Security by Design: Building Defense in Depth with an Application Network

Executive Summary

Challenges
• CIOs must increase the clockspeed of their business with a limited number of resources, and with the demands of the business for technology solutions growing ever more quickly, they have to figure out how to make IT scale to match.
• CISOs need to protect against bad actors gaining control of systems, but are hampered by poor visibility, shadow IT, and a reputation as the blocker to innovation.
• CIOs and CISOs must partner to develop security and agility together, but often their goals seem misaligned.

Recommendations
• Create a better understanding of what is happening in the business by corralling and analyzing projects in progress.
• Take an API-led approach to connectivity and securely expose critical assets while enabling visibility and governance.
• Create an organizational discipline of secure self-service and reuse.

Introduction

No matter what size company you are or what industry you’re in, because of the dramatic and extraordinary changes brought about by the advent of the digital world, you want to move faster and innovate more. However, your ambitions are checked by two things. First, most IT leaders are working in a world where 78% of your collective effort is spent just maintaining your existing IT landscape.[i] And secondly, 60% of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases.[ii]

Moving faster and staying secure are often at odds in the enterprise technology landscape. But they don’t have to be. It is possible to create a corporate culture of innovation while weaving security principles into the design of every application, data access point, and integration. Don’t expect this to come from the software you buy, however. You need to think differently about how to change the clockspeed of your business. You can create a framework for faster innovation — and build in security by design — by building an application network.

Enterprise challenges the CIO faces

Before considering how the needs of the CIO and the needs of the CISO can be combined, let’s consider each separately.

The CIO, of course, is facing numerous challenges to achieving her goals. The pace of development she must achieve is daunting and is rising all the time. To match that pace, the IT deployment infrastructure must grow, though the resourcing often cannot keep up with demand. Many IT teams spend the majority of their time maintaining existing systems and attempting to drive down technical debt in the face of a growing need from the business for new systems, applications, and innovations. This is creating an impossible-to-fill capacity gap.

If a CIO expects IT to be a sole enabler and expects the central IT organization to solve the capacity gap, she will be disappointed. Software itself is not going to be a solution. The CIO needs to get away from project-based thinking and move towards having a comprehensive strategy.

Why connectivity is the key business strategy

The pressure to incorporate all of these systems into the enterprise technology stack is really a pressure to connect all of these systems. Many of these systems and applications don’t make sense on their own. In order for everything to work and actually produce business value, they must be integrated together in some way.

The tempting way to do this is to pull things together in an as-needed fashion. In this type of scenario, as a new system is added, a new integration is added as well. This type of point-to-point integration is extremely common, and can appear to solve the problem, at least in the short term. The IT team sees the integration need, quickly writes some custom code to solve it, and congratulates itself on dealing with the problem on time and on budget.

But over time, as this type of work keeps happening, the IT organization ends up with a huge mess — a mess that eventually stops the business from being able to go forward. When everything is hard-wired to everything, nothing can move without breaking everything else. This is why businesses often end up with risk aversion and ultimately a misalignment between what IT needs and where the business wants to go. The business wants to continue to innovate and create value, while IT is saying, "wait a minute, I have to somehow keep everything running."

In order for systems to work together properly, and for connectivity to not become an obstacle to moving at the pace the business desires, connectivity must become a strategic business discipline, not driven project-by-project but informed by a broader vision. A well-designed integration strategy becomes the cornerstone of the application network.

The rise of shadow IT

Some organizations compound this problem through “shadow IT.” The term “shadow IT” emerged when there was a well-accepted practice that all information technology needs were handled through the central IT group. All other parts of the business had to wait their turn in line to get their technology projects solved by IT, and thanks to the proliferation of point-to-point integrations or heavyweight SOA obligations, the pace was too slow. So departments like marketing, sales, finance, etc. had their own technologists produce or procure their own solutions outside the central IT department, creating the rise of shadow IT.

