This post was originally published here by OLIVER LAVERY.
Securing an enterprise information system is no trivial task, because today’s systems are complex and must be viewed holistically. IT security can no longer think of a network as a collection of components that can be protected by compartmentalizing them; today’s networks are far more expansive and interconnected.
Typical enterprise information assets go beyond a main brand website and internal systems. They include many (sometimes hundreds of) web applications—some designed in-house, some by third parties; some brand new with sophisticated security controls, and some legacy applications, interfaces, or outdated architectures that never had to consider modern threats or use cases.
In addition, these assets are spread on networks that span multiple time zones and political borders, and that support desktop users, mobile devices, B2B web services, IP telecommunications, and services in the cloud. When left unsecured, any of these applications has the potential to compromise information assets anywhere on the network.
Moreover, the growth of web services and service-oriented architecture (SOA) has fundamentally changed the application threat environment. Your assets may seem secure in a trusted and controlled area of the network, but if those assets are served up to Internet-facing applications via web services and SOA, are they really secure?
Vulnerabilities and threats lurk around every corner. So, how do you deal with threats to such a system?
First and foremost, it is critical to understand your entire enterprise network, including every possible entry point and every application on your systems. However, according to a 2015 SANS survey of developers and information security professionals, IT security teams are not yet on top of this:
- More than 25% of their respondents “didn’t know how many applications their organization used or managed.”
- Identifying all apps in the portfolio was the second-biggest challenge cited by security professionals, after the fear of breaking an app while fixing security vulnerabilities.
- Only 26% of IT security professionals perform a risk assessment on all of their applications all of the time.
- Only 32% assess risks most of the time (based on the criticality of the application).
- About a quarter rarely or never run a risk assessment, even on new web applications.
When information assets could be protected by firewalls, information security was network security. Today, information security means much more than protecting the computer that runs your applications. Security-aware enterprises know that the most effective defense is comprehensive and flexible, and that a comprehensive strategy includes application defense in depth. To learn more, download the e-book: Application Defense in Depth—Making Your Applications First-Class Citizens.