Application security redux: It’s All about the Apps (Part 8)

by [Published on 14 Sept. 2016 / Last Updated on 14 Sept. 2016]

In this, Part 8 and the last installment of our series, we will continue the application data protection story as we delve a little deeper into the challenges inherent in developing an effective data security strategy and particularly the problems of securing mobile device data and securing data that’s stored in the cloud.

If you would like to read the other parts in this article series please go to:

Introduction

In this article series, we started in Part 1 with a broad overview of application security. In Part 2, we began with a look at how to protect applications from tampering or access and also take a closer look at the special case of mobile applications. In Part 3, we discussed how you can block undesirable applications and restrict what users are able to do with the apps that you do allow them to use. In Part 4, we started to explore Microsoft’s AppLocker, and in Part 5, we delved into the use of PowerShell to configure and manage AppLocker. In Part 6, we discussed the new ability to control apps in Windows 10 mobile devices. Last time, in Part 7, we started to address encryption and protection of the data that is created, gathered or stored by applications.

Mobile data is different

Once upon a time, securing the data created by our business applications was relatively easy. That data was usually kept on a file server or Network Attached Storage device in the company’s locked and manned server room or data center (depending on the size of the organization). It was accessed by employees who were sitting at desks on the company premises. The IT department had control over both physical and logical access to the data.

Then the world went mobile. Laptop systems became popular, allowing workers to pack up their computers at the end of the day and take them home, or take them along when they travel on business (or even on vacation) in order to catch up on work during “off” time or be ready to instantly respond to “pop up” job requests, answer email and stay in touch with the office no matter where they are. This is more convenient for the employees as well as more productive for the company; it seems like a win/win situation.

The only problem is that data security got a little more complicated. Now employees were creating data on machines that were outside of the company’s premises, and accessing company data from many different locations over different home and public networks that might or might have security measures in place. In order for those workers to download data files from the company network to their remote computers or to upload work documents they created remotely to the company’s file storage locations, the data has to travel across the very public and very insecure Internet.

And that’s not all. The Bring Your Own Device (BYOD) trend – which many employees love because it allows them to use the brands/models of hardware that they prefer and companies like because those devices are paid for by the employees rather than out of the corporate budget – took away the ironclad control that IT had over company-owned computers, even when employees allowed them to be taken off premises. Employees (rightly) feel that since they shell out the money for the computer, they should be able to use it for personal purposes as well as for work. Unfortunately, some of those personal uses can pose a security risk and that includes the threat that the work-related data may be exposed.

Laptop computers, of course, were only the beginning of the mobility movement. Now we have data moving across a multiplicity of devices, including tablets, smart phones and even wearable devices as users set up their smart watches and other “smart” gadgets to notify them of company phone calls, email messages, text messages and so forth. These very special purpose computing devices are part of the growing Internet of Things (IoT), that is expected to explode in the next few years, with Gartner predicting 6.4 billion connected “things” this year (2016) and more than 20 billion by 2020.

This impending mobile madness means much more data flowing from devices to servers, servers to devices, sensors to devices and devices to devices. A good deal of that data will be business-generated information and a significant portion of that will be information that needs to be kept confidential or have restricted access. Mobile devices generally connect over wireless networks rather than wired Ethernet, which presents additional security vulnerability and exposure. And if that weren’t enough, then there’s the cloud.

Where, oh where has my data gone?

When data is stored on company servers, we still have tight control of it while it’s at rest, since it’s traversed the dangerous route from the remote device through the “bad neighborhoods” of the Internet. More and more companies, however, are moving their data (as well as their applications) to cloud services providers, in which case you may not know exactly what security measures are being implemented to protect that data and you most likely will have no idea what the physical location of the data is.

From a security point of view, it makes sense for the cloud provider to keep that information under wraps, but it also makes us feel as if we’re no longer in control – and that feeling is legitimate because we’re not. Making the move to the cloud requires placing our data in the hands of the cloud services provider, which means it involves trusting that the CSP will protect it. The good news is that the large CSPs have more means to keep our data safe, in most cases, than we do. They have the resources to implement high level, high tech physical security as well as the best encryption, monitoring and incident response strategies.

