The top questions to ask your web application security provider


Heartland Payment Systems, a company which processes payments for more than 250,000 businesses, is itself still paying for the financial fallout from a 2008 data breach in which tens of millions of credit and debit card transactions were compromised. Heartland will disburse up to $140 million in settlements and class-action lawsuits.


“As I've gone around the country talking to people, there's a lot of chutzpa that this can't happen to them. The bad guys know all about the security methods employed in the industry. We need more humility. Those who feel comfortable with their security should ask themselves how they feel about their vulnerability to insider threats.”
- Robert Carr, CEO of Heartland Payment Systems Inc. [2]

This damage was caused by a single piece of malicious software, a "keylogger/sniffer" [1], put in place by a hacker using a technique widely available on YouTube that targets web applications.

We know hackproof systems do not exist.  Short of refusing to do business online, there is no perfect defense against malicious activity on the Internet.  However, if online abstinence is not a possibility for your company, there are ways to effectively manage your information risk through the following process:

  • Create an information risk management strategy and proactively implement policy
  • Educate employees
  • Design and implement the right technology solution
  • Audit systems and policies
  • Insure against liability

Internet security has recently hit an inflection point; the latest proliferation of low-cost, cloud-based security services is incentive enough for all of us to take a closer look at web application defense.

1. What is a web application and how do we use them in our business?

A web application is any type of interactive software that runs in a browser.  Any action on the web other than reading and basic navigation requires a web application, including 

  • Online calendars
  • Web-based email
  • Personal online profiles (LinkedIn, Facebook, eHarmony)
  • Google Anything

Millions of Americans use web applications to file their income taxes and manage their online banking information.  How do your customers use the web to do business with you?

2. But my network is protected. Isn't my network firewall enough?

Network firewalls protect networks and infrastructure.  Web app defenses protect e-commerce, software, and the databases associated with your valuable information. 

Customers use web applications to interact with the software and information behind the network layer; such interactions require an intentional "gap" in the network's defense.  These intentional openings require their own kind of specific protection.

3. What are my total costs for maintaining application-level security?

This depends on whether you install a hardware appliance or choose a Software-as-a-Service security solution.

If you purchase a physical appliance, expect to spend between $30,000 and $80,000 for a single box, plus operational costs of around $30,000, trained headcount, recurring fees for service, hardware maintenance, and software updates (These "soft costs" can be as much as 3x the initial investment in the hardware).  Also, for redundancy purposes, you'll need two physical appliances. 

As your business scales, so will these costs.

If you choose to activate a Software-as-a-Service web application security solution, your total cost of ownership can be as low as a monthly fee of $99 - $3,000.

4. What are the other benefits of using a Software-as-a-Service web application defense?

The best SaaS solution activates within minutes and scales dynamically to fit changing business requirements.  Updates occur invisibly.  A true cloud security solution, unlike an appliance, adds no additional burden to your personnel, infrastructure, or network performance.

Cloud-based security can globally leverage the experiences of every user of the same service.  As information about new types of malicious behavior is detected at the site of one customer, all the users of the same service become protected.  Without being aware of it, companies using the same service mutually benefit from the experiences of each other.

5. Is "the cloud" mature enough to handle my security?

It has been for some time. "The cloud," after all, is merely a new name for a collection of technologies that predate the Internet itself. Many large enterprises, including several members of the Fortune 500, entrust the security of their web applications to a cloud-based solution, such as XyberShield.

6. What are the potential problems with cloud-based security?

Be aware of two problems worth avoiding: 

  • Many cloud-based systems require you to host your protected data on their servers, rather than your own. You lose a measure of control over your own data.
  • They may act as proxies, directing every single piece of web traffic through their own remote site before it gets to your site. This introduces an additional level of complexity, and slows down the customer experience because the service has to filter and examine every single piece of web traffic. Latency increases.

No-host, no-proxy solutions exist, and are gaining market share.

7. How do they work?

No-host, no-proxy solutions, such as XyberShield, typically ask the user to install a small piece of code on the top level of their web server.  This script is in constant communication with the provider's remote server center, where all the heavy lifting is done from a computational side.

This very light approach places all the work of protection squarely on the resources of the solution provider, while allowing the customer to maintain complete control of their own data, unlike a hosted solution.  No web traffic is re-routed for filtering purposes (the challenge with a proxy).

The script on the server observes all actions in every single session of website use.  The instant that inbound malicious activity is detected, the defensive system is aware and can take action, either warning the visitor, diverting them to another website, or blocking them outright.

Additionally, the service correlates information from all the sessions of every website protected by the service, to improve the security for all users of the solution.
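The agent-and-remote-service design of questions 6 and 7, together with the cross-customer correlation described in question 4, as an added example in Python that is not XyberShield's or Xecuritas's code: VerdictService is an assumed in-process stand-in for the provider's remote server center, and the thresholds, warning header name and holding-page URL are constructed for illustration.

```python
# Added example (not XyberShield's or Xecuritas's code) of the no-proxy design:
# an agent on the web server asks an assumed, in-process stand-in for the
# provider's remote decision center what to do with each request.
from collections import defaultdict
ALLOW, WARN, DIVERT, BLOCK = "allow", "warn", "divert", "block"

class VerdictService:
    """Assumed stand-in for the provider's server center: counts requests per
    (client, site) and keeps one blocklist shared by every protected site."""
    def __init__(self, warn_after=5, block_after=10):
        self.counts = defaultdict(int)
        self.shared_blocklist = set()  # pooled intelligence across customers
        self.warn_after, self.block_after = warn_after, block_after
    def verdict(self, client_ip, site):
        if client_ip in self.shared_blocklist:  # already flagged at another site
            return DIVERT
        self.counts[(client_ip, site)] += 1
        n = self.counts[(client_ip, site)]
        if n > self.block_after:
            self.shared_blocklist.add(client_ip)  # every other site now benefits
            return BLOCK
        return WARN if n > self.warn_after else ALLOW

class AgentMiddleware:
    """The small script on the web server: observes each request in place and
    warns, diverts or blocks; traffic is never re-routed through a proxy."""
    def __init__(self, app, service, site, divert_url="https://holding.example/"):
        self.app, self.service, self.site, self.divert_url = app, service, site, divert_url
    def __call__(self, environ, start_response):
        verdict = self.service.verdict(environ.get("REMOTE_ADDR", "?"), self.site)
        if verdict == BLOCK:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked"]
        if verdict == DIVERT:
            start_response("302 Found", [("Location", self.divert_url)])
            return [b""]
        extra = [("X-Security-Warning", "request-rate")] if verdict == WARN else []
        return self.app(environ, lambda status, hdrs: start_response(status, hdrs + extra))

def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def simulate(middleware, client_ip):
    """Send one constructed request through the agent; return (status, header names)."""
    seen = {}
    def capture(status, headers):
        seen["status"], seen["names"] = status, [k for k, _ in headers]
    list(middleware({"REMOTE_ADDR": client_ip}, capture))
    return seen["status"], seen["names"]
```

A client that crosses the block threshold on one site is diverted on every other site sharing the same service, which is the pooling effect question 4 describes.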

To view a collection of videos showing a SaaS web application security solution in action, click here.

To find out how Xecuritas can assist you in defending your web applications, help you qualify for PCI compliance, and protect your trusted, valuable information, visit us online at www.xecuritas.com/xybershield.

References:

[1] Thomas Claburn, "Heartland Payment Systems Hit By Data Security Breach," InformationWeek.

[2] Bill Brenner, "Heartland CEO on Data Breach: QSAs Let Us Down," Computerworld.

Disclaimer: All comments posted in a personal capacity