Business-critical applications are the powerhouse that keeps firms running efficiently. But companies are putting themselves at increased risk by failing to secure the applications at the very heart of their business operations. Maintaining focus on security has become especially challenging with the adoption of cloud-based infrastructure and SaaS, which has brought many advantages, such as reduced development cost and improved scalability. These benefits, together with the ability to access key applications remotely, have demanded a major shift in thinking - distracting companies from the need to keep on top of security.
Digital transformation has only made it harder to focus on security, as hungry start-ups move into established industries such as finance and healthcare. These start-ups have been making the most of new cloud, virtualisation and containerisation technologies to gain competitive advantage. Indeed, the speed, flexibility and resilience afforded by these technologies are opening up new markets for services. In response, larger and more established companies are trying to play ‘catch-up’ - often rushing to adopt new technologies to bolster their own leadership position. Technological advances of course bring many advantages, but they often prioritise user experience over security. The writing is on the wall: it’s time for companies to address application security.
Protecting critical applications
Let’s look at why applications have become so critical to business. Organisations collect vast quantities of information and deploy industry-specific applications across the business. There is an increasing dependency on these, with web-based, cloud-based and third-party applications at the core of today’s business processes. Such applications might include financial transaction apps and their related sensitive customer data; enterprise resource planning (ERP) apps that help manage crucial inventory for retailers or hospitals; and critical electronic health record (EHR) applications storing vital electronic personal health information (ePHI) for health care providers, hospitals and insurers.
The loss or compromise of the data held by these applications can result in disrupted services, or bring the business to a complete standstill - threatening its reputation and survival. A recent CyberArk Business Critical Application survey of 1,450 business and IT decision makers conducted across eight EMEA countries showed that 61 per cent of respondents indicated that even the slightest downtime affecting their business-critical applications would be massively disruptive and severely impact the business. Yet 70 per cent of these enterprises fail to prioritise the security of business-critical applications.
Building a healthy security culture
So, what’s behind this lack of focus on securing applications? Although companies face a variety of distractions, including cloud and scalability issues, it could be down to an organisation’s security culture not keeping pace with the threat landscape. A security culture requires care and feeding to make it ‘sustainable’. When a security culture is ‘sustainable’, it transforms security from a one-time event into a lifecycle that generates ongoing security returns.
Without the right security culture and protection in place, many business and IT stakeholders are putting their applications and organisations at risk. While they’re busy curating the right applications for the business, they’re failing to protect the costly investments that run their enterprises and keep customers coming back.
As cloud-based infrastructures become mainstream, it’s essential to understand the associated security vulnerabilities and how best to secure company data and the applications that house and manage it. Let’s consider what can be done to smooth the ‘journey’:
- Fully understanding the business
A full understanding of the business, its leaders and the heads of key functions such as finance, human resources and marketing is vital. Understanding the important business initiatives makes it far easier to identify the critical business apps. These could be SaaS applications or custom applications built using DevOps tools and methodologies.
- Feeling comfortable with the cloud
While moving on-premises applications to the cloud, or adopting new cloud-native apps, it’s important to understand the strategy, migration plan and timelines. Partnering with cross-functional stakeholders will ensure security is prioritised.
- Securing access to those managing business-critical applications
Once business-critical applications are identified, all administrative access associated with these apps needs to be controlled and managed, including access to the underlying infrastructure. It’s also worth isolating sessions to prevent credential theft and lateral movement, whilst at the same time providing a full audit trail of all privileged activity involving business-critical applications and admin access. On top of this, it’s crucial to remember that admins for these apps tend to sit outside IT - as part of a line of business or within a functional organisation such as Finance, HR or Marketing.
- Remember the machines
Application-to-application privileged credentials must be secured alongside interactive human access, together with the service accounts used by business-critical on-premises applications, SaaS applications and cloud-native applications built using DevOps tools and methodologies. Hard-coded credentials represent a significant security risk to business-critical applications and should be removed.
- Limit the risk from unmanaged end user workstations
Attacks against business-critical apps that begin on Windows and Mac workstations can be prevented by removing local admin rights, which stops the download of malware. It’s also important to invest in anti-phishing protection and promote security awareness, so that end users can spot phishing attacks.
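The warning about hard-coded credentials under ‘Remember the machines’ is the one recommendation above that lends itself to code. What follows is an added example, not code from the article or from CyberArk: a small heuristic scanner that flags credential literals in source text, shown beside the hardened pattern in which the secret is injected at run time and the application refuses to start without it. The two code snippets, the regular expressions and the `ERP_DB_PASSWORD` variable name are constructed for this example; the environment lookup stands in for a vault or secrets manager, and the `AKIA…EXAMPLE` value is the placeholder access key ID from AWS’s own documentation, not a real key.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of application code that embeds credentials (the "before" case).
VULNERABLE_SNIPPET = '''
DB_PASSWORD = "Sup3rS3cret!"
api_key = 'AKIAIOSFODNN7EXAMPLE'
conn = connect(host="db.internal", user="erp_svc", password="hunter2")
timeout = 30
'''

# Constructed hardened form: the secret is resolved at run time, never written in source.
HARDENED_SNIPPET = '''
password = load_secret("ERP_DB_PASSWORD")
conn = connect(host="db.internal", user="erp_svc", password=password)
timeout = 30
'''


@dataclass
class Finding:
    line_no: int
    kind: str
    text: str


# Heuristic patterns constructed for this example; production scanners carry far more.
# The AWS pattern is checked first so a key assigned to a variable is labelled precisely.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential literal",
     re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["'][^"']{4,}["']""")),
]


def find_hardcoded_credentials(source: str) -> List[Finding]:
    """Return one Finding per source line that looks like it embeds a credential."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, kind, line.strip()))
                break  # one finding per line is enough for triage
    return findings


class MissingSecret(RuntimeError):
    """Raised when a required credential is absent at start-up."""


def load_secret(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """Resolve a credential at run time from the environment.

    The environment stands in for a vault or secrets manager here (assumption for
    this example); the point is that the value is injected and that there is no
    built-in default to fall back on.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise MissingSecret(f"{name} is not set; refusing to start with a default credential")
    return value


def build_db_config(env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Assemble a connection config whose password comes from load_secret, not source."""
    return {
        "host": "db.internal",
        "user": "erp_svc",
        "password": load_secret("ERP_DB_PASSWORD", env),
    }


if __name__ == "__main__":
    for f in find_hardcoded_credentials(VULNERABLE_SNIPPET):
        print(f"line {f.line_no}: {f.kind}: {f.text}")
    print("findings in hardened snippet:", find_hardcoded_credentials(HARDENED_SNIPPET))
    print(build_db_config({"ERP_DB_PASSWORD": "injected-at-runtime"})["user"])
```

Run against the vulnerable snippet the scanner reports lines 2, 3 and 4, and nothing in the hardened form. The design choice worth noting is in `load_secret`: a missing credential is a hard failure rather than a fallback to a built-in value, because a default in source is exactly the hard-coded credential the recommendation says to remove.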
Companies will always face the challenge of monitoring and controlling data security threats while operating efficiently and productively, with a constant stream of distractions threatening to divert security leaders’ attention. Taking a holistic approach to protecting business-critical applications should be the priority, no matter where the apps run. Whether on-premises or in the cloud, it’s crucial to prioritise and protect your most valuable applications and data.
David Higgins, EMEA Technical Director, CyberArk