SearchEnterpriseWAN.com spent some time with Kevin Beaver discussing WAN application security and the impact that cloud services and mobile devices have had on the enterprise network. Beaver is an independent information security consultant, expert witness, professional speaker and author with more than 21 years of experience in IT, the last 15 of which he has dedicated to information security. As founder and principal information security consultant at Principle Logic LLC, he advises customers on information security and compliance to protect their networks, computers and information assets from rogue employees and criminal hackers.
In this second part of a two-part series, the focus shifts to two of the latest technology trends and their impact on WAN security. In the first part, WAN security and application threats, we discussed the common threats to the enterprise WAN and the common mistakes WAN engineers make when protecting their networks.
With the push towards public and private cloud services, what advice can you give to WAN managers to help maintain application security?
Kevin Beaver: The reality of cloud security is that the problems, challenges and solutions are no different from those of in-house applications or systems. The difference is that you are pushing it out to an environment that you have much less control over. An organization has to be prepared to hold cloud vendors accountable. Corporate lawyers can write up contracts that define service-level agreements, privacy, etc., but at the end of the day, these applications are insecure. They have the same vulnerabilities; they have the same problems as any other application. Ultimately, it does not matter that they are in the cloud.
The first step is to really question your vendors. Find out what they are doing to secure their applications. A SAS 70 Type II audit report is only scratching the surface of the overall security of any given application. Are they doing penetration testing? Are they doing ongoing scanning? Have they gotten an independent look at their environment? It’s one thing for their own staff to do scans and penetration tests, but quite another to bring someone in from the outside with a new perspective and a fresh look at the application. The organization needs to know what the cloud vendor is doing to secure the environment beyond the checklist audit.
From there, IT has to be prepared to have a fallback plan if something does go wrong. Vendor contracts and service-level agreements go only so far. An organization can try to defer the risk by outsourcing to the cloud; but, ultimately, the only company name that people will hear in the event of a breach is yours. “You’re still responsible” should be the mantra for anyone dealing with cloud vendors and security.
With smartphones gaining so much traction in the enterprise, are there particular recommendations for securing mobile devices connecting to the enterprise WAN?
Beaver: Probably the biggest problem that businesses face today is mobile device management and trying to get their arms around all of that. At first, it was about mobile security in general. IT staff would take a one-off approach, saying: “I have some sensitive data on this mobile device, so password protect it, encrypt it and keep it secure.” But now it is extending to mobile applications going across the WAN and the Internet, and this is opening up a new can of worms that I don’t think people have thought about. Even some of the security vendors are just starting to understand that they need to think about application security beyond the desktop or server and include enterprise mobile devices. I think it’s not much different from some of the principles that I recommend for general information security: Know what you have, know what’s at risk, and do something about it.
The reality is that most businesses have no clue what they have because they have all of these mobile devices, running all sorts of applications, some of which are accessing their enterprise data, while others are storing sensitive data in other cloud applications. It’s almost a big mesh of applications and data going everywhere, and nobody knows where anything is. That is a big, big problem. Any given organization doesn’t have a clue exactly what all of its mobile devices are, where they are, what’s stored on them, or what the vulnerabilities are, because it’s too much. With the influx of devices and platforms, it’s a next-to-impossible situation for IT to keep up with, and it has spun out of control. Network engineers are also in a catch-22: They can attempt to lock down the number of mobile devices they will support, but they are not allowed to tell the CEO of the company that he can’t use his new iPad on the corporate network. Ultimately, engineers will have to step back, look at the bigger picture, see that these things are coming and put some enterprise tools in place to secure and manage them. Solutions from companies like MobileIron, McAfee’s Trust Digital, and Zenprise are just a few of the options available to get a handle on mobile device security.
Information complexity is the enemy of information security. The mobile device space is rapidly evolving and becoming more complex, and things are getting more out of control. This will be an area with a lot of growth, with everyone from network engineers to security vendors trying to get their arms around mobile security challenges.
Where do you go (websites, conferences, etc.) to stay on top of the latest WAN application security threats?
Beaver: That is something I struggle with. Being an information security guy, I have to stay on top of stuff. There are so many resources. I read IT and security magazines, as well as a lot of information on Twitter. People will link to stories, I’ll read them, and that helps me stay fresh. Email newsletters, from sites like TechTarget, are great for just scanning through the headlines and digging further into ones of interest. Even simply going to the bookstore and browsing through the shelves can be helpful. There’s no single, definitive source. I get information from a lot of different sources and hope I can keep up. I follow a lot of information security folks on Twitter, but I’ve also learned a lot from the networking and application people on Twitter as well. I’m convinced that if you don’t know the essentials of applications, operating systems and networks, you won’t be able to get your arms around the security of anything. You have to know the underpinnings. Keeping up with the foundations of IT is the best way to understand the risks involved. In the end, you simply can’t keep track of it all. You can only put good risk-mitigation techniques in place, and fill in the gaps on things you may have missed.
This was first published in September 2010