IBM, Ponemon Say App Security Still Lags in the Enterprise
Compounding the issue of the sheer volume of applications being deployed is that 69 percent of respondents said their organization doesn't even know all of the applications that are currently active within their company, perhaps the most alarming statistic to emerge from the study.

Kelley, a 25-plus year IT industry veteran, said she started out as a network and firewall security expert, and also was a system administrator. “About 10 years into my career I realized that no matter what I did at the network level, the bad guys were getting through because of what was happening at layer 7 and all the crazy applications I was putting on my network,” she said.

Layer 7, the Application Layer of the Open Systems Interconnection (OSI) model, is the layer at which application protocols such as HTTP, SMTP and DNS operate. It provides the common services applications use to communicate with one another, as well as application-specific services. Controls that filter only on addresses and ports see none of what happens at this layer, which is the gap Kelley describes.

Today, there are all kinds of apps being introduced to enterprise networks that IT departments have to confront, including applications and services introduced by shadow IT elements, Kelley said.

The study also indicated that visibility and allocation of resources to deal with the most likely data breaches are considered critical control activities. Thus, one of the first steps that needs to be taken is an assessment of which applications are on an organization's network. “One thing we wanted to get across is that people should really get an inventory,” Kelley said. “You need to get a handle on what applications you have, what applications you're building, and if there's an option to do some optimizations or keep it simple, make sure you need all those applications. Do you have multiple apps running that perform similar roles? You need to get better awareness of what you've got and what you're using. Number one: get a handle on what you have.”

According to Jones, after getting a full picture of what their application environment looks like, organizations should unify their security practices, staff up and tool themselves to deal with security issues, and then get a handle on the security vulnerabilities that exist in their organization.
“When I was an admin I had a pretty small network and we had static IPs assigned to everybody,” she said. “And even then I would see activity on my firewall log or on my network monitor that would indicate that people were going to applications and services outside the network that I didn't expect them to, and also that things were running on my network that I didn't have control over. But it was a much smaller problem. What we're dealing with now is exponentially larger, especially when you start adding in different kinds of platforms: not just a desktop, but we've got mobile devices, Internet of Things and the cloud.”
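The inventory Kelley recommends, and the firewall-log review she describes, can be started from the logs an organization already has. The following is an added example written for this article, not code from IBM, Ponemon or the study. It parses a constructed firewall log in a hypothetical `src=/dst=/proto=/dport=` format, builds a per-service inventory of who talks to what, flags allowed flows to external hosts on services that are not on an assumed approved list (shadow IT candidates), and reports roles served by more than one application (the "multiple apps performing similar roles" question). The log lines, the port-to-service table, the internal address range and the approved-service list are all assumptions.

```python
"""Rough application inventory from firewall logs (added example, not from the article)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format:
#   <timestamp> <ALLOW|DENY> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
SAMPLE_LOG = """\
2015-03-24T09:01:12 ALLOW src=10.0.1.15 dst=10.0.2.8 proto=tcp dport=443
2015-03-24T09:01:13 ALLOW src=10.0.1.15 dst=203.0.113.40 proto=tcp dport=443
2015-03-24T09:02:05 ALLOW src=10.0.1.22 dst=10.0.2.9 proto=tcp dport=21
2015-03-24T09:02:40 ALLOW src=10.0.1.22 dst=10.0.2.9 proto=tcp dport=22
2015-03-24T09:03:11 ALLOW src=10.0.1.30 dst=198.51.100.7 proto=udp dport=53
2015-03-24T09:03:15 ALLOW src=10.0.1.30 dst=198.51.100.7 proto=tcp dport=6667
2015-03-24T09:04:02 DENY  src=10.0.1.41 dst=192.0.2.77 proto=tcp dport=3389
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>tcp|udp)\s+dport=(?P<dport>\d+)$"
)

# Assumed port-to-(service, role) table; the role lets duplicate functions be spotted.
SERVICES = {
    ("tcp", 21): ("ftp", "file-transfer"),
    ("tcp", 22): ("ssh/sftp", "file-transfer"),
    ("tcp", 443): ("https", "web"),
    ("udp", 53): ("dns", "name-resolution"),
    ("tcp", 3389): ("rdp", "remote-access"),
    ("tcp", 6667): ("irc", "chat"),
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
APPROVED = {"https", "dns", "ssh/sftp"}                 # assumed sanctioned services


def parse_log(text):
    """Return (records, skipped_count); malformed lines are counted and skipped."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        dst = ipaddress.ip_address(rec["dst"])
        rec["internal_dst"] = any(dst in net for net in INTERNAL_NETS)
        records.append(rec)
    return records, skipped


def service_name(rec):
    """Map a flow to a service name; unknown ports are kept visible, not dropped."""
    name, _role = SERVICES.get((rec["proto"], rec["dport"]),
                               (f"unknown/{rec['proto']}/{rec['dport']}", "unknown"))
    return name


def build_inventory(records):
    """{service: set of (src, dst)} for allowed flows only (denied traffic never ran)."""
    inv = defaultdict(set)
    for r in records:
        if r["action"] == "ALLOW":
            inv[service_name(r)].add((r["src"], r["dst"]))
    return dict(inv)


def find_unexpected(records):
    """Allowed flows to external hosts on non-approved services: shadow IT candidates."""
    hits = []
    for r in records:
        if r["action"] != "ALLOW" or r["internal_dst"]:
            continue
        name = service_name(r)
        if name not in APPROVED:
            hits.append((r["src"], r["dst"], name))
    return sorted(hits)


def find_duplicate_roles(inventory):
    """Roles served by more than one distinct application in the inventory."""
    role_of = {name: role for name, role in SERVICES.values()}
    by_role = defaultdict(set)
    for name in inventory:
        by_role[role_of.get(name, "unknown")].add(name)
    return {role: sorted(names) for role, names in by_role.items() if len(names) > 1}


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    inv = build_inventory(recs)
    print(f"parsed {len(recs)} records, skipped {bad}")
    for svc, flows in sorted(inv.items()):
        print(f"  {svc:10s} {len(flows)} flow(s)")
    print("unexpected external use:", find_unexpected(recs))
    print("duplicate roles:", find_duplicate_roles(inv))
```

On this sample the denied RDP attempt is left out of the inventory because it never ran, the IRC session to an external host stands out as the one flow nobody sanctioned, and FTP and SFTP show up as two applications doing the same job. In a real deployment the service table would come from the firewall's own application identification rather than port numbers alone, since port-based mapping is exactly the layer-3/4 view Kelley found insufficient.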