Building an Enterprise Application Security Program [New Series]By Adrian Lane
Over the last couple months I have had many similar conversations on enterprise application security: customers identify gaps in their security program, are unaware of the availability of certain types of solutions, or simply don’t believe that certain solutions deliver their advertised value. But I expect issues when speaking to a company who wants to implement advanced security on a Hadoop database, where technology simply may not exist to deliver the security and performance required. It is altogether different when talking about SAP or Oracle financials. These are mature platforms, often in place for more than a decade, so you would expect every aspect to be covered. Surprisingly that is often not the case.
There are many reasons for these security gaps. Companies often invest in generic assessment or configuration analysis tools, which don’t actually provide an in-depth view of application configuration settings or best practices. Perhaps they were told their SIEM would collect all application logs but they don’t contain the necessary information to evaluate user actions, or they are simply too verbose to collect. The application vendors all provide lists of security best practices, but don’t list anything they do not sell, nor advise customers to uninstall unneeded components to reduce attack surface. Security teams know little about how application platforms work so they cannot independently identify which deployment models would work, and IT staff is not likely to volunteer suggestions that will require them to do more work. Finally, the largest issue is that many approaches are simply unsuitable for large enterprise applications because they will break the application, limit usability, or degrade performance, none of which are acceptable. These issues contribute to security and compliance gaps at most firms.
Supply chain management, customer relationship management, enterprise resource management, business analytics, and financial transaction management, are all multi-billion dollar application platforms unto themselves. We are beyond explaining why enterprise applications need security to protect these investments – it is well established that insiders and persistent adversaries target these applications. Companies invest heavily in these applications, hardware to run them, and teams to keep them up and running. They perform extensive risk analysis on their business implications and the costs of downtime. And in many cases their security investments are a byproduct of these risk profiles. Application security trends in the 1-2% range of total application investment, but I cannot say large enterprises don’t take security seriously – they spend millions and hire dedicate staff to protect these platforms. That said, their investments are not always optimal – enterprises may bet on solutions with limited effectiveness, without a complete understanding of the available options. It is time for a fresh look.
To fill some of these gaps we are starting a new series on Building an Enterprise Application Security program. We spend a lot of time on advanced technologies on the Securosis blog: variants of monitoring, auditing, assessment, threat management, application security, and so on – but we have never pulled all these facets together for companies to assemble into an enterprise application security program. Or goal is to discuss specific security and compliance use cases for large enterprise applications, highlight gaps, and explain some application-specific tools to address these issues. This will not be an exhaustive examination of enterprise application security controls, nor an examination of generic security platforms – instead we will offer a focused summary of the most common deficiencies, with suggestions for what to do about them. The remainder of this series will cover the following:
Needs: Use Cases
- Compliance (SOX, PCI, etc.) and internal audit reporting
- Transaction verification
- Use of sensitive information
- Security (insider and external threats)
- Change management & policy enforcement
Gaps: What Works and What Doesn’t
- Why enterprise applications are different
- SAP: special issues with this poster child for enterprise applications
- Security and compliance gaps with IAM, encryption, and data encryption
- Inventory, discovery, and assessment
- Network monitoring deficiencies
- Conventional application and database layer protection
- Skills and priorities
- Assessment: discovery and configuration analysis
- Patching and configuration management (environment, application, database, & modules)
- Application and database monitoring
- Management frameworks and policy enforcement
- Logging, auditing, and compliance reports
- Additional recommendations
Our next post will discuss use cases and problems firms need to address, which we will use to frame our subsequent discussion of security gaps.