Let me explain our situation in more detial. Due to budget and manpower
constraint, we plan to have only two sets of web-app-db server infrastructure
(currently we only have one set).
We have the following types of web applications:
1. Internet app with no-login and non-critical DB access.
2. Internet app with login and non-critical DB access.
3. Intranet app with no-login and non-critical DB access.
4. Intranet app with login and non-critical DB access.
5. Internet app with no-login and critical DB access.
6. Internet app with login and critical DB access.
7. Intranet app with no-login and critical DB access.
8. Intranet app with login and critical DB access.
Now our question is, how should we segregate the apps onto the two sets of
infrastructure?
Option 1: (1,2,3,4) in infrastructure 1, (5,6,7,8) in infrastructure 2
Reason: segregation by whether app needs to access critical data
Option 2: (1,3,5,7) in infrastructure 1, (2,4,6,8) in infrastructure 2
Reason: segregation by whether app require login or not
Option 3: (1,2,5,6) in infrastructure 1, (3,4,7,8) in infrastructure 2
Reason: segregation by whether app is internet or intranet
Option 4: (1,2,3,4,6, 8) in infrastructure 1, (5,7) in infrastructure 2
Reason: apps which accesses critical DB and do NOT require login poses the most
risk
...
The list can go on and on and on... What's the industry best practice to handle
this type of problem? Thanks.
-------------------------------------------------------------------------
Sponsored by: Watchfire
It's been reported that 75% of websites are vulnerable to attack. That's
because hackers know to exploit weaknesses in web applications.
Traditional approaches to securing these assets no longer apply. Download
the "Addressing Challenges in Application Security" whitepaper today, and
see for yourself.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw
--------------------------------------------------------------------------
