Secure Your Apps with Zero Trust in Mind

secure your apps image

Written by Dan Callahan

I am a Senior Technical Advisor to CGNET. Formerly, I managed our Cybersecurity and Cloud Services businesses, and provided consulting to many clients over the years. I wear a lot of hats. Professionally, I'm a builder of businesses. Outside of work, I'm a hobby farmer, chef, skier, dog walker, jokester, woodworker, structuralist, husband and father.

December 17, 2020

I have been writing about the Zero Trust security model and how to apply it in your organization. We tackled the first two steps here and here. Today we move forward: let’s secure your apps.

 

The Case for Securing Your Apps

 

In my last Zero Trust article I talked about devices and why they need to be secured. You must secure your apps for some of the same reasons.

  • Your organization’s apps, like your devices, are “in the wild” now. They are not sitting safely behind a VPN and firewall. They are in your users’ pockets.
  • Users have apps that you do not even know about. Or you do know about them but rooting them out has been… tough.
  • Your users have the “consumer” version of an app, not the “enterprise” version. Unfortunately, some app makers consider security to be a “premium” feature available only in their “enterprise” version. This means your users have the least secure version of an otherwise acceptable app.

I get it. You do not want to be the Grinch who takes a user’s favorite app away from them. Yes, you certainly have enough other responsibilities and do not need to add “app gatekeeper” to the list. Still, you can still a reasonable amount of security without getting uninvited to your organization’s next Zoom wellness break.

 

Start with APIs

 

If you’re using Microsoft 365 (remember when we encouraged you to upgrade to their E5 plan?) you can employ Microsoft’s Cloud App Security service. If your apps support connecting to Cloud App Security via an API (Application Programming Interface), take advantage of that. You will get more visibility into how the app is being used and what data is moving through it. Welcome to the Knowledge is Power club!

 

Develop a Picture of Your App Landscape

 

Between Cloud App Security and your network firewall, you can develop a picture of what apps are accessing organizational resources. Your first step in securing your apps is discovering which ones are in use.

The Cloud App Security service will show you a list of what apps it found, together with data on their use and a security score it calculated. You can use this information in a couple of ways to secure your apps.

  • If you see an app that seems sketchy but has little use, you can talk to the user and see if they are willing to swap that app out for something more secure. Maybe they tried the app once and abandoned using it for some reason.
  • You can see which apps rate poorly in security due to issues with the app itself. Maybe the app uses a software stack know to have security issues. Maybe the app does not regularly apply security updates. These apps can go on your “purge when possible” list.
  • Next, you can look at apps which receive low security scores due to lack of security information on the app provider’s website. These apps may be fine; it’s just that the app maker is not saying much about its compliance with security standards such as ISO 27001. You can decide that these are OK, or just put them on a watch list.

Once you have triaged your apps, you can apply security policies to limit the potential damage from risky apps. For instance, you could enact a policy that limits what file types an app can upload to your network.

 

Secure Your Apps by Applying Adaptive Access

 

Allowing an app on your network is not a richer-or-poorer/in-sickness-and-in health proposition. You can allow the app to run, but limit what the app can do depending on relevant risk factors. For instance, if the app is running on an unmanaged device, you could restrict what it can access or disable it from downloading any data.

 

I Am Watching You

 

When we were preparing a “care package” to send to my niece in Uganda, she told us to draw pairs of eyes on the package with notes saying that God would be watching the people handling the package. My niece explained that people there were quite religious and taking this step would reduce the chances of someone opening the package and stealing the contents.

The equivalent in the world of security is connecting your apps to a Security Incident and Event Management (SIEM) tool. The SIEM can look at the app activity log files and alert you if it sees strange behavior (why is this user connecting to the network at 2 AM?). You can even program the SIEM to take action for behaviors you’re confident are sketchy. Now you are preventing problems, not just reacting to them.

Take these steps to secure your apps. Give yourself a treat for improving your organization’s security posture.

Written by Dan Callahan

I am a Senior Technical Advisor to CGNET. Formerly, I managed our Cybersecurity and Cloud Services businesses, and provided consulting to many clients over the years. I wear a lot of hats. Professionally, I'm a builder of businesses. Outside of work, I'm a hobby farmer, chef, skier, dog walker, jokester, woodworker, structuralist, husband and father.

You May Also Like…

Demystifying the Dark Web

Demystifying the Dark Web

The Dark Web. A virtual space with an ominous-sounding label. In my mind, it has always been a cryptic, shadowy place...

You May Also Like…

Demystifying the Dark Web

Demystifying the Dark Web

The Dark Web. A virtual space with an ominous-sounding label. In my mind, it has always been a cryptic, shadowy place...

0 Comments

Trackbacks/Pingbacks

  1. Plan to Secure Your Data with Zero Trust - CGNET - […] of a Zero Trust security implementation. So far, I have covered how to secure your devices and applications in…
  2. Five Best Practices for Cloud Security - CGNET % % - […] colleague Dan Callahan has written a series of useful posts about securing your apps and data utilizing the zero-trust…
Translate »
Share This
Subscribe