Shadow IT presents challenges for both the CIO and CISO

Central IT doesn’t like to be supplanted; when they're not part of the process in the beginning, they often come in at the end and act as a blocker. Yet the business still needs to keep going forward. If IT comes in and blocks innovation, these parts of the business will be even more motivated to go around IT. The same is true of security.

By not partnering with the business, and not helping to create frameworks and methods in order to make things more efficient, there’s no way for IT or security to introduce best practices. It therefore often happens that IT and security are both firefighting problems that arise from shadow IT. They find one, they run their vulnerability scanner, and then they go put that fire out. Then there’s another fire, and then another. They're so busy putting out fires that they don't have time to build frameworks for best practice and build partnerships with the rest of the business.

Interestingly, the principles behind the formation of shadow IT aren’t necessarily negative. The business needs all of its parts to be thinking in an agile and innovative way. A strategic integration discipline, like an application network, harnesses the impulses behind the creation of shadow IT and turns them into business assets.

Enterprise challenges a CISO faces

For the modern-day CISO, the proliferation of cloud-based mobile apps has dramatically increased the exposed surface area of the business. Each new app requires and enables access to organizational data and assets, and unless the security team was explicitly involved in the app’s creation, acquisition, and delivery, users inside and outside the organization may have access to data and the ability to expose it without the CISO even being aware.

This challenge of visibility is compounded by the lack of standards by which organizational data and assets are shared and exposed. Different business units may adopt their own approach to security, or perhaps not take one at all, making the CISO’s job of propagating security best practices unwieldy. As a result, standardization and visibility have emerged as extremely important traits of any kind of security structure. This can be done by providing well-defined entry points and exit points to organizational data and assets and ensuring that standards are documented and shared broadly across teams.

Another challenge is that the security team often has to fight about these problems right when they're about to go into production. It often occurs when IT is about to roll something out to solve a business problem and they didn't secure it. It's full of vulnerabilities. The security team becomes a blocker rather than a partner, and as outlined above with shadow IT, the business works around it and creates opportunities for new threats to emerge. To solve this problem, security has to be designed into the IT architecture, and not just at the perimeter.

It’s tempting to approach security by creating a centralized defense on the outside, with one or a few tightly controlled entry points that the CISO is in charge of. Recent events across a number of organizations have proven this approach is not reliable, scalable, or adaptable.

A better way to think about security is in a compartmentalized way — as fortified units with common and distinct security requirements. In this case, you’re not really increasing the surface area of what needs to be secured, even though there are more things that require security. What you are actually doing is providing a standardized framework; this best practice allows organizations to provide defense in depth.

Creating security through API-led connectivity

Secure integrations are needed, but security can no longer be solely in the domain of the CISO; there simply isn’t the time or the resources to have one person or team create security for the entire business.

What you need to do instead is to move from a monolithic approach to application development and data entry to well-defined, well-fortified nodes, delivered via an API-led approach, potentially in a microservices architecture. Each of these nodes, designed and built by the teams that need them, will have security best practices baked in at the point of design. These nodes are connected through APIs, which are standardized, well-defined entry points that are easy to visualize and thus secure. If you have connected a few of these services and exposed those as APIs, you should be able to reuse those services, discover that connected entity and connect it to the next one. As you're building out and connecting more and more of these systems, you're not necessarily creating more and more connections; you're actually reusing the ones you've already created that are already known to and managed by the security team. This approach to IT architecture, called API-led connectivity, allows the business to go faster; you also get governance and compliance naturally along with it thanks to the API, an accessible and widely understood standard.

When architecture is developed this way, it’s necessary to build mechanisms for visibility and security into each part. It can’t be imposed top-down like a SOA initiative; every group that is developing a service is actually doing it in a standardized, well-defined way that allows security to actually happen. When any group is building a project, when they’re connecting services or building new ones and creating business value, they should always be thinking about "how do I actually create new assets as a result of this thing?" It should be an organizational discipline, and later a natural part of the development methodology, that every new service creates assets to be reused later. That means that the next project can make use of those aspects again and again.

