Assessing security of Web services, part one |
 |
EXPERT RESPONSE FROM: Donald Flinn
|
|
|
|
| > |
QUESTION POSED ON: 16 June 2003
What would you recommend as a way for a company to assess whether or not its Web services were secure?
|
|
| > |
The answer to this question will be a set of general guidelines for assessing the security of your Web services because the details of a securing a site is highly dependent on the individual business, e.g. the size of the business, the value of the resources to be protected, the type of access to be allowed to potential partners, suppliers and customers, etc.
I recommend a three-step approach to examining the security of your Web services:
- Perform a risk analysis of your companies assets
- Match the security that you are using for each class of assets against the value of the asset.
- Assess the security architecture of your site
These steps will require a non-trivial amount of work by you and your associates owing to the specific risk tolerance and asset valuation of your particular company. You will have to adapt the general security principals that I will lay out to the way your company uses and values the importance of its assets.
Turning to step #1, I would recommend starting out with three categories of risk, High, Medium and Low. You will probably expand these categories as you delve into the assessment but it is best to start out simply. High-risk assets are those that would cause very serious damage to your company if they were compromised. This might be the result of a bogus, large purchase order, i.e. financial risk, or disclosure of sensitive customer data, i.e. reputation risk. Medium risk assets are those whose compromise would hurt the bottom line or result in a temporary black eye but not be threatening to the survival of your company. Low risk assets are those whose compromise would have a negligible effect on your business. Some companies may have no high-risk assets, e.g. no individual transaction would have a devastating effect on the business, but this condition is rare. There are usually some critical assets to be protected. However, in general, most businesses have a small number of assets in the high-risk category.
I recommend starting your evaluation by concentrating on protecting your high-risk assets, then look at the security of the medium risk assets, putting aside work on the low risk assets until after you have examined and made any corrections to the first two categories.
Click to view part two of this answer.
|
|
|
|
|
|
|
|
Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and
answer pairs from more than 250 TechTarget industry experts.
|
|
|
|
|
|
|
|
|
|
|
|
