S 5.168 Secure connection of background systems to web applications
Initiation responsibility: Head of IT, Persons responsible for individual applications
Implementation responsibility: Administrator
Web applications frequently use background systems, for example to store data in a database or to authenticate users against an identity store. The data processed by the web application must also be adequately protected while it is transmitted to and stored in these background systems. The background systems must therefore be connected securely to the web application.
Typical background systems for web applications include:
- databases,
- directory services,
- middleware,
- web services, and
- legacy systems.
The following points should be taken into consideration regarding the secure connection of background systems to web applications.
Positioning of and access to the background systems
The users of the web application should not be able to access the background systems directly, since this would allow the security safeguards of the web application to be bypassed. Instead, access should only be possible via the predefined interfaces and functions of the web application. Accordingly, the data traffic between the users, the web application, and the background systems should be controlled by security gateways (firewalls), so that the background systems can only be reached from the web application.
Furthermore, in the event of high protection requirements, the connection between the web application and the background systems should be additionally protected. For this, the systems involved should authenticate each other before any data is transmitted and encrypt the transmitted data, so that it cannot be read or modified without authorisation (e.g. using SSL/TLS; see also S 5.66 Use of TLS/SSL).
If the IT systems involved communicate over insecure channels, a cryptographically secured tunnel providing both encryption and authentication should always be used, irrespective of the protection requirements.
Access to the background systems should always be performed with minimum rights. For this purpose, dedicated service accounts should be created for the web application on the respective background system, granted only the privileges the web application actually requires.
If only one service account is used to access a background system, all queries are executed in the security context of this account, regardless of whether they originate from a user with limited access rights or from an administrative user. To avoid this, several service accounts with different access rights should be used for one background system, and the web application should select the account according to the access rights of the user currently logged in.
In a suitable system environment (e.g. if the same directory service is used for user administration both by the web application and by the background system), the identity of the user logged in to the web application can be passed on to the background system. In this way, the privileges used on the background system can be limited to those that the respective logged-in user requires.
It must be ensured that a separate service account with limited authorisations is used in the directory service for unauthenticated accesses to the web application (i.e. for users who have not logged in).
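The following example illustrates the preceding points (transport protection of the connection to the background system, a service account per privilege level, a separate low-privilege account for unauthenticated access, and forwarding the logged-in user's identity). It is an added example and not part of the safeguard text: the account names, role names, host name and certificate paths are assumptions, and forwarding the identity via SET ROLE is one PostgreSQL-specific way of realising the directory-service scenario described above. The connection parameters use the real libpq names (sslmode, sslrootcert, sslcert, sslkey), but nothing here opens a network connection.

```python
"""Least-privilege service account selection and TLS checks for the
connection between a web application and its database backend.

Added illustration; account names, role names, host and paths are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One service account per privilege level on the background system
# (assumed names). Each would be created on the database with only the
# GRANTs that level needs, e.g. web_anon: SELECT on public tables only.
SERVICE_ACCOUNTS = {
    "anonymous": "web_anon",   # unauthenticated visitors, read-only
    "user":      "web_user",   # logged-in users
    "admin":     "web_admin",  # administrative functions only
}

# Transport settings shared by all accounts (assumed host and CA path).
# verify-full is the only libpq mode that encrypts AND checks that the
# server certificate matches the host name, i.e. authenticates the server.
TLS_BASE = {
    "host": "db.internal.example",
    "sslmode": "verify-full",
    "sslrootcert": "/etc/webapp/db-ca.pem",
}


@dataclass(frozen=True)
class Session:
    """Security context of the web application user making the request."""
    authenticated: bool
    role: Optional[str] = None
    username: Optional[str] = None


def select_service_account(session: Session) -> str:
    """Pick the database account for this session, failing closed.

    Unauthenticated sessions and unknown roles always get the
    least-privileged account, never an elevated one."""
    if not session.authenticated:
        return SERVICE_ACCOUNTS["anonymous"]
    if session.role not in SERVICE_ACCOUNTS or session.role == "anonymous":
        return SERVICE_ACCOUNTS["anonymous"]
    return SERVICE_ACCOUNTS[session.role]


def connection_params(session: Session) -> dict:
    """Build libpq-style connection parameters for the session.

    Each service account authenticates to the database with its own
    client certificate (mutual TLS); the certificate paths are assumed."""
    account = select_service_account(session)
    params = dict(TLS_BASE)
    params.update({
        "user": account,
        "sslcert": f"/etc/webapp/certs/{account}.crt",
        "sslkey": f"/etc/webapp/certs/{account}.key",
    })
    return params


def tls_findings(params: dict) -> list:
    """Review check: why a parameter set fails 'authenticate, then encrypt'.

    Returns a list of findings; an empty list means the settings are OK."""
    findings = []
    mode = params.get("sslmode", "prefer")  # libpq's default is 'prefer'
    if mode in ("disable", "allow", "prefer"):
        findings.append(f"sslmode={mode}: connection may be plaintext")
    elif mode in ("require", "verify-ca"):
        findings.append(f"sslmode={mode}: server host name is not verified")
    if mode != "disable" and "sslrootcert" not in params:
        findings.append("no sslrootcert: server certificate not bound to a CA")
    if "sslcert" not in params or "sslkey" not in params:
        findings.append("no client certificate: server cannot authenticate the application")
    return findings


# Whitelist for role names taken from the directory service: a strict
# pattern prevents identifier injection when the name is put into SQL.
_IDENT = re.compile(r"[a-z][a-z0-9_]{0,62}")


def set_role_statement(username: str) -> str:
    """Forward the logged-in user's identity to PostgreSQL with SET ROLE.

    The service account must be a member of the user's role; every query
    afterwards runs with that user's privileges instead of the account's."""
    if not _IDENT.fullmatch(username):
        raise ValueError(f"refusing to build SET ROLE for {username!r}")
    return f'SET ROLE "{username}"'
```

In practice tls_findings would be run over the configured connection parameters as part of the review of the web application (compare the review questions below), and select_service_account would be called once per request before a connection is taken from the pool for that account.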
Review questions:
- Is it only possible to access background systems of web applications using defined interfaces?
- Is the data traffic between the users, the web application, and the background systems controlled by security gateways (firewalls)?
- Are the connections between web applications and background systems protected by transport encryption in the event of high protection requirements?
- Is it ensured that queries of the web application to background systems are only executed on the background systems with minimum rights?