home-metier    Home Sample-Unix     Hypo Notpd-Webtg     Hypo Dnote     Dnote - Notpd    Dnote - Mailbx     Dnote - Webtg     BI & business
intro problem    digi-Web v1    digi-Web v2    digi-Web v3    top  bottom

Business logic & data using Webthing

Security opertating Design
Management of hypothetical business application on Linux.
  1. Suppose our hypothetical application is named "DigiNotepad".
  2. It has stored code and data on the host (Unix).
  3. It needs to be connected using a webbased approach (webthing Unix).

The sample is covering the basic principles of implementing applications (business) on Linux. Linux is just a Unix variant, these samples will apply to all Unix variants.


Webthing - Diginote - The security challenge

Inventarization - requirements

Problem
WebThing is a generic service running at key "RUNWD" operationa support by "BEHWD" and administrated by "ADMWD".
Spawned process out of WEbThing are running at key "EXECWD" None of those keys have access to the appl01 of "DIGINOTE"

unsafe Solution root-other
The most fast way is to ingore all security requirements.
Run the WebThing by the system root key.
Do not any segregation with business data or logic. Open all access with directories/files with the others level

As security to the business data should be taken serioulsy, this proposal should not be taken serious.
It will get a working environment fast.
leaking of the data(business), losing control of it, is soon to be expected. This is not an accident or failure in the implementation. It is a missing strength calculation, blameworthy by design.

legal Solution well secured -1
Make the keys of WebThing member of the connected business applications like "appl01_sp" and "appl01_bp".

secure 3 Solution well secured -2
Make:


secure 3 Solution well secured -3
Make a difference with confidential/secret data (harmfull) and public/restricted (painless) data.
The confidential/secret data should not easily got open or bypassing the security. The public/restricted data may not be seen normally, when this by accident happens it will not cause much damage.
With this classification a simplification could be achieved withoud needing many rigid segregations.


WebThing - Static webpages appl--

Static webpages like images documentation to the users are after development not to be changed anymore.
The content is likley to be public or restricted. It will not contain any information that will be harmfull or otherwise being sensible as informtion leading to some persons/companies or describing something special to them.

WebThing - Dynamic webpages appl--

The dynamic webpages are most likely to be build with personal/company inforamtion. This information could be sensible. It should not to hand over to possible anybody in a uncontrolled way.

An special way to connect dynamic webpages is to generate thes by programs. Not having stored something on physical locations. This is a very secure way to these pages as they do not exist. It is the program that generates the page that will become critical. In such a program necessary checks are possible and required.

Data encryption, network encryption are addtional measures to be taken.



intro problem    digi-Web v1    digi-Web v2    digi-Web v3    top  bottom

legal

DigiNote to Webthing -v1

The most simplified approach is allowing the tool WebThing in the same way as all the other users of DigiNote

Proposal -v1

Make the keys of WebThing member of the connected business applications like "appl01_sp" and "appl01_bp".

Implementation-v1

The key-s (WebThing): "RUNWD" and "EXECWD" must be connected to every group used by the business applications.

These are(all): "appl01_sd", "appl01_bd" "appl01_st" , "appl01_bt" "appl01_sa" "appl01_ba" and "appl01_sp" , "appl01_bp" for one business application
unsafe

Shortcomings of DigiNote to Webthing -v1



intro problem    digi-Web v1    digi-Web v2    digi-Web v3    top  bottom

secure 3

DigiNote to Webthing -v2


Proposal -v2

Implementation-v2

additional connection groups WebThing - DigiNote
Needed are five (5) additonal groups.
  1. webappl - connection to static business pages.
    "RUNWD" and "EXECWD" to be added with this group
    All the appl--_s? keys also should get this group.
  2. webappld - connection to dynamic business pages.
    "EXECWD" to be added with this group
    "RUNWD" to be added in case of physical files are created
    All the appl--_bd keys and necessary personal keys also should get this group.
  3. webapplt - connection to dynamic business pages.
    "EXECWD" to be added with this group
    "RUNWD" to be added in case of physical files are created
    All the appl--_bt keys and necessary personal keys also should get this group.
  4. webappla - connection to dynamic business pages.
    "EXECWD" to be added with this group
    "RUNWD" to be added in case of physical files are created
    All the appl--_ba keys and necessary personal keys also should get this group.
  5. webapplp - connection to dynamic business pages.
    "EXECWD" to be added with this group
    "RUNWD" to be added in case of physical files are created
    All the appl--_bp keys and necessary personal keys also should get this group.


