
Modern Application Security Requires Defense in Depth


Application security is no longer an all-or-nothing proposition: a defense-in-depth approach is far more effective at mitigating access and data breach risks.
Perimeter security has been dying a slow death over the better part of a decade, as breaches of the corporate network have become commonplace. Most organizations now find it obvious that trusting devices and users merely for being "on the corpnet" is insufficient to maintain security in the face of evolving threats. At the same time, the re-platforming of business applications to a SaaS model, coupled with a more mobile and distributed workforce, has made the need to "VPN into a corpnet" feel archaic and cumbersome. The pandemic created the perfect storm around these two long-term trends, accelerating this slow death into a fast one. Adopting a zero-trust architecture is no longer negotiable for any organization that wants to stay alive.

One of the most important principles of security (real-world and digital alike) is defense in depth: rather than relying on a single control into your world to maintain all security (or "one lock on the front door"), you implement a set of measures that compose together to offer more security than each could in isolation. This goes hand-in-hand with the principle of least privilege: every layer uses the information at its disposal to make access control decisions.

There are many places you could put in doors and locks that contribute to a zero-trust architecture. They fall under the general categories of coarse-grained and fine-grained access controls. Over the last decade, most of the security industry's attention has been focused on the former, but in the last two years, a wave of innovation has transformed the latter. A defense-in-depth approach requires at least one solution (and possibly more) at each layer. Let's dive into a few examples of each.

Coarse-grained controls know something about the user and device that is accessing a protected resource but don't have the full context about the user, operation, and resource. Examples include access proxies, enterprise single sign-on/identity providers, and API gateways/routers.

As Google popularized in its BeyondCorp technical notes, a modern Access Proxy is the first line of defense when it comes to users gaining access to corporate applications and resources. An admission control policy that can use attributes about the user, device, network, location, and even date/time can help ensure that only requests that are allowed by that policy are routed to the application. Large vendors such as Zscaler and Cisco cover this use case as a modern replacement for traditional VPNs.

Your identity provider (IDP) is used to authenticate every user as they sign in to the set of applications they can access. While this is not technically an authorization layer, the IDP can make coarse-grained decisions on whether a user has access to certain applications based on a set of attributes.
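The two coarse-grained layers just described, composed the way defense in depth requires, as an added example that is not from the article or any vendor product. The access proxy admits or denies on device, network and time-of-day attributes; the identity provider then checks whether the user is assigned to the application at all; a request must clear both. The network ranges, group-to-app assignments and business-hours window are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical, not from any real deployment).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
APP_ASSIGNMENTS = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}
BUSINESS_HOURS = (7, 20)  # sensitive apps reachable off-network only 07:00-19:59 local

@dataclass
class AccessRequest:
    user: str
    groups: set
    device_managed: bool
    device_compliant: bool
    source_ip: str
    app: str
    when: str  # ISO 8601 timestamp, e.g. "2024-03-04T22:00:00"

def proxy_admission(req: AccessRequest) -> tuple[bool, str]:
    """Layer 1: the access proxy. It sees user, device, network and time,
    not what the request does inside the app, so it decides on coarse signals."""
    if not req.device_managed:
        return False, "proxy: unmanaged device"
    if not req.device_compliant:
        return False, "proxy: device out of compliance"
    src = ip_address(req.source_ip)
    on_trusted_net = any(src in net for net in TRUSTED_NETWORKS)
    hour = datetime.fromisoformat(req.when).hour
    # Sensitive app reached from outside the corporate ranges: business hours only.
    if req.app == "payroll" and not on_trusted_net:
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            return False, "proxy: payroll off-network outside business hours"
    return True, "proxy: routed to app"

def idp_entitlement(req: AccessRequest) -> tuple[bool, str]:
    """Layer 2: the identity provider. After authentication, it checks whether
    any of the user's groups is assigned to the application (per-app, coarse)."""
    if req.groups & APP_ASSIGNMENTS.get(req.app, set()):
        return True, "idp: user assigned to app"
    return False, "idp: user not assigned to app"

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Defense in depth: every layer must independently allow the request;
    the first layer to deny wins and its reason is surfaced for logging."""
    for layer in (proxy_admission, idp_entitlement):
        ok, reason = layer(req)
        if not ok:
            return False, reason
    return True, "allowed by all layers"
```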
