Cyber Security Education Series – Part 2: Securing the Applications You Work With
By Tony Evans
At Evans Consulting Services, we take cyber security very seriously. One of the greatest challenges for IT leaders in today’s world of COVID-19 is securing a remote workforce. In Part 1 of our Cyber Security Series, we talked about the importance of starting at home with security. Putting your organization on the right path to enhanced security begins with empowering employees through education, securing connections using a VPN and setting a firewall perimeter at home.
In Part 2 of our series, we will be discussing application security. In conjunction with the remote workforce explosion, the IT landscape has also seen a vast rise in cloud-based applications accessed through the Internet. Many organizations still have legacy on-premises systems, creating a hybrid environment that requires both physical and digital security protections. We are going to cover both the security of online applications and of on-premises systems.
See also Cyber Security Series Part 1: Security Starts at Home.
Securing SaaS Web Applications
The last 10 years have seen an explosion of software-as-a-service, or SaaS. Industry giants such as Microsoft, Salesforce, Amazon and Oracle have amassed hundreds of applications integrated and accessed through their cloud networks. In addition, many niche industry solutions also run through the cloud and offer tremendous benefits and features.
For anything security-related, the first step to take is assessing exactly what your workforce is using. Common systems in the cloud include Finance and Accounting, HR, Document Storage, and management platforms, such as a Construction Management System. Depending on the sensitivity of the data and functionality in these platforms, you will need to identify and select the most appropriate level of security.
We recommend making sure all employees are using strong passwords and a password management system. Every application should have a different password – never re-use passwords! – with a minimum of 16 characters and a mix of capital letters, numbers, and special characters. If remembering these complex passwords causes any concern, consider a subscription to a password management system such as 1Password or LastPass.
- Example of a bad password: “LedZeppelin1975”
- Example of a good password: “hJ3jSrMTGq=mnv>S”
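As an added illustration (not code from the original post), the following Python checks a password against the rules stated above – at least 16 characters, with upper-case letters, lower-case letters, digits and special characters – and flags passwords that are re-used across applications. The rule set and the sample application list are assumptions constructed for this example; a password manager applies equivalent checks for you.

```python
import string
from collections import defaultdict

# Minimum length recommended above (assumption: the post states 16 characters).
MIN_LENGTH = 16


def password_issues(password: str) -> list:
    """Return the policy rules a password violates; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    # Character classes the recommendation asks for; each must appear at least once.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            issues.append(f"no {name} character")
    return issues


def is_strong(password: str) -> bool:
    return not password_issues(password)


def reused_passwords(app_passwords: dict) -> list:
    """Group application names that share the same password (sorted, for stable output)."""
    by_password = defaultdict(list)
    for app, pwd in app_passwords.items():
        by_password[pwd].append(app)
    return sorted(sorted(apps) for apps in by_password.values() if len(apps) > 1)


if __name__ == "__main__":
    # The two examples given in the post.
    for candidate in ("LedZeppelin1975", "hJ3jSrMTGq=mnv>S"):
        print(candidate, "->", password_issues(candidate) or "OK")

    # Constructed inventory of per-application passwords (not real credentials).
    inventory = {
        "accounting": "hJ3jSrMTGq=mnv>S",
        "hr-portal": "LedZeppelin1975",
        "document-storage": "LedZeppelin1975",
    }
    print("re-used across:", reused_passwords(inventory))
```

Run as a script, the first example fails on length (15 characters) and on the missing special character, the second passes, and the two applications sharing a password are reported together.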
Once you have ensured strong password protection, the next level of security for more sensitive systems is Multi-Factor Authentication (MFA). With MFA, in addition to the password, a code is sent to the user to confirm their identity as they log on to the system. MFA can rely on a registered cell-phone number, an application, or even a hardware dongle that generates a new key every minute. The hardware option is the most secure, but it is also the most expensive.
Lastly, secure the SaaS applications you are using through administrator controls. While this statement is broad, you will want to check with industry experts on the best practice for securing your application. This process is also known as hardening in a traditional IT environment, and there are independent associations such as the Center for Internet Security (CIS) that provide application-specific recommendations and guidelines.
Example hardening actions:
- Preventing unwanted access from specific geographies. This is perfect if your workforce is not global.
- Locking accounts after a specified number of failed login attempts
- Setting administrator approval for new account creation
- Disabling custom scripts and custom code
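To make the second hardening action concrete, here is an added example (not code from the original post or from any particular SaaS product) of an account-lockout control: after a configurable number of failed logins the account is locked, a correct password no longer unlocks it, and only an administrator can reset it. The threshold of 5 attempts, the user names and the login sequence are constructed for the example; a real product would also add a time window and audit logging.

```python
from collections import defaultdict

# Assumed policy value; the post does not specify a number.
MAX_FAILED_ATTEMPTS = 5


class LoginGuard:
    """Tracks failed logins per account and locks accounts that exceed the threshold."""

    def __init__(self, max_failures: int = MAX_FAILED_ATTEMPTS):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, username: str, password_ok: bool) -> str:
        """Record one login attempt and return 'success', 'failed' or 'locked'."""
        # A locked account stays locked even when the password is right,
        # otherwise an attacker could keep guessing until a success.
        if username in self.locked:
            return "locked"
        if password_ok:
            self.failures[username] = 0   # a good login resets the counter
            return "success"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
            return "locked"
        return "failed"

    def admin_unlock(self, username: str) -> None:
        """Administrator action: clear the lock and the failure counter."""
        self.locked.discard(username)
        self.failures[username] = 0


def run_sequence(guard: LoginGuard, events) -> list:
    """Feed (username, password_ok) events through the guard and collect results."""
    return [guard.attempt(user, ok) for user, ok in events]


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed sequence: alice mistypes twice then succeeds; bob fails five times
    # and is locked, so his sixth attempt is rejected even with the right password.
    events = [("alice", False), ("alice", False), ("alice", True)] + \
             [("bob", False)] * 5 + [("bob", True)]
    for (user, ok), result in zip(events, run_sequence(guard, events)):
        print(f"{user:6} password_ok={ok!s:5} -> {result}")
    guard.admin_unlock("bob")
    print("bob after admin unlock ->", guard.attempt("bob", True))
```

The two details worth noting are that a correct password does not clear a lock (only the administrator does) and that a successful login resets the failure counter, so a legitimate user who occasionally mistypes is never locked out.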
Securing On-Premises Systems
The typical configuration in a modern IT department will be a hybrid network. While most organizations are migrating functionality to the cloud, you likely still have on-premises systems that need to be secured. We discussed basic connection security in Part 1, and many of the same principles apply to your corporate network, only at a larger scale.
Every organization should be using some firewall capability to protect the perimeter of the on-premises network and should be monitoring that firewall for intrusions or threats on a constant basis. Employees should authenticate to the network over a VPN using strong passwords, with MFA required for employees who have access to sensitive business information on that network.
For the highest data sensitivity, your organization should consider using a point-to-point connection that physically connects your users to the application. These options will be limited by the application provider, but larger systems such as Microsoft 365 do provide this option.
How would you rate your application security?
Assess Your Organization
A common theme in our Cyber Security Education Series is self-assessment. To secure your workforce, you must understand where your gaps and weaknesses lie. The goal of our Cyber Security Education Series is to equip you to assess your current situation and provide strategies for improving your overall security footprint. If your organization is struggling or needs more specific guidance, Evans Consulting Services has the cyber security expertise to help. Contact us today for a free consultation.
Look out for Part 3 of our Cyber Security Education Series: Securing the Enterprise and Facilities. Sign up for our mailing list below to receive updates on new content and information.
About the Author
I created Evans Consulting Services after running another start-up business with partners. We ran the business like a corporation. Over the years, I have learned that entrepreneurship is a unique challenge. I learned that each member of a small organization is extremely important and must carry their own weight, earn their compensation and produce results. The negative impact of sub-par performance is devastating and cannot be sustained by an emerging business.
I’ve been in business as an entrepreneur for 22 years. Through ECS, we have continually demonstrated the ability to successfully partner with a variety of entities. ECS is a team player. For example, ECS entered a joint venture with Albert Kahn Associates, a 100+ year-old architectural firm, on a million-dollar project to design and install the cabling infrastructure for Motor City Casino Hotel. We have also maintained a managed contract customer relationship with KIRCO Management Services LLC, a multi-million-dollar development, property management, and construction company that has grown nationally over the last 19 years. KIRCO has been our flagship, cornerstone customer since 2001. In the future, our relationship will continue to strengthen as both companies grow.