Application Security: How It Works

Are your internal drives protected against data theft? Yes? Awesome! But what about customer datasales figures and other sensitive information that is accessible via CRM and ERP systems? In this article, we are going to examine why application security is a crucial component of any effective cybersecurity concept and how access management software can help protect your applications against unauthorized access.

What Is Application Security?

The term application security summarizes the processes, tools and methods used to protect your applications against external cyber-attacks, as well as unauthorized access and attacks from within. It is vital that the measures you set protect your applications against external and internal threats and abuse throughout the duration of their lifecycles. IT security experts recommend taking measures both on the software and hardware levels.

Why Do We Need Application Security?

Oh, brave new world! Do you remember the time when cyber security meant protecting static websites and desktop applications? Today, most organizations deploy a colorful mix of third-party and open-source systems and standard software components, alongside other types of applications (e.g. desktop, web, mobile, microservices). These programs are usually accessed via networks, which inevitably exposes them to all sorts of threats.

Most businesses allow not just their users to access the data that is managed within these applications, but also grant access to business partners, suppliers and other relevant parties.

Such a slack approach to data management can quickly turn into an exploitable weakness. If important systems such as SAP or Microsoft® Dynamics NAV are not sufficiently protected, you’ll have internal and external perpetrators walking all over you.

The consequences are vandalism, plagiarism and/or heavy fines for the violation of compliance regulations.

What Is the Purpose of Application Security?

First off, application security is a malleable concept that should be discussed and defined as part of an ISMS (Information Security Management System). Those in charge should create a security profile for each application that is used in the company and precisely define the role of this application with regard to the company’s resources: What is the application allowed to do, what is it not allowed to do?

Another measure to combat data abuse and other security risks is to compile a threat model. This involves identifying and prioritizing potential threats to the company’s resources and might include anything from a broken storage medium to large-scale hacker attacks. All incidents as well as any actions taken in each case must be sufficiently documented.


ISO 27001: Access Management Requirements

Everything you need to know about IAM requirements and what documents are needed in preparation for ISO-compliance.

Safeguarding Application Security

The most common approach to safeguarding application security is the installation of firewalls. Firewalls are designed to prevent certain applications from executing files or processing data. Other useful and common measures for improving application security include:

  • Conventional firewalls & anti-virus programs

  • Encryption/decryption programs

  • Tools for detecting and removing spyware

  • Biometric authentication systems

Improve Application Security Through Access Management

One striking issue that recrystallizes each time a data incident occurs is the misconception that the greatest threat to sensitive data emanates from cyber criminals – when in reality employee data theft poses a much greater security risk, as organizations tend to either overlook or ignore it entirely. However, by investing in a professional access management strategy, this risk can be significantly mitigated.

Manual Access Management Compromises Application Security

Managing users and access rights for different systems and programs manually instead of centrally poses a great threat to application security, simply because admins have no way of maintaining a good overview of who has or needs which rights. They will happily assign rights to users as needed, but not revoke them once they are obsolete. This is the main problem with manual user management.

Example: take Ms. Williams, for instance, an employee of Organization X. She is given new rights because she switches from HR to the Sales Department, where she needs access to other folders and programs. However, the rights she had in HR are not revoked. She simply gets to keep them – even though she does not need them anymore.

Or Mr. Peterson, a colleague of Ms. Williams in Sales. He joins a big project which he needs additional rights for. Once the project finishes, however, his extra rights are not revoked either.

Reference users are another way of providing users with more privileges than they need. These actions combined lead to what is commonly referred to as a privilege creep.

The privilege creep is so creepy because nobody is aware that it’s happening. Rights are issued left and right, yet there is no central reporting system to document what is happening. Without a professional access management solution, the admin has no way of keeping an overview of who currently has access to what programs.

Manual User Management Fosters Malware Spread

Organizations who rely on manual user administration often have a problem with endpoint security, which usually ensures that malware such as trojans or keyloggers are unable to spread throughout the system.

These types of malware commonly find their way into systems via phishing-Mails, zero-day exploits or other vulnerabilities in applications that allow remote code execution. The more rights the compromised user account has, the faster and wider the malware can spread throughout the system.

Video Overview

Watch Our Demo Video to See tenfold in Action!

Improve Application Security With tenfold

Access management or identity and access management software constructs all necessary privilege structures automatically and in accordance with best practices and the principle of least privilege. The result is that the access rights each user receives are tailored precisely to their job description.

tenfold can further be integrated with more than 60 third-party systems, including SAP ERP, Microsoft® Dynamics NAV, Exchange, and more. Other external systems for which there is no individual plugin available can be integrated via the Generic Connector.

Once installed, you can simply import existing infrastructures to tenfold. Furthermore, there is an additional interface to the personnel database available which ensures that HR data is imported automatically to tenfold and that new user accounts are also created automatically, including the appropriate permissions.

What Does tenfold Do For Application Security?

Data Owner Concept

Solely data owners are authorized to decide which users shall be granted access to specific applications. Your first action should therefore be to appoint data owners who are then in charge of granting or rejecting access to applications. This way, you can ensure that only users who really need it have access to certain data (principle of least privilege).

Role-Based Access

Users who belong to the same user group usually require the same privileges. To simplify the process of assigning privileges in tenfold and to keep it as transparent as possible, you must define what we refer to as access profiles. An access profile is basically a compilation of all privileges a certain user group needs. Individual users are then assigned to these profiles or roles. You can assign one user to multiple profiles (e.g. profiles “IT department” and “Team leader”), depending on the user’s job duties.


User privileges must be updated and reviewed regularly. This is important to prevent users from accumulating more and more rights, and never having their old rights removed (privilege creep). Unfortunately, most companies do not have structured procedures for deleting privileges in place. To overcome this problem, tenfold conducts regular user access reviews, also referred to as recertification.

Auditable Reporting

Do you know who has access to what resources in your company? If the answer is no, your access landscape is probably not as tidy as it should be. This is dangerous for a number of reasons: besides posing a great threat to security, a chaotic access landscape also sets you up on a collision course with regulatory frameworks such as the GDPR. To counter this issue, tenfold documents all processes meticulously and produces detailed reports on them.

Seamless Documentation

If a data incident does occur, despite all measures, the search for possible causes begins. To trace back who had access to a certain application or resource and why, it is vital that any requests, approvals and changes are well-documented at all times. tenfold takes care of these processes and it does so entirely automatically. There will be no gaps in your documentation and you will be able to trace exactly who was given access to what by whom and why.

Solely data owners are authorized to decide which users shall be granted access to specific applications. Your first action should therefore be to appoint data owners who are then in charge of granting or rejecting access to applications. This way, you can ensure that only users who really need it have access to certain data (principle of least privilege).

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.