The COVID-19 pandemic — the single most disruptive event in human history — has caused seismic shifts in how we engage with each other and the world. One of its most significant and, most likely, permanent impacts has been the acceleration of digitization in every industry, with technology becoming critical to everything we do, build and consume. The last few months have given us a glimpse into the future. Technology has enabled borderless enterprises, allowing decentralization of employment and equal opportunity for gig workers, especially women. These changes have increased democratic digital access to health care, banking, education, other essential citizen services, effective infrastructure management, and public safety, offering wider reach, and efficient implementation of benefit programs.
By Vishak Raman, Director of Security Business, Cisco India & SAARC
However, with the low-touch/no-touch economy fast becoming a reality, millions of devices and people are connected virtually. The preference for applications across the web and mobile for the delivery of all kinds of individual, corporate, and citizen services is rising. As a result, Application Security has emerged as the most urgent challenge in ensuring individuals’ and organizations’ safety and security in a new remote world, given that the threat landscape has not only widened but become far more complex.
Application Security: A Core to the New, Distributed Enterprise
and software gets deployed across new fronts such as cloud, mobile, and IoT, hackers will also have more avenues to target organizations. Therefore, putting the organization’s applications first will become a strategic move to safeguard the business’s most valued assets. There will be increased awareness and commitment to ensuring security early within the application development cycle.
DevOps has thus far been preoccupied with creating synergy between app developers and operational teams, who are often responsible for the smooth running of the business. This essentially means that security teams have little or no clarity of the app development process and come in once test cycles are already rolled out to build security layers on top of existing infrastructure. The focus on integrating security into the development and operations processes from the outset is deepening, thus shaping the DevSecOps model. Going forward, as application security programs mature, security testing during the development stage will be mandated to weed out bugs and glitches as early as possible.
As DevSecOps makes security a core aspect of building software in the development phase, there will be an organizational transformation where development and security teams understand each other’s roles better and begin to work together. Developers will be expected to have basic training in application security — basic understanding in input validation, error handling, and secure data handling when they write code.
The trend of “serverless” architectures, wherein a third-party provides the backend services as the application, which exists as programming code in the cloud, will see sustained growth. While these services are easy to use, it may be a point of concern for large organizations because their security and IT teams may not know how they operate (like unapproved storing of company data). Yet, the adaptability offered by these concepts does help to reduce the complexity of backend infrastructure for developers to a great extent.
Significant alterations are taking place in how organizations deploy and access applications, due to which we will see a subsequent change and expansion in how application security is conceptualized. Greater importance will be laid on application-level security monitoring as the application base grows, making it tougher to detect vulnerabilities in real-time. Further, visibility, segmentation, and access control will continue to gain traction. Concepts that typically come into play at the network level will be applied to applications directly.
Emerging Challenges in Application Security
So far, the focus has been on on-premise and perimeter security. The traditional approach to security, which assumed a static application environment is no longer adequate in distributed, remote environments with users accessing corporate applications from multiple devices, public and private networks, from dispersed locations. As more and more organizations switch to cloud models to enhance the agility and resilience of their core processes and workflows, next-generation applications will be in a state of constant flux, as new functions are added, and existing ones are transformed.
This is introducing complexities in the current application security infrastructure. A Cisco study shows that 39% of surveyed organizations find that they are struggling to secure applications. The most troublesome aspect is data stored in the cloud, with 52% finding it extremely challenging to secure. According to a McKinsey survey, over 70% of security leaders believe that their budgets for FY21 will shrink.
To address these challenges, security leaders are assuming a much larger and more strategic role in identifying security priorities that align with overall business goals and allow for conscious spending, while ensuring end-to-end security of corporate applications. The shift is already taking place — while security budgets are expected to reduce overall, Gartner predicts that spending in application security will witness a growth of 6.2% in 2020, making it the third-highest segment after cloud security and data security.
This is primarily because security leaders are reimagining their blueprints for off-premise application security in preparation of operations post-COVID-19, for which building these capabilities is critical:
1. Simplifying Security Through Integrated Cloud Platforms
Application updates and evolution are crucial to success in a digital-first world. Still, they are capable of taking down the business if not prevented from malicious entities. To keep pace with expanding workplace boundaries, firms need simplified application security that offers visibility on a single integrated, cloud-native platform. This platform should be able to detect hard-to-find threats and policy violations through security analytics to drive more informed actions and automate security functions, including threat investigation and remediation, for more efficient operations.
