Today a business's IT network is at the heart of all of its operations and communications, so ensuring that data is secure and safeguarded against threats, attacks and vulnerabilities is essential.
Every IT professional will know that it's much easier to secure an entire network than to tackle disparate applications. You throw in a firewall, some strong authentication and a digital certificate for Secure Sockets Layer (SSL), and the job is done. However, dealing with network security alone is like picking the low-hanging fruit from a tree. It might be straightforward, but it tackles only part of the problem: it secures data only as it travels across the wire and neglects both data in process (the intelligence being used in real time) and data in storage, which could include anything from vital corporate files on the hard drive of an employee's notebook computer to files on the servers of an offsite backup service provider. Further challenges lie in the newest layer of the security stack: virtualisation.
SSL itself is actually useless against most of the attacks that exploit vulnerabilities and result in the loss of customer data today. Even an SSL-encrypted Structured Query Language (SQL) injection attack is still an SQL injection attack. Wrapping a non-secure web application in encryption doesn't change that; in fact, it may hinder the ability of traditional network security infrastructure to detect it, because the inspection point on the wire sees only ciphertext.
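The following is an added illustration of that point, written for this page rather than taken from the author: the transport layer delivers the request bytes to the server unchanged, so the only thing that decides whether a request is an injection is how the application builds its query. The in-memory table, the user names and the `count_matches_*` function names are constructed for the example.

```python
import sqlite3

def build_db():
    """Constructed in-memory user store standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn

def count_matches_vulnerable(conn, username):
    """Vulnerable form: user input is spliced into the SQL text.

    Whether this input arrived over plain HTTP or over SSL/TLS makes no
    difference; by the time the query is built the transport has already
    decrypted it, and the database parses whatever the string contains."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0]

def count_matches_safe(conn, username):
    """Hardened form: a parameterised query binds the input as data.

    The SQL text is fixed at development time, so the database never treats
    the supplied value as part of the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]

if __name__ == "__main__":
    conn = build_db()
    # A tautology in the username field matches every row in the vulnerable
    # version and no row in the parameterised one.
    payload = "x' OR '1'='1"
    print("vulnerable:", count_matches_vulnerable(conn, payload))  # 2
    print("safe:      ", count_matches_safe(conn, payload))        # 0
```

The fix lives entirely inside the application code; no firewall rule or certificate changes the outcome, which is the point the paragraph makes about where the security effort has to go.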
No single solution can provide the coverage necessary to ensure that data will not be stolen or that an application will not be compromised in some way. If businesses are going to achieve hack-resilient applications, they must take a holistic approach to IT security that covers multiple layers, including the network, the host and the application. We need to learn from the cloud developers, who have built their propositions around security in the cloud from day one.
The technology industry is now in its second internet decade, but there are still millions of businesses with unsupported, insecure networks. Applications are increasingly accessible over networks and as a result are exposed to a wide variety of threats, heightened by the growing Bring Your Own Device culture.
Application- and content-centric networking offers a wide range of benefits, such as content caching to reduce congestion and improve delivery speed, simpler configuration of network devices, and the flexibility to build security into the network at the data level. A content-centric network is also well suited to provisioning mobile devices: because the network addresses content rather than hosts, a connection does not need to follow the mobile device as it moves. What's more, application security deals with the entire data-processing stack and can address the untrusted and extended networks that have emerged from the death of the perimeter network, driven by the growing availability of Wi-Fi and the use of wireless devices in the workplace. Once an afterthought, application and platform delivery hardening, combined with stringent security guidelines and developer security awareness, means that application security is now better placed to improve overall security and compliance than network tools could ever be. It is essential that we re-train and re-focus every network-security-focused IT professional in application security.
The industry still has a long way to go. Alarmingly, every single one of this year's notorious security attacks and data thefts, including the high-profile Google, Sony and Citibank cases, was application-targeted. If some of the world's largest global enterprises haven't cracked it, that tells us a lot about the likely situation in other, less technically sophisticated businesses.
Application security measures such as database encryption, data loss prevention (DLP), web application security and secure web coding practices should be standard for any business, and not just for Payment Card Industry (PCI) compliance. We can't even rely on a network cable any more to segment the network. Wi-Fi has put an end to the 'air gap' theory, in which a network was thought to be secured by keeping it physically separate from other networks. Next-generation networks don't have perimeters; they are borderless.
Without a comprehensive security strategy that takes into consideration the entire ecosystem in which applications are deployed and exploited, businesses will continue to put themselves at risk of security breaches, regardless of how much they invest in network security.