April 29, 2020 By BlueAlly
By Brian Schwarz
As organizations suddenly find themselves responding to a massive increase in remote workers, immediate attention has necessarily been focused on maintaining and enhancing VPN infrastructure. We should also keep in mind, however, that VPNs are not the only way to enable remote workers to access critical line-of-business functions. Web applications have a vital role to play in our business resiliency plans as well.
The benefits of web applications for enabling a remote workforce have been clear for some time. By making line-of-business applications accessible from any device with an internet connection and a modern web browser, these applications let users file expense reports, fill in timecards, check inventory levels, manage shipping and receiving, and handle a wide array of other critical tasks. Tasks that once required a visit to the office (or at least a corporate-issued device with the right VPN client installed) can now be completed just as easily from the personal devices many people already own, over whatever internet connection is available.
Web applications are also a great fit for a BYOD world. They are inherently multi-platform, eliminating the need to develop separate applications for every user platform. While organizations in some industries routinely provide every worker with a corporate-owned laptop, organizations without an effective BYOD plan in place may find that a significant portion of their workforce is cut off from important resources if they can no longer physically come into the workplace.
Business Continuity is Not a New Challenge
The business continuity challenge presented by the social distancing requirements most of us are currently operating under resembles other recent events, except in its scale. Regional disasters – like Hurricane Harvey, the storm that devastated Houston in 2017, and Hurricane Katrina, which struck the Gulf Coast of the US in 2005 – have confronted businesses with the same question: “How do I keep my business running when workers can’t come into the office?”
I remember speaking to at least one business during the Harvey recovery that had lost both their primary and backup data centers, and as a result ended up migrating most of their infrastructure to the cloud following that disaster. They realized that a major cloud provider was better able to ensure the continuity of their infrastructure. They also saw that adopting tools such as Microsoft Office 365 significantly enhanced the ability of their end users to access critical information from their own devices in the event that corporate devices were unavailable. For that organization, the benefit of leveraging the robust business continuity capabilities of cloud providers drove the shift towards adopting web applications for critical functions.
And while it’s true that public cloud providers – such as AWS, Azure and Google Cloud – or SaaS providers, like Salesforce, can face the same operational challenges as the rest of us when disaster strikes, the flexibility of their cloud environments brings significant advantages both in terms of survivability and scale.
How Web Applications Can Enhance Business Continuity Posture
Here are a few examples of how web applications can enhance BCDR (business continuity/disaster recovery) plans:
- When employees are unable to physically access the office, they should be able to use any internet-connected device with an SSL-enabled browser to securely access critical business systems. This could include inventory management, internal ticketing systems, content management systems (CMS), expense reporting, etc.
- There are instances when an employee’s corporate-provided endpoint fails and the organization can’t quickly ship a replacement because of disaster-related shipping challenges. In these cases, web applications enable BYOD, keeping the employee productive while awaiting the new device.
- Facing radical changes in your supply chain? Use web applications and/or web APIs to establish connections with new vendors for inventory and shipping management.
Security for Business-Critical Web Applications
As organizations look to deploy their own web applications for critical line-of-business functions, they can’t let security be an afterthought. Internet-facing web applications require robust protection, and the solutions and strategies for securing them can differ from those deployed to protect other kinds of workloads. VPNs, for example, clearly establish who is “inside” and who is “outside” the network. Internet-facing applications, by contrast, leave a door open to the outside world, and that door needs to be protected. In addition to authenticating users (typically with a combination of tools that may include 2FA, SAML, RADIUS, and other technologies), organizations need a strategy for web application and API protection that keeps an eye on that door and ensures the applications behind it are both secure and highly available.
What kind of threats does an internet-facing web application face?
- Denial of Service
- Malicious Bots
- Zero day and unknown attacks
- API based attacks
- OWASP Top 10
The OWASP Top 10 is especially critical because it defines a “broad consensus about the most critical security risks to web applications.” Its goal, in part, is to change coding practices so that they produce more secure applications. In reality, however, 100% secure software is an aspirational goal at best, and the OWASP Top 10 has been adopted as a guideline for the basic security issues that any web application firewall (WAF) should be able to defend against. SQL injection and cross-site scripting attacks, for example, are both part of the OWASP Top 10.
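The two risks the paragraph names, shown as an added example that is not part of the original post: a user lookup that concatenates input into SQL beside its parameterized form, and HTML escaping of stored data before it is rendered. The in-memory table, user names and probe string are constructed for this example.

```python
import html
import sqlite3


def build_db():
    # Constructed in-memory stand-in for a line-of-business user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice <Ops>"), ("bob", "Bob")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Injection risk: untrusted input becomes part of the SQL text, so quote
    # characters in the input are parsed as SQL syntax by the database.
    query = f"SELECT display_name FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    # Hardened form: the value is bound as a parameter and never parsed as SQL,
    # so the same probe string simply matches no user.
    query = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting(display_name):
    # Cross-site scripting defense: escape stored data before it is placed in
    # HTML, so markup inside a display name is shown as text, not interpreted.
    return f"<p>Welcome, {html.escape(display_name)}</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed tautology probe, a classic WAF test input
    print("vulnerable:", lookup_vulnerable(db, probe))      # returns every user
    print("parameterized:", lookup_parameterized(db, probe))  # returns []
    print(render_greeting("Alice <Ops>"))
```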
A Real World Example: Fortinet’s Global Training and Enablement
As an example of how this works in practice, we recently published a case study showing how Fortinet’s Global Training and Enablement team designs, develops, and manages the custom web applications underlying the Fortinet NSE Institute’s training and certification programs. The team uses a combination of open-source and commercial-off-the-shelf (COTS) web applications so that its distributed members can focus on delivering cost-effective and highly scalable training applications, and it secures those web applications with Fortinet’s FortiWeb. In addition to the cost savings described in the case study, this approach lets the team work from any location using that set of web applications, leveraging the public cloud for redundancy and reduced risk.
The Path Forward
As organizations evaluate their BCDR plans following this most recent global stress test, they should consider how web applications, and especially cloud-hosted web applications, can be part of their strategy going forward. Not every organization is ready to move all line-of-business functions to web applications, but for the functions where they can, web applications provide multiple benefits that enhance the resiliency of the business. Perhaps most importantly, they enable users to securely access the business functions they need to get their work done from any device on any network. This lets organizations reduce the disruption that an emergency transition to remote work can otherwise bring.