Authentication, Authorization and Accounting (AAA) are the three pillars of any digital access to a service, whether the traffic is inbound or outbound. I only sign off on a solution if all three are genuinely implemented. Yes, many security practitioners will say "I have patched the server, installed a certificate and put the servers in their own group." The answer is still no: the servers remain exposed to attack. The reason is that people who place servers in public-facing segments have long thought hard about hardening the servers themselves, but they overlook that poking a hole through the perimeter straight to a server is a dead end that risks compromising client data and privacy.
We advocate cut-through proxy authentication: the security appliance authenticates the client before any connection reaches the server, which removes the need to leave access accounts on servers sitting in the public cloud or in an organization's less secure segments.
What, then, is the solution to this issue that most people overlook? It lies in the steps below.
1. Every organization should understand that a server intended for eCommerce should trigger an authentication prompt the moment a client in the untrusted zone (the Internet) attempts to connect to it.
2. The authentication prompt should not come from the server itself; it should come from a security appliance in a trusted zone. Once the client enters its credentials, the appliance sends a query to the AAA server that holds the account database.
3. If authentication succeeds, the security appliance (let us say a high-grade firewall) redirects the client to the server and allows the connection through; the server itself never handles the credentials.
4. Clients must make sure the site they access is secure by checking that the URL of the front-end server begins with https:// rather than http://. HTTPS means the connection is protected by TLS (the successor to SSL): the server's certificate lets the browser verify that it is talking to the intended site, and the data passed between browser and server is encrypted in transit. The authentication prompt in step 2 must likewise be served over HTTPS, otherwise the credentials cross the untrusted zone in the clear.
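To make the exchange in steps 1 to 4 concrete, here is an added example that is not part of the original article and does not represent any particular vendor's implementation: a small Python model of a cut-through proxy. The AAA store, the user name, the host names and the client address are constructed for the example, and HTTP Basic authentication is assumed as the prompt only because it keeps the model short. The firewall challenges the client, checks the credentials against the AAA server, caches the authenticated session per source address, redirects the client back to the URL it asked for, and then forwards later requests with the credentials stripped, while every decision is written to the accounting log.

```python
"""Model of cut-through proxy authentication (added example, not the
article's code): the front-end firewall, not the web server, issues the
prompt, checks credentials with an AAA server, redirects the client to
the server and forwards its later requests, logging every decision."""
import base64
import hashlib
import hmac
import secrets
import time


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class AAAServer:
    """Stand-in for a RADIUS/TACACS+ server (constructed for the example)."""

    def __init__(self):
        self._users = {}       # user -> (salt, password digest, allowed hosts)
        self.accounting = []   # (time, user, event, detail)

    def add_user(self, user, password, allowed_hosts):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _pbkdf2(password, salt), frozenset(allowed_hosts))

    def authenticate(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            _pbkdf2(password, bytes(16))   # same cost for an unknown user
            return False
        salt, digest, _ = rec
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def authorize(self, user, host):
        rec = self._users.get(user)
        return rec is not None and host in rec[2]

    def account(self, user, event, detail=""):
        self.accounting.append((time.time(), user, event, detail))


class CutThroughProxy:
    """The security appliance in the trusted zone (steps 1 to 3)."""

    UAUTH_TIMEOUT = 30 * 60   # seconds an authenticated session stays cached

    def __init__(self, aaa, realm="firewall"):
        self.aaa = aaa
        self.realm = realm
        # keyed by source address, like a firewall's user-auth cache, so
        # clients sharing one NAT address also share the session
        self._sessions = {}

    def handle(self, client_ip, request, now=None):
        """request: dict with 'host', 'path', optional 'authorization'."""
        now = time.time() if now is None else now
        host, path = request["host"], request["path"]
        session = self._sessions.get(client_ip)
        if session is None or session[1] <= now:
            self._sessions.pop(client_ip, None)
            creds = self._parse_basic(request.get("authorization"))
            if creds is None:                   # steps 1 and 2: prompt
                return self._challenge()
            user, password = creds
            if not self.aaa.authenticate(user, password):
                self.aaa.account(user, "AUTH_FAIL", client_ip)
                return self._challenge()
            self._sessions[client_ip] = (user, now + self.UAUTH_TIMEOUT)
            self.aaa.account(user, "AUTH_OK", client_ip)
            # step 3: send the client back to the URL it asked for; the
            # cached session lets that retry pass with no credentials
            return {"status": 302, "location": f"https://{host}{path}"}
        user = session[0]
        if not self.aaa.authorize(user, host):
            self.aaa.account(user, "AUTHZ_DENY", host)
            return {"status": 403}
        self.aaa.account(user, "FORWARD", host + path)
        forwarded = {k: v for k, v in request.items() if k != "authorization"}
        forwarded["x-authenticated-user"] = user   # the server never sees a password
        return {"status": 200, "forwarded": forwarded}

    def _challenge(self):
        return {"status": 401, "www-authenticate": f'Basic realm="{self.realm}"'}

    @staticmethod
    def _parse_basic(header):
        if not header or not header.startswith("Basic "):
            return None
        try:
            raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = raw.partition(":")
        return (user, password) if sep else None


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def demo():
    """One client's exchange: returns the status codes and accounting events."""
    aaa = AAAServer()
    aaa.add_user("alice", "correct horse", ["shop.example"])   # constructed account
    fw, ip = CutThroughProxy(aaa), "198.51.100.7"
    req = {"host": "shop.example", "path": "/cart"}
    steps = [req,                                                       # 401 prompt
             dict(req, authorization=basic_header("alice", "wrong")),   # 401 again
             dict(req, authorization=basic_header("alice", "correct horse")),  # 302
             req,                                                       # 200 forwarded
             {"host": "admin.example", "path": "/"}]                    # 403 not authorized
    statuses = [fw.handle(ip, r)["status"] for r in steps]
    return statuses, [e[2] for e in aaa.accounting]


if __name__ == "__main__":
    print(demo())   # ([401, 401, 302, 200, 403], ['AUTH_FAIL', 'AUTH_OK', 'FORWARD', 'AUTHZ_DENY'])
```

Two points the model makes visible: the request that finally reaches the server carries no password at all, only the identity the appliance vouches for, and the accounting log records the failed attempt, the successful login, the forwarded request and the denied host, which is what lets an analyst reconstruct who touched which server. On a real appliance the same flow is a configuration rather than code (on a Cisco ASA, for example, cut-through proxy is enabled with `aaa authentication match` against an `aaa-server` group, with a `timeout uauth` that plays the role of UAUTH_TIMEOUT here); the session cache keyed by source address is also why clients behind a shared NAT address must be treated with care.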
Article by Habib Zakaria | Network Solutions Architect