Mike Small, CA: Forward into the Future of IT Security
March 2009 by Mike Small CITP, FBCS, Principal Consultant, CA
Security management is often viewed as being equivalent to “keeping the bad guys out”. In the cases of viruses, hacker attacks and unauthorized access attempts, this is precisely the goal. However, one important (and often unappreciated) benefit of integrated security management is the enablement of new business initiatives, and the strengthening of existing ones. Effective security management provides the infrastructure on which you can more easily grow your business. It also strengthens the relationship with existing customers and partners, thereby creating a sales opportunity for additional products and services.
Economic pressures are forcing organizations to adapt to a changing environment, and IT security needs to evolve to enable them to face up to these new circumstances. For example, information security can enable closer integration between suppliers and customers, and allow shared access to data in a safe environment. Mergers and acquisitions expose a strong need to rationalize processes and IT services in order to realize the expected returns. Identity and access is deeply embedded in business processes, and there are real gains to be made by adopting best practice and the correct technologies. Organizations are also looking to save costs by outsourcing, but as well as providing savings this brings new security risks. For example, the trend toward virtualization and offshoring has increased the volume of data being transferred between organisations. This raises the risk of data being lost or misused, a risk that needs to be mitigated using information security techniques.
Customers, partners and employees often find it hard to access the information and applications that they need for the business to grow and prosper. Customers and partners have concerns over data leakage and these concerns restrict new business initiatives. The processes for administering identity and access are often manual and do not provide a service that matches the demands of the business. With manual administration, it can take days to get access rights set up for a new hire or to change the access rights for an existing employee moving jobs. This is not an acceptable level of service and in some circumstances would breach compliance with regulations.
Managing Operational Risks
Operational risk covers aspects such as processes being vulnerable to theft, fraud, disruption or mismanagement. Better management of the way in which employees, partners and customers are identified and their access is controlled and audited is important to mitigate operational risks.
Although hacker and virus attacks are well publicised, the insider remains the greatest threat to an organization in terms of potential to cause financial loss. Armed with an understanding of the organisation’s systems and physical access to those systems, insiders can be the greatest security risk.
New ways of doing business have brought with them new kinds of risk. Organizations need to evolve their identity management to better manage these changing risks.
A further aspect concerns compliance with regulation and the law. Managing who is able to access what information is critical to complying with the broad range of governmental regulations relating to financial reporting, security and privacy of information that have evolved over the years. The cost of compliance is high and manual processes are not a viable long term option. Organisations need to be able to automate their security management processes to ensure sustainable compliance.
Security Management as a Business Enabler
Since organizations are critically dependent upon their IT systems to operate, any improvements that can be made here can have a positive impact on the business. Equally, any loss of these systems due to security issues can have a severe negative effect. For example:
A bank in the Middle East suffered a failure of the system that allowed its staff to authenticate to the IT systems, and was unable to process customer transactions for 24 hours.
A hospital, describing a problem with its authentication system, put it this way: “if this is not fixed within 2 hours babies will start to die”.
Another organization lost its operational SAP systems due to an administrator error that resulted in the complete Oracle installation being deleted.
Even small to medium sized enterprises can be vulnerable, as a Belgian company found out when the “freeware” that was supposed to protect it did not, and it lost its IT systems.
Today security management is no longer just about securing the perimeter and managing employee access; it is about understanding your customers and providing them with the personalized services that they need, reliably, securely and when they need them. Some recent examples of requirements from customers include:
A leading bank takes advantage of market forces and acquires several key competitors. The sum of users for the consolidated financial institutions is a user population approaching 100 million bank customers. This institution will require a system that can support concurrent transactions for this massive population of customers.
A government agency handles tax reporting. While some activity occurs quarterly, the majority of activity on an income tax system takes place in the days just before the filing deadline, and the system must handle significant spikes in usage as important dates approach. For such a system the requirements for a sustained transaction load far surpass most existing enterprise requirements.
A Software as a Service (SaaS) provider offers backend services to online shopping sites. These sites rely on the service provider for 100% availability during peak retail shopping periods. Thousands of transactions per second must be handled by the service provider during the peak holiday shopping season.
