Issue of November 2005 
Events - TS2005

Large Enterprise Forum

Architecting a secure enterprise

Organisations need to look beyond technology and address the human aspects while creating a secure enterprise. By Venkatesh Ganesh.

“Most applications on a network will be hacked.”

Sivarama Krishnan,
Associate Director, PricewaterhouseCoopers

This is an essential working assumption for application programmers, IT professionals and managers at every level. Applications must be developed with security in mind, because security services cannot be easily or cost-effectively retrofitted to most existing applications. An organisation today is defined by its information networks. The digital enterprise comprises its constituent users (employees, customers, partners) and their interactions and transactions. The boundary of the electronic environment is the boundary of the business.

“Security cannot be an application development afterthought,” says Sivarama Krishnan, Associate Director, PricewaterhouseCoopers.

Involvement

Security experts need to be involved with the design, programming and maintenance of all critical applications. This applies to software residing on internal, protected networks or applications exposed to the Internet.

The appropriate level of security for any application depends on numerous factors including the value of information assets accessed by the application, externally imposed controls, the organisation’s culture, whether the management will support the policies and what users are willing to accept.

Says Krishnan, “Whether your systems need to protect the integrity of multi-million dollar transactions, proprietary information, sensitive data, or achieve compliance with externally imposed statutes such as HIPAA, we have the development and testing skills to ensure secure application programming success.”

Threats to the digital enterprise are tantamount to threats to the business or government unit itself. Strategic objectives require ever more porous boundaries in the network – opening holes and connections for all manner of external users and applications. Consequently, the job of protecting the enterprise becomes that much harder.

Designing Security And Maintenance

Simply put, it is no longer a case of a closed enterprise. The enterprise is being extended, and so are its security concerns. Comments Krishnan, “Take the case of trading. Earlier people were concerned about the security aspects of online trading.” As security matured, that concern stopped being a deterrent to adoption, and the same infrastructure now lets trading extend beyond organisational boundaries.

Many enterprises unfortunately depend on software that is insecure, unreliable, and fragile. They compensate by investing heavily in workarounds and maintenance, and by employing hordes of administrators to manage their system flaws. This has to change. “There is a need to design high-assurance applications—applications with proven, built-in reliability, security, manageability, and maintainability,” says Krishnan.

High-assurance design rests on basic design principles and patterns that can be applied in any contemporary development environment while still meeting the business demand for agility, responsiveness and low cost. Organisations need to draw on real-world experience, focusing on the activities and relationships involved in building superior software in a mainstream business environment.

People And Processes

Clearly, the new requirements make it a must to bring together systems and people from different organisations, inside or beyond a single business. As business lines blur, hardening the critical information and network systems underlying these interactions becomes more important than ever before.

Says Krishnan, “There needs to be a way to openly connect people to processes and devices across organisations, while avoiding additional exposure to attacks, or creating other vulnerabilities.”

More importantly, extending the enterprise to bring customers, buyers, suppliers and other economic partners into closer interoperation can speed the recognition of new revenue channels and open them, and can also reduce transactional drag and other inefficiencies. Wherever practicable, however, organisations need to extend the useful life of existing systems.

There is also an inherent need to understand the business process, and Krishnan is of the opinion that not all systems need to be secured 100 percent all the time. Each has to be secured according to business needs and policies.

The Responsive Architecture

The history of computing and information security suggests that security is always evolving: to an extent it can deal with the situation on the ground, but it is much weaker at anticipating what happens next.

M Chow Kang,
Chief Security Advisor,
Microsoft Asia Pacific

Says M Chow Kang, Chief Security Advisor, Microsoft Asia Pacific, “Different enterprises have different risk levels and usability requirements. Ideal security recommendations don’t always work in the real world, where business must go on and at the same time, organisations must continue to support a variety of technologies.”

He takes the example of deploying patches, or ‘patch management’ solutions. “It is looked upon as a reactive rather than proactive policy,” says Kang. The recent Zotob worm, which exploited a Windows flaw within days of the patch for it being published, illustrates the point; organised crime syndicates, not just hobbyists, are now behind such attacks.

It will be worthwhile to bear in mind that deploying technology would not address the problem completely. Avers Kang, “Technology will cost a fair bit of money, so it makes sense to focus on people instead, since security is only as strong as the weakest link.”

When security is discussed in most firms, senior management thinks in terms of Internet and password access, with policies and training geared towards keeping firewalls, security patches and anti-virus updates current.

Comments Kang, “Organisations should have policies in place explaining what is acceptable computer and Internet use, and they may even have had a security awareness training session in the past. Unfortunately, most firms have not updated their training and awareness to incorporate education on social engineering attacks and phishing schemes which can divulge confidential information.”

Enterprises As A System

In the final analysis, the enterprise should be looked at as a system. For example, when an administrator installs a patch on a server or workstation, there must be a system log or screenshot as evidence that the work was completed. Preventive and corrective steps can ensure that patches and upgrades are not people-dependent and are pushed out centrally rather than pulled at will.

Further, it is not left to the discretion of an individual user: a monitoring tool captures the information from every workstation and reports on its update status.
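The reporting side of that monitoring, as an added example that is not part of the original article or of any product Kang describes. It assumes a hypothetical inventory feed in which each endpoint reports the patches it carries and when it last checked in; the patch identifiers and sample records are constructed. The point a practitioner needs is the one the article implies but does not spell out: a host that has gone quiet is not compliant just because its last report was clean, so silence is reported as its own finding, and every assessment is written as a log line that can be retained as evidence instead of a screenshot.

```python
"""Patch-compliance report over per-workstation status records.

Added example, not from the original article. Assumes a hypothetical
inventory feed; REQUIRED_PATCHES and SAMPLE_REPORTS below are constructed
placeholders, not real advisory numbers or real hosts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Patches every endpoint must carry (placeholder identifiers).
REQUIRED_PATCHES = frozenset({"PATCH-2005-A", "PATCH-2005-B"})

# A host that has not reported within this window cannot be called
# compliant; the silence itself is a finding.
MAX_REPORT_AGE = timedelta(days=3)


@dataclass(frozen=True)
class HostReport:
    hostname: str
    installed: frozenset      # patch identifiers the agent says are present
    reported_at: datetime     # timezone-aware check-in time


@dataclass(frozen=True)
class Finding:
    hostname: str
    status: str               # "compliant", "missing" or "stale"
    missing: tuple            # required patches not installed, sorted


def assess(report, required=REQUIRED_PATCHES, now=None, max_age=MAX_REPORT_AGE):
    """Classify one host. Staleness wins over everything else: a clean but
    old report proves nothing about the host's current state."""
    now = now or datetime.now(timezone.utc)
    missing = tuple(sorted(required - report.installed))
    if now - report.reported_at > max_age:
        return Finding(report.hostname, "stale", missing)
    if missing:
        return Finding(report.hostname, "missing", missing)
    return Finding(report.hostname, "compliant", ())


def compliance_report(reports, required=REQUIRED_PATCHES, now=None,
                      max_age=MAX_REPORT_AGE):
    """Return per-host findings plus a count per status."""
    findings = [assess(r, required, now, max_age) for r in reports]
    summary = {"compliant": 0, "missing": 0, "stale": 0}
    for f in findings:
        summary[f.status] += 1
    return findings, summary


def evidence_lines(findings, now):
    """One fixed-format line per host, suitable for retention as the audit
    record of what was checked and when."""
    stamp = now.isoformat()
    return [
        f"{stamp} {f.hostname} {f.status} missing={','.join(f.missing) or '-'}"
        for f in findings
    ]


# Constructed sample feed: one clean host, one missing a patch, one fully
# patched but silent for ten days, one server with nothing installed.
NOW = datetime(2005, 11, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_REPORTS = [
    HostReport("ws-101", frozenset({"PATCH-2005-A", "PATCH-2005-B"}), NOW - timedelta(hours=2)),
    HostReport("ws-102", frozenset({"PATCH-2005-A"}), NOW - timedelta(hours=5)),
    HostReport("ws-103", frozenset({"PATCH-2005-A", "PATCH-2005-B"}), NOW - timedelta(days=10)),
    HostReport("srv-01", frozenset(), NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    findings, summary = compliance_report(SAMPLE_REPORTS, now=NOW)
    for line in evidence_lines(findings, NOW):
        print(line)
    print(summary)
```

Run on the sample feed, ws-103 comes out as stale rather than compliant even though its last report listed every required patch; treating that host as green is exactly the gap a push-mode, people-independent process is meant to close. The block covers reporting and evidence only; the push mechanism itself is whatever the organisation's patch tool provides.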

“Enforcement of the policy is facilitated since every employee has been given the wherewithal to ensure it on whatever asset they are using,” explains Kang.

Across the public and private sectors and throughout the emerging information society the pressure to enable secure yet open access across organisations is growing. Organisations must balance the protection of sensitive, high value and mission-critical information and systems against the imperative to open access to a growing and diverse set of people, processes and devices across enterprises.

 
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.