Page 18 - GCN, Aug/Sept 2017

CYBER RESILIENCE
SPONSORED CONTENT
RISE TO THE CHALLENGE OF APPLICATION SECURITY
Long treated as an afterthought, application security is now a key component of an enterprise security strategy.
RANDY WOOD
VICE PRESIDENT, FEDERAL, F5 NETWORKS
FOR MANY organizations, application security has long been a hidden vulnerability—one often overlooked in cyber-planning even though it poses a significant and growing threat. Government agencies have come a long way in recognizing that it’s not enough to defend the perimeter of the enterprise. Many are just beginning to realize the enormity of the security challenge presented by their enterprise applications. Left unprotected, these applications can serve as a back door to the enterprise, leaving mission-critical data dangerously exposed.
The challenge can seem overwhelming. In many agencies, IT managers can’t even say how many applications they have. Also, the application environment has grown increasingly complex. As agencies use cloud and mobility to extend applications to users, wherever they are and whatever device they might be using, they are further exposing their data.
Unfortunately, application security defies an easy fix. Many legacy applications were developed at a time when application security was an afterthought at best. Retrofitting a security solution might be a necessity, but it’s far from ideal. This will become less of an issue over time as new applications are being architected with security in mind.
In developing any solution, agencies must keep in mind the end-user application experience. Solutions that restrict access or impede performance won’t succeed. As we’ve seen in the past, when users get frustrated, they often look for work-arounds that compromise security.
Still, as daunting as it seems, application security is achievable. Here are three thoughts to keep in mind when developing a strategy:
First: The best policy is zero trust. Trust no application, no user and no traffic flow. Instead, rely on strong, multi-factor authentication to provide access to all applications and related resources. At the same time, don’t make it overly complicated. A user should be able to sign on to the network once, with the backend system managing access control.
Second: You can’t secure what you can’t see. For a long time, encryption has been the key. Developers rely on Secure Sockets Layer (SSL) technology to protect data in transit. That has proven to be a double-edged sword. In some high-profile data breach cases, hackers used SSL to mask data they were exfiltrating, making it difficult for agencies to understand what was happening until it was too late. In the case of outbound traffic, it’s important to provide an “air gap” in which security teams can view encrypted data as clear text, then re-encrypt it as it continues on its path. However, they must do this in a way that doesn’t tax performance too heavily.
Third: Don’t treat all applications the same. No application should be left behind, but some applications clearly require a higher level of security than others. An agency should have a comprehensive set of security policies and services tailored to address the risk level of a given application, based on the nature of the data, the service it is supporting, the context in which end-users are working, and so on.
Application security is clearly a complex challenge, and the stakes are high. But today more than ever, the tools and understanding are available to meet this challenge and strengthen the overall security of the federal enterprise.
Randy Wood is Vice President, Federal, F5 Networks.