisms with which to secure web applications.
HTTP data is often transmitted over open lines, shared data channels, and public access providers. If electronic snoops were to “eavesdrop” on this connection, they would be able to copy every byte of data transmitted. While not a common occurrence, this kind of theft is technically possible, making it a legitimate concern, particularly for sensitive data such as credit-card information.
Data encryption is a mechanism used to prevent data from being stolen in transit between the client and server machines. Electronic thieves can still grab the data being transmitted, but they will find it useless in its encrypted state.
The most common form of data encryption used by web-based applications is Secure Sockets Layer (SSL). SSL is a security protocol that provides Internet application protocols (like HTTP) with data encryption using public key cryptography.
Most web servers support SSL, allowing administrators to install a private key that is used to decrypt inbound data and encrypt outbound data. Once installed, the web server automatically encrypts or decrypts data as it is received or transmitted.
