How to secure your enterprise systems without compromising user experience
Enterprise software systems mainly consist of applications, data, users (people), and infrastructure. Out of these main aspects, infrastructure security is an area that involves physical components such as people, buildings, and devices. The securing of applications, data and users is something that enterprise software teams need to take care of on top of the security provided by the infrastructure teams. In this article, we are going to discuss the best practices we can follow to secure the applications, data, and users. Out of these 3, we can consider users as the consumers who interact with applications and data over secure access that is implemented with best practices. That brings our focus to 2 main components which are
Data is the value of any business in the modern world. Securing data is critical to the success of any company. We can identify 3 main aspects of data security in enterprise software systems.
- Securing data at rest
- Securing data in transit
- data privacy
Securing data at rest
Business-critical data is typically stored in a database or a file system. To prevent anyone else from accessing this data, we can use techniques such as encryption to secure data at rest. In encryption, we transform the content to a form that is unreadable without a secret key to decrypt the content. Another technique used to secure data at rest is tokenization in which the actual data is represented as a token that is unusable without context. As an example, you can represent a credit card number with a token so that other people cannot recognize the credit card number other than the system which is capable of detokenizing the data. Additionally, the database system or the file server can be protected with advanced security measures such as strong authentication.
Securing data in transit
The data stored in the storage systems need to be retrieved by the user via the applications or systems. Usually, data transmits through the network and we need to prevent network-based attacks such as man-in-the-middle attacks. The solution for securing data in transit is to use transport layers security protocols such as SSL and TLS for the communication of data from the data store to the consumer. By implementing a proper secure key and certificate management system, we can implement transport layer security and encrypt the data while in transit.
Another critical aspect of data security is privacy. What this means is that the data that we collect from the users (eg customers, partners) needs to be used according to the data privacy laws applicable to the specific region that these users are pertaining to. As an example, for European countries, there is a data protection law called GDPR (General Data Protection Regulation) which all organizations need to follow when dealing with data related to users from that region.
Enterprise software systems consist of 10s, 100s, or even 1000s of different applications that are developed by entirely different vendors including in-house development teams. The users who access these applications need to be provided with the best possible user experience without compromising security. To achieve that level of security for applications, we can follow the approaches mentioned below.
- Build a strong identity foundation
- Adhere to security best practices and automate them
- Follow zero-trust architecture for application security
- Prepare for security events
Build a strong identity foundation
A typical enterprise may have applications that involve interactions with different types of users including
We need to implement proper security measures depending on the category of users. There are different types of security approaches that we can follow based on these user profiles. Some common aspects are
- Business to Customer (B2C)
- Business to Employee (B2E)
- Business to Business (B2B)
It is important to implement the proper security measures on the applications depending on these use cases.
Another key aspect here is to understand the requirements for authentication, authorization, and user management within the enterprise and adhere to standard practices for implementing these aspects so that you don’t need to worry about vendor locking or technical debt in the future.
Adhere to security best practices and automate them
Enterprise security needs to be considered as a highest priority job function and it is good to have a dedicated security team to overlook the overall security best practices and implementations. If you are an organization that has a considerable software development process that impacts your business operations, you can implement the above-mentioned processes within your enterprise.
- Secure software engineering process
- Vulnerability and risk management process
- Security reward and acknowledgment process
The figure below depicts a secure software development process that you can follow within your organization.
The preceding figure depicts how the different phases of the software development process can be secured with checkpoints to make sure the code being released minimizes the security risk and captures as many vulnerabilities as possible prior to the release.
Follow zero-trust architecture
The security teams recommend using the “zero-trust architecture” where no system is considered trustworthy when communicating with another system for enterprise applications. It eliminates the implicit trust that was there in the trusted subsystems model and continuously validates every interaction within the system. It uses the mantra of “never trust, always verify” in communication between systems in an enterprise. There are 3 main principles of zero-trust architecture that need to be considered when implementing it. Those are
- All entities are untrusted by default
- Least privilege access is enforced
- Comprehensive security monitoring is implemented
Following these standards make your enterprise software system more secure and less vulnerable.
Prepare for security events
Even with the best security models and best practices implemented within your enterprise, there can be situations where the systems become vulnerable and pose risks to the system. In such a situation, you need to have a mechanism to respond to these events to control the damage that could otherwise occur. It is important to prepare for such incidents with proper planning and resources in place. This requires having the following aspects in place.
- Identify the responsible persons and their roles
- Develop incident management process
- Deploy the necessary tools for monitoring and reporting
- Provide necessary access to the responsible persons ahead of time
- Prepare forensic capabilities and processes
The next step is to implement these best practices with the industry-accepted standards. You can learn more about these patterns by reading the book “Solution Architecture Patterns for Enterprise”.
If you are interested in learning the specifics of implementing security best practices, you can refer to the chapter “Securing Enterprise Software Systems” in the book.