GCN: August and September 2016
SPONSORED CONTENT

RISE TO THE CHALLENGE OF APPLICATION SECURITY

Long treated as an afterthought, application security is now a key component of an enterprise security strategy.

For many organizations, application security has long been a hidden vulnerability—one often overlooked in cyber-planning even though it poses a significant and growing threat. Government agencies have come a long way in recognizing that it’s not enough to defend the perimeter of the enterprise. Many are just beginning to realize the enormity of the security challenge presented by their enterprise applications. Left unprotected, these applications can serve as a back door to the enterprise, leaving mission-critical data dangerously exposed.

The challenge can seem overwhelming. In many agencies, IT managers can’t even say how many applications they have. Also, the application environment has grown increasingly complex. As agencies use cloud and mobility to extend applications to users wherever they are and whatever device they might be using, they are further exposing their data.

Unfortunately, application security defies an easy fix. Many legacy applications were developed at a time when application security was an afterthought at best. Retrofitting a security solution might be a necessity, but it’s far from ideal. This will become less of an issue over time as new applications are being architected with security in mind.

In developing any solution, agencies must keep in mind the end-user application experience. Solutions that restrict access or impede performance won’t succeed. As we’ve seen in the past, when users get frustrated, they often look for work-arounds that compromise security.

Still, as daunting as it seems, application security is achievable. Here are three thoughts to keep in mind when developing a strategy:

First: The best policy is zero trust. Trust no application, no user and no traffic flow. Instead, rely on strong, multi-factor authentication to provide access to all applications and related resources. At the same time, don’t make it overly complicated. A user should be able to sign on to the network once, with the backend system managing access control.

Second: You can’t secure what you can’t see. For a long time, encryption has been the key. Developers rely on Secure Sockets Layer (SSL) technology to protect data in transit. That has proven to be a double-edged sword. In some high-profile data breach cases, hackers used SSL to mask data they were exfiltrating, making it difficult for agencies to understand what was happening until it was too late. In the case of outbound traffic, it’s important to provide an “air gap” in which security teams can view encrypted data as clear text, then re-encrypt it as it continues on its path. However, they must do this in a way that doesn’t tax performance too heavily.

Third: Don’t treat all applications the same. No application should be left behind, but some applications clearly require a higher level of security than others. An agency should have a comprehensive set of security policies and services tailored to address the risk level of a given application, based on the nature of the data, the service it is supporting, the context in which end-users are working, and so on.

Application security is clearly a complex challenge, and the stakes are high. But today more than ever, the tools and understanding are available to meet this challenge and strengthen the overall security of the federal enterprise.

Randy Wood is Vice President, Federal, F5 Networks.

Secure User Access to Apps. Application-focused access and identity services are critical to maintaining a positive security posture while enabling users to access applications from anywhere at any time. With access and identity architectures based on full user, application, and network context awareness, F5 enables single sign-on and federation of application access across the data center and into the cloud, while maintaining the integrity of data through comprehensive endpoint inspection and anti-malware services. Learn more at carahsoft.com/innovation/F5-Cyber