The scramble to provide remote work capabilities on a massive scale has led IT to focus on maintaining and enhancing VPN infrastructure. Telecommunications giant Comcast reports that for its network, VoIP and video conferencing have jumped 212% compared to the beginning of March, while VPN traffic is up by 40%. As these stats show, VPN is not the only enabler of the work-from-home mandate. Web applications are crucial to business continuity and resilience, too.
By making line-of-business applications accessible from any device with an internet connection and a modern web browser, web applications enable users to file expense reports, fill in timecards, check inventory levels, manage shipping and receiving, as well as manage a wide array of other critical activities. Tasks that once would have required a visit to the office (or at least use of a corporate-issued device with the right VPN client installed) can now be completed just as easily from an array of personal devices that many folks already possess, connected to any available internet connection.
Because web applications are inherently multiplatform, eliminating the need to develop separate applications for every user platform, they are also a great fit for a bring-your-own-device (BYOD) world. While organizations in some industries routinely provide every worker with a corporate-owned laptop, other organizations without an effective BYOD plan in place may find that a significant portion of their workforce is cut off from important resources in the event that they can no longer physically come into the workplace.
Not a New Challenge, but One of Scale
People tend to have short memories, but the current crisis isn’t completely unprecedented — with the major exception of its scale. Other regional disasters (such as Hurricane Harvey in 2017 and Hurricane Katrina in 2005) have challenged businesses with the question of how to keep their businesses running when workers can’t come into an office.
In one example, an organization lost both its primary and backup data centers due to Hurricane Harvey, which prompted the company to migrate most of their infrastructure to the cloud. They realized that a major cloud provider was better able to ensure the continuity of their infrastructure, and adopting tools such as Microsoft Office 365 significantly enhanced their end-users’ ability to access critical information from their own devices if corporate devices were unavailable. For that organization, the benefit of leveraging the robust business continuity capabilities of cloud providers drove the shift towards adopting web applications for critical functions.
Though public cloud providers like Google Cloud, Azure and AWS or software-as-a-service (SaaS) providers like Salesforce face the same operational challenges as the rest of us when disaster strikes, the flexibility of their cloud environments brings significant advantages both in terms of survivability and scale.
Web Applications Improve Your Business Continuity
Three real-world instances that show how web apps can enhance BCDR (business continuity/disaster recovery) plans are:
- Your employee’s company-issued device died, but you can’t quickly ship them a replacement due to disaster-related shipping challenges: Web applications enable BYOD, keeping the employee productive while awaiting their new device.
- Workers can’t be physically present at the office: Use any internet-connected device with an SSL-enabled browser to securely access critical business systems. This could include inventory management, internal ticketing systems, content management systems (CMS), expense reporting, etc.
- You’re dealing with huge changes to your supply chain: Use web applications and/or web APIs to establish connections with new vendors for inventory and shipping management.
Securing Web Applications
Don’t let security be an afterthought while you begin to deploy your own web applications for critical line-of-business functions. And don’t forget the principles of DevSecOps when developing your own, even if you’re feeling the pressure to deploy. Internet-facing web applications require robust protection. The solutions and strategies required for securing internet-facing web applications can be different from those that you deploy to protect other kinds of workloads. VPNs, for example, clearly establish who is “inside” and who is “outside” the network.
But internet-facing applications leave a door open to the outside world, and that door needs to be protected. In addition to authenticating users (typically with a combination of tools and solutions that may include 2FA, SAML, RADIUS and other technologies), you need a strategy for web application and API protection that can keep an eye on that door and make sure that your application is both secure and highly available.
Internet-facing web applications face threats like:
- Zero-day and unknown attacks
- API-based attacks
- Denial of Service
- Malicious Bots
- OWASP Top 10
Because it discusses a “broad consensus about the most critical security risks to web applications,” the OWASP Top 10 is especially critical. Its goal, in part, is to change coding practices to produce more secure applications. However, the reality is that achieving 100 percent secure software is an aspirational goal at best, and the OWASP Top 10 has been adopted as a guideline for basic security issues that any web application firewall (WAF) should be able to defend against. SQL injection attacks and cross-site scripting attacks, for example, are included as part of the OWASP Top 10.
In light of the upheaval caused by the current pandemic, think about how web applications fit into your business continuity. It may not be possible right now to shift all your line-of-business functions to web applications. However, where that is possible, web apps make your business more resilient in many ways. This includes security resilience, as they make it possible for employees to access business tools securely, regardless of network or device. An approach like this helps your organization transition smoothly to remote work as needed without business disruption.