Surefire security fail: One. App. At. A. Time.

A centralized approach that governs how apps interact and what they are allowed to do is essential

No one questions anymore that app security is critical, but leaving security to the app makers is asking for trouble. You need a centralized approach that makes sure all apps on your network are governed by the same rules.

Think of it this way: If you concentrate your efforts on securing individual apps, your network will be only as secure as the weakest app in use at your company, and you don't even know about all the apps in use at your company. In the age of BYOD, with your users accessing the network from their own tablets and smartphones, you can't possibly know, no matter how carefully your policies spell out which apps may be used.

And if that weren’t enough to undermine any strategy that approaches security on an app-by-app basis, the internet of things makes such a strategy utterly ludicrous.

Two items this week forced this thought to the surface of my dilapidated and overcharged brain. The first was an article on the battle of secure messaging apps. It’s a compelling and fair look at this segment, but the very idea of making messaging apps secure misses the point.

Sure, every element of the network, messaging apps absolutely included, should be as secure as possible. The security of individual apps matters. Ignore it, especially when it comes to leaky mobile apps, and the best centralized security strategy won't protect you. So companies need to deploy both. But focusing on security at the app level alone ignores the tremendous degree of data integration today. Whether it involves backups, virus checks, firewall inspection or even network load balancing between servers, the data that you might think of as moving from one app to another actually touches dozens of other pieces of software along the way.

Putting all of your security attention on first one app and then another is exactly the strategy that cyberthieves want you to take — and they, by the way, often have much better insight into the nuanced and interconnected ways that networks handle data than many IT teams do.

IT is used to buying apps one at a time, so it's natural to think about security in the same way. Surely one secure app plus another secure app equals two secure apps. Alas, that's not even close to being true: two individually secure apps say nothing about the security of the path the data takes between them.

The second thing that got me thinking about all of this came courtesy of BlackBerry. Yes, BlackBerry is a very thin shadow of what it once was, but it retains a reputation for being savvy about security. So its announcement about a product that claims to protect app data by monitoring outgoing email and applying policies to data in Salesforce and Microsoft Office Online was disappointing. It’s app-centric, and it’s the wrong approach.

Here's the biggest problem with focusing too much on apps: Companies don't control their networks nearly as much as they think they do. Strategies that worked 10 to 20 years ago operated on the premise that IT approved all devices and that all data was centrally backed up and managed. That hasn't been the case in years. Your users routinely add mobile devices to the network, and those devices carry whatever apps the users choose to install.

The IoT complicates this further, with every IoT thermostat, printer, door lock and sprinkler system able to independently reach out to its mothership, or to someone it has been tricked into thinking is its mothership. Think you don't have to worry about that because you control every message that tries to leave your network? Nice try, but you're not nearly as successful at that as you think. Many IoT devices have their own tiny antennas and can send messages independently of your network. (So much for the BlackBerry approach of monitoring email programs.) And the chances that you even know about all of those tiny antennas are extremely small, since most of them were installed not by IT but by facilities or maintenance staff, who felt no need to notify you. As one CISO recently told me, "Why the heck would maintenance think that they need to check with IT before installing new light bulbs?"

In short, today's networks are far more complex and unwieldy than those of the '90s, and they need an approach to security that factors this in. Every bit of inbound and outbound traffic has to be controlled and monitored, regardless of which app, device or vendor generated it.

You need to directly manage one security policy that applies to all apps, a policy that your team controls using tools that your team controls. You need a systematic way of securing applications rather than an ad hoc, app-by-app approach. Plenty of IT functions can be outsourced today. Executing app security policy is not one of them.

Stories by Evan Schuman