Want to know what to do about application security? Look no further than recent policy responses to TikTok.
In April, Montana passed a bill to ban the widely popular, Chinese-owned social-media app starting on January 1, 2024. The bill is a reaction to what Montana legislators describe as "stealing" "significant information" from TikTok users and sharing it with the Chinese government and the Chinese Communist Party while featuring "dangerous content that directs minors to engage in dangerous activities."
This is not an isolated incident. In 2020, the Indian government hit the brakes on at least 177 Chinese applications, including TikTok, over data-privacy and national-security concerns. Other nations, too, have imposed or are considering restrictions on TikTok for similar reasons.
Meanwhile, in the private sector, businesses have reinvented their policies and programs to lean in to the current work-from-home trend and bring-your-own-device (BYOD) culture. It is problematic, however, when especially voluminous or especially sensitive data is being autonomously handled by any single third-party entity. Therefore, businesses need to take a cue from these kind of app bans (whether right or wrong in the context of governmental policy) when it comes to proactively managing app security within their organizations.
A Proactive Approach to Securing Apps
Being proactive means taking matters into one's own hands. Business leaders should not wait on the public sector to tell them what is and isn't safe. Look at your business apps, investigate the companies behind them, and decide which are necessary. Having insights into the applications running on your network will allow IT teams to block the ones they deem untrustworthy.
Alternatively, if your business is particular about which applications should be used in your environment, whitelisting only those apps you want to allow while blocking the rest—instead of blocking several individual apps—would be a more comprehensive measure.
Considering the vast ocean of applications available today, blocking applications should not be your only app-security measure. It is always the wise first move.
Endpoint management solutions are the next part of the answer. Unified endpoint management (UEM), for instance, lets admins impose limitations on app use (turning off certain functionalities, for example). This way, it is simpler for organizations to ensure that employees are using applications securely.
Furthermore, for businesses with hundreds or thousands of endpoint devices, UEM offers a single platform through which apps can be remotely allowed or blocked while managing other device-security measures.
Contain the BYOD Conundrum
The idea of BYOD is not new, and its popularity needs no reiteration. However, when employees bring their own devices, securing them gets more complicated—especially when combined with shadow IT. Many employees use apps for work without the IT department's knowledge. In most cases, they do so to improve their productivity or to streamline work. Keeping IT in the dark, however, broadens the threat landscape. At the same time, because these are personal devices, admins cannot use the same policies they use for corporate endpoints as a matter of respecting employee privacy.
The best course of action in these circumstances is containerization—creating and managing separate containers for business apps and sensitive data. With these containers in place, administrators can distinguish between private and company data. With full access to these containers, admins are able to take appropriate actions to prohibit unnecessary or dangerous apps. At the same time, neither admins nor the organization in general becomes aware of any personal employee data or actions outside of these containers.
Nurturing a Culture of Continuous Learning
Employees are your first line of defense. So, in addition to response strategies and security tools, educate your workforce.
Keep staff members informed of the most recent attack patterns. Conduct regular security-awareness sessions to show them safe and cyber-hygienic practices. With the prominence of remote work and BYOD, the traditional perimeters of the workplace are coming undone. As such, the notion that each device, app, or website is a possible gateway for attackers must be communicated effectively.
As a consequence of a continuously changing threat environment, no security architecture is totally safe. A strong proactive approach, however, can be quite helpful in safeguarding your organization.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
