Security Think Tank: Web-based app security needs data-centric, risk-based approach

What are the security pitfalls of web-based applications and how are they best avoided?

Web-based applications give IT a new way to support the business, especially in small to medium-sized enterprises (SMEs). For large organisations with IT and information security departments, adopting these applications is best handled as an outsourcing or major procurement programme. An SME, however, may have neither the experience nor the people to do this.

When deciding how to benefit from these applications, there are several issues that must be addressed:

  • Access to the applications for your organisation, its suppliers and its customers. If you can’t connect, how can you benefit?
  • Logical and physical access to the application and the information associated with it. Who sees what and when?
  • Ownership. Once you start using the applications, and storing your information on the provider’s infrastructure, who actually owns the information?
  • Secure exit, termination and the secure transfer of information. When the contract ends – for whatever reason – can you get your information back or can it be transferred to another provider?

From an ISF perspective, we advise that any organisation thinking about using these applications should adopt an information-centric, risk-based, approach – such as that described in the ISF Supply Chain Information Risk Assurance Process.

The key here is to understand what information is going to be used and stored in these web applications. Once your organisation knows what is being used and stored, the information security arrangements required to protect that information can be drawn up, as can the expected terms and conditions.

Recent research shows that the position on contracts is changing, as both buyers and providers have become more sophisticated and the services and applications on offer have become more differentiated. The key is to follow the information and the information risk, and to use them to set the information security arrangements to be agreed between the organisation and the supplier.

Adrian Davis is principal research analyst at the Information Security Forum (ISF)
