Security Predictions: Top Three Trends Affecting Enterprise Risk Management
Cloud computing, service-oriented architecture (SOA) and other rapidly emerging technologies are increasing the threats to data governance strategies. Knowing how the threats are changing is key to successful risk management planning--and critical to your bottom line.
Mon, December 08, 2008
CIO — In this new global reality of companies rushing to exploit the opportunities of service-oriented architectures (SOAs), clouds and other distributed models of computing, determined outsiders and insiders may seek to exploit vulnerabilities. Consequently, the pervasiveness of these technologies marks a fundamental change in how organizations should approach the accompanying security challenges—especially the top three challenges identified by many organizations as being fundamentally important in the next year.
Every day, billions of people connect to one another, and identity has therefore taken on a new focus. Applications are no longer secured behind a firewall; more and more they are composites and mashups created from sources inside and outside the enterprise. Transactions depend on the level of trust each party places in the other's credentials and the systems supporting them. Yet considering the rising instances of identity theft and fraud, it is clear that without instituting policies, processes and best practices, that trust can be misplaced, unauthorized or uncertain.
In an SOA environment, these concepts become more complex because identity is not limited to users alone. Often, services themselves must be given an identity. That is, when a service invokes another service, each service needs to take on an identity. For example, a shipping service may be automatically invoked by an order processing system, and that system must recognize the shipping service as a trusted identity, or the order fails. From order processing to healthcare authorizations and high-value banking operations, every business must treat SOA security with great care, and trust is the core principle driving these business operations. The ramifications of failed policies can reach all the way to the bottom line.
Moreover, identity systems continue to proliferate, forcing individuals to become their own identity administrators, juggling a mixture of self-created and third-party issued identities for every service they interact with, and balancing the trade-offs between privacy and reputation that come with increased disclosure. Individuals must also have a common set of "operating procedures" with which to navigate the new security landscape.
Going forward, the challenge lies in developing a common set of identity policies, processes, best practices and technology, as well as multipurpose identity systems that can be used across service providers. These systems should be able to accommodate complex identity relationships while providing a simplified way to address common identity.
Data breaches are already a boardroom issue, and organizations can expect a continued push to minimize the risks. As a result, there should be a new focus on privacy management tools with the capability to mask data, particularly in nonproduction environments such as application development, where data protection continues to be less stringent. This can reinforce the need for cryptography, and the subsequent demand to simplify complexity.