Connect with us

Expert Speak

The Value of Business Risk Observability in Managing Modern Application



Written by Joe Byrne, CTO Advisor, Cisco AppDynamics

As the modern workforce has become distributed across offices and remote locations, so have the applications employees depend on to carry out their work. These distributed applications have drastically changed the security paradigm, drawing out the attack surface area of the digital enterprise. Attackers have been quick to exploit this trend, with research by Red Hat revealing that the majority (93%) of businesses experienced at least one security incident in their Kubernetes environments in the past 12 months.

In the Middle East, governments such as those in the UAE and Saudi Arabia have clearly laid out cloud-first strategies, and subsequently, cloud-native application development is gaining momentum. While this enables organizations to innovate at greater speed and scale, it is also exponentially raising complexity for application and security teams. In a recent Cisco study, ​​92% of global technologists admitted that the rush to rapidly innovate and respond to the changing needs of customers has come at the expense of robust application security during software development.

The UAE’s Head of Cyber Security Mohammed Hamad Al Kuwaiti recently said that the UAE Cyber Security Council cooperates with its partners in deterring over 50,000 cyber-attacks per day. Facing such numbers, it is easy to see how organizations are getting overwhelmed and why a solution must be found.

Application security is essential to the business
The Red Hat study showed that almost a third (31%) of organizations that faced a security incident consequently experienced financial or customer losses. IT teams need to act quickly and decisively in order to protect their customer data and the reputation of their organizations. This means ensuring they have the tools, insights and working practices to bring together applications and security teams to securely develop and deploy modern applications. Crucially, businesses need to apply business context to their security findings so that teams can rapidly locate, assess and prioritize risk, and then remediate issues based on potential business impact.

Applications are now the enabler of business — be it the digital services customers use to interact with organizations, or the enterprise applications employees rely on daily. As a result, brand trust and loyalty are now built upon application availability, security, and performance.

However, with the shift to cloud-native technologies, vulnerabilities can occur anytime and anywhere. This makes it incredibly difficult and time-consuming for application teams and security teams to assess risks and prioritize actions. What they need is clear visibility of each new security risk with real-time vulnerability analytics. But with so many new and constantly changing threats within Kubernetes environments, traditional vulnerability scanning solutions simply don’t provide adequate information.

Business risk observability is now a business imperative
To be as effective as possible, security teams need to be able to evaluate the business risks of potential attacks, align teams and triage threats. To do this, they need to rapidly pinpoint where vulnerabilities exist across application entities — business transactions, services, workload, pods and containers — so that they can quickly isolate them. They then need to assess the severity of these risks, the likelihood that they will be exploited and the risk to the business of each issue.

With ever-increasing numbers of threats, prioritization is key, and this type of business risk observability is essential for technologists to understand and prioritize risks. By combining application performance data and business impact context with vulnerability detection and security intelligence, IT teams can prioritize security issues with a business risk score. This will allow them to easily identify which business transactions present the greatest risk to their organization. For instance, they can assess the risk to sensitive customer data resulting from a particular business transaction, or calculate the potential for loss of revenue.

This approach reframes the cybersecurity threat in a more meaningful context. Instead of firefighting from one issue to the next, as they occur, security teams can act more strategically, based on real-time business transaction data. By prioritizing security issues with business context, they can improve key metrics such as mean time to detect (MTTD) and mean time to remediation (MTTR).

It is encouraging to see that technologists are recognizing the need for change — 93% state that it’s now important to be able to contextualize security so that they can correlate risk in relation to other key areas such as the application, user and business, and to prioritize vulnerability fixes based on potential impact. Perhaps most importantly, business risk observability helps application and security teams come together around a single source of truth for all application availability, performance and security data. In the era of zero-day threats, where vulnerabilities can remain unknown for long periods of time, such a framework enables all teams to work cross-functionally on secure deployments of modern applications.

Business risk observability provides a platform for IT departments to shift to an integrated DevSecOps approach. Teams are able to collaborate far more effectively and embed security into the application lifecycle from the outset, with development teams adhering to the organization’s most critical security priorities.

The benefits of business risk observability
Gartner predicts that 95% of new digital workloads will be deployed on cloud-native platforms by 2025.  Attackers will undoubtedly be taking note of this, and we can expect that Kubernetes within modern application environments will become an increasingly attractive target. For IT leaders, this represents a significant new threat that they simply haven’t had to consider before. Application security will need to become a major priority for IT departments in all sectors.

