Multifunction security device safeguards SOA, streamlines company's infrastructure

An Edinburgh insurance and pensions company has used an appliance to improve its application security and to streamline its infrastructure. Learn what the application security tool has done to improve the company's overall security posture.

Securing a complex infrastructure migration involving hundreds of mission-critical data services is no easy task. However, following a recent appliance implementation, Edinburgh-based Standard Life PLC was able not only to streamline an unruly IT infrastructure, but also greatly improve application security.

The company is migrating from a small number of large mainframes to a collection of smaller servers, which should allow greater scalability and more flexibility in the way it provides services.

Standard Life has been a pioneer in the use of service-oriented architecture (SOA) framework, which allows the reuse of coding components. Its roughly 500 business services, or distinct coding modules, are mixed and matched to provide services for 200 applications, said Joe Phillips, a SOA enterprise architect with Standard Life.

More on application security
Protecting enterprise networks from new mobile application downloads

Phillips said the increasingly distributed architecture quickly became more complex, due in large part to the many application components, as well as SOA support services like caching and load distribution. There were also concerns that the more distributed architecture would make it harder to ensure the security of mission-critical Web applications, and adding more network devices would not be a viable strategy.

"It became clear that if we continued with that approach, we'd have a proliferation of boxes to maintain," Phillips said. "We drew up some topologies and it was beginning to look complex, and when we added in the infrastructure required to host the application server components, our diagrams were getting pretty big!"

In an attempt to simplify its IT architecture and augment application security, Phillips began looking for a way of centralising some of those key functions into a single device. "When you cross out all that edge-of-network stuff and replace it with one box (or two actually, for standby), it looks a lot simpler," he said. "The attraction of an application form-factor that was rich in functionality and simple in footprint was quite alluring."

Philips wanted a device that could handle application load balancing between the multiple servers, as well as provide security against application-based attacks, such as SQL injection. "We looked at a number of vendors featured in the Gartner reports," he said. After a detailed scoring exercise, which looked at performance, functionality ease of use and the reputation of the different vendors; the BIG-IP appliance from F5 Networks Inc. came out on top.

Deciding factors included not only the technology, he said, but also that F5 is well established in the financial-services industry, and has a local office in Scotland, close to Standard Life's Edinburgh headquarters.

The BIG-IP architecture allows for different modules to be implemented, each of which perform a specific function, so Standard Life initially opted for modules to manage load balancing, caching of traffic (to boost performance) and the Application Security Module (ASM), which acts as a Web application firewall.

The single appliance, installed near the end of 2009, has resulted in a much tidier IT environment. "The alternative would have been to put in a lot of different software," Phillips said. "It was much faster and more efficient to install the single box. And it will scale to levels way beyond what we will need."

The appliance sits in the DMZ between the outside world and the internal systems, where it deals with ingoing and outgoing HTTP requests. Its custom-built hardware is able to decrypt incoming requests, analyse them, decide where they need to go (Standard Life has multiple websites), then re-encrypt them and send them on their way.

"Other software could [perform the aforementioned functions], but the fact that we can do the Web application firewalling, the caching, the HTTP load inspection and routing, all in one place with the same administration tools, is compelling. We could build systems to do the same thing, but this appliance has purpose-built hardware that makes it much more efficient."

Standard Life operates two data centres on either side of Edinburgh, and has installed a BIG-IP in each location for redundancy. At any one time, one appliance is active and the other is in standby mode. If any update is needed, that is done on the standby machine, and then the operations staff triggers a failover to switch appliances.

The ASM module provides Standard Life with a further layer of defence against threats such as SQL injections attacks and cross-site scripting.

Although the company is using source code analysis tools to improve security of individual programs, the dynamic nature of e-commerce means that systems are subject to frequent changes. The ASM provides a further layer of defence by checking incoming requests to detect any dubious traffic before it reaches the Web application. Even if a program change had introduced some new vulnerability, the ASM would be able to trap any attempted attack before it was able to cause any damage.

"It gives us strength in depth," Phillips said. "We don't want to let things through that look like attacks, but we also want to have code that protects against attacks."

He said configuration of the ASM is still at an early stage, but in time it will allow Standard Life to exert detailed control over each application and how it is used. "We will make enhanced use of the functionality of the F5 Web application firewall. It takes work, but the appliance can be configured on an application-by-application basis. Someone with application knowledge has to teach the appliance about the nuances of the application, and what is and isn't expected," he said.

According to Phillips, the ASM will also help with compliance by enforcing security policy, for instance, controlling the transfer of credit card numbers in order to comply with the Payment Card Industry's Data Security Standard (PCI DSS).

Owen Cole, F5's U.K. technical director explains: "In the case of PCI compliance you can set the policy to stop any string of 16 digits that looks like a credit card number. You can configure the ASM to substitute asterisks for the first 12 digits, for instance. It means that if something horrible happens within the application, or it is compromised in some way, the digits won't get out. That is set by policy."

If auditors detect any errors in code during one of their regular reviews, the ASM can buy time until the error is corrected. "Flaws in code can sometimes take time and money to remediate, but ASM's firewalling gives the intelligence to plug the hole," Cole said. "They still need to fix the hole, but they have the agility and flexibility in the network to make application-based decisions to allow you to carry on. Otherwise, you might be prevented form taking credit cards until you fix the hole in the code."

Read more on Application security and coding requirements