November 5, 2013

Guest blog: User and App centric security

Nick Bowman, F5 Networks, on the new set of challenges in the security landscape.

By Cbr Rolling Blog

There is no longer any point in thinking of security in terms of a static corporate perimeter accessed by known, controlled devices. Now, we must be user and app centric in our thinking.

The shifting corporate perimeter has come about for a number of reasons. One is the drive to deploy applications in the cloud, and have them be fast, available and also secure.

Another is that users are more in control of their destiny than ever before; the consumerisation of IT has given choice to the user. Choice of OS. Choice of device. Where to access from.

The user also has access to more applications. Think about how many applications you have now, over your (probably) multiple devices, versus the single corporate desktop you had access to a decade ago.

We also access these apps from many locations. We have access to apps served from Google Docs and from Salesforce.com as well as from our company’s data centre.

So the user has more power than they have had before. And as a result of that, there are a new set of challenges in the security landscape.

Everything between the user and the application has traditionally been the concern of IT; still is, to an extent. But the shifts described above mean IT now has a much greater area of jurisdiction. The network is no longer private. Apps are no longer just in company data centres.


Users work from home. Users work from coffee shops. Users work from aeroplanes. Quite often, they work from all those locations in a given day, likely over a non-corporate provided device.

This creates a lot of risk. What adds to this risk is the fact that apps have moved outside their walled garden, and are thus less easy to control. A survey by RightScale in May 2013 found that 77% of all large organisations – those with greater than 1,000 employees – are choosing hybrid, multi-cloud deployments.

This means that workloads are moving to the cloud at an ever-increasing rate. Most web applications have been built on Web 2.0 frameworks, meaning that they create HTTP and HTTPS traffic. The latter is encrypted, so the sessions that are flowing from the user all the way to the app are very difficult for network devices to analyse.

The complexities described above mean IT departments have a lot to deal with. They have a lot of new complexity that needs protection in place. And they are not short of threats to deal with, from denial of service attacks, identity extraction, DNS poisoning, SQL Injection – the entire gamut of Layer 2 – 7 security.

In a recent survey that we saw of 12,000 IT professionals, 69% said that the number one vulnerability is application attacks inside the environment. Cenzic and WhiteHat, who do penetration testing, claim that 86% to 89% of all web applications have serious vulnerabilities.

This complexity, unsurprisingly, has led to challenges. Organisations are not adopting the cloud-based services or the productivity and mobility services at the speed that they would like to.

What’s really needed is more contextualisation or, to put it another way, more understanding of the user and the apps they connect to.

Today’s typical user, when inside the perimeter, has access to the corporate network. When they leave it, they usually get VPN access, which is almost identical to being on the corporate network. But in the latter case, you may be connecting in from locations or devices that may not be secure.

IT, therefore, may want to modulate the kind of access users are allowed. Perhaps they have a personal Android device and they are connecting from an insecure location. A ‘safe’ response might be to only allow them email access or a VDI desktop. The same user, connecting in a few hours later from a corporate laptop and a trusted location, might be deemed safe enough for full VPN access.

The key to allowing this modulation is endpoint inspection, geographical awareness, one-time passwords and other things of that nature.
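The access modulation described above can be expressed as a small policy function that takes the connection-time signals (endpoint inspection result, location trust, second factor) and returns the least-privileged tier they justify. The following is an added example, not F5 code or anything from the original post; the signal names, the four tiers and the step-down rules are assumptions chosen to match the two scenarios in the text (personal Android device from an insecure location, corporate laptop from a trusted location).

```python
"""Context-aware access decision (illustrative example, not vendor code).

Assumed model: start from the most privileged tier and step down whenever a
signal is missing, so a failed or absent check can only reduce access.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class AccessTier(IntEnum):
    """Access levels, ordered from least to most privileged."""
    DENY = 0
    EMAIL_ONLY = 1   # webmail only; nothing else is reachable
    VDI = 2          # hosted desktop; data stays in the data centre
    FULL_VPN = 3     # routed access to the corporate network


@dataclass(frozen=True)
class AccessContext:
    """Signals gathered when the session is set up (field names are assumed)."""
    user: str
    device_managed: bool       # corporate-enrolled device (MDM / agent present)
    endpoint_compliant: bool   # endpoint inspection passed: patched, AV on, disk encrypted
    location_trusted: bool     # geo/IP check: connecting from an approved location
    mfa_passed: bool           # one-time password (or other second factor) verified


def decide_access(ctx: AccessContext) -> Tuple[AccessTier, List[str]]:
    """Return the tier to grant and the reasons that produced it."""
    reasons: List[str] = []

    # A second factor is required for any remote session; without it, deny.
    if not ctx.mfa_passed:
        return AccessTier.DENY, ["second factor not verified"]
    reasons.append("second factor verified")

    tier = AccessTier.FULL_VPN

    if not ctx.device_managed:
        # Personal device: nothing vouches for it, so keep corporate data off it.
        tier = min(tier, AccessTier.VDI)
        reasons.append("unmanaged device: capped at VDI")
    elif not ctx.endpoint_compliant:
        # Corporate device that failed inspection is treated like an unmanaged one.
        tier = min(tier, AccessTier.VDI)
        reasons.append("endpoint inspection failed: capped at VDI")

    if not ctx.location_trusted:
        # An untrusted location drops one tier: VPN -> VDI, VDI -> email only.
        tier = AccessTier(max(tier - 1, AccessTier.EMAIL_ONLY))
        reasons.append("untrusted location: dropped one tier")

    return tier, reasons


def audit_record(ctx: AccessContext, tier: AccessTier, reasons: List[str]) -> Dict[str, object]:
    """Flatten a decision into a log record so access grants can be reviewed later."""
    return {
        "user": ctx.user,
        "granted": tier.name,
        "device_managed": ctx.device_managed,
        "endpoint_compliant": ctx.endpoint_compliant,
        "location_trusted": ctx.location_trusted,
        "mfa_passed": ctx.mfa_passed,
        "reasons": list(reasons),
    }


if __name__ == "__main__":
    # Constructed sample contexts mirroring the two scenarios in the text.
    scenarios = [
        AccessContext("alice", device_managed=False, endpoint_compliant=False,
                      location_trusted=False, mfa_passed=True),   # personal Android, coffee shop
        AccessContext("alice", device_managed=True, endpoint_compliant=True,
                      location_trusted=True, mfa_passed=True),    # corporate laptop, office
        AccessContext("alice", device_managed=True, endpoint_compliant=True,
                      location_trusted=False, mfa_passed=False),  # no second factor
    ]
    for ctx in scenarios:
        tier, why = decide_access(ctx)
        print(audit_record(ctx, tier, why))
```

The ordering matters: the rules only ever lower the tier, so adding a new signal later (say, a jailbreak check) cannot accidentally widen access, and the returned reasons give the audit trail a reviewer needs to see why a particular grant happened.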

The second piece of the puzzle concerns applications. The advent of cloud has resulted in companies, in effect, being given a choice about where their apps are run from. It might make sense for some to be cloud-based.

This added complexity also creates issues for IT. Policies that applied to the app in the corporate data centre might be difficult to apply to an app served up by a third party cloud provider.

This is another great example of how organisations attempting to be agile can create enough issues in protection, availability and access that they could conceivably end up worse off. Apps in the cloud must have security and access services bound to them in order to meet IT app delivery standards.

Tying an understanding of the user to the ability to apply policy to individual applications, in the data centre or the cloud – wherever they are – will be key as the focus of how we think about and apply security shifts.


Nick Bowman is the manager of EMEA Corporate Communications at F5 Networks. Check out his blog post on ‘bring your own network’ here.

