Mon | Dec 10, 2018 | 12:08 PM PST

Applications are the foundation of user productivity and business insight. Whether hosted on-premise or delivered to the user as a service from the cloud, they are often left vulnerable by traditional, perimeter-based security approaches.

Front-end applications are one entry point for attackers to breach back-end databases. In fact, the massive Equifax data breach that exposed the personally identifiable information (PII) of about 143 million Americans was traced back to an unpatched piece of software used internally to create web applications. Once the attackers exploited that application’s vulnerability to enter Equifax’s servers, they gained access to the entire Equifax network, and with it the most sensitive customer data the credit giant possessed.

That’s why standard security practices must be applied to all enterprise applications, whether or not the application itself contains particularly sensitive or valuable data.

Companies can strengthen application security by applying protections at two distinct application levels: the application platform and application software.

1. Securing application platforms and devices

The following measures must be applied to secure the platform used to host and access the application, regardless of the business-criticality of the application. 

  • Servers: Application and database hosts must be hardened by blocking unnecessary ports and disabling unused services.
  • Databases: The application’s data repositories must be protected with adequate monitoring and auditing of privileged access.
  • Devices: Incorporating device identity into application access control can minimize the threat from new attack surfaces. 
  • Patching: Companies must be diligent about monitoring software security bulletins and applying patches regularly and in a timely manner. (A patch for its web application vulnerability was available to Equifax for two months prior to the company’s breach.) 
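As an added example (not code from the original post), the following check covers the "Servers" measure above: it compares a host's listening sockets and enabled services against an allowlist and reports what should be closed or disabled. The `ss -lntu` and `systemctl list-unit-files` outputs are constructed samples, and the allowlists are hypothetical values for a web-plus-database host.

```python
import re

# Constructed sample of `ss -lntu` output (not captured from a real host).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5900      0.0.0.0:*
"""

# Constructed sample of `systemctl list-unit-files --state=enabled`.
UNITS_SAMPLE = """\
UNIT FILE            STATE
sshd.service         enabled
nginx.service        enabled
mysql.service        enabled
vncserver.service    enabled
telnet.socket        enabled
"""

# Hypothetical allowlist for a web+database host: (proto, port) pairs allowed
# to listen on non-loopback addresses, and the units expected to be enabled.
ALLOWED_PORTS = {("tcp", 22), ("tcp", 443)}
ALLOWED_UNITS = {"sshd.service", "nginx.service", "mysql.service"}

_SOCK = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def unexpected_listeners(ss_text, allowed=ALLOWED_PORTS):
    """(proto, addr, port) for network-reachable sockets not on the allowlist.
    Loopback-only binds are skipped: they are not exposed to the network."""
    found = []
    for line in ss_text.splitlines():
        m = _SOCK.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if (proto, port) not in allowed:
            found.append((proto, addr, port))
    return found


def unexpected_units(units_text, allowed=ALLOWED_UNITS):
    """Enabled unit names that are not on the allowlist (header line skipped)."""
    rows = (line.split() for line in units_text.splitlines()[1:])
    return [r[0] for r in rows if len(r) >= 2 and r[1] == "enabled" and r[0] not in allowed]
```

On the sample data the check flags the portmapper UDP socket and the VNC listener as ports to block, and the VNC and telnet units as services to disable, while the MySQL socket bound only to loopback passes.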

2. Securing application software

Security measures on an application’s underlying software must be applied in proportion to the application’s business value and importance. These include:

Applying these security practices at the application level, however, does not necessarily protect all or even most of the data within an enterprise. One of the biggest issues for any enterprise is unstructured data: data held in files and folders, both on-premise and in the cloud. Learn more about securing unstructured data following Zero Trust principles here.
