Secure Application Enablement
Lets CSOs Say Yes Instead of No
As Canadians, it’s in our DNA to be helpful and to avoid saying “no.” So why is it that “no” is the typical response from a security-minded IT organization when asked to enable a new application on the network? While it may not be the case everywhere, it is certainly widespread enough that in many organizations the CSO is often referred to as the CS-NO. That said, the CSO should certainly have our sympathies because he/she is confronted with a nearly impossible choice when it comes to balancing network productivity and network security. When asked to implement a new application, it’s either say “yes” and have potentially hazardous applications running alongside mission critical applications or say “no” and block entire application families, reduce productivity and drive a wedge between users and IT.
For example, in a distributed workplace it’s not uncommon for employees to utilize remote presentation applications such as Microsoft Lync or Cisco Webex to collaborate with external partners or to deliver remote presentations. The productivity benefits of these applications are obvious, yet many desktop-sharing and file-transfer options can compromise an organization’s security posture. And as lines between personal life and work continue to blur, IT organizations are also struggling with how to handle applications not traditionally associated with business use. Facebook, Twitter and iCloud, while primarily used for personal reasons, either have legitimate business uses or are commonly accessed by employees while at work. The challenge is that most of these applications include sync or file sharing functions that could allow users to upload sensitive company data to servers outside of the organization – either intentionally or by accident. These concerns mean little to the typical employee, but not allowing users to take advantage of applications that make their jobs easier is a sure way for the CIO/CSO to get an inbox full of complaint email.
Fortunately, a development in network security policy and technology, known as secure application enablement, has made it easier for IT to control access to applications and data in a way that doesn’t interfere with day-to-day business operations.
Unlike legacy approaches to security that simply blocked certain ports on the network typically exploited by hackers (an approach any competent hacker can easily work around), secure application enablement is a process in which all applications and users on the network are classified regardless of the network port they use.
Once classified, IT can assign what policies and inspections are performed on an application based on who is using it and what kind of data they are accessing. Secure application enablement also gives IT the ability to implement least privilege controls on users. In other words, access to data can be restricted to only those users with a legitimate need to see or edit it.
Let’s examine a real-world implementation of secure application enablement. File sharing applications are a great way for team members in different locations to share data, and most departments in government have at least one Open Data Initiative (ODI) in place so they can safely disseminate information to various consumers. Because it’s familiar to most users, and free, Google Drive is being used in many government agencies for file sharing.
While Google Drive offers very compelling budgetary and productivity benefits, from a security point of view it can be problematic. What’s to keep a government employee, either deliberately or accidentally, from sharing confidential data with an unauthorized user? Secure application enablement would, by putting certain security policies in place. For example, it could enforce document posting policies that only permitting authorized users operating on the right device at the right time to post only unclassified CSV and PDF documents.
IT could also control how users outside the organization can access that data (business partners, for example) and give them a different level of access (give them download privileges, but no uploading).
So don’t be a CS-NO. Explore how secure application enablement can let your network’s users take advantage of all the benefits that new applications provide without having to make compromises on network security.
Dale O’Grady is a Security Engineer at Palo Alto Networks.
© FrontLine Security 2015