Applications: The Final Security Frontier

When security controls are discussed, the focus is often on intrusion detection and prevention platforms, firewalls, or similar technologies.  These solutions have been in the IT and Security Department’s bag of tricks for some time, and their roles in enterprise infrastructure and security are generally well understood.

Applications are not often part of that discussion, although they should be. Firewalls and applications which enforce role-based access to data have a lot in common from an archetype perspective.  This basic security model is shown in the diagram below.

A requester seeking to interact with some resource must traverse a control point whose role is to enforce the risk decisions of the enterprise.  To do this, the policy control point must be designed, developed and tested to ensure that no technical shortfalls exist (or at least that none go unidentified) which might allow a requester to engage in actions contrary to the policy.

Figure 1: Policy Enforcement Archetype

We can see this archetype implemented frequently in enterprise network architectures.  Multiple layers of defensive and detective controls are built into the infrastructure to ensure the security of enterprise resources.

Multiple layers of technical controls are designed to minimize the risk of successful attack from external entities or at least allow security staff to quickly identify when a breach has occurred.

Figure 2: Basic Firewall Architecture

So how do applications fit into all of this?  Applications are the method by which users interact with and perform transformative operations on enterprise data. For applications which support role-based access, it is the application that provides individual users with the tools and methods to act upon a dataset.  The application must be able to allow or disallow particular actions or requests based on the identity of the requesting user.  A security incident occurs when the application cannot technically enforce these limitations on submitted user requests, or when its resistance to such attempts is tampered with.

Figure 3:  Application as Policy Enforcement Point in the Enterprise
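To make the enforcement point concrete, the following is an added example (not code from the original article or its author). It contrasts a handler that knows the user's identity but never consults it with one that routes every request through a deny-by-default policy decision before the record is touched. The record store, users and roles are constructed here as hypothetical sample data so the example runs offline.

```python
"""Added example: an application endpoint acting as a policy enforcement point.

Hypothetical in-memory records and users are constructed here so the
example runs offline; none of it comes from the original article.
"""
import copy
from dataclasses import dataclass, field

# Constructed sample data (hypothetical).
RECORDS = {
    101: {"owner": "alice", "dept": "finance", "body": "Q3 forecast"},
    102: {"owner": "bob", "dept": "hr", "body": "salary review"},
}
USERS = {
    "alice": {"roles": {"finance_viewer"}},
    "bob": {"roles": {"hr_viewer"}},
    "carol": {"roles": {"auditor"}},
}


@dataclass
class Request:
    """What the enforcement point sees. `user` is the authenticated
    principal taken from the session, never from the request body."""
    user: str
    action: str            # "read" or "update"
    record_id: int
    params: dict = field(default_factory=dict)


def fresh_store():
    """Independent copy of RECORDS so each run starts clean."""
    return copy.deepcopy(RECORDS)


def handle_vulnerable(req, store):
    """No enforcement: identity is known but never consulted, so any
    authenticated user can read or overwrite any record (an insecure
    direct object reference)."""
    rec = store.get(req.record_id)
    if rec is None:
        return 404, None
    if req.action == "read":
        return 200, rec["body"]
    if req.action == "update":
        rec["body"] = req.params.get("body", "")
        return 200, "updated"
    return 400, None


def is_permitted(user, action, rec):
    """Policy decision. Deny by default; only listed combinations pass:
    owners read and update their own records, `<dept>_viewer` roles read
    that department's records, auditors read everything and change nothing."""
    roles = USERS.get(user, {}).get("roles", set())
    if rec["owner"] == user:
        return action in ("read", "update")
    if action == "read":
        return "auditor" in roles or f"{rec['dept']}_viewer" in roles
    return False


def handle_hardened(req, store, audit_log):
    """Enforcement point: every request passes through is_permitted before
    the record is touched. Denied and missing records both return 404 so
    the response does not reveal whether the record exists; each denial
    is logged so the detection side can see probing."""
    rec = store.get(req.record_id)
    if rec is None or not is_permitted(req.user, req.action, rec):
        reason = "missing" if rec is None else "policy"
        audit_log.append(
            f"DENY user={req.user} action={req.action} "
            f"record={req.record_id} reason={reason}"
        )
        return 404, None
    if req.action == "read":
        return 200, rec["body"]
    if req.action == "update":
        rec["body"] = req.params.get("body", "")
        return 200, "updated"
    return 400, None


if __name__ == "__main__":
    store, log = fresh_store(), []
    # bob is neither the owner of 101 nor in finance: only the hardened
    # handler turns him away, and it leaves a trace in the audit log.
    print(handle_vulnerable(Request("bob", "read", 101), store))
    print(handle_hardened(Request("bob", "read", 101), store, log))
    print(log)
```

The design point is that the check sits in one place that every code path must pass through, uses the identity the platform authenticated rather than anything the requester supplied, and fails closed. The uniform 404 is a deliberate choice: returning 403 for unauthorized and 404 for missing lets an attacker enumerate which record IDs exist.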

While the other solutions in a fully architected, layered security model can mitigate a number of attack vectors, the ability of the application itself to withstand attack and enforce enterprise risk policy is the organization’s last line of defense.  This is a concept that must be communicated and championed by executive management, reflected in the application security requirements placed on third-party application vendors, and incorporated into the day-to-day activities of the development organizations within the enterprise.

The enterprise can significantly limit its exposure to application security flaws by understanding the application’s role in the enterprise security model.  It is most important to have standards and procedures throughout the development, procurement and deployment of applications.

With these types of protocols in place, security in the enterprise is further enhanced.

Mike Klepper, Consulting Application Security Practice Director, AT&T