Cloud, virtualisation and containerisation are becoming mainstream in the era of digital transformation
New and hungry startups are entering established industries such as finance and healthcare. They use these new technologies to gain competitive advantage with speed to market, flexibility and resilience, allowing them to create markets for services where none existed before. As a result, larger, more established companies are turning to the same technologies to bolster their leadership positions. This is an exciting time in B2B technology, but while all these technological advances are no doubt bringing advantages to businesses, it’s important to keep an eye on their security, just as much as their user experience.
Business-critical applications are the engine that keeps firms running. While the adoption of cloud and SaaS means a shift in thinking is needed, as these key applications are delivered or accessed from elsewhere, advantages such as reduced development costs and improved scalability must not distract from the need to keep security front and centre.
Why are these apps critical to business?
Organisations accumulate a significant amount of information and a large number of applications across the business. Depending on the line of work and industry, they are likely to have their own specific list of applications that are critical to business operations, not to mention the related data. These can include financial transaction applications and the sensitive customer data they process; enterprise resource planning (ERP) applications that manage crucial inventory for retailers or hospitals; or critical electronic health record (EHR) applications storing vital electronic personal health information (ePHI) for health care providers, hospitals and insurers. If the data these applications hold is compromised or lost, or if the services themselves are disrupted, the business can be brought to a standstill.
So how do organisations secure all this sensitive information and the applications that store and manage it? Unfortunately, many business and IT stakeholders are finding themselves in a risky position. While they are doing a great job curating the right applications for their needs, they are missing the boat on protecting these costly investments that run their enterprises – and drive customer relationships.
According to a recent CyberArk Business Critical Application survey of 1,450 business and IT decision makers conducted across eight EMEA countries, 61% indicated that even the slightest downtime affecting their business-critical applications would be massively disruptive and severely impact the business. Yet, 70% of these enterprises do not prioritise the security of business-critical applications. So what can you do to help bridge this gap? Here are a few pieces of advice that can help you move in the right direction.
Identify what apps are truly business critical
As a security leader, it goes without saying that you need to be one with the business. Get to know your line of business leaders and the leaders of key functions such as finance, human resources and marketing. Once you have a handle on important business initiatives, you will be in a better place to identify the business apps that are truly critical. These could be SaaS applications or even custom applications built using DevOps tools and methodologies.
Get comfortable with the cloud (and securing it)
Understand what your cloud strategy, migration plan and timelines are for on-premises applications that are moving to the cloud or new cloud-native applications. Partner with cross-functional stakeholders to ensure privileged access security is a front-and-centre consideration when you’re looking to migrate applications to the cloud or to adopt new cloud applications.
Secure the access to the admins who manage your business-critical applications
Once business-critical applications are identified, vault and rotate all admin credentials associated with these apps, including the underlying infrastructure. On top of this, isolate sessions to prevent credential theft and provide a full audit trail of all privileged activity involving business-critical applications. Bear in mind that in many cases, the admins for these apps will sit outside IT as part of a line of business or within a functional organisation such as Finance, HR or Marketing.
Don’t forget the machines
Secure the human and application-to-application privileged credentials and service accounts used by your business-critical on-premises applications and SaaS applications, as well as by your cloud-native applications built using DevOps tools and methodologies. Hard-coded credentials represent a significant security risk to your business-critical applications and should be eliminated.
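As an added example (not code from the CyberArk post), the script below shows the two sides of the hard-coded credential problem described above: a small heuristic scanner that flags likely secret literals in source and configuration lines, which a team can run over a code base or CI pipeline, and the hardened pattern of reading the credential at runtime from an environment populated by a vault or secrets manager and failing closed when it is missing. The regular expressions, the sample lines and the variable name DB_PASSWORD are constructed for illustration and are assumptions of this example.

```python
"""Added example: flag probable hard-coded credentials and show the
runtime-lookup alternative. Sample lines and patterns are constructed."""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Heuristic patterns for a secret literal assigned in code or config.
# Constructed for this example; tune the keyword list to your code base.
CREDENTIAL_PATTERNS = [
    # key = "value", key: value, "key": "value"
    re.compile(r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)"""
               r"""["']?\s*[:=]\s*["']?([^\s"',;]{4,})"""),
    # scheme://user:password@host  (credentials embedded in a URL)
    re.compile(r"""(?i)\b[a-z]+://[^\s:/@]+:([^\s@]+)@"""),
]

# Values that are placeholders or runtime lookups rather than real secrets.
SAFE_VALUE = re.compile(
    r"""(?i)^(\$\{?\w+\}?|os\.environ|<.*>|changeme|xxx+|none|null)"""
)


def find_hardcoded_credentials(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that looks like it embeds
    a credential literal. Comments and blank lines are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(stripped)
            # The last group of each pattern is the candidate secret value.
            if match and not SAFE_VALUE.match(match.group(match.lastindex)):
                findings.append((number, stripped))
                break
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: fetch the credential at runtime from the process
    environment (populated by a vault or secrets manager before start-up)
    and refuse to run without it. `env` is injectable for testing."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"secret {name} not provided; refusing to start")
    return value


# Constructed sample input: a mix of config and source lines.
SAMPLE_LINES = [
    'db_host = "db.internal.example"',              # no secret
    'db_password = "S3cr3t-Pa55"',                  # hard-coded: flagged
    'api_key: example-key-not-real-12345',          # hard-coded: flagged
    'DATABASE_URL=postgres://app:hunter2@db/prod',  # creds in URL: flagged
    'password = os.environ["DB_PASSWORD"]',         # runtime lookup: ok
    'token: ${CI_TOKEN}',                           # env placeholder: ok
    '# password = "old-value"',                     # comment: skipped
]


if __name__ == "__main__":
    for number, line in find_hardcoded_credentials(SAMPLE_LINES):
        print(f"line {number}: possible hard-coded credential -> {line}")
    # Demonstrate the fail-closed lookup with an injected environment.
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "from-vault"}))
```

Run over the constructed sample, the scanner reports lines 2, 3 and 4 and passes the environment-based lookups. The heuristics are deliberately simple; in practice they belong in a pre-commit hook or CI job alongside a proper secret scanner, and the `load_secret` pattern is what the flagged lines should be rewritten to use.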
Limit the risk to your business-critical applications from unmanaged end user workstations
Prevent attacks against your business-critical apps that start on Windows and Mac workstations by removing local admin rights, which prevents users from downloading and installing malware. Also invest in anti-phishing protection and in security education and awareness so that end users can recognise phishing attacks.
Taking a holistic approach to protecting the applications your business runs on should ultimately be the priority, no matter where the apps run. Whether on-premises or in the cloud, it’s crucial to prioritise and protect your most valuable applications and data.
About the Author
Rich Turner is VP of EMEA at CyberArk. CyberArk stops attacks before they stop you. We are the only security software company focused on eliminating cyber threats using insider privileges to attack the heart of the enterprise.