On the other hand, large and well-known CSPs may be the favorite targets of hackers and attackers for the same reason often credited to Willie Sutton as to why he robbed banks: that’s where the money (or in this class, the most valuable digital information) is. As with most decisions, in business and in life, the decision to put your data in the cloud has tradeoffs. Your data protection plan has to take that into account.

Protecting mobile and cloudified data

In many ways, protecting data that has “gone mobile” or is stored in the cloud is the same as protecting data in an on-premises data center. Authentication, authorization, access controls and encryption are the four pillars on which all data security relies. We discussed these in Part 7 but here’s a quick recap:

  • Authentication. The first step in protecting data is to verify the identity of the person who is attempting to access it. Authentication is the means by which the person (or computer) proves his/her/its identity. With sensitive mobile data, traditional username and password authentication isn’t enough. Multi-factor authentication provides stronger protection and today’s mobile devices support many forms of authentication, including fingerprint scanners, facial recognition software such as Windows Hello, pattern recognition and more.
  • Authorization and access controls. Once identity has been established, the system must be able to determine which data files that user is allowed to open and what level of access he/she can have (read only, modify, delete, etc.). This is done by setting permissions, privileges and user rights. Windows supports different types of permissions, such as file level and share level permissions.
  • Encryption. Encrypting the data adds another level of protection and is the best way to protect data. Mobile data needs to be protected while at rest on the device and while in transit across the Internet, using methods we discussed in Part 7.

Some other security mechanisms that are especially appropriate for mobile and/or cloud-based data include:

  • Containerized applications. Containerization is a big trend these days and goes hand-in-hand with cloud computing, as well as offering benefits for remote mobile users. I’ve written in detail about containers in other articles on this and the WindowsNetworking.com sites. Containerized applications can create a private corporate workspace on a user’s personally owned device so they get access to the corporate data and apps with enterprise-grade security.
  • Virtual private networks. VPN protocols such as SSL or IPsec encrypt the transmission of data between the remote user and the corporate network, and most companies support VPN connections. However, not all VPN protocols are created equal and it’s important to regularly evaluate and update your VPN practices when necessary.
  • Mobile Device Management (MDM) and Mobile Application Management (MAM). An MDM system allows you to create and apply policy-based security to all of the mobile devices that access your company network, manage certificates and keys, monitoring device health and security status, track usage and access, control access to data, and even lock or wipe a device if it’s lost or stolen. MDM can be used with BYOD devices as well as corporate-owned ones. MAM helps you keep mobile apps updated and configured correctly for best security, which makes the data they generate and store more secure.
  • User education. Remote mobile users sometimes don’t get the same level of security awareness training as on-premises employees, and yet they are often the ones who need it most due to the more vulnerable nature of their devices and usage. Ensure that mobile users are aware of your best security practices and understood how to apply them.
  • Educate yourself. When selecting a cloud services provider, be sure to read the user agreement regarding the storage of your data and ask questions of you have concerns or don’t understand something. Ensure that your CSP encrypts stored data.
  • Data classification. We discussed in a previous article the importance of classifying data as to its security level. Such classification allows you to evaluate whether some of your data may not be appropriate for cloud storage because of its sensitivity or because of regulatory requirements.
  • Back it up. And then back it up again. A redundant backup plan can save you a lot of grief, so whether data is stored on a mobile device, on a company server or in the cloud, always have multiple backups and make sure they can actually be used to restore your data if needed by doing a test restore on a regular basis.

Final thoughts

Application security is a many-faceted topic and even in this eight-part series of articles, we have only touched the surface of the many aspects involved in protecting the apps, protecting the rest of the system from threats related to those apps, and protecting the data that is generated by the apps. To complicate matters further, the application security landscape is always changing as attackers find new ways to exploit the applications in order to infiltrate our networks, bring down our systems, or steal or expose our data. I hope this article series has at least given you some starting points for assessing and shoring up your application security strategy in a mobile and cloud-centric world.

If you would like to read the other parts in this article series please go to:

See Also


The Author — Deb Shinder

Deb Shinder avatar

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.