Reasonable security is a concept prevalent in many data protection regulations, but its requirements are far from concrete.
For web applications facing today's evolving threat landscape, antivirus software and regular patching alone are not sufficient to be considered reasonable. Web application firewalls, DDoS protection, and other technologies are likely necessary to comply with new regulations.
Where does reasonable security come from?
The European Union’s General Data Protection Regulation (GDPR) went into effect in May. The U.S. does not have a federal law similar to GDPR in place, so individual states have acted on their own. So far this year, 12 states have put new or updated privacy regulations in place.
When reviewing several of these laws, a common theme stands out: the concept of reasonable security. For example, the California Consumer Privacy Act of 2018 says it’s the duty of a business or organization to implement and maintain reasonable security procedures and practices. Alabama’s new law says each covered entity and third-party agent shall implement and maintain reasonable security measures. And Colorado’s updated law says a person that maintains, owns, or licenses a resident’s personally identifiable information shall implement reasonable security procedures and practices.
What kind of security for web applications is reasonable?
There are no official definitions or requirements regarding what technologies constitute reasonable web app security, but it should include the following, at a minimum.
Reasonable security for web applications begins with protection against DDoS attacks. There are many motivations for DDoS attacks; they’re not always about taking an organization offline. Research has shown that many DDoS attacks are being used in conjunction with other web application attacks focused on gaining access to personal data.
The security, reliability, and resiliency of DNS is also crucial. DNS outages cause website and application downtime, but they can also consume significant portions of the IT team’s time and attention. Attackers understand this and can use DNS attacks as another weapon in their arsenal to hide concurrent attacks that aim to steal protected data.
Organizations need to address the massive uptick in malicious bot attacks that try to reach private information through their web apps. Next-generation bot management technologies can keep up with the advancements bots have made, such as the ability to pass CAPTCHA challenges designed to root out non-human behavior.
Reasonable security for web applications should also include deployment of a web application firewall (WAF). WAFs are designed to stop exploits of known and possibly unknown vulnerabilities in web applications — and a host of other application-layer attacks — by inspecting and blocking traffic to and from the server.
The final consideration is shoring up the defenses of publicly exposed APIs. Attacks targeting APIs that are inadequately protected can be used to expose private data. Implementing API token challenges and deploying API security gateways will help guard against these types of cyberattacks.
If faced with a data breach related to web apps, organizations that have not deployed these controls will have a difficult time proving that they implemented reasonable security.