Visit the architecture page for suggestions on secure layout.

Since the engine is accessed through a directory-like syntax, you can easily manage access privileges using the Apache "Location" directive. For example, you may want to disallow any external access to the engine:

<Location /ath>
    Order deny,allow
    Deny from all
</Location>

Perhaps internally you have two networks, one more privileged than the other, for example an application server network and a monitoring network. You want to grant the application network update and status rights, but give the monitoring network only status rights:

<Location /ath/update>
    Order deny,allow
    Deny from all
    Allow from APP_NETWORK
</Location>
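
The two-network layout described above, written out in full for Apache 2.4, where Require replaces Order/Deny/Allow (those remain available only through mod_access_compat). This is an added example, not configuration from the original page: the address ranges are placeholders and the /ath/status path is an assumption.

```apache
# Added example, Apache 2.4 syntax (mod_authz_core / mod_authz_host).
# 192.0.2.0/24    placeholder for APP_NETWORK (application servers)
# 198.51.100.0/24 placeholder for the monitoring network
# /ath/status     assumed path for the status feature

# <Location> sections are applied in the order they appear, so the
# broad default-deny section comes first and the narrower ones follow.
<Location /ath>
    Require all denied
</Location>

# Update rights: application network only.
<Location /ath/update>
    Require ip 192.0.2.0/24
</Location>

# Status rights: application and monitoring networks.
<Location /ath/status>
    Require ip 192.0.2.0/24 198.51.100.0/24
</Location>
```

Run apachectl configtest after editing, then confirm from a host outside both ranges that requests under /ath return 403.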

Security for this tool is all about who can access what from where. Think carefully and consider who can reach these features, and then control them tightly using the Location directives: