Application Vulnerabilities Aren't What You Think
Timely security patching isn’t enough to counter the application vulnerabilities that put companies at risk. In fact, when we hear the term “vulnerabilities” and immediately assume it refers only to security, we’re ignoring the iceberg hidden below the surface.
A few years ago, the court case U.S. v. Microsoft began and has recently come to a quiet end. The potentially major data privacy case hinged on a warrant for emails as part of a U.S. drug trafficking investigation and the reach of a decades-old Stored Communications Act. While Microsoft complied by handing over address book data stored on American servers, the location of the actual emails was in a data center in Dublin, Ireland, outside of the regulation borders.
When the Stored Communications Act was passed in 1986, no one had heard of cloud storage -- it didn’t exist. In the current landscape, the Clarifying Lawful Overseas Use of Data Act (or CLOUD Act) has modernized how the U.S. government handles data sovereignty by requiring U.S.-based companies to turn over stored electronic data, regardless of where the data is stored, if served with a warrant. However, the act also provides ways for companies like Microsoft to challenge orders under certain circumstances.
This piece of recent American history is a lesson in application vulnerabilities for all of us. For example, when a Canadian bank uses the Microsoft Office 365 suite, it must ensure that private customer data stays within the country’s borders, end-to-end, away from a government that can produce a warrant for the data in the name of national security.
Vulnerabilities Have to Start With the Basics
Security breaches are the flashy, headline-grabbing compromises that come and go daily. But to truly address the vulnerabilities of applications, IT must start with the basics of what could impact the confidentiality, integrity, and availability of resources.
Common vulnerability themes revolve around the following:
Unprepared when migrating to the cloud - In digital transformation, moving resources to the cloud is becoming a knee-jerk reaction. Yet organizations are doing so without insight into what it takes for an application to be migrated to a cloud provider.
Holistic impact of moving from on-prem to cloud - Moving from on-prem to the cloud isn’t only a matter of where data is hosted, but also of a slew of other factors. IT teams must ask:
What are the implications for performance?
How will it affect the licensing of software components -- can they even operate in the cloud?
Is my WAN interconnectivity also cloud-ready?
Security is vastly different in the cloud -- now employees will be able to access corporate applications outside of the business network, so how will that be handled?
How can we consistently measure availability and performance?
Staying in compliance with regulations - For organizations in regulated industries, application peering contracts could breach compliance. Data could flow from Canada to a node in Chicago, Illinois, and then back to Canada. If there is a requirement for data to stay in the country, end-to-end, this might go unnoticed until a problem occurs. By moving to the cloud, companies have less control of data routing and less overall visibility unless they use third-party monitoring solutions.
Downtime and latency - Cloud applications are only as strong as the weakest link in the chain. With downtime and latency more important than ever, many are moving in parallel to cloud-ready platforms such as software-defined wide area networking (SD-WAN) for its intelligent use of application-aware routing, path optimization, and Quality of Service (QoS) monitoring. When adopting cloud applications, companies must revisit the path between the business (user) and the application instance/data. The days of taking a service provider’s word, yet again, that the customer premises equipment caused the downtime are over. Applications remain vulnerable unless there is a robust WAN infrastructure (or SD-WAN), customer premises equipment to steer traffic and apply policies, solid cloud service level agreements (SLAs), and explicit guarantees and reports by service providers, along with monitoring solutions to validate service provider claims.
How to Fortify Applications for Better Business and End-User Experience
Without proactive steps, data sovereignty and performance are always at risk. Luckily, IT teams don’t have to accept that applications are susceptible to harm or attack. Instead, there are several ways to fill the vulnerability gaps:
Establish performance baselines so you know what is normal and can detect abnormalities.
Monitor the entire application path and collect detailed metrics about every hop along the network path to optimize performance and hold vendors accountable for SLAs. Constant monitoring detects inconsistencies such as latency spikes and records them as proof when claiming credit on application contracts.
Increase security with multi-factor authentication to ensure that the users accessing corporate applications are who they claim to be.
Use Visibility-as-a-Service (VaaS) to gather insights that allow businesses to get ahead of performance-disrupting issues and act proactively for better business outcomes.
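The baseline and per-hop monitoring steps above, together with the Canada-to-Chicago routing concern raised earlier, can be sketched as follows. This is an added example, not code from the original article or from any vendor; the hop names, RTT values, thresholds, and the assumption that the monitoring tool reports a country for each hop are all constructed for illustration.

```python
from statistics import median

# Constructed sample data (not real measurements): RTT history in ms per hop.
HISTORY = {
    "toronto-edge": [4.1, 4.3, 3.9, 4.0, 4.2, 4.4, 4.1],
    "montreal-dc": [9.8, 10.1, 9.9, 10.3, 10.0, 9.7, 10.2],
}
ALLOWED_COUNTRIES = {"CA"}   # assumed residency requirement: data stays in Canada
MAD_FLOOR_MS = 0.5           # keeps a very stable hop from alerting on jitter
K = 5.0                      # spike = more than K deviations above the median


def build_baseline(history):
    """Return {hop: (median_rtt, mad)} using median absolute deviation."""
    baseline = {}
    for hop, samples in history.items():
        med = median(samples)
        mad = median(abs(s - med) for s in samples)
        baseline[hop] = (med, max(mad, MAD_FLOOR_MS))
    return baseline


def check_path(path, baseline, allowed=ALLOWED_COUNTRIES, k=K):
    """path: list of (hop, country, rtt_ms). Returns [(hop, finding), ...]."""
    findings = []
    for hop, country, rtt in path:
        if country not in allowed:
            findings.append((hop, "residency"))      # traffic left the permitted region
        if hop not in baseline:
            findings.append((hop, "no_baseline"))    # route changed: hop never seen before
            continue
        med, mad = baseline[hop]
        if rtt > med + k * mad:
            findings.append((hop, "latency_spike"))  # keep as evidence for an SLA claim
    return findings


BASELINE = build_baseline(HISTORY)
# Constructed observations: one route detours through a US peering point and ends slow.
DETOUR = [("toronto-edge", "CA", 4.2), ("chicago-peer", "US", 18.3), ("montreal-dc", "CA", 31.5)]
NORMAL = [("toronto-edge", "CA", 4.2), ("montreal-dc", "CA", 10.4)]

if __name__ == "__main__":
    for hop, finding in check_path(DETOUR, BASELINE):
        print(f"{hop}: {finding}")
```

A hop with no baseline is reported rather than silently skipped, because an unfamiliar hop is often the first visible sign that the route itself has changed.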
Application vulnerabilities don’t have to be the downfall of your business. Instead, try complementary solutions for security and performance monitoring. As a vendor-agnostic solutions integrator, Edgeworx Solutions delivers the best mix of technologies to support the performance and security of today’s cloud applications. To learn more, visit our partner ecosystem page.