By Barry Semple, Director of Technology
Many layers of security are needed to build a solid IT foundation for your organization. In our last blog post, we discussed the Perimeter Layer — kind of like the moat of your IT castle. Today we will be looking at the application layer.
The Application Layer includes all software that runs your IT environment, as well as how your users interact with those applications. An earlier post on the Endpoint Layer (an endpoint is any device within your network, connected by cable or wirelessly) suggested collecting an inventory of this software. There are many areas to look at with respect to application security, and all of them can be discussed in terms of “what” and “how”. If you can accurately state what applications are in your environment and how they are being used, you will be able to efficiently meet compliance requirements such as HIPAA, PCI DSS or SOC 2, and reduce the attack surface that cybercriminals target.
In the Endpoint Layer post, we inventoried the firmware, operating systems and applications across the environment and ensured they were up to date, to protect against the vulnerabilities cybercriminals exploit. Hence we have already answered the “what”, and now need to answer the “how”.
How each application is accessed is critical to understanding how secure it is. With our list of software applications in hand, we can now add, for each application, the list of people who have access and the level of access they have. This applies even to applications used by everyday team members, such as the Microsoft Office Suite, where the access list also confirms that software licensing is accurate and compliant. Keeping track of the licences purchased and issued reduces the risk of breaching licensing agreements, which can have negative financial implications.
For applications with a security context, such as those used to configure network firewalls, it is even more critical to know who has access and, more importantly, why, because those applications are what keeps the environment protected. Access to any environment should always follow the Principle of Least Privilege (POLP): any person, program or process should be given only the minimum access to information or systems needed to complete the required task.
By following a process to document the applications your organization uses and how access to them is provisioned, and by adhering to POLP, you will be a) completing the hardest portion of most compliance standards and b) ensuring your environment is properly secured. With access to critical and sensitive information and systems reduced to the minimum, the attack surface available to cybercriminals is also reduced.
Getting the Application Layer to the point of knowing “what” and “how” is only part of the challenge, however, as the resulting information is only accurate as of the moment you gathered it. The finishing touch to achieving Application Layer security is documenting and implementing internal processes to ensure:
- that access to existing applications always holds to the Principle of Least Privilege,
- that new applications are introduced in a controlled manner, and
- that documentation covering the entire Application Layer is kept accurate and reviewed regularly, to provide both compliance and security.
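The review described above (who has access to each application, at what level and why, whether licence counts still hold) and the recurring process just listed (catching applications that appear outside the change process and access granted since the last review) can be run from the same inventory. The script below is an added example, not code from the original post or from any product it mentions. It assumes a simple inventory record per application (owner, licences purchased, a security-relevant flag, and an access list with level and justification); the two quarterly snapshots, the active-user set and the approved-application list at the bottom are constructed for illustration.

```python
"""Access review and drift detection over an application inventory.

Added example (not from the original post). The inventory shape, the
finding codes and all sample data below are assumptions for illustration.
"""
from dataclasses import dataclass, field

ADMIN = "admin"


@dataclass(frozen=True)
class Access:
    user: str
    level: str               # "user" or "admin"
    justification: str = ""  # why this account needs this level of access


@dataclass
class Application:
    name: str
    owner: str               # person accountable for the access list
    licenses_purchased: int
    security_relevant: bool  # configures security controls, e.g. firewalls
    access: list[Access] = field(default_factory=list)


def review(apps, active_users):
    """Point-in-time checks: licensing and least privilege for one snapshot.

    Returns (application, finding code, detail) tuples. active_users is the
    set of accounts still in the directory; anything else is a leaver.
    """
    findings = []
    for app in apps:
        issued = len(app.access)
        if issued > app.licenses_purchased:
            findings.append((app.name, "license-overage",
                             f"{issued} accounts issued, {app.licenses_purchased} licences purchased"))
        for a in app.access:
            if a.user not in active_users:
                findings.append((app.name, "stale-access",
                                 f"{a.user} is no longer an active user"))
            # Admin access anywhere, and any access to a security-relevant
            # application, must carry a recorded reason: the "why" of POLP.
            needs_reason = a.level == ADMIN or app.security_relevant
            if needs_reason and not a.justification.strip():
                findings.append((app.name, "unjustified-access",
                                 f"{a.user} holds {a.level} access with no recorded justification"))
    return findings


def drift(previous, current, approved_apps):
    """Compare two snapshots taken at different times.

    Flags applications that appeared without going through the approval
    list, and access grants added since the previous review.
    """
    prev_by_name = {app.name: app for app in previous}
    findings = []
    for app in current:
        if app.name not in prev_by_name:
            if app.name not in approved_apps:
                findings.append((app.name, "unapproved-application",
                                 "appeared since last snapshot without approval"))
            continue
        before = {(a.user, a.level) for a in prev_by_name[app.name].access}
        for a in app.access:
            if (a.user, a.level) not in before:
                findings.append((app.name, "new-grant",
                                 f"{a.user} gained {a.level} access since last review"))
    return findings


# Constructed sample data: two snapshots of the same environment, a quarter apart.
ACTIVE_USERS = {"alice", "bob", "carol"}           # dave has left the organization
APPROVED_APPS = {"Office Suite", "Firewall Manager"}

Q1 = [
    Application("Office Suite", "bob", 3, False,
                [Access("alice", "user"), Access("bob", "user"), Access("carol", "user")]),
    Application("Firewall Manager", "alice", 2, True,
                [Access("alice", ADMIN, "network engineer, owns firewall change process")]),
]

Q2 = [
    Application("Office Suite", "bob", 3, False,
                [Access("alice", "user"), Access("bob", "user"), Access("carol", "user"),
                 Access("dave", "user")]),          # leaver still has access; licences exceeded
    Application("Firewall Manager", "alice", 2, True,
                [Access("alice", ADMIN, "network engineer, owns firewall change process"),
                 Access("bob", ADMIN)]),            # admin granted with no recorded reason
    Application("Screen Recorder", "carol", 1, False,
                [Access("carol", "user")]),         # installed outside the approval process
]


def run_review(previous=Q1, current=Q2):
    """Full periodic review: point-in-time checks plus drift since last time."""
    return review(current, ACTIVE_USERS) + drift(previous, current, APPROVED_APPS)


if __name__ == "__main__":
    for app, code, detail in run_review():
        print(f"{code:24} {app}: {detail}")
```

Each finding goes back to the application's owner to either remove the access, record the justification, buy the missing licences, or put the new application through the approval process; the snapshot that closes the review becomes the "previous" input for the next one.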