Data is the target: protect it
When it comes to creating an effective application security strategy, data protection is crucial.
In my two previous Industry Insights, I covered the vulnerabilities created by users' ongoing addiction to apps, and the challenges of creating a culture that integrates security into the way apps are designed, developed and used.
It must be recognised, though, that the app itself is not the target - it's simply a vulnerability that hackers have identified as an entry point into a company's systems to access its data.
In this Industry Insight, let's consider how to extend an integrated security approach to cover how apps make data more vulnerable.
The first thing to understand is that apps have an intimate relationship with data. Apps generate much of the data; they help to organise it in the database or databases, ordering it in ways that make it accessible to other apps. Apps also sift through the mass of information that comes into the company, identifying what is business-critical, cleaning it up and then categorising it.
Apps, it might be said, are what use and govern the structured data within the company. It thus follows that they signpost the most important data a company has, and present it in an accessible form. They do this for the company, of course, but hackers know this, and that's why apps are such an attractive way into corporate data - they offer a highway right to the Crown Jewels.
Thanks to the app, which is likely to be highly vulnerable itself, the hacker is spared the difficult and time-consuming task of sifting through a mass of corporate data to identify the nuggets of value.
So it makes excellent sense not only to make the app itself more secure, but also to look at ways of securing the data to which the app is a gateway.
One of the key vulnerabilities is that there is typically no real interaction between the database administrator and the multiple apps that use the data within the database. Consequently, the database administrator would not have any insight into the business logic that underlies the app, and so would have no way of identifying suspicious or anomalous activity.
Centralising the business-critical data into a single set of master data doesn't really help, because this data is vulnerable to change by hackers who build up an understanding of how the logic of the database works.
Every database will have certain rules for how information within the master data repository can be changed; for example, when a certain app registers the closing of an account or the purchase of a new property, it may be able to change the master data to a new address. Hackers can find out how the master data is orchestrated quite easily because the orchestration software is public. They can then use apps to change the master data.
Apps have an intimate relationship with data.
In addition, the pace of business is fast and getting faster, so companies have an inbuilt predisposition against delaying changes to master data by putting too many checks and balances in place.
Solving the challenges
The most important principle here is to realise that separation between the developers and the database administrator - and the production team, for that matter - creates a critical vulnerability. Integrating the three into a single team is critical. Collaboration can ensure the security strategy integrated into the app is in sync with the database logic.
Just as security has to be integrated into the way the app is conceived, designed and developed, so the team needs to look beyond whether the database is designed to meet the business needs of the app, such as performance, availability and recoverability: it must also be secure.
Part of ensuring the database security will mean encrypting the most important data, or using tokenisation instead.
If three men live on three different islands, a vaccine must be provided to each of them. If they are on the same island, then only one vaccine needs to be provided. In the same way, seeing security as a part of the end-to-end process of creating and using an app, including its data, everything will be much more secure - and costs will be greatly reduced.
Next time, we will consider the issue of APIs, particularly in the context of the mobile economy and the Internet of Things.
Godfrey Kutumela has over 16 yearsâ experience in security consulting and engineering, having conducted high-end security consulting engagements, and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in this new era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. His role at IBM was as leader and evangelist of IBMâs application security, security and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as the leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and generated data. He has also served as membership chair for the (ISC) 2 Gauteng Chapter since May 2015.