Surefire security fail: One. App. At. A. Time.
Think of it this way: If you concentrate your efforts on securing individual apps, your network will be as vulnerable as the weakest app in use at your company — and you don’t even know about all the apps in use at your company. In the age of BYOD, with your users accessing the network from their own tablets and smartphones, you can’t possibly know, no matter what policies you have drawn up spelling out what apps can be used.
And if that weren’t enough to undermine any strategy that approaches security on an app-by-app basis, the internet of things makes such a strategy utterly ludicrous.
Two items this week forced this thought to the surface of my dilapidated and overcharged brain. The first was an article on the battle of secure messaging apps. It’s a compelling and fair look at this segment, but the very idea of making messaging apps secure misses the point.
Sure, every element of the network — messaging apps absolutely included — should be as secure as possible. The security of individual apps is important. Ignore that — especially when it comes to leaky mobile apps — and the best centralized security strategy won’t protect you. But companies need to vigilantly deploy both. Focusing on security at the app level ignores the tremendous level of data integration today. Whether this involves backups, virus checks, firewall protections or even network load balancing between servers, the data that you might think of as moving from one app to another actually touches dozens of other pieces of software in the process.
Putting all of your security attention on first one app and then another is exactly the strategy that cyberthieves want you to take — and they, by the way, often have much better insight into the nuanced and interconnected ways that networks handle data than many IT teams do.
IT is used to buying apps one at a time, so it’s natural to think about security in the same way. Surely one secure app plus another secure app equals two secure apps. Alas, that’s not even close to being true.
The second thing that got me thinking about all of this came courtesy of BlackBerry. Yes, BlackBerry is a very thin shadow of what it once was, but it retains a reputation for being savvy about security. So its announcement about a product that claims to protect app data by monitoring outgoing email and applying policies to data in Salesforce and Microsoft Office Online was disappointing. It’s app-centric, and it’s the wrong approach.
Here’s the biggest problem with overly focusing on apps: Companies don’t control their networks nearly as much they think they do. Strategies that worked 10 to 20 years ago operated on the premise that IT approved all devices and that all data was centrally backed up and managed. That hasn’t been the case in years. Your users routinely add mobile devices to the network, and those devices feature any app that the users choose to add.
The IoT complicates this further, with every IoT thermostat, printer, door lock and sprinkler system able to independently reach out to its mothership — or someone it has been tricked into thinking is its mothership. Think you don’t have to worry about that because you control every message that tries to leave your network Nice try, but you’re not nearly as successful at that as you think. Many IoT devices have their own tiny antennas and can send messages independent of your network. (So much for the BlackBerry approach of monitoring email programs.) And the chances that you even know about all of those tiny antennas is extremely small, since most of them were installed, not by IT, but by facilities or maintenance staff — who felt no need to notify you. As one CISO recently told me, “Why the heck would maintenance think that they need to check with IT before installing new light bulbs”
In short, today’s networks are far more complex and unwieldy than those from the ’90s and they need an approach to security that factors this in. Every bit of inbound and outbound traffic has to be controlled and monitored.
You need to directly manage a security policy for all apps, a policy that your team controls using tools that your team controls. You need a systematic way of securing applications rather than an ad hoc approach. There is an awful lot in IT today that can be outsourced. App security execution is not one of them.