Current Filter: Security>>>>>Feature>

   

"Given the escalation in the number of serious breaches over the past couple of years, it is clearly time for new thinking," states Paul German, VP EMEA, Certes Networks. "With proven failures occurring when businesses attempt to double up on the role of network devices, or by trusting security to the inbuilt controls provided by the application vendor, it is now clear that effective encryption requires a dedicated technology layer."

The key, he continues, is to utilise application isolation and segmentation technologies in a highly focused and targeted way to create a cryptographically protected flows between each user and each application. "Building on the identity and access control technologies widely deployed, a cryptographic relationship creates a clean and unbreakable link between each user and the permitted data and applications."

German believes security officers are losing sight of the boundaries of their enterprises as both applications and users become equally mobile. "Mobility and cloud strategies are increasing productivity, driving down costs and enabling businesses to become increasing agile; spinning up on-demand resources or moving applications to cloud environments, as and when required, is fast becoming the norm. This increased mobility of both applications and users results in security controls and policies built around network-based attributes being not fit for purpose, as one cannot guarantee that the end-to-end network can be controlled.

"The only aspects of a security policy now fully in control of the CISO are their users and the applications they deploy. Therefore controls implemented will only be successful, if they are built around users and applications, by treating the network as, and just as, an untrusted transport layer."

Architectures need to quickly adapt to the new world of user and application mobility by ensuring that network segmentation and application isolation can be applied across all environments, irrespective of network level control, he says. "User access control policies must be applied and enforced in real-time, across all users and all applications, both inside and outside the traditional firewalled perimeter.

"The time for the industry to recognise that a fresh approach is needed is now. We must ask how many more high-profile breaches are required before clear and concise action is taken by the businesses most at risk."

SELF-PROTECTING APPS
Amit Sethi, senior principal consultant at Cigital, also stresses the need to build applications that protect themselves and limit the damage that can be caused by attackers. "Ultimately, most applications need to communicate with untrusted users and systems that can cause them to behave in unexpected ways," he points out. "Separating what's normal from what's malicious is difficult, even when we're dealing with the more obvious injection attacks. An input into the application may get transformed in many different ways before it becomes part of some code that gets executed.

"Attempting to analyse an application's inputs without knowing how the inputs will be transformed and used is very difficult. Then, we also have inputs that are potentially malicious only within the context of the application's business logic. Users may attempt to access data and functionality using requests that they are not authorised to execute, but that somebody else might be authorised to execute. Only the application can determine that the requests are unauthorised; something outside the application does not have the context to figure that out," Sethi continues.

If security software cannot protect us, then what can? he asks "The only way to prevent many security problems is to build applications that protect themselves. This is not something that can be left as an afterthought. Security is an emergent property of software and building secure software requires several security-related activities during the software development lifecycle.

Page   1  2  3