Enterprise Application Acccess Controls Sorely Lacking
Despite widespread and highly publicized security breaches, most companies still fail to require necessary security controls for accessing enterprise applications, including those applications behind the corporate firewall.
According to the Enterprise Application Security Market Research Report from King Research, survey respondents ranked a number of solutions as “highly useful,” including those that: enforce multifactor authentication (MFA) across all users at all times; hide app servers from all devices and unauthenticated users; ensure end-to-end encryption and integrity; and give complete control of who can connect to what, independent of app location, device type and user affiliation.
The highest-ranked solution is of course one that does all of the above, according to respondents.
Even so, those surveyed said that 60% of their organizations do not require MFA for non-employees to access enterprise applications. In addition, while 57% of respondents’ organizations allow bring-your-own-device (BYOD) for access to enterprise applications, 42% do not require non-employees to adhere to the corporate BYOD policies.
“This survey is unique in gathering information around enterprise application access, stringent controls, and the usefulness of solutions InfoSec professionals believe would best protect their organizations from becoming tomorrow’s headline,” said Ross King, principal analyst of King Research. “For example, we found that more than half of respondents (57%) said they have long-term contractors who need access to company information, and these contractors may or may not reside on-premise. But when asked which authentication type is typically used when providing non-employees access to enterprise applications, nearly half (42%) responded that simple passwords are used.”
The survey also found that 63% of respondents said that 10% or more of their enterprise applications are behind the corporate firewall and are accessed by non-employees. Top security concerns, on a scale of 1 to 10, are server vulnerabilities (7.6), phishing (7.3), server misconfigurations (7.3) and denial of service attacks (6.9).
When asked to score criteria importance for selecting enterprise security products and services on a scale of 1 to 10, respondents scored “compliance” the highest with a near 7.6 score. The second most important criterion was “security advantage by using superior technology,” with a score of 7.5.
“Executed properly, multifactor authentication is very secure,” said Anna Luo, senior director of marketing at Vidder, which sponsored the survey. “But highly stringent controls have proven to be too complex for users to adopt. This complexity is likely the reason why so many organizations do not have the controls needed in place, and why the research findings reveal that characteristics of software defined perimeter are seen as ’highly useful‘ in these areas.”
Source: Information Security Magazine