In this blog, we look at how taking a Zero Trust approach to developing and provisioning apps can help to prevent security breaches.
Guest blog from Simon Minton, Global Cyber Security Advisor at Cisco
The security threat of using apps
Sharing meeting notes. Processing customer transactions. Logging expenses. Signing contracts. More and more business processes are getting the app treatment. And that means more and more data is being exposed to potential security threats.
How businesses are using the cloud
To ensure apps deliver on stakeholders’ agility and efficiency expectations, organisations are increasingly using the cloud to provision functionality to users both in the workplace and beyond. Apps aren’t just being provisioned via the cloud; they are being developed in the cloud too – and that introduces another layer of complexity and risk.
Cloud-native development enables organisations to build and update apps quickly. But the speed at which apps evolve can result in security being overlooked – especially as organisations increasingly bring application development back in-house due to its strategic and competitive importance.
Join the DevSecOps revolution
The need to balance security with agility has given rise to a new operating model in the app development world. DevSecOps isn’t just about adopting new processes and tools; it’s about adopting a new mindset in which everyone in the app lifecycle is responsible for security – whether they are a developer, a business stakeholder or a user.
What is DevSecOps?
DevSecOps shifts security from a bolt-on activity late in the process of application development, when much of the architecture has already been defined, to a fundamental part of the design, build and continuous delivery.
In order for DevSecOps principles to take root in an organisation, developers need to be encouraged to take ownership of security, much like they are incentivised to develop metrics around application availability and performance.
Reducing the impact of data breaches when using apps
Most data breaches occur from two interlinking scenarios; an exploitation of either the application itself and/or exploitation of the infrastructure hosting the application. Several recent high profile breaches occurred because of a misconfiguration of the supporting cloud infrastructure. The shared security model adopted by all cloud providers puts the onus on its customers to ensure that cloud services are properly configured.
Ensuring developers and IT security teams work together to proactively remediate misconfigurations in an application or infrastructure can help to reduce the impact from an incident or breach. Data analytics will be increasingly important for both teams when pinpointing application and cloud misconfigurations as well as malicious activity.
Monitoring solutions that leverage machine learning and behavioural modelling can provide visibility of activity not only on the network but also within the development environment and across cloud resources – which can act as an early warning of a potential security breach on an app or within the broader ecosystem.
For example, Cisco Stealthwatch collects and analyses network and cloud telemetry and correlates threat behaviours seen locally within the enterprise with those seen globally to detect anomalies that might be malicious.
To trust or not to trust?
Advanced threat detection solutions can also help to identify policy violations and misconfigured cloud assets that could compromise the future security of an app. But visibility into potential app vulnerabilities needs to go one step further.
With internal and external developers increasingly using internet-based open source elements, such as software libraries, to accelerate time-to-market, apps have become a patchwork of unseen – and often unknown – components. All of which could introduce unexpected risks and dependencies.
Around 80% of an enterprise application is created using open source software libraries downloaded from the internet. Organisations often have very limited understanding of the risks inherent in these libraries or lack the policies needed to remediate known vulnerabilities.
Adopting a Zero Trust approach to app development
By adopting a Zero Trust approach (where everything must be validated before it can be trusted) to app development, organisations will be able to identify potential security flaws much earlier. This will not only save time and money but also avoid reputational damage.
A Zero Trust approach can also be extended beyond the development stage to the entire lifecycle of the app. Users and devices accessing apps also need to be regularly validated to ensure they are not trying to launch an attack or steal data.
By getting smarter about how they provision and develop apps from the cloud, organisations will be able to protect thousands of employees and customers and provide a richer and safer app experience.