We’re pretty mission-driven here at Absio. We believe there is a real problem (or problems) in cybersecurity that reaches back to the first computers. We’re eager to help organizations resolve the issues that arise when sensitive data created or processed by software doesn’t enjoy full-lifecycle protection.
A big part of the solution to today’s seemingly endless cybersecurity breaches and privacy infringements is to reengineer applications to adequately, reliably, and automatically protect data, by default and by design.
We are among those in the industry using the term “application-level data security” to refer to such a model. Other thought leaders prefer “application-level data protection” or “data-centric security.”
When we employ this language with enterprise information security leaders, whether at a conference or in a conversation, we often get the reply, “Sure, but we already have that.” Unfortunately, most of these interlocutors have ignored parts of the phrase. They indeed have application security measures in place but they typically lack application-level data security.
Here’s what the linguistic gap leaves out.
From an application development perspective, application security involves securing an application throughout its lifecyle, and applies to the features of software itself. Common types of application security include authentication, authorization, logging, and the use of firewalls for web apps. Application security can incorporate application-level data security but, in practice, these methods remain something of a rarity.
Application security testing performed by software developers strives to identify vulnerabilities within application code or the environments where the applications are hosted, which programmerss then work to remedy. Incorporating application security as part of DevSecOps helps ensure that rapid, iterative software development cycles don’t lead to ever larger security holes.
That’s application security for software developers. But within the enterprise, application security frequently refers to a much narrower set of cybersecurity behaviors, primarily such tasks as installing security patches and possibly participating in “bug hunts” to find post-release vulnerabilities. These tasks are essential to an organization’s overall cybersecurity stance but they are not sufficient to provide the level of protection companies and consumers need. Consider that:
- 83% of 85,000 applications tested had at least one security flaw, and often many more.
Veracode, State of Software Security Volume 10
- 42% of external attacks exploit software or web application vulnerabilities.
Forrester, The State of Application Security, 2021
Application-Level Data Security
This is where application-level data security, or data-centric security, comes in. As part of software architects’ and developers’ application security measures, they can enable applications to build self-defending, self-directing data.
What does that mean? Data objects created or processed by the software are automatically encrypted and cryptographically bound metadata is attached, dictating what can happen to that data throughout its lifecycle. The cryptographically bound rules then are then a part of the data object everywhere it goes, from the moment of initial creation or processing to the instant of final, permanent deletion.
Application-level data security offers a higher level of protection because it builds data-use policies into the data itself. The data can only be “used as directed,” to steal a phrase from the pharmaceutical industry.
An application-level data security model makes privacy policies, such as user consent requirements, enforceable and unavoidable. It also ensures that controls restricting data access, use, alteration, copying, dissemination, and destruction are automatically applied by the software applications processing the data, making it all but impossible to circumvent—which protects data from theft, snooping, misuse, and abuse, even from individuals inside perimeter defenses.
Application-level data security can be added to greenfield or brownfield development projects. What’s more, technologies exist that eliminate the need for cryptographic expertise, so organizations can instead focus on defining policies and translating them into application-based rules.
The remaining barrier is market demand. As more enterprises and organizations begin to understand that existing application security isn’t enough, they will insist on strong application-level data security in the software they purchase. Only then will we witness a rapid, meaningful transformation in cybersecurity and privacy outcomes.