In this blog, we look at how taking a Zero Trust approach to developing and provisioning apps can help to prevent security breaches.
Guest blog from Simon Minton, Global Cyber Security Advisor at Cisco
The security threat of using apps
Sharing meeting notes. Processing customer transactions. Logging expenses. Signing contracts. More and more business processes are getting the app treatment. And that means more and more data is being exposed to potential security threats.
How businesses are using the cloud
To ensure apps meet stakeholders’ agility and efficiency expectations, organisations are increasingly using the cloud to deliver functionality to users both in the workplace and beyond. Apps aren’t just being provisioned via the cloud; they are being developed in the cloud too, and that introduces another layer of complexity and risk.
Cloud-native development enables organisations to build and update apps quickly. But the speed at which apps evolve can result in security being overlooked – especially as organisations increasingly bring application development back in-house due to its strategic and competitive importance.
Join the DevSecOps revolution
The need to balance security with agility has given rise to a new operating model in the app development world. DevSecOps isn’t just about adopting new processes and tools; it’s about adopting a new mindset in which everyone in the app lifecycle is responsible for security – whether they are a developer, a business stakeholder or a user.
What is DevSecOps?
DevSecOps shifts security from a bolt-on activity late in the application development process, when much of the architecture has already been defined, to a fundamental part of design, build and continuous delivery.
For DevSecOps principles to take root in an organisation, developers need to be encouraged to take ownership of security, much as they are already incentivised to meet metrics for application availability and performance.
Reducing the impact of data breaches when using apps
Most data breaches stem from two interlinked scenarios: exploitation of the application itself, exploitation of the infrastructure hosting it, or both. Several recent high-profile breaches occurred because the supporting cloud infrastructure was misconfigured. The shared responsibility model used by cloud providers puts the onus on the customer to ensure that the cloud services they consume are configured correctly: the provider secures the underlying platform, not the customer's settings on top of it.
Ensuring that developers and IT security teams work together to find and remediate misconfigurations in an application or its infrastructure before they are exploited, rather than after, reduces the impact of an incident or breach. Data analytics will be increasingly important for both teams in pinpointing application and cloud misconfigurations as well as malicious activity.
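The kind of check the paragraph above calls for, as an added example that is not code from the original post or from Cisco: a small policy gate that a CI pipeline runs over the cloud resources an app is about to deploy and that blocks the deployment while any misconfiguration remains. The resource inventory format, the sample resources and the rules are assumptions made for this example; a real pipeline would build the inventory from a Terraform plan, a CloudFormation template or the provider's API, and the rules would follow the organisation's own policy.

```python
"""Pre-deployment misconfiguration gate (added illustrative example).

Assumptions, not part of the original post: the resource inventory
schema below is invented for this example; a real pipeline would build
it from a Terraform plan, a CloudFormation template or the cloud
provider's API, and the rules would be tuned to the organisation's policy.
"""
import ipaddress

# Constructed sample inventory; none of these resources exist.
SAMPLE_RESOURCES = [
    {"id": "bucket-customer-exports", "type": "storage_bucket",
     "public_access": True, "encryption_at_rest": False},
    {"id": "bucket-build-artifacts", "type": "storage_bucket",
     "public_access": False, "encryption_at_rest": True},
    {"id": "sg-app-servers", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "0.0.0.0/0"},
                 {"port": 5432, "cidr": "10.20.0.0/16"}]},
    {"id": "db-orders", "type": "database",
     "publicly_accessible": True, "encryption_at_rest": True},
]

# Ports that should never be reachable from the whole internet (assumed policy).
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_storage_bucket(r):
    findings = []
    if r.get("public_access"):
        findings.append((r["id"], "PUBLIC_BUCKET", "bucket is readable by anyone"))
    if not r.get("encryption_at_rest"):
        findings.append((r["id"], "UNENCRYPTED_BUCKET", "encryption at rest disabled"))
    return findings


def check_security_group(r):
    findings = []
    for rule in r.get("ingress", []):
        # 443 to the world is normal for a web tier; SSH or a database port is not.
        if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
            findings.append((r["id"], "WORLD_OPEN_ADMIN_PORT",
                             f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def check_database(r):
    findings = []
    if r.get("publicly_accessible"):
        findings.append((r["id"], "PUBLIC_DATABASE", "database has a public endpoint"))
    if not r.get("encryption_at_rest"):
        findings.append((r["id"], "UNENCRYPTED_DATABASE", "encryption at rest disabled"))
    return findings


CHECKS = {"storage_bucket": check_storage_bucket,
          "security_group": check_security_group,
          "database": check_database}


def find_misconfigurations(resources):
    """Return (resource_id, rule_id, detail) for every policy violation.

    A resource type with no policy is itself a finding, so the gate fails
    closed instead of silently waving through something nobody has reviewed.
    """
    findings = []
    for r in resources:
        check = CHECKS.get(r["type"])
        if check is None:
            findings.append((r["id"], "NO_POLICY", f"no check defined for type {r['type']}"))
            continue
        findings.extend(check(r))
    return findings


def deployment_allowed(resources):
    """The CI gate: deploy only when no finding remains."""
    return not find_misconfigurations(resources)


if __name__ == "__main__":
    for rid, rule, detail in find_misconfigurations(SAMPLE_RESOURCES):
        print(f"{rid}: {rule}: {detail}")
    print("deploy allowed:", deployment_allowed(SAMPLE_RESOURCES))
```

Run against the sample inventory the gate reports the public, unencrypted export bucket, the SSH port open to the internet and the database with a public endpoint, and refuses the deployment; the artefact bucket and the HTTPS rule pass. Failing closed on unknown resource types is the deliberate choice here: a new service that nobody has written a policy for is exactly the one most likely to be misconfigured.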
Monitoring solutions that leverage machine learning and behavioural modelling can provide visibility of activity not only on the network but also within the development environment and across cloud resources – which can act as an early warning of a potential security breach on an app or within the broader ecosystem.
For example, Cisco Stealthwatch collects and analyses network and cloud telemetry and correlates threat behaviours seen locally within the enterprise with those seen globally to detect anomalies that might be malicious.
To trust or not to trust?
Advanced threat detection solutions can also help to identify policy violations and misconfigured cloud assets that could compromise the future security of an app. But visibility into potential app vulnerabilities needs to go one step further, into the components the app itself is built from.
With internal and external developers increasingly pulling in open source components, such as software libraries, to accelerate time-to-market, apps have become a patchwork of unseen, and often unknown, components. Any of them could introduce unexpected risks and dependencies.
Around 80% of a typical enterprise application is built from open source libraries downloaded from the internet. Organisations often have very limited understanding of the risks inherent in these libraries, or lack the policies needed to find and remediate known vulnerabilities in them.
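What such a policy looks like in practice, as an added example that is not code from the original post or from Cisco: a build-time gate that inventories the app's declared dependencies, rejects any that are not pinned to an exact version (an unpinned dependency is an unknown component by definition), and fails the build when a pinned version falls inside a known-vulnerable range. The lock file, the package names and the advisory records below are all constructed for this example and are fictional; a real gate would read the project's lock file or SBOM and query an advisory feed such as OSV or the GitHub Advisory Database.

```python
"""Dependency policy gate (added illustrative example).

Assumptions, not from the original post: the package names, versions and
advisory records below are invented; a real gate would read the lock file
or SBOM and an advisory feed such as OSV or the GitHub Advisory Database.
"""
import re

# Constructed sample requirements file. Every package name is fictional.
SAMPLE_REQUIREMENTS = """\
# web tier
widgetparse==1.4.2
tokenkit[crypto]==3.2.0 ; python_version >= "3.8"
examplelib>=2.0          # floating version: the build is not reproducible
formutil==0.9.1
"""

# Constructed advisory feed: a version is affected when
# introduced <= version < fixed. The IDs are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "widgetparse", "introduced": "1.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-0002", "package": "widgetparse", "introduced": "0.5", "fixed": "1.0"},
    {"id": "EXAMPLE-0003", "package": "tokenkit", "introduced": "3.0", "fixed": "3.2.0"},
]

# name, optional [extras], then whatever version specifier follows.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")


def parse_requirements(text):
    """Yield (name, pinned_version_or_None) for each requirement line.

    Comments and environment markers are stripped; only an exact '==' pin
    counts as pinned, so '>=', '~=' and bare names come back as None.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, spec = m.group(1).lower(), m.group(2).strip()
        yield name, (spec[2:].strip() if spec.startswith("==") else None)


def version_key(v):
    """Numeric components of a dotted version: '1.5.0' -> (1, 5, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_lt(a, b):
    """a < b with the shorter tuple zero-padded, so '1.5' == '1.5.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def is_affected(version, adv):
    return not version_lt(version, adv["introduced"]) and version_lt(version, adv["fixed"])


def evaluate_policy(requirements_text, advisories):
    """Return one finding per policy violation: UNPINNED or VULNERABLE."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        if version is None:
            findings.append({"package": name, "status": "UNPINNED",
                             "detail": "pin an exact version so the build is reproducible"})
            continue
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({"package": name, "status": "VULNERABLE",
                                 "detail": f"{adv['id']} affects {version}; upgrade to {adv['fixed']}"})
    return findings


def build_allowed(requirements_text, advisories):
    """The CI gate: the build proceeds only with an empty findings list."""
    return not evaluate_policy(requirements_text, advisories)


if __name__ == "__main__":
    for f in evaluate_policy(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{f['package']}: {f['status']}: {f['detail']}")
    print("build allowed:", build_allowed(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES))
```

On the sample file the gate flags widgetparse 1.4.2 (inside the 1.0 to 1.5.0 range of EXAMPLE-0001, but outside the older 0.5 to 1.0 range) and the unpinned examplelib; tokenkit 3.2.0 is exactly the fixed version and passes. The range comparison is the part worth getting right: version strings compare numerically component by component, not as text, or 1.10 would sort below 1.9.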
Adopting a Zero Trust approach to app development
By adopting a Zero Trust approach to app development, in which nothing is trusted until it has been verified, organisations can identify potential security flaws much earlier. This not only saves time and money but also avoids reputational damage.
A Zero Trust approach can also be extended beyond the development stage to the entire lifecycle of the app. The users and devices accessing an app need to be validated continually, on every access rather than only at login, to ensure they are not being used to launch an attack or steal data.
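The runtime side of that approach, as an added example that is not code from the original post or from Cisco: an access decision evaluated on every request that checks the session token's signature and expiry, confirms the token was issued to the device making the request, checks the device's current posture, and demands a fresh login for sensitive actions. The request's source address is deliberately never consulted, which is the point of Zero Trust: being on the corporate network earns nothing. The HMAC-signed token format, the in-memory posture table, the device identifiers and the thresholds (24 hours for posture, 15 minutes for step-up) are all assumptions made for this example; in production the token would come from the identity provider and the posture data from the device-management or attestation service.

```python
"""Per-request Zero Trust access decision (added illustrative example).

Assumptions, not from the original post: sessions are HMAC-signed tokens
minted by this same module, device posture comes from an in-memory table,
and the thresholds (24 h attestation, 15 min step-up) are example policy.
"""
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-example-key-do-not-reuse"  # constructed for this example only
SENSITIVE_ACTIONS = {"export_customer_data", "rotate_api_keys"}
MAX_ATTESTATION_AGE = 24 * 3600   # device posture older than this is stale
STEP_UP_AFTER = 15 * 60           # sensitive actions need a login fresher than this

T0 = 1_700_000_000                # fixed "now" so the example is deterministic

# Constructed device posture table: device_id -> last reported state.
DEVICE_POSTURE = {
    "lap-1042": {"managed": True, "patched": True, "attested_at": T0 - 3600},
    "lap-2099": {"managed": True, "patched": False, "attested_at": T0 - 600},
    "byod-77": {"managed": False, "patched": True, "attested_at": T0 - 60},
}


def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, device_id, issued_at, ttl, key=SECRET_KEY):
    """Token = base64url(payload) '.' base64url(HMAC-SHA256(key, payload))."""
    payload = json.dumps({"sub": subject, "dev": device_id, "iat": issued_at,
                          "exp": issued_at + ttl}, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b64u(payload) + "." + b64u(sig)


def verify_token(token, now, key=SECRET_KEY):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64u_decode(payload_b64), b64u_decode(sig_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    return claims if now < claims["exp"] else None


def device_compliant(device_id, now):
    """Managed, patched and attested recently; an unknown device is non-compliant."""
    p = DEVICE_POSTURE.get(device_id)
    return bool(p and p["managed"] and p["patched"]
                and now - p["attested_at"] <= MAX_ATTESTATION_AGE)


def authorise(request, now):
    """Decide one request as (allowed, reason). request['source_ip'] is never read."""
    claims = verify_token(request["token"], now)
    if claims is None:
        return False, "invalid or expired token"
    if claims["dev"] != request["device_id"]:
        return False, "token was issued to a different device"
    if not device_compliant(request["device_id"], now):
        return False, "device posture not compliant or not recently attested"
    if request["action"] in SENSITIVE_ACTIONS and now - claims["iat"] > STEP_UP_AFTER:
        return False, "step-up required: re-authenticate for sensitive action"
    return True, "allowed"


if __name__ == "__main__":
    token = mint_token("alice", "lap-1042", T0, 3600)
    for action, now in [("view_dashboard", T0 + 60), ("export_customer_data", T0 + 1800)]:
        req = {"token": token, "device_id": "lap-1042", "action": action, "source_ip": "10.1.2.3"}
        print(action, authorise(req, now))
```

The same valid token is accepted for a routine action from the internet and rejected for a data export half an hour after login; a token presented from a different device, an unmanaged or unpatched device, an expired token and a token signed with the wrong key are all refused with a specific reason, which is what an incident responder will want in the access log.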
By getting smarter about how they provision and develop apps from the cloud, organisations will be able to protect thousands of employees and customers and provide a richer and safer app experience.
Well it’s that time of the year and no well-meaning blog would be complete without some predictions for the coming year. I canvassed some of my team for their views so that we can look back next year and see if they have potential parallel careers as fortune tellers!
First up is Paul who thinks we will see lots of continued uncertainty in the Mobile OS market, with a surprising upswing in Windows Phone and fight back by Blackberry to maintain adoption in Enterprise – that won’t be matched in the consumer world. Somewhat polar to market commentary and headlines – so something to keep an eye on!
Next up is Pete who believes SSD (Solid State Disk) will become standard, across all traditional PC client devices. The cost difference for spindle and solid state has reached such a small difference that the performance benefits and reduced failure rates will outweigh this small price difference. Hmmm, could be good news for Samsung and Kingston!
Pete also thinks we’ll see the death of the docking station (again 🙂 ) – as we move towards more choice and more mobile devices, the desire and ability for a consistent docking experience will be surpassed by wireless peripherals and connected screens.
Next one up from the team is not necessarily good news for the industry and somewhat inevitable in the climate but there is the expectation that at least one major ‘pure play’ reseller (read no services division) will either go under or get swallowed up in 2014.
David in Services also suggests that we might see a short-fall in available UK resources to tackle the backlog of Enterprise Windows XP users that still haven’t migrated – caused by the product formally going ‘end of life’ in April 2014. Not sure if this is a prediction or wishful thinking!!
Finally, we move to Tina and Software. First prediction is that we will see Big Data move into the mainstream as people stop talking about it and start to use information to underpin their business models. Whilst 2014 will also be the year that we see the number of software vendors used within Enterprise estates increase as a result of the users opting for smaller ‘app like’ line-of-business tools and not the over specified and under-utilised tools they have today.
Personally, I think that we will continue to be ‘S.M.A.C.ked’ (Social, Mobile, Analytics and Cloud) as a major theme and as the “nexus of forces” continues to empower users through technology and information it will make 2014 disruptive and stimulating for everybody involved in Workplace IT.
So there you have it, down in black and white for judgement next year. I’d be really interested to hear your own predictions for the coming year (related to Workplace IT of course!).
I hope you have a great Christmas break, and see you all in 2014!