Convenience or security - Why not both?

Meeting standards like security or performance is always a prerequisite for running an online business. However, there is always an “underground war” between the operators (ops) and the system security unit to achieve the ultimate goal of a system that is not only accessible but also safe and secure. Lack of compatibility is a common problem in many businesses, seemingly simple but needs a long-term solution to solve. Here we will analyze the pros and cons in detail along with a comprehensive solution to the core of the problem.

Convenience or security?

For an online system to operate smoothly, it is the result of contributions from many parties, of which the main ones are the operating unit and the security unit. Each party has a different preference for the system according to its expertise.

For example, an operator's priority is to create a stable system that is always available, with the goal of always keeping the system uptime 99.999%, moving to "five nines" (downtime less than 5.15 minutes per a year). Typical of a reliable enough system to keep investors and customers happy.

Meanwhile, the primary goal of the security unit is to help the system prevent any attacks and reduce the risk to an absolute level. The security unit may require an immediate system shutdown to perform the patching, which may not have considered the damage to the user.

It can be seen that, with the above approach, the operator and the security unit have to trade for each other more or less. Worse yet, as the number of servers and services grows at scale, when all services require protected and regularly monitored can easily lead to a crisis.

What is the best solution?

When it comes to patching, usually we will think of scheduled maintenance, the advantage of which is less immediate disruption and ensures continuous uptime of online services throughout weeks, even months before the next maintenance.

But the maintenance window is often not fast enough and responsive to new threats, as these vulnerabilities are often exploited very quickly, within minutes of being exposed (or even before it was discovered, e.g. Log4j).

Whether it's DevOps, DevSecOps, or any of today's popular ops, you must choose between fast patching to meet security requirements at the expense of availability or performance, or scheduled patching and acceptance security risks.

Easier said than done

Deciding what to do and how long it will take to patch is just the beginning. Sometimes, patching is not easy. For example, you can address vulnerabilities at the language level - which would affect applications written in that language, such as the CVE-2022-31626 vulnerability with PHP language.

Developers need to address vulnerabilities at the language level, where the easiest way is to update the language with a new version. Coupled with security improvements in updates are compatibility issues. That's why developers need to go through the second step: compensate for changes at the language level by rewriting the application. But that means re-doing the application tests from scratch and even needing to reapply for a license.

Just as operators want to avoid downtime, software developers also avoid having to rewrite or make major repairs on code because of the complexity of the software. work and potentially huge time consuming.

Simplify the process

You can easily see that patch management always creates conflicts on many different levels. A clear end-to-end rule (a-z) can solve the problem thoroughly, but it can also leave no one satisfied with the end result.

On the other hand, rigid policies can inadvertently create loopholes and make the patching process longer than necessary. Scheduled patches such as weekly and monthly may be seen as a temporary workaround, but only as a workaround until a major, urgent security issue emerges.

The answer lies in frictionless patching or uninterrupted patching, significantly reducing the conflict between immediate patching and delayed patching. Thanks to living patching technology, we can patch much faster than normal maintenance windows and don't need to restart the service to be able to apply the update. Patch quickly and securely, with little or even no downtime. This is a simple and effective way to resolve the conflict between usability and security.

VNIS - A comprehensive Web/App security platform for all organizations

To solve the above conflict, VNETWORK has developed and constantly upgraded VNIS (VNETWORK Internet Security) - a comprehensive Website security platform applying modern technology, providing organizations with the ultimate security solution. advantages such as:

- Cloud WAF (Web Application Firewall): Cloud WAF of VNIS is a comprehensive and versatile service that integrates more than 2,000 sets of security rules combined with CRS (Core Rule) management capabilities. Set) complex to protect your website as safe as possible against attacks on the application layer, protect the Website from the top 10 security vulnerabilities of OWASP and common attacks such as: XSS, SQL Injection, HTTP Protocol...

Besides, with the security team of VNIS's network security experts will help to continuously monitor to identify the latest potential threats to your Website and applications. Using VNIS's Cloud WAF technology, your Web/App will be secure with 3 outstanding advantages: Simplification, Built-in and Always improving.

- Origin Shield: Origin Shield is an advanced version of VNIS security suite, installed and deployed based on many top-level CDNs (Content Delivery Network), helping to deliver and monitor technical documents. digital on a global scale. The Origin Shield system of VNIS also integrates many Cloud WAF (Multi WAF) solutions, which control all access to the Origin Server and comprehensively protect layer 7 from sophisticated attacks through website and application vulnerabilities. (OWASP top 10 vulnerabilities).

In addition, Origin Shield of VNIS also manages and prevents bad Bots and allows valid Bots to request to Web Server. Origin Shield also incorporates an intelligent load balancing system (AI Load Balancing) to help increase network performance, maximize protection and recovery of origin servers.