The Case for Securing Your Apps
In my last Zero Trust article I talked about devices and why they need to be secured. You must secure your apps for some of the same reasons.
- Your organization’s apps, like your devices, are “in the wild” now. They are not sitting safely behind a VPN and firewall. They are in your users’ pockets.
- Users have apps that you do not even know about. Or you do know about them but rooting them out has been… tough.
- Your users have the “consumer” version of an app, not the “enterprise” version. Unfortunately, some app makers consider security to be a “premium” feature available only in their “enterprise” version. This means your users have the least secure version of an otherwise acceptable app.
I get it. You do not want to be the Grinch who takes a user’s favorite app away from them. Yes, you certainly have enough other responsibilities and do not need to add “app gatekeeper” to the list. Still, you can achieve a reasonable amount of security without getting uninvited to your organization’s next Zoom wellness break.
Start with APIs
If you’re using Microsoft 365 (remember when we encouraged you to upgrade to their E5 plan?) you can employ Microsoft’s Cloud App Security service. If your apps support connecting to Cloud App Security via an API (Application Programming Interface), take advantage of that. You will get more visibility into how the app is being used and what data is moving through it. Welcome to the Knowledge is Power club!
Develop a Picture of Your App Landscape
Between Cloud App Security and your network firewall, you can develop a picture of what apps are accessing organizational resources. Your first step in securing your apps is discovering which ones are in use.
The Cloud App Security service will show you a list of what apps it found, together with data on their use and a security score it calculated. You can use this information in a couple of ways to secure your apps.
- If you see an app that seems sketchy but has little use, you can talk to the user and see if they are willing to swap that app out for something more secure. Maybe they tried the app once and abandoned using it for some reason.
- You can see which apps rate poorly in security due to issues with the app itself. Maybe the app uses a software stack known to have security issues. Maybe the app does not regularly apply security updates. These apps can go on your “purge when possible” list.
- Next, you can look at apps which receive low security scores due to lack of security information on the app provider’s website. These apps may be fine; it’s just that the app maker is not saying much about its compliance with security standards such as ISO 27001. You can decide that these are OK, or just put them on a watch list.
Once you have triaged your apps, you can apply security policies to limit the potential damage from risky apps. For instance, you could enact a policy that limits what file types an app can upload to your network.
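The triage described above can be scripted once you have the discovered-apps list in hand. The following is an added example, not code from Microsoft or from this article: the CSV column names, the 0-10 score scale, the `weak_factor` values and both cut-offs are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of a discovered-apps export. The column names, the 0-10
# score scale and the weak_factor values are assumptions for this example,
# not the Cloud App Security export schema.
SAMPLE_EXPORT = """app,users,score,weak_factor
FileDropper,1,3,app
OldChat,48,4,app
NotesNinja,12,5,vendor_disclosure
TeamBoard,230,9,
MysteryPDF,2,,
"""

LOW_SCORE = 6    # assumed cut-off: scores below this count as low
LITTLE_USE = 3   # assumed cut-off: this many users or fewer is "little use"


def triage(export_text):
    """Sort discovered apps into the follow-up lists the article describes."""
    buckets = {"talk_to_user": [], "purge_when_possible": [],
               "watch_list": [], "no_action": [], "needs_review": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["app"].strip()
        users = int(row["users"] or 0)
        if not row["score"].strip():
            # No score at all: do not guess, hand it to a person.
            buckets["needs_review"].append(name)
            continue
        score = float(row["score"])
        factor = row["weak_factor"].strip()
        if score >= LOW_SCORE:
            buckets["no_action"].append(name)
        elif users <= LITTLE_USE:
            # Low score, barely used: cheapest fix is a conversation.
            buckets["talk_to_user"].append(name)
        elif factor == "app":
            # Low score caused by the app itself (stack, patching).
            buckets["purge_when_possible"].append(name)
        elif factor == "vendor_disclosure":
            # Low score caused by missing vendor security information.
            buckets["watch_list"].append(name)
        else:
            buckets["needs_review"].append(name)
    return buckets


if __name__ == "__main__":
    for bucket, apps in triage(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(apps) or '-'}")
```

Apps with a missing score or an unrecognized reason land in `needs_review` rather than being silently treated as safe.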
Secure Your Apps by Applying Adaptive Access
Allowing an app on your network is not a richer-or-poorer/in-sickness-and-in-health proposition. You can allow the app to run, but limit what the app can do depending on relevant risk factors. For instance, if the app is running on an unmanaged device, you could restrict what it can access or block it from downloading any data.
I Am Watching You
When we were preparing a “care package” to send to my niece in Uganda, she told us to draw pairs of eyes on the package with notes saying that God would be watching the people handling the package. My niece explained that people there were quite religious and taking this step would reduce the chances of someone opening the package and stealing the contents.
The equivalent in the world of security is connecting your apps to a Security Incident and Event Management (SIEM) tool. The SIEM can look at the app activity log files and alert you if it sees strange behavior (why is this user connecting to the network at 2 AM?). You can even program the SIEM to take action for behaviors you’re confident are sketchy. Now you are preventing problems, not just reacting to them.
Take these steps to secure your apps. Give yourself a treat for improving your organization’s security posture.