Security best practices for enterprise software systems

How to secure your enterprise systems without compromising user experience


Enterprise software systems mainly consist of applications, data, users (people), and infrastructure. Out of these main aspects, infrastructure security is an area that involves physical components such as people, buildings, and devices. The securing of applications, data and users is something that enterprise software teams need to take care of on top of the security provided by the infrastructure teams. In this article, we are going to discuss the best practices we can follow to secure the applications, data, and users. Out of these 3, we can consider users as the consumers who interact with applications and data over secure access that is implemented with best practices. That brings our focus to 2 main components which are

  • Application
  • Data

Data Security

Data is the value of any business in the modern world. Securing data is critical to the success of any company. We can identify 3 main aspects of data security in enterprise software systems.

  • Securing data at rest
  • Securing data in transit
  • Data privacy

Securing data at rest

Business-critical data is typically stored in a database or a file system. To prevent anyone else from accessing this data, we can use techniques such as encryption to secure data at rest. In encryption, we transform the content to a form that is unreadable without a secret key to decrypt the content. Another technique used to secure data at rest is tokenization in which the actual data is represented as a token that is unusable without context. As an example, you can represent a credit card number with a token so that other people cannot recognize the credit card number other than the system which is capable of detokenizing the data. Additionally, the database system or the file server can be protected with advanced security measures such as strong authentication.

Securing data in transit

The data stored in the storage systems need to be retrieved by the user via the applications or systems. Usually, data transmits through the network and we need to prevent network-based attacks such as man-in-the-middle attacks. The solution for securing data in transit is to use transport layers security protocols such as SSL and TLS for the communication of data from the data store to the consumer. By implementing a proper secure key and certificate management system, we can implement transport layer security and encrypt the data while in transit.

Data privacy

Another critical aspect of data security is privacy. What this means is that the data that we collect from the users (e.g. customers, partners) needs to be used according to the data privacy laws applicable to the specific region that these users are pertaining to. As an example, for European countries, there is a data protection law called GDPR (General Data Protection Regulation) which all organizations need to follow when dealing with data related to users from that region.

Application security

Enterprise software systems consist of 10s, 100s, or even 1000s of different applications that are developed by entirely different vendors including in-house development teams. The users who access these applications need to be provided with the best possible user experience without compromising security. To achieve that level of security for applications, we can follow the approaches mentioned below.

  • Build a strong identity foundation
  • Adhere to security best practices and automate them
  • Follow zero-trust architecture for application security
  • Prepare for security events

Build a strong identity foundation

A typical enterprise may have applications that involve interactions with different types of users including

  • Customers
  • Employees
  • Partners

We need to implement proper security measures depending on the category of users. There are different types of security approaches that we can follow based on these user profiles. Some common aspects are

  • Business to Customer (B2C)
  • Business to Employee (B2E)
  • Business to Business (B2B)

It is important to implement the proper security measures on the applications depending on these use cases.

Another key aspect here is to understand the requirements for authentication, authorization, and user management within the enterprise and adhere to standard methodologies to implement these aspects so that you don’t need to worry about vendor locking or technical debt in the future.

Adhere to security best practices and automate them

Enterprise security needs to be considered as a highest priority job function and it is good to have a dedicated security team to overlook the overall security best practices and implementations. If you are an organization that has a considerable software development process that impacts your business operations, you can implement the below-mentioned processes within your enterprise.

  • Secure software engineering process
  • Vulnerability and risk management process
  • Security reward and acknowledgment process

The figure below depicts a secure software development process that you can follow within your organization.

Figure: Secure software development and release process

The preceding figure depicts how the different phases of the software development process can be secured with checkpoints to make sure the code that is being released minimizes the security risk and captures as many vulnerabilities as possible prior to the release.

Follow zero-trust architecture

The security teams recommend using the “zero-trust architecture” where no system is considered trustworthy when communicating with another system for enterprise applications. It eliminates the implicit trust that was there in the trusted subsystems model and continuously validates every interaction within the system. It uses the mantra of “never trust, always verify” in communication between systems in an enterprise. There are 3 main principles of zero-trust architecture that need to be considered when implementing it. Those are

  1. All entities are untrusted by default
  2. Least privilege access is enforced
  3. Comprehensive security monitoring is implemented

Following these standards make your enterprise software system more secure and less vulnerable.

Prepare for security events

Even with the best security models and best practices implemented within your enterprise, there can be situations where the systems become vulnerable and pose risks to the system. In such a situation, you need to have a mechanism to respond to these events to control the damage that could otherwise occur. It is important to prepare for such incidents with proper planning and resources in place. This requires having the following aspects in place.

  • Identify the responsible persons and their roles
  • Develop incident management process
  • Deploy the necessary tools for monitoring and reporting
  • Provide necessary access to the responsible persons ahead of time
  • Prepare forensic capabilities and processes

Implementing best practices with security patterns

The next step is to implement these best practices with the industry-accepted patterns. You can learn more about these patterns by reading the book “Solution Architecture Patterns for Enterprise”.

If you are interested in learning the specifics of implementing security best practices, you can refer to the chapter “Securing Enterprise Software Systems” in the book.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chanaka Fernando

Writes about Microservices, APIs, and Integration. Author of “Designing Microservices Platforms with NATS” and "Solution Architecture Patterns for Enterprise"