Risk Management & Web Security - Part 1

Okay, you got me. What does Web Security have to do with SEO? Not much, really. But, if your web site is taken over by kA**FuKu** the master of hack, you'll wonder why you didn't consider web security sooner and why you didn't take steps to manage your risk.

The World Wide Web Consortium, the W3C, provides the following security considerations:

The Web Services Architecture Requirements document outlines a comprehensive security framework:

  1. Authentication: guarantees that the service is accessible for anyone with a verified identity.
  2. Authorization: guarantees that the authenticated person has the right to access the service or data.
  3. Confidentiality: guarantees that the data passed between the requester and provider is protected from eavesdroppers.
  4. Integrity: guarantees that the message was not modified on its path from requester to provider.
  5. Non-repudiation: guarantees that the sender of the message cannot deny that he/she sent it at a later point in time.
  6. Accessibility: ensures that the service is always accessible and that it is not impaired by attacks, like denial-of-service (DoS), from outside or inside of the system hosting the service.

A Risk Management Approach

IT professionals get schooled about managing risk. In fact, Risk Management - the practice of identifying and mitigating risk - has an entire discipline dedicated to IT Risk Management.

Now, the fundamental processes, or rather the principles of risk management, remain the same no matter what kind of risk management you're talking about. So, let's look at some of the methods of Risk Management and then relate them to our earlier recommendations.

The Steps in Risk Management

We'll begin with a Risk Management Assessment. Here, we'll identify areas where we're at risk, try to determine the likelihood of something bad happening, and try to place a value on the loss should our exposure bite us.

The idea, in a nutshell, is to see where problems could occur. Relating this to the W3C recommendations is easy enough.

The W3C says we're at risk where authenticating users is concerned. The risks are that we might allow users without authentication to access information not meant for them, or deny access to users who do have the right to view those documents.

We're also at risk where confidentiality is essential. That is, we must safeguard information from those who might listen in on our electronic dialogue without the right to do so.

Protecting the integrity of the information is another concern. We must not allow the information we send and receive to be modified in any way.

Of course, if we conduct any sort of business online we must be certain that consumers are bound to the agreements they make with us. Agreements must be binding. We certainly don't want to deliver goods and services without an assurance that we will be compensated appropriately.

And, we might be at risk if we can't stay online. We must be certain that our site and service are always accessible, not knocked offline by attacks like denial-of-service.

If we continue with the Risk Management model, we need to evaluate each of these exposures to risk in terms of likelihood and in terms of its potential impact on our business. When we've done that, we can prioritize our list and begin to plan: Risk Management Planning.

Let's assume our priorities are as follows:

  1. Accessibility
  2. Authentication and Authorization
  3. Confidentiality and Integrity
  4. Non-Repudiation

We must first assure ourselves we will stay online and stay in the game. Then, we'll be certain we know who can access what material - and who cannot - and establish measures to authenticate and authorize accordingly. Then we must be sure the data remains confidential and secure, maintaining the integrity of the data. Finally, we establish measures to make agreements binding.

When we get those things done, we'll have managed our risk according to a risk management strategy following the established risk management process.

We'll look at risk management planning in Risk Management & Web Security - Part 2.