In 2019, IBM reported that the average cost of a data breach in the United States had climbed to more than $8 million. A comprehensive security strategy helps you avoid both a breach and its costly repercussions, and it keeps ongoing security maintenance manageable. Here are five tips to help ensure that your application security strategy is on the right path.
1) Plan Thoroughly
One of my favorite quotes of all time is “measure twice, cut once.”
With proper planning, you can mitigate security issues down the road.
All elements of the application solution, and their impact on your network and perimeter security, should be considered in your plan, especially if you have a large number of users (hundreds or more). Translation: this could take weeks to plan out in advance.
In addition, if you are moving to the cloud, you’ll want to engage your security team to fully understand how data is accessed and secured, as well as how it moves within and out of your environment. This will be different for every organization and is largely driven by existing (and evolving) protocols. Build in extra time for this education; it can take longer than expected for customers new to the cloud.
In short, don’t wait until the last minute.
2) Create Security Governance
Governance is a set of policies and actions, with monitoring by a designated organizational group. It is a necessary practice to ensure that your organization’s goals and protocols are being met. Security processes that might be considered for this scope:
- Security integration into the organization’s network (yes, you should do this)
- Password policy
- New user application requests
- Employee promotions
- Employee transfers
- Employee departures
- Impacts when application components change
- Mergers and acquisitions
- Security audits
3) Be Dynamic
Your application could have hundreds or even thousands of users. A security design driven by groups and inheritance, rather than by per-user settings, will save you precious time when it comes to maintaining that security. Some tips:
- Design intuitively and logically
- Steer clear of hard-coding
- Avoid user-specific security – use groups!
- Minimize low-level object security (i.e., take advantage of permissions inherited from parent-level objects whenever possible)
- Create automated maintenance processes
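The following is an added example (not code from the original post) of what "use groups" and "inherit from parent-level objects" look like in practice. It models grants on a tree of objects, resolves a user's effective access by walking up to the nearest ancestor with a grant for one of the user's groups, and flags low-level grants that merely repeat what the object would inherit anyway. The group names, object paths and users are hypothetical sample data.

```python
"""Group-based, inherited permissions (added example; names are hypothetical)."""
from dataclasses import dataclass, field

# Ordered access levels; higher index wins when a user is in several groups.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass
class SecurityModel:
    groups: dict = field(default_factory=dict)   # group -> set of user ids
    grants: dict = field(default_factory=dict)   # object path -> {group: level}

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def grant(self, path, group, level):
        """Grant `level` to `group` on `path`; groups only, never a single user."""
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.grants.setdefault(path, {})[group] = level

    def _lookup(self, group, node):
        """Nearest explicit grant for `group` at `node` or any ancestor."""
        while True:
            level = self.grants.get(node, {}).get(group)
            if level is not None:
                return level
            if "/" not in node:          # reached the root with no grant
                return "none"
            node = node.rsplit("/", 1)[0]

    def effective(self, user, path):
        """Union semantics: the highest level any of the user's groups carries."""
        levels = [self._lookup(g, path) for g, m in self.groups.items() if user in m]
        return max(levels, key=LEVELS.__getitem__) if levels else "none"

    def lint(self):
        """Return (path, group, level) for grants that only repeat what the
        object would inherit; these are the low-level grants worth removing."""
        findings = []
        for path, node_grants in self.grants.items():
            if "/" not in path:
                continue
            parent = path.rsplit("/", 1)[0]
            for group, level in node_grants.items():
                if self._lookup(group, parent) == level:
                    findings.append((path, group, level))
        return findings


def build_sample():
    """Constructed sample: one application tree, two groups, two users."""
    m = SecurityModel()
    m.add_member("Finance_Read", "alice")
    m.add_member("Finance_Read", "bob")
    m.add_member("Finance_Write", "bob")
    m.grant("Plan", "Finance_Read", "read")
    m.grant("Plan", "Finance_Write", "write")
    m.grant("Plan/Budget/Entity", "Finance_Read", "read")   # redundant: inherited anyway
    m.grant("Plan/Actuals", "Finance_Write", "read")        # real override: actuals are locked
    return m


if __name__ == "__main__":
    model = build_sample()
    for user in ("alice", "bob", "carol"):
        for obj in ("Plan/Budget/Entity", "Plan/Actuals"):
            print(user, obj, model.effective(user, obj))
    print("redundant grants:", model.lint())
```

Note that `lint()` only catches grants that are identical to the inherited one; a grant that narrows access on a child (like the Actuals override above) is a legitimate exception and is kept.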
4) Back Up Your Security Knowledge
I’ve been to one too many customers where the original administrator created the security design, managed it, and then eventually left, and no one knew how to maintain it. To back up your security strategy, you’ll want documentation as well as a backup administrator.
A document outlining the basic security guidelines for each application, each security group, and each group’s design and purpose is a good starting point. This task may sound daunting, but it becomes imperative in an emergency, and its value at that moment far outweighs the effort required upfront.
In addition, the backup security administrator should know the security design intimately. It’s recommended that both the main security administrator and backup maintain security regularly together and be involved in the design.
5) Test and Audit Your Security Implementation (and Regularly)
And test it well. You’ll want to test each major security group against every function of the application, confirming both that permitted actions work and that restricted actions are denied. This testing should occur before the application goes live and whenever anything that affects security is changed.
In addition, turnover is a common organizational event, so you’ll want a strategy for auditing your security regularly. There are methods for implementing fluid and automated audits, and some products are more flexible than others. For instance, I know customers who have automated a nightly comparison of their application user list against the network user list, which then swiftly deletes expired user IDs.
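As an added example (not the customers' script or anything from the original post), here is the shape such a nightly comparison can take, with the safeguards a practitioner would want: service accounts are skipped, identifiers are normalized before comparison, an empty directory export aborts the run, a removal count above a safety fraction aborts the run, and deletion only happens outside dry-run mode. The user lists are constructed sample data; in a real job they would come from the application's user export and a directory query.

```python
"""Nightly application-user vs. directory reconciliation (added example)."""


class ReconcileAbort(Exception):
    """Raised when the inputs look wrong; nothing is deleted."""


def plan_deprovision(app_users, directory, service_accounts=frozenset(),
                     max_fraction=0.25):
    """Return [(user, reason)] for application users that should be removed.

    directory: {user_id: {"enabled": bool}} from the directory export.
    Refuses to plan anything if the export is empty or the plan would remove
    more than `max_fraction` of regular users (a broken export must not wipe
    the application).
    """
    if not directory:
        raise ReconcileAbort("directory export is empty; refusing to deprovision")
    directory = {k.lower(): v for k, v in directory.items()}
    service_accounts = {s.lower() for s in service_accounts}
    regular = sorted({u.lower() for u in app_users} - service_accounts)

    plan = []
    for user in regular:
        entry = directory.get(user)
        if entry is None:
            plan.append((user, "not in directory"))
        elif not entry.get("enabled", False):
            plan.append((user, "disabled in directory"))

    if regular and len(plan) / len(regular) > max_fraction:
        raise ReconcileAbort(
            f"would remove {len(plan)} of {len(regular)} users; "
            f"exceeds {max_fraction:.0%} safety limit")
    return plan


def apply_plan(plan, remove, dry_run=True):
    """Call remove(user) for each planned user unless dry_run. Returns the ids
    acted on (or that would have been acted on) so the run can be logged."""
    acted = []
    for user, reason in plan:
        if not dry_run:
            remove(user)
        acted.append(user)
    return acted


# Constructed sample data (hypothetical names).
DIRECTORY = {
    "alice": {"enabled": True}, "bob": {"enabled": False},
    "carol": {"enabled": True}, "erin": {"enabled": True},
    "frank": {"enabled": True}, "grace": {"enabled": True},
    "heidi": {"enabled": True}, "ivan": {"enabled": True},
    "judy": {"enabled": True}, "svc_etl": {"enabled": True},
}
APP_USERS = ["Alice", "bob", "carol", "dave", "erin", "frank", "grace",
             "heidi", "ivan", "judy", "svc_etl", "svc_loader"]
SERVICE_ACCOUNTS = {"svc_etl", "svc_loader"}


def sample_run(dry_run=True):
    """Plan against the sample data and apply it with a logging remover."""
    removed = []
    plan = plan_deprovision(APP_USERS, DIRECTORY, SERVICE_ACCOUNTS)
    acted = apply_plan(plan, removed.append, dry_run=dry_run)
    return plan, acted, removed


if __name__ == "__main__":
    plan, acted, removed = sample_run(dry_run=True)
    for user, reason in plan:
        print(f"{user}: {reason}")
    print("would remove:", acted, "actually removed:", removed)
```

Keep the job in dry-run mode for its first few nights and review the report before letting it delete anything; the safety fraction is a backstop, not a substitute for that review.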
Don’t make your security an afterthought! Feel confident with a strong foundation!
About the Author
Opal Alapat is the Vision Team Practice Lead at interRel Consulting. She’s an Oracle ACE Director with 20 years of EPM and Analytics experience. Opal is active with user groups and a regular speaker at COLLABORATE. She blogs at: https://womaninepm.com.