How can modern, user-friendly and yet secure working environments for employees, customers and partners be realized on the Internet? Our 10 best practices show how every IT department can gain agility and provide flexible and secure access to information for customers and employees with web applications and portals.
Web applications and portals are an ongoing topic in many IT departments because they enable flexible and mobile working. Employees demand access to the information they need to complete their tasks, regardless of time and place. Customers and partners want to conduct their business directly via a web browser instead of by telephone, post or e-mail. Many business units want to automate their processes with web services.
Requirements for web applications in digital business processes
Given this wealth of expectations, it is clear that IT today must adapt to the requirements of the business. Only in this way can it support efficient collaboration and meaningful automation and increase the flexibility, user-friendliness and efficiency of the company.
When implementing digital business processes as described above, there are three key requirements: security, user-friendliness and interoperability. Only if all three are met will companies achieve the necessary flexibility and keep the door open for future business opportunities.
Nothing works without user-friendliness
Today’s society is strongly focused on convenience. For IT, this means that it will only be accepted by users if it offers them a high degree of user-friendliness, so digitalization must always focus on simplicity. Anyone who underestimates the credo of usability has a lot to lose in the age of the Internet: stressed employees and overwhelmed customers or partners will all too quickly look for a simpler alternative.
Interoperability is becoming increasingly important
Unfortunately, many manufacturers still assume that companies will adapt their processes to the technology provided. However, modern companies are no longer constrained by technology and rightly demand that the technology can be flexibly adapted to the current and future requirements of their business processes. The interoperability factor is crucial here and enables full flexibility despite the wide-ranging technology landscape.
IT security – the foundation for business success
The majority of companies have long been on the path to digitizing their business processes. They have made their core applications accessible via the Internet without letting IT security hold them back. But at the latest when an audit is imminent or attackers are at work, they have to close the security gaps in order to meet their IT security goals.
It is not only large companies such as Ebay, RSA or Adobe that have already had to contend with security incidents causing immense damage. The current threat situation does not stop at SMEs and start-ups either, and they are hit much harder than large corporations when it comes to loss of assets or reputation.
Hackers use untargeted, opportunistic attacks to exploit applications that are accessible via the Internet without the necessary protection; studies by WhiteHat (2013) show that more than 86% of all web applications are affected. So-called “targets of choice” – well-known companies, valuable brand names – must also protect themselves against targeted attacks carried out with a specific intention. Such attacks involve much greater effort on the attacker’s side and have a significantly higher likelihood of success.
The following best practices show how every company can create effective protection for its web applications and portals while at the same time meeting the high requirements for user-friendliness and interoperability.
The 10 best practices
1. Simplify your infrastructure, reduce complexity
A large number of different applications are typically used in digital business processes. In a complex application landscape, the effort required by internal IT to ensure the security of all applications can explode: installing the latest security patches, ongoing maintenance, proper documentation and a functioning access management system for each application are just a few examples.
Centralize the security infrastructure
The most effective way to simplify security is to move access handling and access control out of the individual applications into a specialized, central solution. In this way, the security of all applications used in the business processes is ensured centrally at a single point.
For IT, this means that security patches are applied only once, maintenance is simplified and user access management can be centralized for all applications. Centralizing the security infrastructure in this way simplifies application maintenance, and together with the improved availability of your applications it saves costs. In addition, decoupling the security infrastructure from the applications, and the higher level of security this brings, forms the basis for easily meeting many of the other best practices.
2. Be better than average
Opportunity makes thieves, and this also applies to hackers. They quickly realize where they have an easy job and where they will get nowhere. It is therefore worth protecting applications that are accessible via the Internet reliably against attacks.
Protect web applications and other services accessible via the Internet
Since usually not just one but several applications are accessible via the web, the best way to protect them is a web application firewall. It is located centrally in front of the applications, receives all requests from the clients and inspects them: invalid requests are recognized and filtered, attacks are blocked, and only valid requests are forwarded to the applications. In this way, the applications remain protected against common untargeted attacks and have solid basic protection against targeted attacks.
3. Communicate in encrypted form
The Internet stands between the web application and the user, and the transmitted data can be read by anyone along the way unless it is encrypted.
SSL encryption at the cutting edge
Protect all data from unauthorized access and modification by encrypting it during transmission between the application and the user.
Depending on the application and the confidentiality of the exchanged data, define minimum requirements for the encryption methods to be used. If the client’s browser does not support the required encryption, the connection will not even be established.
Encryption is the be-all and end-all, and SSL is state-of-the-art. For particularly confidential data, Perfect Forward Secrecy should be used. In contrast to conventional encryption, information transmitted with Perfect Forward Secrecy remains protected even if the data traffic is intercepted and an attacker later comes into possession of the server’s private key, for example through a newly discovered security vulnerability such as the recent Heartbleed bug.
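As an added example (not part of the article), the following Python code uses the standard `ssl` module to enforce the policy described above, a minimum protocol version plus only forward-secret cipher suites, and to verify that the resulting configuration actually contains no non-PFS suites. The cipher string, the minimum version and the legacy client offer are assumptions constructed for this example, and `negotiate` is a simplified model of server-preferred suite selection, not a real handshake.

```python
import ssl

# Policy for this example (assumed values, not taken from the article):
# TLS 1.2 or newer, and only suites with ephemeral key exchange (ECDHE/DHE),
# which is what provides Perfect Forward Secrecy. TLS 1.3 suites are always
# ephemeral and remain enabled regardless of the cipher string.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
PFS_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"

# Constructed sample of what a legacy client might offer: all of these use
# static RSA key exchange, so none of them provides forward secrecy.
LEGACY_CLIENT_OFFER = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA"]


def build_server_context() -> ssl.SSLContext:
    """Server-side context that enforces the minimum version and PFS-only suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(PFS_CIPHERS)  # raises SSLError if no usable suite remains
    return ctx


def key_exchange(cipher: dict) -> str:
    """Read the Kx= field of OpenSSL's cipher description, e.g. 'ECDH', 'DH', 'RSA', 'any'."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[len("Kx="):]
    return "unknown"


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Enabled suites whose key exchange is not ephemeral; an empty list means the policy holds."""
    ephemeral = ("ECDH", "DH", "any")  # 'any' is how OpenSSL labels TLS 1.3 suites
    return [c["name"] for c in ctx.get_ciphers() if key_exchange(c) not in ephemeral]


def negotiate(ctx: ssl.SSLContext, client_offer: list):
    """Simplified model of server-preferred selection: the first suite the server
    allows that the client also offers, or None (no connection is established)."""
    offered = set(client_offer)
    for c in ctx.get_ciphers():
        if c["name"] in offered:
            return c["name"]
    return None


if __name__ == "__main__":
    ctx = build_server_context()
    print("non-PFS suites enabled:", non_pfs_suites(ctx))              # []
    print("legacy client gets:", negotiate(ctx, LEGACY_CLIENT_OFFER))  # None
    print("modern client gets:", negotiate(ctx, ["ECDHE-RSA-AES256-GCM-SHA384"]))
```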