Despite Breaches, Alarming Number of Companies Lack Security Controls for Accessing Enterprise Applications, According to Latest Research — Independent Study Respondents Recognize Need for More Stringent Access Controls, Yet 60 Percent of Organizations Do Not Require Multifactor Authentication for Non-Employees Accessing Enterprise Applications
Vidder Inc., the inventor of precision application access, announced the results of the Enterprise Application Security Market Research Report, an independent study conducted by King Research to understand the current state of controls for enterprise application access; which stringent access controls are deemed useful; and to what extent these access controls are being implemented. The survey of more than 400 InfoSec professionals reveals that despite widespread and highly publicized security breaches, most companies still fail to require necessary security controls for accessing enterprise applications, including those applications behind the corporate firewall.
Survey respondents also ranked as “highly useful” those solutions that enforce multifactor authentication (MFA) across all users at all times; hide app servers from all devices and unauthenticated users; ensure end-to-end encryption and integrity; and give complete control of who can connect to what, independent of app location, device type and user affiliation. These solution descriptions are all characteristics of the Software Defined Perimeter (SDP) model for secure connectivity. The highest ranked solution is one that does all of the above, according to respondents.
While MFA was indicated as a “highly useful” solution, those surveyed said 60 percent of their organizations do not require MFA for non-employees to access enterprise applications. In addition, while 57 percent of respondents’ organizations allow Bring Your Own Device (BYOD) for access to enterprise applications, 42 percent do not require non-employees to adhere to the corporate BYOD policies.
“This survey is unique in gathering information around enterprise application access, stringent controls, and the usefulness of solutions InfoSec professionals believe would best protect their organizations from becoming tomorrow’s headline,” said Ross King, Principal Analyst of King Research. “For example, we found that more than half of respondents (57 percent) said they have long-term contractors who need access to company information, and these contractors may or may not reside on-premise. But when asked which authentication type is typically used when providing non-employees access to enterprise applications, nearly half (42 percent) responded that simple passwords are used.”
For a copy of the study, see: http://info.vidder.com/surveymarketresearchreport.
Other key findings of the research include:
• Sixty-three percent of respondents said that 10 percent or more of their enterprise applications are behind the corporate firewall and are accessed by non-employees.
• When asked to score the importance of criteria for selecting enterprise security products and services on a scale of 1 to 10, respondents scored “Compliance” the highest, with a score of nearly 7.6. The second most important criterion was “Security Advantage by Using Superior Technology,” with a score of 7.5.
• One-third of the respondents said they have heard of the new Software Defined Perimeter (SDP) model.
• The respondents also said their top security concerns, on a scale of 1 to 10, are server vulnerabilities (7.6), phishing (7.3), server misconfigurations (7.3), and denial-of-service attacks (6.9).
“Executed properly, multifactor authentication is very secure,” said Anna Luo, Senior Director of Marketing at Vidder. “But highly stringent controls have proven to be too complex for users to adopt. This complexity is likely the reason why so many organizations do not have the controls needed in place, and why the research findings reveal that characteristics of software defined perimeter are seen as ‘highly useful’ in these areas. SDP’s built-in transparent multifactor authentication executes for every user, every connection, every time. It has no impact on user experience. The attackers have no ability to simultaneously compromise both the device and user, and it is extremely effective to counter the threats of credential theft.”
This independent research project was underwritten by Vidder, Inc., and the research was wholly and independently conducted by King Research. Administered from June through August, the research consisted of an online survey, with a total of 408 people responding. More than 16 percent of respondents identified themselves as working in the technology industry, followed by financial services at more than 10 percent, and government at more than 8 percent.