1. Data Security in a Web Environment
Lecture 1
Bekir Morina
Applied Information Technology Programme
bekirmorina@gmail.com
2. Outline
• Data security in a Web Environment defined
• Data in a Web Environment - security concerns
• Securing data in a Web Environment
• Evaluating Systems
• Citations and references
• Summary
3. Data security in a web environment defined
• Data security in a web environment:
▫ Cloud security,
▫ Web application security,
▫ Virtual Private Network (VPN) security.
4. Data in a web environment - security concerns
• Cloud computing: security issues, risk issues, and legal aspects
▫ Security Issues: virtualization, provisioning, cloud storage, cloud operation, security, and networking
▫ Risk Issues: risk assessment, privacy and confidentiality concerns, data ownership and locale concerns, auditing and forensics, emerging threats, etc.
▫ Legal and Regulatory Issues: third parties, data privacy, and litigation
5. Data in a web environment - security concerns
• Web application security issues
6. Data in a web environment - security concerns
• Virtual Private Network (VPN) security issues
7. Securing data in a Web Environment
• The Security Principles of Saltzer and Schroeder, on design and implementation of security mechanisms:
1. Economy of mechanism: Keep the design as simple and small as possible.
2. Fail-safe defaults: Base access decisions on permission rather than exclusion.
3. Complete mediation: Every access to every object must be checked for authority.
4. Open design: The design should not be secret.
5. Separation of privilege: It’s safer if it takes two parties to agree to launch a missile than if one can do it alone.
6. Least privilege: Operate with the minimal set of powers needed to get the job done.
7. Least common mechanism: Minimize subsystems shared between or relied upon by mutually distrusting users.
8. Psychological acceptability: Design security systems for ease of use.
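Added example (not part of the original slides): principles 2, 3 and 6 above as a small Python access-control gate. The roles, objects, policy tables and the Store class are hypothetical; the exclusion-based check is included only to contrast it with the fail-safe default when a role nobody planned for appears.

```python
# Added illustration; all names (Store, PERMISSIONS, DENYLIST) are hypothetical.

# Permission-based policy: (role, object) -> set of allowed actions.
PERMISSIONS = {
    ("clerk", "invoices"): {"read"},
    ("auditor", "invoices"): {"read"},
    ("manager", "invoices"): {"read", "write"},
}

# Exclusion-based policy, shown for contrast: only listed pairs are refused.
DENYLIST = {("clerk", "payroll"), ("auditor", "payroll")}


def allowed_by_permission(role, obj, action):
    """Fail-safe default: anything not explicitly granted is denied."""
    return action in PERMISSIONS.get((role, obj), set())


def allowed_by_exclusion(role, obj, action):
    """Fail-open default: anything not explicitly excluded is allowed."""
    return (role, obj) not in DENYLIST


class Store:
    """Complete mediation: data is reachable only through access(), which
    re-checks authority on every call instead of caching an earlier decision."""

    def __init__(self, check):
        self._check = check
        self._data = {"invoices": ["inv-001"], "payroll": ["salary table"]}
        self.audit = []  # every decision is recorded, allowed or not

    def access(self, role, obj, action, value=None):
        ok = obj in self._data and self._check(role, obj, action)
        self.audit.append((role, obj, action, ok))
        if not ok:
            raise PermissionError(f"{role} may not {action} {obj}")
        if action == "write":
            self._data[obj].append(value)
        return list(self._data[obj])


def try_access(store, role, obj, action, value=None):
    """Return True if the store allowed the request, False if it refused."""
    try:
        store.access(role, obj, action, value)
        return True
    except PermissionError:
        return False
```

A "contractor" role that appears in neither table reads payroll through the exclusion-based store and is refused by the permission-based one; removing a grant from PERMISSIONS takes effect on the very next call because nothing is cached.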
8. Securing data in a Web Environment
• Securing the Cloud:
▫ Architecture (patterns and elements):
   Cloud Security Standards and Policies (NIST, ISO27001, OCTAVE-S, CC)
   Defense in depth
   Isolation (honeypots and sandboxes), etc.
▫ Data Security:
   Data categorization
   Data encryption (at rest and in motion)
   Authentication and identity
   Access control mechanisms, etc.
11. Securing data in a Web Environment
• Securing web applications:
▫ Adopt a DevSecOps Approach
▫ Implement a Secure SDLC Management Process
▫ Regular Pen-Testing and Security Audits
▫ Continuous Risk Assessment
▫ Patch Management
▫ Choose the Right Security Tools (Make sure that the security solution includes scanning tools, pen-tests, security audits, next-gen WAF, DDoS protection, false-positive management, patch management, reporting, customizable security, and encryption, among others.)
▫ Authorization, Authentication, and Access Controls
▫ Data Encryption
▫ Input Validation
▫ Maintain Proper Reporting and Documentation
13. Evaluating Systems
• FIPS 140 (a U.S. government computer security standard used for evaluating cryptographic modules)
• The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) - an international standard (ISO/IEC 15408) for computer security certification.
• The Common Criteria (CC) ≠ Creative Commons (CC)