Why is App-Level Security Essential in Today's Mobile Climate?

Alena Davis, Appian
May 30, 2018

The enterprise cybersecurity world is facing a shakeup. Traditional methods, such as firewalls and anti-malware, are proving insufficient for today's environments. With mobile devices, varied network connection points and cloud services all in play, companies can't simply draw a border and expect to keep it closed against attacks.

Instead, organizations need adaptable security that can be built into every layer of the IT setup. This sounds like a lot to deal with, especially as mobile devices and corresponding apps explode into widespread use. However, mobile application development platforms can create data protection opportunities that weren't readily present in the past.

The Scope of the Cybersecurity Problem

Each year, the Identity Theft Resource Center releases a summary of the previous year's data breaches. It recently released the 2017 year-end review and found that the number of tracked data breaches last year climbed to 1,579. That doesn't cover unreported incidents - or breaches that haven't been discovered yet. This figure represented a 44.7 percent year-over-year increase, and a variety of sectors were impacted, with the general business vertical facing a particularly sharp rise.

Responding with New Methodologies

There are a variety of ways to handle cybersecurity in today's climate, and most businesses will need to mix and match different options to adequately keep up with the threats that are out there. However, focusing on the applications themselves, not the closed-off enterprise system, is increasingly important. An App Developer Magazine report explained that increased mobility makes it extremely difficult for organizations to keep up with all the security issues that come up across both apps and devices. Think about it: organizations must

    • Ensure mobile devices that are owned and managed by employees get necessary operating system updates to protect against exploits.

    • Mandate and enforce policies about updating applications to avoid vulnerabilities.

    • Control which apps and services employees can use on devices containing or interacting with enterprise data.

    • Provide adequate user authentication and access control - including putting password best practices into place - to safeguard entry points.

    • Train employees to identify phishing and similar scams.

    • Update policies and innovate as new attack vectors emerge.

Keeping up with these demands is incredibly complex, and the App Developer Magazine report suggests companies focus on securing the apps themselves to make it easier. The logic is simple - if you can't control the device or the user, you can at least take ownership of the app. From there, the news source expands on complex coding functionality that can make apps more adaptable and secure, but that kind of solution isn't an option for every company - manually writing complex code is not only extremely time-consuming and expensive, it also takes key resources away from IT teams.

Application development platforms can offer opportunities for app-level security that don't require the complicated backend work, and Appian is leading the way in driving innovation in the space.

Using a Platform to Establish Security

Imagine the architectural makeup of a cloud platform. The system resides within a secure cloud environment and connects out to the various systems needed to deliver services to users. Within the platform, the infrastructure, virtual machine configurations and similar components can all be tightly controlled and governed by overarching rules and policies. What's more, most of the enforcement of those measures can be automated. As such, when users create an app within the platform, it is already designed to reside securely in your environment. If an update needs to be made for a mobile operating system, you only update the platform, not each app in the platform. The overhead is limited.

With the core architecture providing a vital layer of data protection, organizations can then set up checks and balances to ensure that the actual applications operate in secure ways. Within the Appian platform, organizations can:

    • Take advantage of single sign-on functionality to enable IT to establish strict user authentication rules without excessively inconveniencing users.

    • Leverage pre-built, pre-tested code to make sure app vulnerabilities don't arise from human error or untested code.

    • Establish data workflow guidelines that tightly control what data can go where.

    • Create role management profiles to manage authorizations down to individual users without excess complexity.

    • Automate policy enforcement through built-in checks that prevent users from taking certain actions within the system without following scripted best practices.

    • Remove the security burden from the device and the user to instead place it on the platform, which can be controlled by IT.

These features add up to provide security that is built into the application itself, making it easier for IT teams to manage protocols and stay ahead of threats. What's more, our platform is constructed with business process management functionality in place, meaning it doesn't just let you build and control apps, it also enables users to establish process frameworks and automate many elements of regulatory compliance.

Holistic Security in One Place

Consider a scenario where you create a secure app. The code is excellent, users are trained effectively and backend databases are secure. However, a user decides to dig into some old private records and replicates sensitive data that was originally stored in a legacy app. The problem is that somebody with shared access to the project being worked on doesn't have access to that old record and ends up seeing private data that is meant to be protected. You suddenly have a regulatory breach.

The Appian Records system lets you incorporate robust records management functionality - including integration with legacy systems - into the controlled platform. The same can be done for data that is normally siloed within business units. These capabilities combine with process management tools to make our platform a regulatory compliance powerhouse. We regularly audit our systems and are in line with a variety of industry standards, including:

    • SOC 2 and 3

    • PCI DSS

    • HIPAA

    • FISMA

    • FedRAMP

    • GxP

    • UK G-Cloud

Here's a full list of the regulations we comply with and some details on how we achieve the goal. However, the key takeaway isn't that we handle one standard or another; it is that our platform is built with security in mind and extends data protection through the apps, workflows and processes without getting in the way of innovation.