Runsafe:Assure Sufficient Resources
Assure Sufficient Resources for Proper System Care
If you are responsible for implementing a web or other computing service it is very important that you assure sufficient resources are available for the design, procurement, implementation, and regular maintenance of that service. If it is important enough to implement, it is important enough to take care of properly to assure that the service remains in operation and any confidentiality or integrity needs are met. Additionally, it is important that it not be compromised and subsequently used to attack other systems.
A publicly accessible network resource needs special care in its initial setup. In addition, it needs regularly scheduled monitoring of system patches, system operational characteristics, log files, and system backups. For many platforms and applications, these tasks can be highly complex in nature requiring dedicated and experienced technical staff.
University of Virginia's guidelines suggest a server will take sixteen or more hours per month to administer properly. Budget planning, hiring procedures, staffing, and job descriptions should reflect the need for this maintenance.
While this monitoring can be done manually, such efforts result in response times that are tied to the manual procedures which may not be appropriate for sensitive systems. In addition, the monitoring is often tedious, complex, and detail oriented which can lead to mistakes and oversights. Aftermarket software can automate this functionality and should be considered part of the cost of providing a service along with the hardware and functional software.
In addition to ongoing maintenance, today's development projects often encompass many architectures, products, and technologies. Depending upon the level of your involvement with each component, you or your project team may need to be aware of a wide variety of issues. For example, a safe deployment of a web application may involve taking into account implementation and development issues in any of the following environments:
- Core operating system issues in Unix or Windows
- Web server issues in Internet Information Services or Apache
- Web development issues in server and client side scripting and components
- Issues with transaction processors or application servers like Tuxedo or MTS
- Backend database issues with Access, Oracle, or MySQL
Issues with authentication, file access controls, authorization, encryption, and network access controls often cross OS, web server, web development, application server, and database realms.
Proper training is essential.
The tasks of initial system design, setup, performance tuning, and operational monitoring are complex and time consuming. It is easy to wish these tasks away when we are concentrating on implementing a new service as soon as possible while consuming as few resources as possible. However, doing so will result in a service that is not properly protected or provisioned. It may result in loss of availability, confidentiality, and/or integrity and it may result in the use of the service platform by an outside party to perform an attack on other sites.