2008 Security Forecast: 'Least Privilege' Engineering Will Gain Momentum
Allendale, New Jersey, January 8th, 2008 - Guardian Digital, the open source security pioneer, forecasts an increased need for comprehensive control over Internet and employee resources with 'least privilege' engineering in 2008. "Most vendors don't stress least privilege enough in their development architecture, especially with the increasing threats from human error and employee liability" says CEO Dave Wreski. "Security in 2007 has shown just how effective attackers can be at gaining authorized access to corporate resources. One of the best ways to protect against this is to lock down application access, not just user access."
Analysts are in agreement that phishing attacks will increase to an unprecedented level in 2008, especially targeted attacks made possible from social networking sites. As a result, Guardian Digital forecasts the new year will mark renewed buzz on the advantages of 'least privilege' in platform and application development.
Least privilege is the concept of giving access to applications based only on what is required for them to work, and no more. Pursuing this strategy can provide a tremendous benefit for security. Since application access is minimized, corporate resources remain much more secure, something that can be difficult when the platform and applications come from different vendors.
"The increased effectiveness of social engineering will propel least privilege back into the spotlight this year," Wreski continues. "The buzz on network security will decrease as there is an increased focus on solutions that combine platform and application development to reduce the risk of successful phishing attacks."
One example is the danger from web services. Without least privilege engineering, a tricked employee could allow an attacker to run an exploit on an Apache web server through a browser. Robust development driven by 'least privilege' can restrict this from within the application architecture, not just based on the privilege of the exploited user. If done properly, the web application can be engineered to explicitly run only the processes necessary, and will "jail" the attackers exploit, stopping it dead.
This requires experienced engineering that comes from developing both the operating platform and the applications, and integrating security into both. "Vendors that develop both," says Wreski "will be in a better position to successfully integrate least privilege into the corporate environment. We are proud to have emphasized this strategy with EnGarde Secure Linux since our founding in 1999 and will look to take advantage of the increased focus as the year progresses."
About Guardian Digital:
You cannot post until you login.