Security Think Tank: Web security down to good risk management

What are the main web security challenges for organisations and how are they best addressed?

Organisations today focus on being fast, flexible and fit for business in the digitally enabled world. They have to meet the needs of customers, whose expectations grow higher as technology advances, as well as find optimum ways to work with multiple partners and suppliers.

But while the internet, mobile and cloud technologies have transformed the way in which most of us are able to operate, they have also increased the attack surface of previously restricted internal networks; in other words, they have opened up corporate systems to outside threats.

The porous perimeter

To be competitive, businesses need their applications to talk to the world outside the enterprise perimeter, so battening down the hatches completely is no longer an option. As a result, they are redefining the balance between acceptable enterprise risk and adoption of technologies that facilitate business operations.

Operating in this connected environment requires organisations to understand how much of their critical application infrastructure is externally exposed or directly accessible. From there, the right security architecture can be defined and baked into networks, applications and business culture so that external users can communicate with the internal applications as required without compromising enterprise security.

Firewalls should be configured to filter inputs so that required traffic is differentiated from unwanted or suspicious traffic, while advanced and specific rules for firewalls keep out unwanted visitors. Simple steps such as allowing access only to specific ports from external sources can help to reduce inappropriate network traffic.

Setting up a DMZ (demilitarised zone) is almost a prerequisite for contemporary business operations: a firewall is placed between the externally facing server and the outside network, and another firewall between that server and the internal network. This allows the organisation’s critical, internal-only facing apps to be protected, while external communications with the relevant apps are enabled.
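As an added illustration (not part of the article), the two-firewall DMZ layout described above expressed as nftables rulesets. The interface names, addresses and the database port are assumed placeholders; the point is the default-deny policy on both firewalls with only the required ports opened.

```nft
# Added example, not from the article. Assumed placeholders: 203.0.113.10 is the
# public web server in the DMZ, 10.0.0.20 is an internal database it needs on
# TCP 5432; wan0/dmz0/lan0 are the firewall interfaces.

# --- Outer firewall: internet <-> DMZ -------------------------------------
table inet outer_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        ct state established,related accept   # replies to flows already allowed
        ct state invalid drop

        # From the internet, only HTTPS to the DMZ web server is permitted
        iifname "wan0" oifname "dmz0" ip daddr 203.0.113.10 tcp dport 443 accept

        # The DMZ host answers those connections but initiates nothing else
        # outbound; any update traffic it needs gets its own explicit rule.
    }
}

# --- Inner firewall: DMZ <-> internal network -----------------------------
table inet inner_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        ct state established,related accept
        ct state invalid drop

        # The web server may reach only the database, only on its service port
        iifname "dmz0" oifname "lan0" ip saddr 203.0.113.10 ip daddr 10.0.0.20 tcp dport 5432 accept

        # Administrative access to the DMZ host originates from the inside only
        iifname "lan0" oifname "dmz0" ip daddr 203.0.113.10 tcp dport 22 accept

        # Everything else between DMZ and internal network hits the drop policy,
        # so a compromised DMZ host cannot browse the internal network.
    }
}
```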

Encrypting data, both when it is in transit and being stored, is key, and its importance will grow with the adoption of GDPR in 2018. Similarly, encrypting the hard drives of corporate laptops minimises breaches if they are lost or stolen.

However, it is not just the external threat landscape that is changing. Having robust internal controls, including access management strategies, can also minimise threats. Many security failures are down to providing users with more system access than is needed to undertake the task they are required to do.

Outlining the inputs that an application needs to work and then engaging in role management and access control to ensure that no more than that is available prevents this – and is particularly important where external attacks attempt to take control of an existing user in the target application. If that user’s access is limited, then the potential exposure is also capped.

Cloud checks

Cloud computing has also changed the face of business, opening up access to many applications for enterprises of all sizes. But in doing so, another incremental layer of risk is added. An externally hosted cloud server opens up the corporate network to external connections; it also means organisations have to entrust their data to outsourced providers, as well as share a platform with other third parties when using public cloud offerings, some of whom may be competitors.

Companies providing cloud-based technologies understand that security is a major concern and that to operate successfully they need to be watertight. However, it is critical that any organisation considering adopting cloud services adds this business process to its risk management checklist, undertaking due diligence to ensure the contract offers the required level of protection, and then following the procedures outlined above (correct port and network configuration, firewalls, encryption, etc) to minimise risk in practice.

Prepare for a breach

The data honeypot has grown. Not only is more and more available, but the nature of today’s connected businesses means it is more accessible.

Organisations need to take all reasonable measures to protect data, including two-factor authentication for anyone accessing the network, regular system patching, spam filters, enforcing password requirements and end-user training.

But an enterprise also needs to assume it will be breached at some point in time. Adopting this mindset ensures that appropriate measures to mitigate an attack are routine business processes. Backups should take place on a regular basis while security analytics will identify when a breach has taken place and how critical it is so that the appropriate, pre-defined solution strategy can be rolled out.

Good enterprise risk management

There is no silver bullet for tackling web security challenges. It requires a combination of tools and activities such as network hardening, encryption, advanced and specific firewall rules, filtering network traffic and user training.

In summary, it comes down to good enterprise risk management – something that should already be an integral part of day-to-day business operations.