Today’s apps need layers of protection


3 March 2017

Irrespective of where your application lies, and what security provisions are made by service providers, you as application owner are still ultimately responsible for its protection.

That was one of the key messages from the recent TechFire event on application security.

Tristan Liverpool, director of systems engineering Ireland and UK, F5 Networks, said that while the security providers do provide high levels of reliable security, it is still up to application owners to ensure that policies and the specific needs of any given application or service are met, regardless of where or how they are hosted.

Exploring this point, attendees were asked whether they agreed that service providers generally provide a higher level of security than most organisations could manage internally; around 10% agreed.


Liverpool expanded on this point, and said no one point of security should be relied upon over others, and that a layered approach was best practice, for on-premises, hybrid or publicly hosted applications.

A question from the floor asked how close the industry was to moving beyond passwords for authentication.

Multiple parameters
Mark Ward-Bopp, systems engineer, F5 Networks Ireland, said that with measures such as OAuth, identity federation and interrogation of request sources and other parameters, a username and password can be merely one element of the wider set of parameters used to authenticate users. As such, while the username and password are still the most visible elements to the user, in reality many more parameters are under consideration, each one weighted appropriately.
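As an added example (not from the event, nor code from F5 or AIB), here is one way to turn that weighting into a decision: a risk-based login check that sums hypothetical signals (credential, federated token, device, location, source reputation) and chooses between allowing, asking for a further factor, or denying. The field names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthSignals:
    """Signals gathered for one login attempt (hypothetical field set)."""
    password_ok: bool            # primary credential check passed
    federated_token_valid: bool  # valid assertion from an OAuth/OIDC identity provider
    mfa_passed: bool             # second factor completed
    known_device: bool           # device fingerprint seen before for this user
    geo_matches_history: bool    # request origin consistent with the user's usual locations
    source_ip_reputation: float  # 0.0 = known-bad source .. 1.0 = clean (constructed scale)


# Hypothetical weights: each parameter contributes in proportion to how much
# confidence it adds; tune per application and risk appetite.
WEIGHTS = {
    "password_ok": 30,
    "federated_token_valid": 25,
    "mfa_passed": 30,
    "known_device": 15,
    "geo_matches_history": 10,
    "source_ip_reputation": 10,  # scaled by the 0..1 reputation value
}


def confidence_score(s: AuthSignals) -> int:
    """Weighted sum of the signals; booleans count fully or not at all."""
    score = 0
    for name, weight in WEIGHTS.items():
        value = getattr(s, name)
        score += round(weight * float(value))
    return score


def decide(s: AuthSignals, allow_at: int = 70, step_up_at: int = 40) -> str:
    """Return 'allow', 'step_up' (ask for another factor) or 'deny'."""
    # A primary credential is mandatory: good context never substitutes for one,
    # however high the contextual score would otherwise be.
    if not (s.password_ok or s.federated_token_valid):
        return "deny"
    score = confidence_score(s)
    if score >= allow_at:
        return "allow"
    if score >= step_up_at:
        return "step_up"
    return "deny"
```

A login from a new device with a good password lands in the step-up band, and only passes once the extra factor adds its weight.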

David Cahill, security strategy and architecture manager, AIB, added that banks must be aware of the changing needs of users and keep up with developments.

Cahill cited a UK survey by Accenture which found that around 40% of respondents said they would open a bank account with PayPal if offered that service. As such, banks must be aware of users’ willingness to accept certain services as potential identity brokers and cannot ignore such changes for fear of being left behind.

The attendees were then asked for a show of hands for who used two-factor authentication (TFA) for services such as Gmail. Around half indicated they did.

A further show of hands was conducted for those who considered their organisation to be using hybrid cloud services, with around a third indicating they were. When asked whether any difficulties had been encountered in ensuring that organisation security policies could be applied across such infrastructures, no specifics were reported. However, one attendee clarified a previous response with regard to service provider security provisions. He said that while he agreed they did provide a higher general level of security than most organisations would be capable of, he thought that they could and should do better, especially in helping users to make the best use of such measures.

Skills coordination
A question was asked whether attendees had encountered problems in coordinating their internal skills and tools with what the providers have to offer in a holistic and integrated fashion. Again, no specific issues were reported.

AIB’s Cahill said that even having a security operations centre (SOC), there is still a significant security overhead, with all the different feeds and sources of intelligence coming in.

He said that they use a SaaS-based service that downsizes the vast amount of data to what is worthy of note and that comes back to the SOC for deeper analysis, significantly reducing overheads. However, he acknowledged that even this model for processing takes a lot of orchestration, but once established works well to cope with the volumes.

A question was asked about Shadow IT, and whether the kinds of protections being discussed for application protection could take this into account.

Liverpool said that this was not really the way to approach the issue. He said it is now possible to provide, through proper channels, all of the capabilities that people look for in Shadow IT. It is more about making people aware that they do not have to leave the proper channels to achieve what they want to do, said Liverpool, rather than trying to seek control over things that are outside of your domain.

Tackle the cause of Shadow IT, not the symptoms, he argued, and then these services will fall within the scope of the usual application protections, to the benefit of all.

Security in applications
Another question asked if there was a move away from baking security directly into applications, and relying more on these layered services to compensate.

The panel more or less agreed that while there should not be an over-reliance on the inherent security measures in any application, it was still important to think about security as early as possible in development.

Liverpool reiterated his earlier point about layered security: even if security is baked into the application, there should be other protections too. You should never have to rely solely on the app, the web application firewall (WAF) or any one component, but rather on layers of security, he said.

An attendee from a service provider added that security should not be an option, it should be woven into the fabric of the service provided.

TechCentral Reporters
