Mobile CRM and Epicor Web Access - Security/Best Practice

Thank you all, it has been a great discussion. @Mark_Wonsil and @MikeGross chimed in that they would use an application proxy. @aaronssh uses a very segregated approach to ensure maximum security, as his costs of being down and losing proprietary info are extremely high. @josecgomez spoke about the need to utilize the internet and noted the many corporations that are using SSL and IIS to the best of their ability… it would be nice to hear more about second-factor authentication with Epicor and whether anyone is having success using that with mobile CRM yet. He also mentioned the access scope for the API.

I was really hoping that between @aaronssh's take on this (and maybe some examples of attacks that he has seen) and @josecgomez's approach (as well as the opinions of others who have opened up websites that integrate with their app server) I could understand "the pros and the cons of each approach and take that which you are comfortable with."

I just do not see a very “defined” approach. What approaches are there? Is this also too broad of a question, so broad that I am going to get broader responses back? @aaronssh gave a pretty concrete example of his approach, but I haven’t seen any others chime in with how they have approached integrating with CRM or exposing their app server. Can anyone speak to that? Did you just use port 443 and an SSL cert and call it a day or what else is there? What are we fighting against?

I am leaning more towards what @josecgomez said, because there are pros and cons to each decision, and speaking only in absolutes about security will take some of your technological capabilities off the table, the same capabilities that could give your company a competitive advantage (think CRM, e-commerce, etc.), but at the same time it could increase the attack vectors and cost you money.

In short, it would be nice to know what the "approaches" are, as @josecgomez said in his post. Are there any typical approach paths that someone can speak to or lay out? An external link to someone else's approaches for web apps would suffice too. I am really hoping for a flow chart/architecture chart to visualize these approaches, but hey, I am not picky, I like to read too. It would help to understand these approaches if we can define them and then list out the pros and cons. I just don't have the understanding of cybersecurity to answer these questions and was hoping to find someone who does. Any contacts are much appreciated.

Thank you all again.

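As an added illustration of the "application proxy" approach several people in the thread favour over simply opening port 443 with a certificate, here is a reverse-proxy configuration placed in a DMZ in front of the internal app server. This is an example written for this page, not Epicor's or any poster's configuration; the hostname, internal address, certificate paths, the `/api/` prefix and the rate limits are all assumptions for illustration. It is written for nginx because the syntax is compact; the same shape (TLS termination at the edge, deny by default, forward only the paths the mobile client needs, rate-limit per source) can be built with IIS Application Request Routing or a commercial WAF in front of IIS.

```nginx
# Added example: DMZ reverse proxy in front of an internal app server.
# crm.example.com, 10.0.2.15, the cert paths and /api/ are assumptions.

# Per-source-address rate limit: 10 requests/second, state kept in 10 MB.
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

# Plain HTTP exists only to redirect; nothing is served over it.
server {
    listen 80;
    server_name crm.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name crm.example.com;

    ssl_certificate     /etc/ssl/certs/crm.example.com.pem;
    ssl_certificate_key /etc/ssl/private/crm.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell clients to never fall back to HTTP for this host.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Deny by default: anything not explicitly forwarded below is not reachable,
    # so the rest of the app server's surface never leaves the LAN.
    location / {
        return 404;
    }

    # Forward only the API prefix the mobile client needs (assumed path).
    location /api/ {
        # The client speaks JSON over a small set of methods; refuse the rest.
        limit_except GET POST PUT DELETE { deny all; }

        # Small request bodies only; large uploads are not part of this API.
        client_max_body_size 1m;

        # Throttle per source address using the zone defined above.
        limit_req zone=api burst=20 nodelay;

        # The internal server (hypothetical address) is never named to clients.
        proxy_pass         https://10.0.2.15:443/api/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

The trade-off this buys is exactly the one discussed above: the mobile CRM still works over the internet, but an attacker scanning the public address sees one hostname, one path prefix and four HTTP methods rather than the whole app server, and the internal firewall only needs to allow the proxy, not the internet, to reach it. Second-factor authentication and API scoping still have to be done in the application itself; the proxy limits what is reachable, not who is allowed in.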