Recent events have heightened public awareness of threats, vulnerabilities and risks.
"Apps" have become the users' front door to business, information and IT services using mobile, wireless and wired devices. User confidence and trust are increasingly critical to service success.
While the App is perceived to be the functionality on the access device, we need to manage the "application" as the end-to-end set of business transactions, system transactions and component interactions between the user and the target service. For example, mobile banking, web banking, ATMs and payment card devices are access devices that provide apps to connect me to my bank services. While they are separate access channels (using different devices, Apps and connections), they share some enterprise application infrastructure (connections, workflow, application components and data) and all update my bank accounts. They are all part of the set of banking applications I use to debit and credit my bank account. Multi-channel access presents new risks to enterprise applications and data by potentially exposing cross-channel vulnerabilities: a weakness in a shared component can be reached from any channel that uses it.
Application management, security and privacy need to be designed and built into the App. Design needs to consider the end-to-end context, behaviour and security of both the application and the underlying infrastructure (Application Service Platform, Application Infrastructure Services, Infrastructure Services, and Network Services).
Security requirements overlap with application management requirements. For example,
- Timely alerts that an application component service has failed or been compromised are essential to managing incidents and meeting service level targets, but can also be instrumental in the early detection of denial-of-service attacks.
- Transaction performance and integrity are key application management components, but are now also critical to maintaining customer trust and satisfaction.
- The ability to start and stop a service based on alert triggers is critical to both application management and security.
Application design needs to integrate services (apps, devices, connections, transactions, component interactions, workflow and data) and layer protection and management mechanisms (controls, audit, reporting, monitoring, alerts and incident management) into an effective end-to-end security and management solution for the application and the Apps which access it.
For this reason, we continue to recommend assessing security threats, vulnerabilities and risks from a defense-in-depth perspective for information management and flow, based on user context and authentication across all services used to provide the target application.
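The component-health alerting described above, as an added example (not code from the original article): constructed health events from the separate access channels (mobile, web, ATM, card) are aggregated per component, so that a failure in a shared component such as the hypothetical "core-ledger" is recognised as cross-channel and tied to an alert-triggered action (stop, watch, or none). Component names, thresholds and event fields are assumptions.

```python
from collections import defaultdict

# Constructed sample health events; "core-ledger" is a hypothetical component
# shared by all channels, "atm-gateway" and "web-session" are channel-specific.
SAMPLE_EVENTS = [
    {"channel": "mobile", "component": "core-ledger", "ok": True,  "latency_ms": 120},
    {"channel": "web",    "component": "core-ledger", "ok": False, "latency_ms": 5000},
    {"channel": "atm",    "component": "core-ledger", "ok": False, "latency_ms": 5000},
    {"channel": "card",   "component": "core-ledger", "ok": False, "latency_ms": 4800},
    {"channel": "mobile", "component": "core-ledger", "ok": False, "latency_ms": 5100},
    {"channel": "atm",    "component": "atm-gateway", "ok": True,  "latency_ms": 80},
    {"channel": "atm",    "component": "atm-gateway", "ok": False, "latency_ms": 3000},
    {"channel": "web",    "component": "web-session", "ok": True,  "latency_ms": 40},
]


def evaluate_components(events, max_error_rate=0.5, max_latency_ms=2000):
    """Aggregate health per component and decide on an alert action.

    'stop'  - failure rate above threshold: candidate early signal of a
              denial-of-service condition or a compromised component
    'watch' - no failure spike, but latency degraded (transaction performance)
    'none'  - healthy
    The affected channels are recorded so a shared-component incident is
    visible as cross-channel rather than as unrelated per-channel faults.
    """
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "slow": 0, "channels": set()})
    for e in events:
        s = stats[e["component"]]
        s["total"] += 1
        if not e["ok"]:
            s["failed"] += 1
            s["channels"].add(e["channel"])
        if e["latency_ms"] > max_latency_ms:
            s["slow"] += 1
    alerts = {}
    for name, s in stats.items():
        error_rate = s["failed"] / s["total"]
        action = "stop" if error_rate > max_error_rate else ("watch" if s["slow"] else "none")
        alerts[name] = {
            "error_rate": round(error_rate, 2),
            "affected_channels": sorted(s["channels"]),
            "cross_channel": len(s["channels"]) > 1,
            "action": action,
        }
    return alerts


if __name__ == "__main__":
    for component, alert in evaluate_components(SAMPLE_EVENTS).items():
        print(component, alert)
```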
Fred Nagy, CMC, PMP, ITIL
Solutions in Context – "Strategic Design and Risk Management"