Untangle Your Web Security Deployment

Computer security, on any platform, has traditionally been viewed as a necessary evil because most users believe it hinders their freedom to do their jobs. Over the years we have come to understand that security is necessary for a business to endure; nevertheless, it continues to be stereotyped as business overhead.

In today's e-business environment, in which your financial growth depends on successful and secure business transactions, security becomes a business enabler. No longer are you just displaying static HTML pages to provide your customers with your company's product and support information; by using application servers such as WebSphere, you are now engaging in real transactions for goods or services. As a result, your customers and partners are demanding a secure environment in which to participate in e-commerce.

For security goals and controls to be successful, it is imperative that upper management support their development. The most senior executives in your corporation must be convinced that security is, indeed, an e-business enabler and can make an impact on the corporation's financial goals. With the support of upper management, an implementation team can be appointed that will formulate and deploy your corporation's security policy.

A security implementation in an enterprise environment is a major project. As with any major endeavor, you need to follow good project management guidelines to ensure a successful implementation. One of the most important actions you can take is the creation of an implementation team. The implementation of your Web security software requires a concentrated effort by the individuals assigned to the implementation team, and also requires cooperation and contribution from the areas in your organization that will be affected by the implementation.

In addition to creating an implementation team, you need to:

  • Assign a project manager
  • Hold regular meetings
  • Establish an archive of all pertinent documentation relating to the project
  • Review your corporation's security policies and procedures

    Assigning an Implementation Team
    Before any serious deployment of new technology can begin, it is imperative that you assemble the proper implementation team. Since WebSphere-based applications touch so many IT disciplines, it is critical that you include all of these groups in your initial planning sessions. In addition, other departments (such as marketing, order processing, manufacturing, and finance) may also need to get involved since they could ultimately be the business owners of your Web applications. Some members of this team may not be doing the actual work; however, they will definitely have a say in the deployment architecture, methodology, and time line.

    Although you may have the actual vendor or a contractor run the project for your company, you should always own the implementation and have an internal team assigned to work with the deployment vendor. The following sections explain how to identify the internal members of your implementation team and define their roles and responsibilities.

    Identifying Team Members
    Your implementation team may consist of the individuals assigned to perform the actual implementation and representatives from each of the following affected areas:

    • Security administration
    • Systems software
    • WebSphere applications software
    • Operations
    • Auditors
    • Business users
    • End users

    Now let's look at the specific roles that should be assigned within the implementation team.

    Defining Roles and Responsibilities
    After you have identified the organizational groups that will be involved in the planning and implementation of the deployment of your Web service security software, you need to ensure that each of their functions is clearly identified. Regardless of organizational responsibilities, the following roles should be considered and assigned to specific members of the implementation team:

  • Project manager: Owns the overall project management tasks, deliverables, communications, and timetables.
  • Security administrator: Responsible for the review and approval of design, architecture, and naming standards as they pertain to user IDs and resources.
  • Operations representative: Responsible for the day-to-day operation of Web security applications in terms of the hardware, software, and procedures required to maintain agreed-upon service levels.
  • Network and systems representative: Responsible for maintaining the connectivity of the environment in which Web security applications run.
  • End-user liaison: A business person who represents the end-user experience when it comes to interface decisions or user awareness issues.
  • Business representative: Responsible for the policies that will affect the end user's experience with certain business Web applications as they conduct electronic transactions for services or purchases.
  • Management: Senior management must stay involved and give its approval at every step; no project succeeds without that.

    Formulating a Security Policy
    The initial assignment of the security implementation project team may be to develop and recommend the security policy or the documentation of security objectives for your Web environment. You may be able to use or borrow concepts from the established policies of your mainframe or distributed environments since most, if not all, Web-based applications have the same generic security requirements, such as authentication and authorization.

    If the security policy or the documentation of security objectives has already been developed, the implementation team can use this document as its mandate. If these documents must be developed, the team is an ideal committee to do it since they can take into account the concerns of each affected area while developing the objectives. If each area agrees to the direction being set, which is more likely with active participation, then implementation can proceed smoothly without time-consuming discord between the areas.

    After the security policy has been formulated, upper management should issue a position statement to all internal employees and appoint a security officer (or at least a security administrator). The security officer can then ensure that employees are made aware of the security policies and procedures that they must adhere to and the consequences of any security violation.

    Statement of Goals
    In formulating a security policy, you first need to define the actual mission or goals of this policy. For example, when establishing the security goals for your Web environment you should consider:

  • The protection of corporate intellectual property
  • The protection of an individual's information
  • The segregation of customer, partner, vendor, or supplier information
  • The security of financial transactions
  • The implied trust of the Web environment you have created
  • Your commitment to provide a pleasant, yet secure, Web experience

    Your security policy needs to be clear and precise so that users can easily understand your corporation's security objectives. Your policies should also be easy for any type of user (intranet, extranet, or Internet user) to access without excessive searching. In other words, ignorance will not be an excuse for violating the security policy.

    Ensuring User Accountability
    Since security policies that are not enforced are useless, you should always strive to balance security controls with disciplinary action. It is easier to enforce your policies for internal employees, since employees are subject to corporate policies. It becomes difficult when customers, potential customers, or business partners do not adhere to your policies. Therefore, it becomes essential to have clearly defined security controls policies, enforcement methodologies, and disciplinary actions.

    Key components for ensuring user accountability include:

  • Ensuring that all users are made aware of your security controls policies
  • Letting your users know that you have an enforcement methodology
  • Letting your users know the disciplinary ramifications of any security violations
  • Reviewing your policies on a regular basis to ensure that they are still meeting your business objectives
  • Implementing a two-tier audit control methodology: real-time monitoring of serious security violations and postmortem audit reports
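The two-tier audit control named in the last bullet can be shown concretely. The following Python script is an added example, not code from the original article or from any vendor product: a real-time tier that evaluates each access-control event as it arrives and alerts on serious violations, and a postmortem tier that aggregates the same log into an audit report. The log format, the sample lines, the choice of `/admin/` and `/finance/` as privileged resource prefixes, and the burst threshold are all assumptions made for the example.

```python
"""Two-tier audit control over web access-control events.

Added example (not the article's or any product's code). The log format,
sample lines, privileged prefixes and thresholds are assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample access-control log (assumed format, one event per line):
#   <ISO-8601 timestamp> user=<id> src=<ip> resource=<path> action=<verb>
#   result=<ALLOW|DENY> reason=<policy tag>
SAMPLE_LOG = """\
2003-04-01T09:00:01Z user=jdoe src=10.1.2.3 resource=/orders/view action=GET result=ALLOW reason=orders-read
2003-04-01T09:00:05Z user=jdoe src=10.1.2.3 resource=/admin/users action=GET result=DENY reason=admin-only
2003-04-01T09:00:09Z user=asmith src=10.1.2.9 resource=/orders/view action=GET result=ALLOW reason=orders-read
2003-04-01T09:01:00Z user=mallory src=192.0.2.7 resource=/orders/export action=GET result=DENY reason=partner-only
2003-04-01T09:01:10Z user=mallory src=192.0.2.7 resource=/orders/delete action=POST result=DENY reason=orders-write
2003-04-01T09:01:15Z user=mallory src=192.0.2.7 resource=/finance/ledger action=GET result=DENY reason=finance-only
2003-04-01T09:02:00Z user=asmith src=10.1.2.9 resource=/orders/edit action=POST result=ALLOW reason=orders-write
"""

PRIVILEGED_PREFIXES = ("/admin/", "/finance/")  # assumption: denials here are "serious"
DENY_BURST_THRESHOLD = 3                          # assumption: denials per user inside the window
DENY_BURST_WINDOW = timedelta(seconds=60)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    resource: str
    action: str
    result: str
    reason: str


def parse_line(line: str) -> Event:
    """Parse one log line; raises KeyError/ValueError on a malformed line."""
    stamp, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return Event(ts, f["user"], f["src"], f["resource"], f["action"], f["result"], f["reason"])


class RealTimeMonitor:
    """Tier 1: evaluate each event as it arrives and emit alerts for serious violations."""

    def __init__(self):
        self._recent_denies = defaultdict(deque)  # user -> timestamps of recent DENY events

    def feed(self, ev: Event) -> list:
        alerts = []
        if ev.result != "DENY":
            return alerts
        # Rule 1: any denial on a privileged resource is serious on its own.
        if ev.resource.startswith(PRIVILEGED_PREFIXES):
            alerts.append(f"PRIVILEGED_DENY user={ev.user} src={ev.src} resource={ev.resource}")
        # Rule 2: a burst of denials from one user inside the window suggests probing.
        window = self._recent_denies[ev.user]
        window.append(ev.ts)
        while window and ev.ts - window[0] > DENY_BURST_WINDOW:
            window.popleft()
        if len(window) == DENY_BURST_THRESHOLD:  # alert once, when the threshold is crossed
            alerts.append(f"DENY_BURST user={ev.user} src={ev.src} "
                          f"count={len(window)} window={DENY_BURST_WINDOW.seconds}s")
        return alerts


def postmortem_report(events) -> dict:
    """Tier 2: aggregate the whole log for the periodic audit review."""
    totals = Counter(ev.result for ev in events)
    denies_by_user = Counter(ev.user for ev in events if ev.result == "DENY")
    denied_resources = Counter(ev.resource for ev in events if ev.result == "DENY")
    return {
        "totals": dict(totals),
        "denies_by_user": dict(denies_by_user.most_common()),
        "top_denied_resources": denied_resources.most_common(3),
        "users_with_zero_denies": sorted({ev.user for ev in events} - set(denies_by_user)),
    }


def run_two_tier(log_text: str):
    """Feed every event through the real-time tier, then build the postmortem report."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    monitor = RealTimeMonitor()
    alerts = [a for ev in events for a in monitor.feed(ev)]
    return alerts, postmortem_report(events)


if __name__ == "__main__":
    alerts, report = run_two_tier(SAMPLE_LOG)
    for a in alerts:
        print("ALERT", a)
    print("REPORT", report)
```

The real-time tier only ever sees one event at a time and keeps just enough state (a per-user window of recent denials) to recognise the patterns it alerts on; the postmortem tier has the whole log and can answer questions the real-time tier cannot, such as which users never trigger a denial and which resources attract the most denied requests. Tune the privileged prefixes and burst threshold to your own policy.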

    Creating an Implementation Plan
    Now that you have formed a security policy that provides the foundation for success, you need to create a thorough implementation plan. Even if your security solution will involve vendors or contractors, you need to have ownership of the entire deployment process. This will ensure that you understand the technology you are deploying and are able to make any critical business decisions when required.

    Planning and scheduling the security implementation can help set the proper direction and keep the implementation on course. A well-designed implementation plan is your most important control mechanism.

    An implementation plan that facilitates successful deployment contains many components. These components can include:

    • Creating a good working team
    • Defining the scope of the project
    • Defining realistic timetables
    • Defining milestones and deliverables
    • Executing a small pilot environment
    • Phasing the implementation
    • Conducting product training

    Typical Implementation Plan Components
    The following tasks should be included in a typical security implementation plan.

  • Product training: Time must be allocated for security administrators to be trained in the use of the Web service security applications.
  • Installation: Your installation of particular Web service security software depends on many site-specific factors. When planning your installation, you should consider a phased implementation to minimize any exposure.
  • Inventory of resources and users: The inventory phase can be one of the most time-consuming phases of the implementation. Its duration is determined by the number of users and resources in the installation. The results of the inventory can then be used as input in a phased implementation.
  • Definition of implementation strategy: Each organization may choose to approach the implementation in a different way, addressing different facilities and using different options and controls.
  • Development of emergency and troubleshooting procedures: Schedule time, before misuse or misconfiguration problems occur, to develop emergency procedures that minimize the time required to diagnose and resolve specific problems.
  • Development of security maintenance procedures: Changes in your environment (such as new applications) may require changes to your security policies. Development of maintenance procedures should be scheduled early, in anticipation of subsequent maintenance requirements.
  • Testing: A test plan should be designed to ensure that your Web service security software is implemented and functioning as desired in the installation.
  • Security awareness programs: The solidity and permanence of the security implementation will depend on the support of the user community. Support will come only if the users are properly educated about the features of the security product.
  • Ongoing assessment and evaluation: Ongoing assessment and evaluation programs should be developed and scheduled at regular intervals.

    Defining the Scope of Work
    The first task in the planning phase is to determine the scope of the deployment. Perhaps you want to control access to a subset of users or to key business-critical applications. You can deploy the security applications throughout your company's WebSphere application platforms in a very granular manner, as shown in Figure 1. Regardless of deployment scope, the same fundamental infrastructure can provide security controls at whatever level you are comfortable with.

    Constructing an Implementation Schedule
    A complete implementation schedule consists of a task list or flowchart and a time schedule. The task list or flowchart shows all the tasks that must be accomplished to implement the Web service security applications provided by WebSphere and other application servers at your site. Developing a detailed task list or flowchart allows you to determine which tasks are dependent on each other and must be done as part of a step-by-step procedure, and which tasks are independent. By analyzing all requirements before you start the implementation, you may find that tasks targeted as part of later phases may need to be completed in an earlier phase.

    The implementation team should draft a flexible time schedule. Developing realistic time estimates for the schedule depends on how well you can judge the size of the tasks. In addition, you must allow for the unknown; for example, your user base and resources may not be completely known, and hidden tasks may be uncovered as the implementation proceeds.

    If at all possible, avoid setting a final implementation date until the inventory and design phases are completed. Plan to take care of the urgent requirements first, and then phase in the remainder of the organization. If careful planning and analysis are done initially, the implementation will progress smoothly and will speed up as the administrator becomes more familiar with the Web service security software, the environment, and the security administration function.

    Product Training
    Trained individuals who understand the dynamics of Web environments and the features and functions of the product make the most successful implementation of your Web service security possible. Therefore, it is important that you schedule product training as part of the overall deployment schedule. Different groups need different training: administrators, application programmers, and end users each have their own needs. The investment in training pays back through higher operational efficiency, increased product utilization, and fewer administration mistakes and security risks.

    In many organizations Web service security is a critical but often overlooked component of e-business or e-commerce project deployment. It requires the same attention and coordination that any other important component of the project does. With careful planning and concerted efforts from upper management to end users, Web service security can become a business enabler rather than an afterthought.


    Computer Associates eTrust Security
    Computer Associates eTrust Access Management provides policy-based dynamic security for critical business assets, ensuring end-to-end access control across multiple platform and application boundaries. It provides complete solutions for securing both Web and system resources and proactively prevents intrusions. By integrating WebSphere and other application servers into one consolidated security management layer, it enables new, secure online services today and provides a foundation for building Web services solutions in the future.

    About the Author

    Peiyin Pai is the eTrust brand marketing manager at Computer Associates. He is responsible for marketing strategy and communication, brand management, and product direction of several security products in the eTrust portfolio. Peiyin has worked in the IT industry since 1987 in a variety of roles, including marketing, software development, quality assurance, technical support, and project management. He has been actively managing security projects since 1996.
