In this new global reality of companies rushing to exploit the opportunities of service-oriented architectures (SOAs), clouds and other distributed models of computing, determined outsiders and insiders may seek to exploit vulnerabilities. Consequently, the pervasiveness of these technologies marks a fundamental change in how organizations should approach the accompanying security challenges—especially the top three challenges identified by many organizations as being fundamentally important in the next year.
Every day billions of people are connecting to one another, and identity has therefore taken on a new focus. Applications are no longer secured behind a firewall; more and more they are composites and mashups created from sources inside and outside the enterprise. Transactions depend on the level of trust each party places in the other’s credentials and the systems supporting them. Yet considering the rising instances of identity theft and fraud, it is clear that without instituting policies, processes and best practices, that trust can be misplaced, unauthorized or uncertain.
In a SOA environment these concepts become more complex, as identity is not limited to users alone. Often, services themselves must be given an identity. That is, when a service invokes another service, each service needs to take on an identity. For example, a shipping service may be automatically invoked by an order processing system, and that system must recognize the shipping service as a trusted identity, or the order fails. From order processing to healthcare authorizations and high-value banking operations, every business must treat SOA security with great care, and trust is the core principle driving these business operations. The ramifications of failed policies can reach all the way to the bottom line.
Moreover, identity systems continue to proliferate, forcing individuals to become their own identity administrators, juggling a mixture of self-created and third-party issued identities for every service they interact with, and balancing the trade-offs between privacy and reputation that come with increased disclosure. Individuals must also have a common set of “operating procedures” with which to navigate the new security landscape.
Going forward, the challenge lies in developing a common set of identity policies, processes, best practices and technology, as well as multipurpose identity systems that can be used across service providers. These systems should be able to accommodate complex identity relationships while providing a simplified way to address common identity.
Data breaches are already a boardroom issue, and organizations can expect a continued push to minimize their risks. As a result, there should be a new focus on privacy management tools with the capability to mask data, particularly in nonproduction environments such as application development, where data protection continues to be less stringent. This can reinforce the need for cryptography and, in turn, the demand to simplify complexity.
Collectively, security practices—including data steward assignments, data monitoring, policy-based data classification and security requirements records—should provide the metrics that calculate and reflect the security protections for a particular repository. These metrics can then be used in formulating “trust indexes” that can guide decisions about the use of a data repository. A data repository with a high trust index association can be used for high-risk decisions; conversely, a repository with a low trust index association should be used only for low-risk activities. These repositories can be reused across the enterprise and applied to incoming information from a variety of sources, especially as mash-ups continue to be a driving force of innovation.
In 2008, a new type of threat known as Search Engine Optimization (SEO) code injection or poisoning impacted around 1.2 million websites, including some very high-profile sites. As the dust settled from this exceptionally destructive threat, it became clear that applications had become ground zero for hacker attacks.
Part of the vulnerability lies in the evolution from monolithic applications to composite applications, both in SOA-style process choreography and through Web 2.0-style widgets and mash-ups. These composite applications can include application code from a wide variety of sources in a true mix-and-match fashion. Though this approach has tremendously improved programmer efficiency and enabled many non-programmers to compose sophisticated applications with little training, it can leave applications vulnerable.
Perhaps the most challenging aspect of composable applications is the inability of the application to fully understand the composition, and therefore the security posture, until the application is deployed. Only then—when it’s too late—are all the contributing elements exposed, including malware and vulnerabilities. Security development expertise is now being embedded into the tools and development platforms so that security checks can be performed at each stage of development.
These security trends can also offer a wealth of opportunities for forward-acting companies. It’s how the risk is managed that will determine how an organization thrives—or fails—in the face of emerging technologies.
Kris Lovejoy is director of IBM’s security, governance, and risk management division.