Large Enterprise Forum
Architecting a secure enterprise
Organisations need to look beyond technology and address
the human aspects while creating a secure enterprise. By Venkatesh Ganesh.
Most applications on a network will be hacked.
This is an essential assumption for application programmers,
IT professionals and all levels of corporate managers. Applications must be
developed with security in mind, as security services cannot be easily or cost-effectively
retrofitted to most existing applications. An organisation today is defined
by its information networks. The digital enterprise comprises the constituent
users (employees, customers, partners), their interactions and transactions.
The boundary of the electronic environment is the boundary of the business.
"Security cannot be an application development afterthought," says
Sivarama Krishnan, Associate Director, PricewaterhouseCoopers.
Security experts need to be involved with the design, programming and maintenance
of all critical applications. This applies to software residing on internal,
protected networks or applications exposed to the Internet.
The appropriate level of security for any application depends
on numerous factors including the value of information assets accessed by the
application, externally imposed controls, the organisation's culture, whether
the management will support the policies and what users are willing to accept.
Says Krishnan, "Whether your systems need to protect the integrity of multi-million
dollar transactions, proprietary information, sensitive data, or achieve compliance
with externally imposed statutes such as HIPAA, we have the development and
testing skills to ensure secure application programming success."
Threats to the digital enterprise are tantamount to threats to the business
or government unit itself. Strategic objectives require ever more porous boundaries
in the network, opening holes and connections for all manner of external
users and applications. Consequently, the job of protecting the enterprise becomes
that much harder.
Designing Security And Maintenance
Simply put, it is no longer a case of a closed enterprise. The enterprise is
getting extended and so are security concerns. Comments Krishnan, Take
the case of trading. Earlier people were concerned about the security aspects
of online trading. As security assumed more importance, that aspect was
no longer a deterrent. Further, this infrastructure enables it to go beyond
Many enterprises unfortunately depend on software that is insecure, unreliable,
and fragile. They compensate by investing heavily in workarounds and maintenance,
and by employing hordes of administrators to manage their system flaws. This
has to change. There is a need to design high-assurance applications: applications
with proven, built-in reliability, security, manageability, and maintainability,
High-assurance design presents basic design principles and patterns that can
be used in any contemporary development environment and satisfy the business
demand for agility, responsiveness, and low cost. Organisations need to draw
on real-world experience, focussing heavily on the activities and relationships
associated with building superior software in a mainstream business environment.
People And Processes
Clearly, bringing systems and people together from different organisations inside
or beyond a single business is a must based upon the new requirements. While
business lines blur, hardening the critical information and network systems
underlying these interactions becomes more important now than ever before.
Says Krishnan, "There needs to be a way to openly connect people to processes
and devices across organisations, while avoiding additional exposure to attacks,
or creating other vulnerabilities."
More importantly, extending the enterprise to bring customers, buyers, suppliers
and other economic partners in closer interoperation can speed recognition of
and open new channels for revenue, and can also reduce transactional drag and
other inefficiencies. Wherever practicable, however, organisations need to extend
the useful life of existing systems.
There is also an inherent need to understand the business process and Krishnan
is of the opinion that not all systems need to be secured 100 percent all the
time. They have to be secured based upon business needs and policies.
The Responsive Architecture
The history of computing and information security suggests that security is
always evolving and to an extent it can take care of the situation on the ground
as compared to a what-happens-next scenario.
Says M Chow Kang, Chief Security Advisor, Microsoft Asia Pacific,
"Different enterprises have different risk levels and usability requirements.
Ideal security recommendations don't always work in the real world, where
business must go on and at the same time, organisations must continue to support
a variety of technologies."
He explains the analogy of deploying patches or patch management
solutions. "It is looked upon as a reactive rather than proactive policy,"
says Kang. This is highlighted by the recent Zotob worms, and certain vendors
and syndicated crime organisations are indulging in these acts.
It will be worthwhile to bear in mind that deploying technology would not address
the problem completely. Avers Kang, "Technology will cost a fair bit of
money, so it makes sense to focus on people instead, since security is only
as strong as the weakest link."
When security is discussed in most firms, the higher management thinks in terms
of Internet and password access with policies and training geared towards keeping
firewalls, security patches, and anti-virus updates current.
Comments Kang, "Organisations should have policies in place explaining
what is acceptable computer and Internet use, and they may even have had a security
awareness training session in the past. Unfortunately, most firms have
not updated their training and awareness to incorporate education on social
engineering attacks and phishing schemes which can divulge confidential information."
Enterprises As A System
In the final analysis, the enterprise should be looked at as a system. For example,
when an administrator installs a patch on a server or workstation, there must be
a system log or screenshot as evidence of the work completed. Preventive and
corrective steps can ensure that patches and upgrades are not people-dependent,
and work in a push mode.
Further, it is not left to the discretion of an individual user. A monitoring
tool can capture the information from every workstation and report on its updation
Enforcement of the policy is facilitated since every employee has been
given the wherewithal to ensure that in whatever asset they are using,
Across the public and private sectors and throughout the emerging information
society the pressure to enable secure yet open access across organisations is
growing. Organisations must balance the protection of sensitive, high value
and mission-critical information and systems against the imperative to open
access to a growing and diverse set of people, processes and devices across