Each node or service has to add value to the whole network. That's actually the engine that makes this turn on; it creates the network effect and makes people want to participate in it. People start to see value in the network, and they automatically contribute more nodes to it to ensure people get more value out of it, and so it spreads. Eventually, that's what makes the entire organization adopt the API-led approach and not create shadow systems.

API-led connectivity forms an application network

What emerges out of this approach is an application network that is structurally more secure. It’s organized around well-defined building blocks, and these building blocks all have an API linking them to the application network. Security is built in because you’ve defined a door through an API and cleanly defined your inside and outside.

It’s hard to open an unsecure door. With an application network, security teams have many security options to keep those doors barred against unauthorized entrants:

• Who gets in (permissioning)
• What is required for them to get in (authentication)
• What they have access to (provisioning)
• Full visibility into what they’ve accessed (monitoring, auditing)
• Alarms should something go awry (alerting)

With an application network, these doors are built into your integration fabric, making your network inherently more secure. The API entryways are managed and patterns of access can be reused; the good structure has been validated and can be reused multiple times. It’s highly tunable and configurable; with a standardized access point via an API, you can easily suspend access to one service without harming any others. This makes the application network resilient; it bends, unlike point-to-point architectures. The end result is the best practice of layers of security with central governance and visibility.

Security and agility go hand in hand

Complexity shouldn’t be confused with volume. The fact that there are lots and lots of moving pieces is inevitable today. Businesses are going faster, and there are more systems in existence. CIOs need to keep that train moving and CISOs don’t want to stop it. By creating some level of standardization, encapsulation, and reusable overall patterns, complexity is, paradoxically, reduced even if the volume is actually going up.

Increasing the number of services you bring online does not increase the risk of attack if everyone responsible for developing services controls access to their own data. The people who own the data are responsible for exposing the data and control who has access to that data. You're giving the owners of the data the ability to expose it. The main concern about increasing the number of services is how much variety in entry points there is: how many different ways are there to gain access to something? With an application network, all of the entry points are encapsulated and standardized; not only does each one present a smaller attack surface, but the result is also defense in depth.

A bad actor may be able to compromise one of these, but that doesn't mean that he or she can compromise the next one, and the next one, and the next one. They may be standardized, but each one serves as a barrier. Each one is controlling its own domain, each one is controlling what access makes sense from a business perspective, and each one should be checking the authentication. If every service has a properly managed entry point, defense in depth is possible even though the number of nodes or services is quite large and growing quickly.

Security is about people, not just technology

Another advantage of this approach is that it gives you boxes in which to operate. Developers don’t have to be security experts, identity experts, or even domain experts, as each of those functions can be handled by people with expertise in those fields. A developer can build her application by reusing tools that are already available, allowing her to focus on making a great application.

To enable the developer to do this, all stakeholders need to think about reuse as they are developing and designing capabilities. This includes the developer, because after she creates the application, it too will need to be available for reuse.

By creating new assets from reusable components built by domain experts, you continually reduce your area of attack, because you aren’t introducing additional, unvetted access to data or systems.

Then, because of this API approach, having declared the intent, you can hand the asset over to more standardized mechanisms, run by operations people or by security operations people who define the security policies that attach to that layer. The entire approach depends on well-designed and well-defined services with well-managed entry points, which the CIO and CISO can enforce together.

Real-world implementations of security and the application network

One of the largest global financial institutions has an IT infrastructure of enormous scale. It has distinguished itself by having local presences across many countries in multiple continents.

As a result, either by design or by inadvertently creating a tremendous amount of diversity, numerous silos were created. Like other financial institutions, this one needs to keep up with the demands of the digital era. It needs to fend off a lot of financial tech upstarts that are trying to compete for its business. It also has to deal with an increasing level of regulatory oversight and needs for compliance after the financial crisis of 2008. And it is facing financial pressures to increase efficiency, stop redundant development, bring costs down, and align towards future value-adding propositions. This institution realizes that a lot of their future investment is going to be in the cloud, an initiative driven by that need for business agility and cost reduction.

To do all this, they are in the process of creating an application network to rationalize their globally distributed assets and apply the API-led approach to create reuse and agility across multiple pieces of this large and distributed financial institution.