There is no abating the flood of applications in the modern enterprise. They have become an essential part of how businesses operate, and in many cases, offer the decisive competitive edge. Recognizing this, organizations must strive to protect their most valuable assets. Business risk observability provides them with an effective means to do so, ensuring applications effectively serve their end purpose of boosting customer loyalty and driving revenues.

Expert Speak

Hidden Champions: Behind These Popular Applications Are Hard Drives



Written by Rainer W. Kaese, Senior Manager of Business Development Storage Products at Toshiba Electronics Europe

Continue Reading

Expert Speak

How to Secure MSP Success Brick by Brick



Written by Roman Cuprik, content writer at ESET (more…)

Continue Reading

Cyber Security

Is Consent the Gateway to Ethical Data Usage Practices?



Every tech company under the sun is grappling with data privacy and protection policies and laws. However, consent is crucial when it comes to data collection and processing. Having the user’s consent to use their data is imperative. While securing the data after collection is also important, using customer data without their consent causes more serious issues. Without obtaining consent from the user, any data that you use for your business falls under the unlawful use of data regulations.

Users of the well-known platform Glassdoor, which allows individuals to anonymously review their employers, allege that the site collected and linked their names to their profiles without their permission. Glassdoor users have expressed alarm, and the issue has been widely featured on social media and news-sharing sites. They fear that their anonymity could be compromised if data about them is collected and added to their profiles.

The issue here boils down to a single word: consent.

The gray area of obtaining consent
Organizations can knowingly or unknowingly exploit users’ personal data without proper knowledge of data privacy. It is not enough just to get consent from users; explicit consent is required. This includes ensuring the user selects checkboxes during the signup process, enters their email address, authorizes receiving marketing emails and newsletters, and grants the app permission to track user data in specific situations.

But when it comes to verbal consent, there is ambiguity. The GDPR accepts verbal consent but requires written or recorded proof of the consent given. The GDPR states that, “when requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.” Therefore, it is better to record or have written proof of verbal consent; one must not assume or misunderstand that verbal consent only includes oral consent.

Often, there is less visibility of data usage for customers. More often than not, customers do not know what they are giving consent for or how their data will be used. Let’s take the case of location data sharing.

Location data can show if someone visited an abortion clinic or a cancer treatment center. People usually want to keep this type of information private and not share it with companies or third parties. When consent is given without knowing what it is for, the act of giving or obtaining consent becomes meaningless.

Why consent is important in ethical data practices
Although you are legally required to obtain the user’s consent to process their data, there is also such a thing as the ethical use of data. When you take measures to protect your customers’ data beyond what the law requires, it promotes trust among your customers.

People value privacy and appreciate brands that prioritize data privacy. Let’s say a consumer is given the option to choose between two brands: one with no privacy features and another that advocates for privacy with built-in privacy features. Which do you think the customer will choose? Obviously, the latter.

Understanding a company’s data privacy policy is crucial to 85% of consumers—even before they make a purchase, a global study determined. Equally as important, 40% of individuals have changed brands after discovering that a company failed to protect customer data adequately, according to the McKinsey Global Survey on Digital Trust.

This is why tech companies go out of their way to demonstrate the privacy features they offer and how user consent is prioritized in these features.

In a way, customers prioritizing consent compels companies to integrate ethical data privacy policies into their systems. But it’s time companies realize that consent is the backbone of data privacy regulations and take customer consent seriously, not just to avoid hefty fines, but to also value the customer’s choice and their right to privacy.

A final word
Organizations worldwide are facing issues with data privacy. What is important when trying to protect your customers’ data is to realize the role customer consent plays. This helps organizations develop features and draft policies with the customer’s consent in mind and to effectively communicate to the customers why they are seeking consent. Without this step, data privacy becomes compromised. So, both organizations and customers need to grasp why consent matters and advocate for the ethical processing of data.

ManageEngine is a division of Zoho Corporation that provides comprehensive on-premises and cloud-native IT and security operations management solutions for global organizations and managed service providers. ManageEngine strongly believes in privacy by design and continuously advocates for user privacy. Established and emerging enterprises—including nine of every 10 Fortune 100 organizations—rely on ManageEngine’s real-time IT management tools to ensure the optimal performance of their IT infrastructure. Learn more about ManageEngine’s comprehensive suite of IT management solutions here.

Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.