IT Security Management

Security management is the effort to save effort...

Operative IT security in the hands of experts

A continuous upkeep of the required level of protection is most important in order to realize security measures. Dynamic technological progress requires a flexible design of security controls to identify and eliminate new vulnerabilities and to successfully block potential attackers.

Especially consequent system updating requires high staff and development investments from many companies. With our extensive Security Controls to protect internet services, you will profit from our expertise.

Additionally you will save the expenses for development of automated processes to monitor vulnerabilities, to manage patches and updates and to configure security systems. As your hosting provider, your application infrastructure is well-known to us after all, so we can answer to new threats quickly and goal-oriented.

Technical security controls
Technical security controls such as firewalls, VPNs and intrusion prevention systems provide protection regarding privacy, integrity and availability for all assets, information and data.
Procedural security controls
Procedural security controls such as software inventory, vulnerability monitoring and patch management are preventive measures to block attacks and vulnerabilities of information security.
Security audits and reviews
Security reviews check whether technical security measures and procedures relay to the risk evaluation and if security mechanisms are undergoing regular tests.

Realization of individual security policies

When defining security policies for operations, the conflict of interest that can arise between the functional design of the application and the necessary requirements of protection have to be kept in mind. Regulations in sample policies and documentations ‘in the web’ might seem sensible at first, but may not be practically applicable. Especially with complex e-commerce applications, an interdisciplinary knowledge is needed in order to design effective security rules that do not have to be adapted permanently due to functional problems.

Our experts in network and firewall systems, system administration, software development and IT security will support you with the implementation of a security policy adjusted to your needs, spanning all relevant areas such as access control, update and patch processes, data backup, encryption and protection from Denial of Service attacks.

Application Security Management

Our Application Security Service with web application firewall based on the Application Security Manager by F5 offers an effective shield of protection for both applications and data. BIG-IP ASM enables efficient blocking of elaborate threats and filtering of most illegal accesses.

BIG-IP ASM protects from the top 10 OWASP listed security threats such as Layer-7-DoS, SQL-Injection, XSS (Cross-site Scripting), Brute-Force and Zero-Day Attacks. The innovative protection also allows for blocking Heavy-URL attacks, bogus transactions and session hijacking.

The system features integrated techniques such as CAPTCHA queries and proactive functions to fend off bots. Suspicious queries are slowed down to identify bots and are then denied before they can reach the server.

A regular signature update also allows the identification of the latest attack methods. The system sends requests to the signature service of F5, updating itself automatically in the process.

Software Update Policy

An important topic of security policies are rules to upgrade system and application software. Because especially software upgrades are often procrastinated, creating a gateway for exploits, clear operation guidelines have to be set for both management and administrators.

When updating operation systems and applications, there has to be differentiated between the patch to fix security issues and the upgrade to a new software version. For both processes, we offer a software repository providing up-to-date software versions straight from the manufacturers as well as versions compiled by us.

When installing a patch, the scope of operation stays the same and compatibility issues can be ruled out. Patches are scheduled by the patch management, with an evaluation of the vulnerability information by the manufacturers regarding threat and risk levels. Ad hoc patches are signaled if implemented security measures (hardening, firewall) cannot offer enough protection from the exploitation of a vulnerability.

Just as with patches, upgrades to so-called minor releases are mostly noncritical to the functions of an application, because the changes are exclusively so-called bugfixes and small functional extensions that do not influence existing data.

Software Upgrade Policy

Major Release Upgrades

Major release upgrades are only conducted with the approval of our customer. Before installing a new major release, there has to be created an image of the productive system first. A roll back strategy regarding the storage time of images and re-conversion processes has also to be kept in mind.

If the existing data has to be converted when upgrading, the installation of the major release first has to be executed on a clone system to check its functionality. These tests have to span data compatibility, security (security audit) and side effects on other systems.

To keep the effort of major release upgrades as low as possible, the operational version of the operating system has to be updated rotationally. On systems which are vital for important operational processes, as a rule the installed software version is not to differ more than two major releases from the (latest) version released by the manufacturer. For these systems, upgrade subscriptions from the manufacturers are necessary.

Security Reviews

Rotational security reviews with our customers provide a transparent realization of security policies and display if security incidents have been dealt with in a target-oriented manner. Additionally, single processes such as Change Management are checked for their correct realization and complete documentation. If and how changes under either technical or regulatory frame conditions have to be incorporated into the security policy is also determined during security reviews.

The right way to reach a continuously high level security may be exhausting at first, but once the processes have been well-coordinated, it will become simpler than initially assumed.