New regulations are coming – Take control of your application portfolio
Colonial Pipeline. SolarWinds. Hundreds of millions of dollars siphoned from Washington State’s unemployment system. The past year has highlighted the critical importance of application security, and of cybersecurity in general.
These high-profile attacks have elevated the subject in our national and international political dialogue. We had become accustomed to treating attacks as a cost of doing business, subject to cost-benefit analysis and risk mitigation. Now they are the subject of a presidential executive order and were among the topics discussed at the US-Russia summit in Geneva in June 2021.
For those of us in the industry, this global awareness of the gravity and extent of the threats we face has been a long time coming. We now seem to be at a tipping point where governments are getting much more involved.
As part of this, we will see increasing calls for legislation and regulation of the cybersecurity measures businesses must take. Governments will have a stronger hand not only in establishing but also in enforcing the standard for what public and private companies must do to keep their application environments secure.
This can lead to real progress. Consider the regulations that help ensure public health in many other industries. If you run a restaurant, for example, you are required to meet a certain standard of hygiene. Likewise, we are on the edge of a world where companies whose applications handle anything of value or support critical infrastructure will be subject to a set of mandatory security requirements in order to stay in business.
In this environment, technical controls such as web application firewalls, API security, bot mitigation and denial-of-service protection will be baseline necessities for maintaining good cybersecurity hygiene.
And these controls will be needed not only for the most important applications, but for all of them. After all, you are only as secure as your weakest app or API. If an attacker can enter a network or infrastructure through one unprotected element, everything else on that same network or infrastructure is also at risk. Recent attacks on the software supply chain have shown how a vulnerability in one organization or system can affect many others downstream.
Building this cyber hygiene across the application landscape will pose distinct challenges for customers, especially those with large or legacy application portfolios. Keeping systems up to date will be a tough sell, and mapping entire application ecosystems will be a major logistical challenge: the applications are spread not only across disparate locations and systems, but often across decades of technology investment.
After making substantial investments in physical infrastructure, companies want to get the most out of those assets before retiring them. They may be reluctant to upgrade software and services because newer versions will run more slowly on older equipment.
This is commonly referred to as “sweating assets”. It’s like trying to go those last few miles on an empty gas tank. But as any computer geek can tell you, if you want to get things done, don’t try running macOS Catalina on a 1998 iMac, or Windows 11 on a 2003 Dell Latitude.
Customers will need help with this challenge. Since the dawn of enterprise technology, advancement has been tied to innovation in technology stacks. We have moved from mainframes to the client-server model, from three-tier applications to microservices, from on-premises systems to the public cloud. Each innovation introduces a new architecture and a new technology stack on which applications are built and run.
But the hard reality is that most customers are never able to move everything into the newest stack. Most businesses run several stacks side by side, and after a certain period every stack becomes legacy.
To solve this problem, the paradigm must change. We need a new model in which users can effectively manage an application environment, regardless of the combination of technologies they have.
The other big challenge customers will face is getting much more clarity on all the apps in their ecosystem. Where are these applications and APIs hosted? Which end users, human or machine, have access to them? What data can be viewed or manipulated through them? How are they protected against breaches of confidentiality, integrity and availability? Businesses need to be able to map all of their apps and APIs, what they do, and how they are protected.
The Biden administration’s executive order in May expressly identified systems modernization as a must for federal agencies. It may not be long before a similar mandate is established for the private sector, especially for industries that touch critical infrastructure. Sweating assets may no longer be an option for many organizations; for others, solutions may soon be available to wrap new protections around older systems. And with the realization that any application could be the entry point for a larger attack, businesses will face more pressure than ever to fully map, understand and protect their entire application landscape.
Businesses in all industries should think about these important questions now, before being constrained by regulations and legislation.