The executive leadership at this institution is also realizing that they actually have to transform their people, business operations, and processes. This kind of shift is not just about technology; the organizational mindset also has to shift in order to align with this distributed way of discovering what every part of the business has already created, reusing that, and building security into every aspect of this application network.

When we speak with the top architects and the top security professionals at this organization, they realize that the only way to solve this is to approach it with an application network that enables them to build those security patterns into the way that people actually end up building things, day to day, and to govern it at that level.

How Anypoint Platform enables an application network

MuleSoft’s Anypoint Platform™ is a complete solution for API-led connectivity that creates a seamless application network of apps, data, and devices, both on-premises and in the cloud. Why Anypoint Platform?

• Unified Platform for API-led Connectivity. Anypoint Platform provides full API lifecycle management and enterprise-grade connectivity on a single platform.
• Full API Lifecycle Management Platform. API Management is only one piece of the puzzle. As companies build APIs they need a full SDLC: design, collaboration, build, test, deploy, publish, version and retire. Anypoint Platform provides capabilities at each of these lifecycle stages.
• Creates application networks secured and governed by design. Every node in the network – every connection and every API – can be governed using policies. Policies can be enforced and updated with API Manager without making changes to the underlying code.
• Changes the clock-speed of your business with self-service consumption. Unlock data and break down silos between development teams by publishing APIs that developers can discover, access and use in a self-service model with Anypoint Exchange, the component of Anypoint Platform that captures all APIs, templates, and connectors you create and allows you to share these assets with different groups within or outside of your organization.
• Single runtime for cloud and on-premises. Deploy in any cloud, any data center, on premises, or in a hybrid environment. You write the application and deploy it or redeploy it in any environment seamlessly.
• Built for agile development and DevOps. The platform works with the common toolchains used for continuous integration and continuous deployment (CI/CD), i.e. SCM, Maven, JUnit, Jenkins, and works well in DevOps environments. To build and manage microservices, the platform can be containerized.

How your business can implement security by design with an application network today

There are concrete steps you can take today to become more secure. While these steps won’t be a panacea, beginning with this approach will give you a head start on the process:

• Meet with your business leaders, discover the projects they’re doing, figure out what data they have and what data they're trying to expose, and understand what it is they're trying to accomplish. Be part of helping them solve a problem as opposed to being the endpoint.
• Once this happens, CISOs are going to be able to reduce their exposed surface area, because they will discover known entrance points and exit points. This will help security teams create well-defined, well-structured APIs by which people can expose or access your data.
• Create visibility. Visibility is great for security, but it's also great for the business. The business wants to know what's going on, they want to know who's using it, they want to make data-driven decisions. Security wants that same data for a different purpose: they want to know who is using it to make sure that the data is safe and that only the right people have access to it. API-led connectivity provides a clear path to broad visibility.

Conclusion

The missions of the CIO and the CISO are aligned: reducing risk to the business and enabling agility. They might be looking at data to measure performance against those missions with two distinct lenses, but their intended outcomes are often the same. The CIO needs to take risks to make the organization better and faster, while the CISO needs to manage those risks and mitigate their effect on the business. An application network allows the two to work together and achieve the same goal of business agility rather than creating friction by working towards opposite goals.

[i] MuleSoft Connectivity Benchmark Report 2016. https://www.mulesoft.com/lp/reports/2016-connectivity-benchmark
[ii] Proctor, Paul, and Ray Wagner. Special Report: Cybersecurity at the Speed of Digital Business. Gartner, May 26, 2016. https://www.gartner.com/doc/3332117?srcId=1-3132930191&cm_sp=gi-_-cysec-_-srpage

MuleSoft’s mission is to connect the world’s applications, data and devices. MuleSoft makes connecting anything easy with Anypoint Platform™, the only
complete integration platform for SaaS, SOA and APIs. Thousands of organizations in 60 countries, from emerging brands to Global 500 enterprises, use
MuleSoft to innovate faster and gain competitive advantage.