March 8, 2004 - Security continues to be
the predominant concern among service providers and enterprises that
deploy mission-critical IT applications. The frequency and
sophistication of network attacks are growing with the use of automated
hacking tools, worms and viruses that inflict worldwide damage over the
Internet in just a few hours.
Trend Micro (trendmicro.com),
the world's third-largest anti-virus software provider, recently
estimated that computer virus attacks cost global businesses $55
billion in damages in 2003. The firm expects the economic and financial
impact of worms and viral attacks will continue to climb in 2004,
following an established trend. Companies lost roughly $20 billion to
$30 billion in 2002 from virus attacks, up from about $13 billion in
2001, according to various estimates.
To combat associated losses in time and
data due to network attacks and server vulnerabilities, enterprises and
service providers are increasingly adopting pre-emptive measures.
The global market for secure content management, which, according to market research firm IDC (idc.com),
includes anti-virus software, message security and Web filtering, is
expected to reach $6.4 billion in 2007, representing a compound annual
growth rate of 19 percent. Spending will also be focused on identifying
and nullifying network vulnerabilities.
IDC notes that security attacks from
worms and hackers, and industry regulations such as the Health
Insurance Portability and Accountability Act (HIPAA) and the Financial
Services Modernization Act, will drive the market for vulnerability
management to more than 30 percent growth over the next five years.
One leader in the field of vulnerability assessment is Qualys, Inc. (qualys.com). The firm is a market-leading Web service provider that offers on-demand network security audits.
Qualys' flagship service, QualysGuard,
automates network security audits and vulnerability management. More
than 1,300 organizations use QualysGuard for reliable protection from
worms and hackers and for third-party certification of network
security. QualysGuard enables organizations to measure vulnerability
risk and their security posture; enforce industry and enterprise
policies; and comply with regulations and enterprise requirements.
QualysGuard vulnerability management
provides reliable protection from worms and hackers through: continuous
discovery of hosts, services and unauthorized devices; continuous
assessment of online assets for the full range of vulnerabilities;
continuous analysis of vulnerabilities, trouble tickets and trend
reports; and remediation based on prioritized policies. Once
vulnerability assessments are conducted, QualysGuard's network security
audits deliver third-party certification of network security with
tamper-resistant audit trails that record when the security audit was
performed, what vulnerabilities were detected, how to fix them, whom
they were assigned to, and whether they were remedied.
QualysGuard leverages a foundation of
automation to solve the biggest challenges in security auditing. This
foundation includes immediate and up-to-date knowledge of
vulnerabilities, high scalability of scanning in a distributed fashion,
and complete accuracy and reliability of network audits.
The system is appealing to use because it
employs remote Web services, which means that enterprises and service
providers are not compelled to maintain sophisticated software or
hardware in order to conduct assessments, though Qualys scanner
appliances are available.
The major issue with the system, however,
is that IT staff within the organization must act to correct or "patch"
all found vulnerabilities. This can be a daunting task since the
QualysGuard scanning system over the past 23 months has found literally
millions of network vulnerabilities. Qualys itself even acknowledges
that patching can be an inefficient process. The firm conceded at the
RSA Security Conference held in San Francisco in February that patching
software flaws is still far too difficult for many organizations,
leaving them vulnerable since they have not applied all necessary
critical updates to their system. The patching method can also be
problematic due to the expenses associated with maintaining staff to
monitor and react to vulnerability assessments.
As a result, organizations will want to
be apprised of the new, emerging breed of "patch-less" systems that
attempt to exclude vulnerabilities from IT architecture. Sage Inc. (sage-inc.com), a Texas-based Web security firm, offers a secure Web appliance called the BrickServer that entirely eliminates patching.
"The necessity for patching is precluded
since all table information and other software packages are hardwired
into the kernel of the operating system," states Louis Jurgens, an
executive vice president at Sage Inc. "As a result, our system is safe
and simple to use."
The appliance, which contains
pre-configured Web/FTP software and a custom-built email server, is
secure because no alterations can be made to the software. The server
packages are all hardened, and allow for no alterations. As a result, a
BrickServer provides worry-free maintenance.
The appliance supports SSL, SSI, PHP,
Perl, Python, and Tcl. The appliance also supports database
calls via MySQL, PostgreSQL and SQL libraries, and permits
multi-domain hosting and virtual IPs.
"The appliance is quite unique and
because of this we don't have competition in the technical sense,"
states Jurgens. "Our competition are those people who choose to build
hardened Web servers by themselves. Though our box is quite
restraining, the benefit is that you don't get hacked and you don't
have to patch. We have had various versions of this product out in the
marketplace for over four years and no one has broken into our boxes."
Jurgens also notes that the BrickServer
product is quite popular because it reduces costs. "We have spoken with
a number of good-sized IT shops and received overhead estimates about
patching. We know that between 12 percent and 50 percent of IT
resources are allocated to this task. We estimate that most
corporations and service providers can save 20 percent of IT overhead
and time if that patching task was eliminated. Our product aims to do
this."
The BrickServer utilizes a security model
called process-based security that replaces user-based or discretionary
access with mandatory access controls that invoke rules of least
privilege and separation of duties. Consequently, the device prevents
unauthorized access to system-level functions, creating a secure Web
appliance.
"Our device is a system administrator's
most frustrating product, because he actively cannot make modifications
to it -- but that's why it is so secure," states Jurgens.
While such a system might be constraining
to those requiring constant updates to their Web server, US government
departments and e-commerce shops that require static and secure
deployments have in contrast embraced the system to eliminate network
and server vulnerabilities and decrease costs.
Sage Inc. is actively working on
de-coupling its hardened operating system from its BrickServer device,
in order to license it to Web hosting firms. The company believes that
a value-added marketplace might emerge around hardened servers for
outsourced hosting customers as IT security becomes a top concern
amongst mid-sized enterprises.
About the Author
Rawlson O'Neil King is a contributing editor and analyst at the Web
Host Industry Review. Before joining theWHIR, Mr. King was Director of
Corporate Communications at WebHosting.Com. During his tenure there he
established ineedsupport.com, the first branded destination customer
care site in the shared hosting industry. He has prior experience as an
IT consultant who served non-profit organizations, government and
private industry. He holds a Bachelor of Journalism degree from
Carleton University.