additional changes structure DigiNote
As proposal use a directory with te naming "www" to the web connection
Statical pages to be kept at the business locic side.
D map
F file
D
F
key:
group
key:
group
D
D
F
F
appl01_sd:
webappl
appl01_sd:
webappl
appl01_st:
webappl
appl01_st:
webappl
appl01_sa:
webappl
appl01_sa:
webappl
appl01_sp:
webappl
appl01_sp:
webappl
Role/Person - D T A P
/appl//appl01_d/www D RSX */3 R-X R-X R-X
/appl//appl01_d/www/* F */2 RW= */4 R-= R-= R-=
/appl//appl01_t/www D --- */5 R-X R-X R-X
/appl//appl01_t/www/* F --- R-= R-= R-=
/appl//appl01_a/www D R-X R-X
/appl//appl01_a/www/* F R-= R-=
/appl//appl01_p/www D R-X
/appl//appl01_p/www/* F R-=

As all the files used with webinterface must be present within the directory and the files must be copies (promoted deployed), the actions for configuration and versioning are clear.



Dynamic pages to be kept at the business data side.
map
file
D
F
key:
group
key:
group
D
D
F
F
appl01_bd:
webappld
appl01_bd:
webappld
appl01_bt:
webapplt
appl01_bt:
webapplt
appl01_ba:
webappla
appl01_ba:
webappla
appl01_bp:
webapplp
appl01_bp:
webapplp
Role/Person - D T A P
/data//appl01_d/www D RST */3 ---
/data//appl01_d/www/* F R== */5 ---
/data//appl01_t/www D --- RST
/data//appl01_t/www/* F --- R== */5
/data//appl01_a/www D RST
/data//appl01_a/www/* F R== */5
/data//appl01_p/www D RST
/data//appl01_p/www/* F R== */5




unsafe

Shortcomings of DigiNote to Webthing -v2



intro problem    digi-Web v1    digi-Web v2    digi-Web v3    top  bottom

secure 3

DigiNote to Webthing -v3


Proposal -v3

Make a difference with confidential/secret data (harmfull) and public/restricted (painless) data.

This will require an alignment with the business. Discussion of risk analyses.

Implementation-v3

additional connection groups WebThing - DigiNote
Needed are four (4) additonal keys WEbthing. Many more if needed by business requirements osnob
  1. webappld - connection to dynamic business pages. www update access, src/data read.
    moreover copy of "EXECWD" tailored to business
    All the appl--_bd keys and necessary personal keys also should get this group.
  2. webapplt - connection to dynamic business pages. www update access, src/data read.
    moreover copy of "EXECWD" tailored to business
    All the appl--_bt keys and necessary personal keys also should get this group.
  3. webappla - connection to dynamic business pages. www update access, src/data read.
    moreover copy of "EXECWD" tailored to business
    All the appl--_ba keys and necessary personal keys also should get this group.
  4. webapplp - connection to dynamic business pages. www update access, src/data read.
    moreover copy of "EXECWD" tailored to business
    All the appl--_bp keys and necessary personal keys also should get this group.


The goal of these dedicated keys is to achieve a more secure segregation.
unsafe

Shortcomings of DigiNote to Webthing -v3




intro problem    digi-Web v1    digi-Web v2    digi-Web v3    top  bottom
home-metier    Home Sample-Unix     Hypo Notpd-Webtg     Hypo Dnote     Dnote - Notpd    Dnote - Mailbx     Dnote - Webtg     BI & business

© 2012 J.A.Karman (02 may 2012 - PK )