As organisations suddenly find themselves responding to a massive increase in remote workers, immediate attention has necessarily focused on maintaining and enhancing VPN infrastructure. We should also keep in mind, however, that VPNs are not the only way to enable remote workers to access critical line-of-business functions. Web applications have a vital role to play in our business resiliency plans as well.
The benefits of web applications for enabling a remote workforce have been clear for some time. Making these line-of-business applications accessible from any connected device and modern web browser allows users to file expense reports, fill in timecards, check inventory levels, manage shipping and receiving as well as a wide array of other critical tasks. Tasks that would have once required a visit to the office (or at least use of a corporate-issued device with the right VPN client installed) can now be completed just as easily from an array of personal devices that many already possess, as they are connected to any available internet connection.
Web applications are also an excellent fit for a BYOD world. Web applications are inherently multi-platform, eliminating the need to develop separate apps for every user platform. While some organisations and industries routinely provide each worker with a laptop, other organisations without an effective BYOD plan in place may find a significant portion of their workforce cut-off from essential resources if they can no longer physically come into the workplace.
Tasks that would have once required a visit to the office (or at least use of a corporate-issued device with the right VPN client installed) can now be completed just as easily from an array of personal devices that many already possess, as they are connected to any available internet connection.
Business Continuity Is Not a New Challenge
The business continuity challenge presented by social distancing requirements most of us are operating under has some similarity to recent events, except for its scale. Other regional disasters – like Hurricane Harvey, a storm that devastated Houston in 2017, and Hurricane Katrina, that impacted the Gulf Coast of the US in 2005 – have challenged enterprises with, “How do I keep my business running when workers can’t come into the office?”
I remember speaking to at least one business during the Harvey recovery that had lost both their primary and backup data centres, and as a result ended up migrating most of their infrastructure to the cloud following that disaster. They realised that a significant cloud provider was better able to ensure the continuity of their infrastructure. They also saw that adopting tools such as Microsoft Office 365 significantly enhanced the ability of their end-users to access critical information from their own devices if corporate devices were unavailable. For that organisation, the benefit of leveraging the robust business continuity capabilities of cloud providers drove the shift towards adopting web applications for critical functions.
It is true public cloud providers such as AWS, Azure and Google Cloud or SaaS providers like Salesforce can face the same operational challenges as the rest of us during disasters. But, the flexibility of their cloud environments brings significant advantages in terms of survivability and scale.
How Web Applications Can Enhance Business Continuity Posture
Here are a few examples of how web applications can enhance BCDR (business continuity/disaster recovery) plans:
- When employees are unable to access the office physically, they should be able to use any internet-connected device with an SSL-enabled browser to access critical business systems securely. This could include inventory management, internal ticketing systems, content management systems (CMS), expense reporting, etc.
- There are instances when employee’s corporate-provided endpoint has issues and organisations can’t quickly ship them a replacement device due to disaster-related shipping challenges. In these cases, web applications enable BYOD, keeping the employee productive while awaiting their new device.
- Are you facing radical changes in your supply chain? Use web applications and or web APIs to establish connections with new vendors for inventory and shipping management.
Discover how Fortinet Teleworker Solutions enable secure remote access at scale to support employees with a wide array of access requirements.
Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from the data centre to cloud.
Security For Business-Critical Web Applications
As organisations look to deploy their web applications for critical line-of-business functions, they can’t let security be an afterthought. Internet-facing web applications require robust protection. The solutions and strategies needed for securing internet-facing web applications can be different from those that they deploy to protect other kinds of workloads. VPNs, for example, clearly establish who is “inside” and who is “outside” the network. But internet-facing applications leave a door open to the outside world, and that door needs to be protected. In addition to authenticating users (typically with a combination of tools and solutions that may include 2FA, SAML, RADIUS, and other technologies), organisations need a strategy for web application and API protection. Especially one that can keep an eye on that door, and make sure apps are both secure and highly available.
The solutions and strategies needed for securing internet-facing web applications can be different from those that they deploy to protect other kinds of workloads. VPNs, for example, clearly establish who is “inside” and who is “outside” the network.
What kind of threats does an internet facing web application face?
- Denial of Service
- Malicious Bots
- Zero-day and unknown attacks
- API based attacks
- OWASP Top 10
The OWASP Top 10 is especially critical as it defines a “broad consensus about the most critical security risks to web applications.” Its goal, in part, is to change coding practices to produce more secure applications. However, the reality is that achieving 100% secure software is an aspirational goal at best. The OWASP Top 10 has been adopted as a guideline for fundamental security issues such that any Web Application Firewalls (WAF) should be able to defend against SQL injection attacks. Cross-site scripting attacks, for example, are included as part of the OWASP Top 10.
A Real-World Example: Fortinet’s Global Training And Enablement
As an example of how this works in practice, we recently published a case study showing how Fortinet’s Global Training and Enablement team design, develop, and manage custom web applications underlying the Fortinet NSE Institute’s training and certification programs. The team uses a combination of open-source and commercial-off-the-shelf (COTS) web applications to enable their distributed team to focus on delivering cost-effective and highly scalable training applications. And they secure their web applications using Fortinet’s FortiWeb. In addition to the cost savings described in the case study, this approach also enabled that team to work from any location using that set of web applications leveraging the public cloud to prevent redundancy and risks.
The Path Forward
As organisations evaluate their BCDR plans following this most recent global stress test, they should consider how web applications, and especially cloud-hosted web applications, can be part of their strategy going forward. Not all organisations may be ready to move all line-of-business functions to web applications. Still, for those functions where they can, web applications provide multiple benefits that enhance the resiliency of business. Perhaps most importantly, they enable users to securely access those business functions they need to get their work done from any device on any network. This enables organisations to reduce the disruption that an emergency transition to remote work can otherwise bring.
By Imran Chaudhery, Country Manager-EA, Fortinet.
Do you have a story that you think would interest our readers? write to us firstname.lastname@example.org