Tackling app security to safeguard the future enterprise

Security Asia, a property of Network World Asia, recently interviewed three IT leaders to gather their thoughts and expert opinions on prevailing cyber security challenges and trends. The interviews were conducted in conjunction with the F5 Anticipate 2016 event in Singapore, which was themed ‘Secure Your Apps Today to Safeguard Your Future’.


Kenny Sim is head of IT Infrastructure at Six Capital, which has been described as “a data analytics fintech firm with a contrarian philosophy”.

Sim believes that cyber security poses the biggest challenge for enterprises, especially with initiatives such as Bring-Your-Own-Device (BYOD). When the majority of users access personal and social media apps as well as company resources from a single mobile device, that device indirectly opens a backdoor into the enterprise network and becomes a nightmare to support.

On mobility and IoT 

“Mobility is and will be the trend that enterprises embrace,” Sim says. “It brings a whole new ball game to the enterprise. CIOs will need to address a broad set of mobile requirements such as data mobility, application architecture, identity and security, wireless communication, management and governance.”

The burgeoning Internet of Things (IoT) will also have a very big role to play, and enterprises will have to design their security around it. “They will need to spend more on security to up their game. However the results, be they negative or positive, will very much depend on how effective the enterprise security can address those points mentioned above.”

While many have questioned the effectiveness of traditional solutions against today’s advanced persistent threats and zero-day attacks, Sim warns that these solutions are still must-haves for basic prevention.

Yet, recalling the Bangladesh Bank heist earlier this year, Sim says, “Unfortunately, enterprises are unable to effectively deal with today’s advanced attacks. Hence it is important that we be proactive and vigilant in dealing with threats and zero-day attacks.”

On the use of SSL and encryption

Amid the growth of cloud apps, mobile apps, social media and big data, “Secure Sockets Layer (SSL) and encryption are commonly in use,” Sim says. “In this new era, the recommendation would be to innovate solutions using SSL and encryption to ensure data security. For example, enterprises can choose to let service providers handle the keys instead of the in-house IT team.”

On the truth of “apps being the new web browser” and its implications for security

“With the current trend, this is definitely true,” Sim adds. “There will be a lot more risk, security and compliance involvement on all bank applications. Risk governance will play a big part in the next six to 18 months to define the framework on how the applications will be developed.”

In combating evolving cyber threats, Sim suggests the following ways through which organizations can manage the expanded attack surface created by cloud computing and mobile access:

  • Create greater awareness of cyber security risks within executive and board ranks.
  • Deploy advanced and evolving technologies, including machine-to-machine communication of indicators of compromise, and artificial intelligence through deep learning, to more quickly prevent, detect and respond to attacks.
  • Eliminate passwords as the final arbiter of identity, using multifactor authentication.
  • Reengineer networks, enhancing security controls with advanced tools and focusing on the inner layers and key organizational assets.


Eka Darmayanti is the deputy director of Information System Analysis and Evaluation at the ICT Transformation Directorate under the Directorate General of Taxes (DGT) at Indonesia’s Ministry of Finance.

Darmayanti cites data protection as the biggest security challenge for enterprises, highlighting the popular industry axiom, “data is the new currency”.

“Since we are developing more web applications to be connected with more devices, external threats can now potentially come through the web apps,” she says. For this reason, traditional solutions such as network firewalls, anti-malware, et cetera, no longer offer adequate protection against today’s advanced persistent threats and zero-day attacks. Instead, web application firewalls (WAFs) have become a necessary security appliance in the enterprise.

On mobility and IoT 

“Mobility and BYOD have been changing the way we work,” Darmayanti says. “We have to consider this technology because it is increasing enterprise productivity. However, security should be the main concern when we think about mobility strategy.”

The enterprise security challenge will be compounded by the Internet of Things, which has expanded mobility with more and diverse connected devices. “More devices connected with the Internet means increasing risk on security,” she cautions.

On the use of SSL and encryption

The challenges spawned by the era of cloud apps, mobile apps, social media and big data have meant that SSL and encryption are still mandatory to ensure data security. Darmayanti believes that SSL technology has evolved and continues to be developed to mitigate new threats.

“Moreover, users also need to consider security software in their mobile devices,” she points out. After all, emerging mobile device capabilities for accessing cloud services offer attractive opportunities for attackers who seek to compromise these devices.

On the truth of “apps being the new web browser” and its implications for security

“This is true because most of our apps now are web applications, and vulnerability will be coming from this side,” says Darmayanti.

And as cyber threats evolve and cloud computing, mobile access and IoT expand the attack surface for cyber criminals targeting an organization, the approach to IT security can no longer be the same. “We have to make sure the application can be accessed only by an authorized user,” Darmayanti adds. “We have to protect data and application either in the data center, or in the private or public cloud.”

The DGT currently provides many web applications and web services for taxpayers and other agencies, which must be available 24 hours a day, 7 days a week. To protect these apps and services, the organization requires a comprehensive solution covering application performance management, availability and security.

To improve user experience and security, the DGT deployed F5 solutions for load balancing and application performance in 2013. Then, in 2015, it deployed other F5 products to support increased performance capacity and global traffic management.

“F5 has managed traffic to our apps server to ensure continuous availability; provide security, mitigate DDoS and application-based attacks, and of course, to increase our customer experience,” says Darmayanti.


Ma. Salvacion M. Axalan is a senior computer programmer at the Information and Communication Technology Systems Service of the Philippines’ Department of Budget and Management.

For Axalan, the security posture of every company today is inevitably linked to its business objectives. And no company, big or small, is immune from a potential cyber security threat or network breach.

“At some point, information such as a client’s data, email, credit card, and other key information could fall into someone else’s hands,” says Axalan.

And that’s a daunting challenge. “Security in the IT world is an ever-changing war zone even to financial institutions, corporations, and most of all, government institutions,” she says. “The opponent changes faster than we can ever imagine. For some, learning some strategy from the art of war might do wonders. ‘Know thy enemy,’ they said. Deploying layers of security such as firewall, anti-virus, anti-spyware, and encryption might mitigate threats but not everything, despite security measures.”

In the war against advanced cyber threats, “the traditional network zoning approach is no longer effective these days,” she observes. “Advanced cyber attacks are designed to prevaricate traditional network security. Having said that, I believe a paradigm shift is essential. A well-built defense strategy to shelter endpoints from advanced persistent threats and zero-day vulnerabilities should be implemented to reduce risks and compromised networks.”

On mobility and IoT 

The upside of mobility and BYOD in an enterprise is that employees can be productive wherever they need to be. 

“On the other hand, rising prevalence of BYOD in an enterprise also means that if an employee’s device were to be stolen, the data residing on that device is vulnerable,” Axalan says. “That eventually could lead to unauthorized access of corporate data from the device.” 

Axalan is also wary of malware-infected devices that IT personnel have no control over, which might become attack vectors against the network and increase the risk of enterprise data theft.

However, Axalan points out that the IoT is not as foreign as everyone thinks. “The automated teller machine is one example of an IoT device because it gathers and transmits data using the Internet,” she says. “We just don’t know how to address such technology. But today, we have gone to the next level of using IoT devices such as wearables, tablets, mobiles, laptops and many more.”

Hence, if corporate employees were to have at least two devices each, Axalan imagines that an organization serving 500 employees, for instance, would face a horrendous task in securing every endpoint, especially if IT policies and security are not integrated.

On the use of SSL and encryption

Axalan believes that companies that value their customers, especially in online transactions, would do anything to protect their data. To this end, several IT companies offer a robust range of SSL capabilities to secure web-based transaction systems worldwide, whether they reside internally or on external networks.

On protection against evolving threats

Axalan notes that any web application connected to the Internet has always been a potential point of vulnerability to external threat actors. “The most common attack today takes the form of cross-site scripting or SQL injection, which executes malicious code in a data-driven application, retrieves sensitive database content and finally defaces or closes the application,” she says. “And let’s not forget the massive vector attacks that paralyze networks behind the firewall.”
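As an added illustration of the injection pattern Axalan describes (example code written for this page, not from the article or from any of the organizations it names), the block below builds a small in-memory SQLite database with constructed sample users, runs the same lookup once with the user input spliced into the query text and once with a bound parameter, and shows why only the second form keeps the input from changing the query's structure. The `render_greeting` helper covers the other attack named in the passage, cross-site scripting, by HTML-escaping user-controlled text before it is placed in a page. Table and column names are assumptions for the demo.

```python
"""Added example (not from the article): a SQL injection-prone lookup beside
its parameterized fix, plus output encoding against cross-site scripting,
using an in-memory SQLite database with constructed sample data."""
import html
import sqlite3

# Constructed sample data standing in for a "data-driven application".
SAMPLE_USERS = [
    ("alice", "hash-placeholder-1", "alice@example.invalid"),
    ("bob", "hash-placeholder-2", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a small (hypothetical) users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, pw_hash TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flawed pattern: user input is spliced into the SQL text, so the
    input can rewrite the query's structure, not just supply a value."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver binds the value separately from the SQL text, so
    whatever the input contains is compared as a literal string."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting(username: str) -> str:
    """Output encoding for the other attack named in the passage (XSS):
    escape user-controlled text before placing it in HTML."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def demo() -> tuple:
    """Run the textbook always-true input through both lookups and return
    (rows leaked by the vulnerable query, rows returned by the fixed one)."""
    conn = make_db()
    # Constructed input: harmless as data, but when spliced into the query
    # text it turns the WHERE clause into a condition that matches every row.
    probe = "' OR '1'='1"
    leaked = lookup_vulnerable(conn, probe)
    safe = lookup_parameterized(conn, probe)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    print(f"vulnerable query returned {leaked_rows} rows; "
          f"parameterized query returned {safe_rows}")
    print(render_greeting("<script>alert(1)</script>"))
```

The design point is that parameterization is not input filtering: the bound value is never parsed as SQL, so no allow-list of characters is needed and legitimate usernames containing quotes still work. A web application firewall, as Darmayanti recommends above, can flag inputs like the probe in transit, but the parameterized query is what removes the vulnerability from the application itself.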

In protecting against evolving threats, Axalan identifies access management as the key element of security for cloud computing and mobile access. “Whether the application is uploaded to the cloud or resides in data center, it still poses a risk to enterprise data protection.”

Axalan’s organization currently uses Microsoft Azure and it is looking forward to using F5 technologies in the near future.