
It’s All about the Applications

In my previous SecurityWeek column, I wrote about Managing Security with the Business in Mind and briefly discussed the importance of taking an application-centric approach to security policy management. I’d like to drill down into that a bit more, because critical applications fuel the business and there is often a disconnect between the business requirements and the security policy. Aligning the two will ultimately improve security (e.g., by safely removing firewall rules no longer in use because their applications were decommissioned) and allow IT to keep up with the dynamic needs of the business (e.g., by processing changes much more quickly and enabling faster service delivery). The problem is, it’s not that simple!

To quickly recap, complexity is a killer of security and agility. Yet complexity rules our networks. As businesses have become more application-centric in terms of processing and storing critical data, the way these applications talk to other components in the network has become much more convoluted. A synch point for just one application may need to cross multiple policy enforcement points, and individual firewall rules may support multiple applications. We’ve spun a web of complexity with many interdependencies across what can amount to thousands of rules on hundreds of devices, spread out all over the world. You get the point.

The sheer complexity of any given network and all of these application-related interdependencies can lead to a lot of mistakes, whether opening security gaps or, most likely, causing outages and disruptions to key applications, segments of the network or even possibly the entire network. According to recent research, application-related firewall rule changes cause outages, breaches and/or decreased network performance for 80 percent of responding organizations.

Applications Drive the Business

The first step is to recognize that we’re in an application-driven business environment. If a critical application is down or performing at a non-peak level, the business will suffer. At a technical level, this means understanding that most firewall changes are driven by business applications, and understanding the impact of each change on those applications and on the network by making sure that you can associate every firewall change request with the appropriate application. The change process is where things often fall down (as the 80 percent figure cited above shows). Today’s enterprise systems have become super-interconnected with other systems both inside and outside of the company walls, and having visibility of all of this is very important, both from the perspective of security professionals and business personnel.
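One way to put the rule-to-application association to work, as an added example that is not from the original column: given an inventory that ties each firewall rule to the applications it supports, it lists rules that can be retired, rules with no recorded owner, and the applications a change would touch. The rule IDs, device names, application names and status values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    device: str
    apps: frozenset  # applications whose connectivity depends on this rule

# Constructed sample inventory (hypothetical names, not from the column).
APP_STATUS = {"payroll": "active", "crm": "active", "legacy-fax": "decommissioned"}
RULES = [
    Rule("r-101", "fw-edge-1", frozenset({"payroll"})),
    Rule("r-102", "fw-edge-1", frozenset({"crm", "legacy-fax"})),  # shared rule
    Rule("r-201", "fw-dc-2", frozenset({"legacy-fax"})),
    Rule("r-202", "fw-dc-2", frozenset()),  # no application recorded
]

def removable_rules(rules, app_status):
    """Rules whose every associated application is decommissioned.
    An application missing from app_status counts as still in use."""
    return [r.rule_id for r in rules
            if r.apps and all(app_status.get(a) == "decommissioned" for a in r.apps)]

def unowned_rules(rules):
    """Rules with no application association: review, do not auto-remove."""
    return [r.rule_id for r in rules if not r.apps]

def change_impact(rule_id, rules, app_status):
    """Applications not known to be decommissioned that a change could disrupt."""
    for r in rules:
        if r.rule_id == rule_id:
            return sorted(a for a in r.apps if app_status.get(a) != "decommissioned")
    raise KeyError(rule_id)

if __name__ == "__main__":
    print("safe to remove:", removable_rules(RULES, APP_STATUS))
    print("needs an owner:", unowned_rules(RULES))
    print("impact of changing r-102:", change_impact("r-102", RULES, APP_STATUS))
```

The shared rule r-102 stays in place because an active application still depends on it, which is the interdependency that makes unmapped rule cleanup risky.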

Applications Store and Process a Lot of Valuable Information

Step two is to recognize that valuable information – what the bad guys are after – is often stored behind vulnerable applications. Do you have visibility of the application connectivity needs and how data is flowing across your network?

Each business application within an organization should have an associated data classification so security personnel can effectively define controls around specific applications that are storing/using valuable data.

Since we all know we can’t possibly plug every hole in the dam, it comes down to putting our resources to use in the most effective and efficient way possible so we get the biggest bang for our buck. Oftentimes, organizations spend a whole lot of time (and money) building strong security controls around applications containing public data that have minimal or no impact on revenue generation.

If we go back to the concept of managing security with the business in mind, security teams should be providing value to the business lines they serve. Too often this concept gets lost in the day-to-day grind, but the business is what provides our paychecks and at the end of the day everything security does should be to serve the business. Efficiently classifying data used by business critical applications is one effective way of doing just this.

Once classifications are in place, the next step is to map application data flows, including all egress and ingress data flows to enterprise systems. You can gain additional value by mapping vulnerabilities to these data flows to understand how an application is exposed (Tip – look for systems with sensitive data classifications with egress data flows to less secure systems). For example, a highly secured application that is storing or processing personally identifiable information (PII) is leaving data exposed if the application flow has the data moving to a vulnerable or poorly secured system.
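The tip above as a runnable check, added here as an illustration and not taken from the original column: each data flow carries the classification of its application's data, and a flow is flagged when its destination is approved for a lower classification, has open vulnerabilities, or is missing from the inventory. The classification scale, system names and vulnerability counts are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed scale: a higher number means more sensitive data.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "pii": 3}

@dataclass(frozen=True)
class System:
    approved_level: int  # highest classification the system is approved to hold
    open_vulns: int      # unresolved vulnerability findings on the system

@dataclass(frozen=True)
class Flow:
    app: str
    data_class: str
    src: str
    dst: str

# Constructed sample inventory (hypothetical names).
SYSTEMS = {
    "hr-db": System(3, 0),
    "dwh": System(3, 2),
    "report-srv": System(1, 4),
    "web-cdn": System(0, 1),
}
FLOWS = [
    Flow("hr-portal", "pii", "hr-db", "report-srv"),
    Flow("hr-portal", "pii", "hr-db", "dwh"),
    Flow("hr-portal", "pii", "hr-db", "vendor-sftp"),
    Flow("marketing-site", "public", "cms", "web-cdn"),
]

def exposed_flows(flows, systems):
    """Return (flow, reasons) for flows that carry data to a weaker destination."""
    findings = []
    for f in flows:
        level, dst, reasons = LEVEL[f.data_class], systems.get(f.dst), []
        if dst is None:
            reasons.append("destination not in inventory")
        else:
            if dst.approved_level < level:
                reasons.append("destination approved for lower classification")
            if level >= LEVEL["confidential"] and dst.open_vulns:
                reasons.append(f"{dst.open_vulns} open vulnerabilities on destination")
        if reasons:
            findings.append((f, reasons))
    return findings

if __name__ == "__main__":
    for flow, reasons in exposed_flows(FLOWS, SYSTEMS):
        print(f"{flow.app}: {flow.data_class} {flow.src} -> {flow.dst}: {'; '.join(reasons)}")
```

The public-data flow to the CDN is not flagged even though that system has an open finding, which keeps attention on the flows where sensitive data is actually exposed.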

The complexity of today’s networks, the business’ demand for always-on accessibility and availability, and the advanced threat methods being used today make security tougher to manage than ever before. If we step back and look at this through an application lens, we can set ourselves up for better security that enables the business to run effectively and efficiently.