2. Assuming Zero Trust Always, Everywhere
Most importantly, the platform should be anchored in a zero-trust framework, which can support the maintenance of software-defined access control over connections within applications and across a multi-cloud ecosystem based on users, devices, and applications, not on location.
Zero Trust assumes that all environments are hostile and breached. Therefore it proactively identifies and prevents attacks, protecting data at all endpoints through multi-factor authentication, DNS-based security, EDR (Endpoint Detection and Response), data leak prevention, and enhanced SecOps. For applications, this means workload and application protection through group-level and micro-segmentation, along with the implementation of behavioral analytics for detection and response to anomalies.
3. Securing User Identity with Comprehensive User Authentication Policies
Businesses need to have the ability to first verify trustworthiness before granting access to corporate applications so that they can prevent unauthorized access, contain breaches, and reduce the risk of lateral movement through the network. For this, identifying and deploying the appropriate user authentication policies is essential. These policies help ensure that only the intended audience is accessing certain assets in an organization. The person requesting sensitive information and data is the right person to access that information. This can be achieved by implementing VPNcontrolled access to certain apps, multi-factor authentication, single sign-on, and other tools.
4. Managing Dispersed Devices and Distributed Workloads
A certain level of access control must be applied to devices as well. Until now, most organizations had employees working on devices owned and managed by the company, permitting a greater level of control. With devices owned and operated by the user coming into play, access policies must be adapted to contain access to essential applications while limiting access to the more information-sensitive ones.
Additionally, protecting cloud-based and on-premise workloads require comprehensive security policies for applications that render them invisible, effectively reducing the attack surface. These policies can also help companies gain insight into their security posture across work settings and bring in an extra level of threat intelligence by identifying and addressing vulnerabilities before an incident occurs.
5. Protecting Cloud Assets and Private Networks
As more and more company assets migrate to the cloud, increasingly accessed through private networks, security leaders are turning their attention to cloud-delivered, SaaS (software-as-a-service) security to protect their applications. This will not only help them with the incident response across the distributed network, detect threats in real-time and reduce complexities and costs, but can also provide actionable security insights and intelligence to their security teams. Furthermore, it will automatically and preemptively detect early signs of a breach, including malware, multi-staged attacks, wrongly configured cloud assets, policy violations, and misuse, and send alerts in real-time.
Leadership in Enabling Our Secure Future
Security leaders are quickly rebalancing their budgets to prioritize application security, implementing measures that will aid in saving costs and improving efficiencies in managing remote environments. In the new world post-COVID-19, as application security and privacy become indispensable necessities for organizations, security leaders will serve as the bridge between business leaders, functional leaders, and their own operations teams. They will be instrumental in accelerating their organization’s recovery and shaping its new phase of growth, with security at the center of and foundational to all business imperatives.
About the Author
Vishak Raman is the Director of Security Business, Cisco India & SAARC. He has over 20 years of experience in the Information Security Services space with stints in product management, sales, marketing, and business development.
Prior to joining Cisco, Raman was the Sr. Regional Director – India & SAARC at FireEye. He was also the Global Head of Content Delivery Network (CDN) & Managed Security Services (MSS) business at Tata Communications, for three years.
Raman was the Sr. Regional Director for Fortinet (India/SAARC region) and is credited with having built Fortinet’s Unified Threat Management success story in India/SAARC. He was also instrumental in setting up the first-of-its-kind Global Technical Assistance Center at Bangalore for providing support to Fortinet’s customers worldwide. He has worked at WatchGuard, Sify, and HCL Technologies too.
Raman holds an engineering degree in Computer Science and a Post Graduate Diploma in Business Management (PGDBM) from IIM Ahmedabad.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
This story first appeared in the October issue of CISO MAG.
Get your preview here.
Subscribe now!
EC-Council’s CISO MAG brings to you a webinar on “The Current State of Application Security.” Register now!
