New Regulations Are Coming — Get a Handle on Your App Portfolio

With the realization that any app could be a gateway for a larger attack, there will be more pressure than ever on companies to fully protect their entire application landscape.

Kara Sprague, Executive Vice President and General Manager, BIG-IP at F5

October 7, 2021

4 Min Read
Digital image of hand and padlock
Source: Zoonar GmbH via Alamy Stock Photo

Colonial Pipeline. Solar Winds. Hundreds of millions drained from Washington state's unemployment system. The past year has brought a reckoning about the dire importance of application security and cybersecurity in general.

These high-profile attacks have elevated the topic in our national and international political dialogue. We've grown used to attacks as a course of business subject to a cost-benefit analysis and risk mitigation. But now they're the subject of a presidential executive order and were reportedly a topic raised during the June 2021 US-Russia summit in Geneva.

To those of us in the industry, this growing worldwide awareness of the severity and expansiveness of the threats we are facing seems like it's been a long time coming. And we now seem to be at a tipping point where governments are becoming much more involved.

As part of that, we will see increased calls for legislation and regulations about cyber measures companies need to take. Governments will have a stronger hand not only in setting but also enforcing the standard for what public and private companies must do to maintain the security of their application environments.

This can lead to real progress. Consider the regulations that help ensure public health in many other industries. If you run a restaurant, for example, you are required to meet a certain standard of hygiene. Similarly, we're on the brink of a world where companies with applications that transact value or support critical infrastructure will be subject to a set of mandatory security requirements to remain in business.

In this environment, technology solutions like Web application firewalls, API security, anti-bot, and anti-denial-of-service will be fundamental necessities for maintaining a clean cybersecurity environment.

And these security solutions won't only be for the most important apps, but for all of them. After all, you're only as secure as your weakest app or API. If an attacker can get into a network or infrastructure through one thing that's unprotected, then everything else on that same network or infrastructure is also at risk. Recent attacks on the software supply chain have shown how a vulnerability in one organization or system can affect many others downstream.

This process of creating cyber hygiene across the entire app landscape will pose some distinct challenges for customers, especially those with large or legacy app portfolios. One tough sell will be the need to keep systems up to date, and one big logistical challenge will be mapping out entire application ecosystems across not just disparate locations and systems, but often across decades of technology investments.

After making substantial investments in physical infrastructure, companies want to get as much out of those assets as possible before retiring them. They can be reluctant to upgrade software and services because those newer versions will run more slowly on older equipment.

This is commonly known as "sweating the assets." It's like trying to drive those last few miles on an empty tank of gas. But as any computer geek can tell you, if you want to get things done, you don't try to run Mac OS Catalina on a 1998 iMac, or Windows 11 on a 2003 Dell Latitude.

Customers are going to need help navigating this challenge. Since the dawn of enterprise tech, leaps forward have been tied to innovations in technology stacks. It went from mainframes to a client-server model, from three-tier applications to microservices, from on-premises systems to the public cloud. Every innovation that comes along introduces a new vertical architecture and technology stack to support and run applications.

But the unfortunate reality is that most customers are never able to fully move all their stuff into the next new stack. Most companies are dealing with multiple stacks. And ultimately, every stack becomes legacy after it's been around a while.

To solve this, the paradigm must change. We need a new model in which people can manage an application environment effectively no matter what mix of technologies they have.

The other big challenge customers will face is getting a lot more clarity on all the applications they have in their ecosystem. Where are those applications or APIs hosted? Which end users, human or machine, have access? What data can be accessed or manipulated? How are they protected from attacks to their confidentiality, integrity, and availability? Companies need to be able to map out all their apps and APIs, what they're doing, and how they're protected.

In the Biden administration's executive order in May, modernization of systems was expressly called out as an imperative for federal agencies. It might not be long before a similar mandate is made for the private sector, especially for industries that touch critical infrastructure. Sweating the assets may no longer be an option for many organizations. For others, solutions may soon be available that wrap new protections around older systems. And with the realization that any app could potentially be a gateway for a larger attack, there will be more pressure than ever on companies to fully map, understand, and protect their entire application landscape.

Companies in every industry should be thinking about these important issues now, before being forced by regulation and legislation.

About the Author(s)

Kara Sprague

Executive Vice President and General Manager, BIG-IP at F5

Kara Sprague is Executive Vice President and General Manager of F5’s BIG-IP, responsible for the company’s product portfolio management, product, and solutions.

Sprague joined F5 in 2017 from McKinsey and Company, where in her thirteen-year tenure she held various leadership positions across their technology practice. Most recently she led the Technology, Media, and Telecom Practice for the Western Region. Prior to McKinsey, Sprague was on the engineering staff of Oracle, Agilent Technologies, and Hewlett-Packard.

A trained computer scientist and electrical engineer, she holds two masters degrees from Massachusetts Institute of Technology and serves on the board of Girls Who Code.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights