Understanding a “Secure Landscape”

by Jason Meister | Infrastructure Architect, Uniguest | September 2017

Because I come from a history of developing security-conscious enterprise applications, I want to take a few moments to talk about understanding and caring for an application or system’s “secure landscape.”

What I mean by “secure landscape” is that whatever your application, there’s some sort of security that you’re trying to ensure. Whether it’s securing physical access, user privacy, the operating system, or possibly just application integrity – you have some level of responsibility to protect something or someone. Take an inventory of everything your application does and think through possible security-related responsibilities you might have to your users, applications, or systems in general. Everything together makes up your “secure landscape.” Words that might be running through your mind might include: encryption, privacy, spyware, plain-text, credit cards, data persistence, history, communication, handshake, packet sniffing, keylogger, any sort of injection, etc.; the list goes on.

It’s not uncommon to have a secure landscape that spans several dozens of applications housed in several datacenters and individual workstations. The unique challenge that Uniguest has is that on top of the everyday stuff, it also includes more than 20,000 individual workstations running custom-built software on several hardware profiles with several operating systems – all promising a secure experience to the end user. Let’s also call out that the end user in this environment is anyone who sits down at a computer (untrained on these systems) – and in many cases, will use their credit card to do so (as if there weren’t enough responsibility to carry on your shoulders without credit cards). Maybe go back and re-read those last couple of sentences, because yes, I said that untrained users plug in credit card information into a public-space computer running any combination of operating system + hardware and promising the end user a private and secure experience.

Fortunately, Uniguest understands the vast secure landscape and is constantly evaluating systems, applications, and even processes and business rules in order to stay ahead of exposure and threats. We all remember the big ransomware fiasco that swept most of the globe in Spring 2017? Uniguest stayed ahead of it due to focused monitoring and swift preventative patching, resulting in the fleet of 20K+ remaining unscathed. Remember Target’s in-store credit card breach right smack in the middle of holiday shopping season 2013? Well, thanks to hard lessons learned by others (them), the PCI Security Standards Council came out with stricter requirements for merchants accepting credit cards. I can tell you first-hand that Uniguest’s latest platforms and internal processes not only adhere to those requirements, but go above and beyond by enforcing many best practices and findings from the OWASP research and recommendations. Want some good (but dry) reads? – visit https://pcisecuritystandards.org and https://owasp.org.

Having a former-Airforce + cybersecurity expert as your COO tends to keep you on your toes as far as security is concerned – there are no shortcuts or assumptions. Now, not only does Uniguest rely on experience and expertise of in-house resources, but also actively puts systems to the screws with Rook Security. Rook is a third-party, globally-recognized specialist in security assessments, and I was truly impressed by their knowledge and thoroughness in their assessments.

Getting back to the topic at hand: You should always have your secure landscape in mind when building any application or system, and take responsibility to ensure that it is in fact secure. Steal a page from Uniguest’s book and take the opportunity to hire the right resources, learn from the misfortunes of others, think outside the box to partner with outside experts, and strive to build the best and most secure systems in your space.