New Customer Acquisition
Every organization wants to grow their business. You can do this by selling “more stuff” to your existing customers, but expanding your business to new customers is also a critical element of long-term growth. To do this, any organization must be able to introduce new and often online products and services quickly and painlessly. For example:
A large US cable and Internet Service Provider bases its offerings on a production backbone of identity servers that holds 5.3 million entries and is adding 50,000 entries a month.
Strengthening Existing Customer Relationships
Customers are fickle. One critical way of keeping customers happy and loyal is to provide them with an excellent “experience” every time they have to interact with the company for any reason. Their experience consists of the totality of all their interactions with the company, but their web site experience is possibly the most important. Easy access by staff and partners to IT systems remains a problem for many organizations, with forgotten passwords representing a major load on their help desk. One of our customers (another bank) used CA products to provide simplified sign-on to 300 applications. This reduced password-related help desk calls from 30% to 8% and saved more than $1M. It also increased employee satisfaction to 81%.
One of the leading US health benefits companies serves the needs of approximately 28 million medical members nationwide. One of its clients, one of the world’s largest companies, asked for single sign-on between its corporate portals and the health service provider’s members’ portal, to ease its employees’ access to the health services provided. Like most successful organizations, this company is highly responsive to its customers’ demands, particularly customers that represent significant portions of its overall business. Planning ahead, it knew it would need to offer federated SSO to other clients down the road, so it was important to architect a solution that was flexible, scalable and highly manageable to support its federation requirements in both the short and the longer term.
Enhanced Business Credibility and Customer Confidence
In business, especially in financial services, it is often true that the most important corporate asset is the corporate brand and reputation. Public knowledge of security breaches can have a dramatic, and sometimes catastrophic, effect on the willingness of the public to do business with you.
Individuals are increasingly making decisions based on their perception of trust. In September 2007 a study conducted by the independent research consultancy YouGov showed that concerns over identity theft are changing online behaviour, and revealed which types of organizations the public trust to protect their personal details. For example, while 60% of respondents answered that they would trust their bank to keep their personal data secure, only 25% would trust the government. A practical demonstration of the need to keep personal data secure was given by the writer and TV presenter Jeremy Clarkson. Following the widely reported loss in the mail of a CD containing the bank details of 25 million UK citizens, Mr Clarkson is reported as saying that the data was useless, and published his own bank details to prove the point. As a result Mr Clarkson had £500 stolen from his account.
Hence the protection of data and applications is not just a burdensome requirement but a financial imperative for organizations. In fact, IT security has become an indispensable business tool that enables new and more effective ways of doing business with confidence in the Internet age.
New Partner Business Models and Opportunities
One of the biggest challenges to the creation and expansion of robust customer/partner eco-systems of all kinds is the lack of strong, consistent security across these environments. Many organizations would like to tightly integrate suppliers, distributors, outsourcers and other marketing partners into a unified IT infrastructure that allows members of one organization to securely access the applications and information of another organization.
Examples of this include:
o Instead of delivering pricing information and technical support documentation on paper, allow resellers and partners to access your systems directly via the web. This means securely opening up access, and you need to be able to do this without creating an unsustainable administration load.
o Delivering specialist services to a wider range of customers. One example of this is a bank offering the specialist banking services it has developed to other banks.
o Outsourcing specialist technical functions, such as automotive styling design, while allowing the employees of the organization providing these functions direct access to your IT systems.
o Inter-working between competitors on large government projects.
All of these depend upon being able to securely identify people from outside the organization and to control and audit their access while minimizing the administrative load. The technical solution to this is standards-based identity federation.
Increased Business Agility
The area of security management that is most important in improving the ability to react to industry events quickly is a comprehensive, centralized identity and access management system. A fully deployed IAM platform allows an organization to more easily and quickly react to growing user populations, requirements for new applications, and changing business requirements or models. This provides greatly increased business agility, and will position the company strongly to react quickly to changing market conditions.
IT Security is now business security
IT security needs to be viewed in the context of the whole business rather than focused on a specific technology or process. The security team in an organisation should engage with the business stakeholders to focus on how the business can leverage information security as an asset. Organizations depend critically upon IT to exist, and IT security is becoming more about managing business risk than just operational risk. IT security needs to be viewed within the bigger picture of aligning the IT infrastructure with the business. The objective is to unify and simplify the processes and the technology to better meet the needs of the business: to increase agility and reduce cost while complying with the increasing regulatory burden.