Re-thinking the Access Control List for Web Application Security
For many people when they hear about Access Control Lists (ACLs) they cringe at the bad memory of applying policies on legacy security products. They acutely know the pain of managing a long list of IP addresses and struggling to keep each ACL up to date by adding new IPs, or removing old ones, and spending hours updating access across different parts of their organization. And let’s ignore the fact that remembering why a particular IP address is denied access is close to impossible. The headaches were nothing but time-consuming.
Distil has recently spent time thinking about, and re-imagining, the Access Control List (ACL). This week we announced the launch of the web application security industry’s first Universal Access Control List (ACL) that offers a policy-based approach to whitelisting and blacklisting website user access across Distil’s web and API security products. With this feature users are able to define clear-cut rules that apply for all of their website; whether it is for their entire domain, for specific paths, or for their APIs, and once the policy is defined, it is then applied to specific resources.
Prior to this announcement, users of the Distil platform had two separate sets of ACLs; one within the website product, and one within the API security product. With bot threats increasingly attacking both the website and APIs, it is important that these solutions converge to help defenders simplify configuration and management.
Imagine you want to block a cloud-hosting provider. You may know their IP ranges today, but what happens when they add some IPs and remove others. How are you updating your IP lists map to their specific changes? Rather than leaving it as your problem to fix, at Distil we provide our customers with the ability to just type out the organizations that they want to allow or block, and we automatically perform the constant dynamic mapping constantly rechecking all the IPs to make sure they only include what’s supposed to be in that organization.
The same principal applies to countries. IP addresses aren't always assigned country by country, even though there is a general sense of geo IP information. But if you want to block a specific country, or whitelist another, you can’t just set a static IP range and then leave it alone. With the Universal ACL, Distil manages the IP addresses per country for every customer, saving time for the security administrator.
Another key differentiator is that unlike traditional ACLs that offer limited response based solely on IP address, this update allows users to whitelist or blacklist based on IPs, countries, organizations, tokens, device hi-def fingerprints, user agent and referrers. This level of granularity allows you to control access to web properties down to the specific device.
Furthermore, the Universal ACL allows you to apply policy to specific domains, and down to specific paths. This level of control in a simple to use interface that doesn’t require the writing of rules helps defenders easily take care of policy management, configuration and updates.
The benefits of this new approach to businesses are simple. Rather than manually tailoring an ACL for each new domain, web defenders can create a universal ACL, configure access rules, and add multiple domains to the list – saving time and money.
About the Author
Edward Roberts leads Product Marketing and has over twenty years experience in technology marketing. Previously he worked for Juniper Networks, heading up Product Marketing for the Counter Security team. Before that he ran marketing for Mykonos Software, a web security company.More Content by Edward Roberts