Despite the persistent onslaught of widespread and high-profile security breaches over the past several years, an alarming number of companies and government agencies still lack sufficient security controls for access to enterprise applications.
Vidder Inc., the inventor of precision application access, recently announced the results of the Enterprise Application Security Market Research Report, a study conducted by King Research to understand the current state of controls for enterprise application access, which stringent access controls are deemed useful and to what extent these access controls are being implemented.
The study is based on a survey of 408 respondents in IT Security across more than 20 vertical markets, the majority being in technology, financial services, government and medical/healthcare/life sciences.
Ross King, principal analyst of King Research, and Anna Luo, senior director of Marketing at Vidder, told Homeland Security Today the costs, complexity and inadequacy of traditional solutions are the major obstacles standing in the way of companies securing their enterprise applications.
“Locking down access using traditional methods is cumbersome for users, and creates overhead and management headaches for IT staff,” King and Luo said. “We know that if something is too complex to use, and gets in the way of doing business, it won’t be adopted. As a research organization focused exclusively on the business of technology and innovation, we see a need for improved user authentication and enterprise application access controls.”
“And that need is only going to increase as millions, and then billions, of machines are connected to the new, high-value, IoT-based, enterprise applications,” they emphasized.
An increasing number of users need access to enterprise applications, prompting a growing need for controls. Two-thirds of respondents said that more than 10 percent of their enterprise applications need to be accessed by non-employees, and two-thirds also said that 10 percent or more of the enterprise applications accessed by non-employees sit behind the corporate firewall.
The security vulnerabilities that most concerned the survey respondents were server vulnerabilities, phishing, server misconfigurations and denial of service. The report asserted that InfoSec professionals are well aware of these vulnerabilities and threats and are concerned about how to adequately protect their enterprise applications and data.
Recognizing the need for more stringent control to address these vulnerabilities, those who responded to the survey pointed to multi-factor authentication as a “highly useful” solution. However, 60 percent of organizations do not require multi-factor authentication.
“Creating robust authentication processes for users of enterprise applications today will lay a solid foundation for safe and secure authentication of billions of machines in the future,” King and Luo said.
The study indicated simple passwords are the most frequently used authentication method to provide access to enterprise applications. King and Luo said this is the most surprising finding of the survey, since simple passwords are “inherently insecure” given that they can be easily guessed by a hacker and used across multiple login accounts.
“Multi-factor authentication relies on something you have and something you know,” they said. “It is much more secure than simple passwords because you need the combination of these different authentication methods working simultaneously, or access is not granted.”
Although the survey respondents rated multi-factor authentication as a “highly useful” solution, many organizations have not implemented it. On the user side, multi-factor authentication is often viewed as “inconvenient.” On the IT side, staff face the complexity of managing MFA not just for their employees’ access, but for every kind of external partner, contractor and other non-employee as well.
One solution that attracted many of the respondents is the Software Defined Perimeter (SDP) model. One-third of respondents said they’ve heard of it.
Neil MacDonald, Gartner vice president and fellow, defined SDP as "a logical set of disparate, network connected participants within a computing enclave. The resources are typically hidden from public discovery, and access is provided via a trust broker to the enclave, reducing the surface area for attack.”
“SDP is an intersection of software-defined security and software-defined networking concepts, targeting controlled access to resources to a defined community," he added.
For example, Vidder offers an SDP solution that stops cyberattacks by “shrinking” the perimeter and creating a new layer of defense around every application an organization chooses to protect. This architecture significantly reduces the attack surface by hiding servers from everyone—attackers and legitimate users alike—and every device.
Secure application-specific connectivity is then made available only to users who are members of the virtual community of interest and who are running on trusted devices. This secure connectivity is achieved via a 3-step process:
Device authentication and authorization: a controller validates a unique Single Packet Authorization (SPA) signature generated by the device, performs mutual TLS authentication, and then examines other device and software information to determine trust.
User authentication and authorization: using SAML with the enterprise identity provider (IdP), the controller requests user authentication and authorization verification from the enterprise identity management system and matches the result to device ownership.
Dynamically provisioned connections: the controller dynamically provisions an encrypted connection from the user to the application, configuring a TCP Gateway in front of the server so that application data can pass between the client and the server.
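The three steps above can be followed end to end in a small simulation. The code below is an added example written for this article; it is not Vidder’s code and makes several simplifying assumptions: the SPA packet is a JSON body protected by HMAC-SHA256 under a per-device key with a timestamp window and nonce replay check, the mutual TLS handshake is omitted and device trust is represented by a `trusted` flag in a hypothetical device registry, a plain dictionary stands in for the SAML assertion returned by the IdP, and the “TCP Gateway” rule is returned as a dictionary rather than pushed to a real gateway. All sample devices, users, groups and addresses are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed sample data (not from the article). In a real controller the
# registry would come from device enrollment and the ACL from policy.
DEVICE_REGISTRY = {
    "laptop-0001": {"key": b"dev-key-0001", "owner": "alice", "trusted": True},
    "laptop-0002": {"key": b"dev-key-0002", "owner": "bob", "trusted": False},
}
APP_ACL = {"payroll": {"finance"}}                 # app -> groups allowed to reach it
APP_BACKENDS = {"payroll": ("10.0.5.20", 8443)}    # app -> hidden server behind the gateway
SPA_WINDOW_SECONDS = 30                            # tolerated clock skew for an SPA packet


def build_spa_packet(device_id, key, now=None):
    """Client side: one UDP-sized packet, authenticated with the device key."""
    now = int(time.time()) if now is None else now
    body = {"device_id": device_id, "ts": now, "nonce": os.urandom(8).hex()}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"|" + tag


class Controller:
    def __init__(self):
        self.seen_nonces = set()   # replay cache; bounded by SPA_WINDOW_SECONDS in practice

    def verify_spa(self, packet, now=None):
        """Step 1: device authentication. Returns (device_id, reason)."""
        now = int(time.time()) if now is None else now
        raw, _, tag = packet.rpartition(b"|")
        try:
            body = json.loads(raw)
        except ValueError:
            return None, "malformed"
        if not isinstance(body, dict):
            return None, "malformed"
        dev = DEVICE_REGISTRY.get(body.get("device_id"))
        if dev is None:
            return None, "unknown device"
        expected = hmac.new(dev["key"], raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return None, "bad hmac"
        if abs(now - int(body.get("ts", 0))) > SPA_WINDOW_SECONDS:
            return None, "stale"
        if body.get("nonce") in self.seen_nonces:
            return None, "replay"
        self.seen_nonces.add(body["nonce"])
        # Mutual TLS and the posture checks of step 1 are assumed to have set the
        # trusted flag at enrollment; they are not simulated here.
        if not dev["trusted"]:
            return None, "untrusted device"
        return body["device_id"], "ok"

    def authorize_user(self, device_id, idp_assertion, app):
        """Step 2: user authentication via the IdP, matched to device ownership."""
        if not idp_assertion.get("authenticated"):
            return False, "not authenticated"
        if DEVICE_REGISTRY[device_id]["owner"] != idp_assertion.get("user"):
            return False, "device not owned by user"
        if not APP_ACL.get(app, set()) & set(idp_assertion.get("groups", [])):
            return False, "no group grants this app"
        return True, "ok"

    def provision(self, client_ip, app):
        """Step 3: a short-lived gateway rule for exactly this client and app."""
        host, port = APP_BACKENDS[app]
        return {"allow_from": client_ip, "forward_to": f"{host}:{port}", "ttl": 300}

    def connect(self, packet, client_ip, idp_assertion, app, now=None):
        device_id, reason = self.verify_spa(packet, now)
        if device_id is None:
            return None, "spa: " + reason
        ok, reason = self.authorize_user(device_id, idp_assertion, app)
        if not ok:
            return None, "user: " + reason
        return self.provision(client_ip, app), "ok"


def demo(now=1_700_000_000):
    """Run the flow against a valid request and several failing ones."""
    c = Controller()
    alice = {"user": "alice", "groups": ["finance"], "authenticated": True}
    bob = {"user": "bob", "groups": ["finance"], "authenticated": True}
    out = {}
    pkt = build_spa_packet("laptop-0001", b"dev-key-0001", now)
    out["valid"] = c.connect(pkt, "203.0.113.5", alice, "payroll", now)
    out["replay"] = c.connect(pkt, "203.0.113.5", alice, "payroll", now)[1]
    tampered = pkt[:-1] + (b"0" if pkt[-1:] != b"0" else b"1")
    out["tampered"] = c.connect(tampered, "203.0.113.5", alice, "payroll", now)[1]
    pkt2 = build_spa_packet("laptop-0001", b"dev-key-0001", now)
    out["wrong_owner"] = c.connect(pkt2, "203.0.113.5", bob, "payroll", now)[1]
    pkt3 = build_spa_packet("laptop-0002", b"dev-key-0002", now)
    out["untrusted"] = c.connect(pkt3, "203.0.113.5", bob, "payroll", now)[1]
    pkt4 = build_spa_packet("laptop-0001", b"dev-key-0001", now - 120)
    out["stale"] = c.connect(pkt4, "203.0.113.5", alice, "payroll", now)[1]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ordering is the point: the server’s address is only handed out (step 3) after both the device (step 1) and the user on that device (step 2) have been accepted, so an attacker who scans the network, replays a captured packet, or holds valid credentials on an unenrolled device never learns where the application lives.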
“This groundbreaking architecture gives enterprises complete control over who can connect to which application, regardless of who the users are, where the users are, and where the protected enterprise applications are,” said King and Luo.
As security incidents continue to put organizations at risk, addressing enterprise application vulnerabilities will be critical, with the ability to enforce multi-factor authentication across all users at all times; hide application servers from all devices and unauthenticated users; ensure end-to-end encryption and integrity; and give complete control over who can connect to what, independent of application location, device type and user affiliation.
SDP may be the solution to enterprise application security.