Security Framework for Securing Digital Enterprise

In the new era of "Digital Enterprise - Disrupt Digitally or Get Disrupted", enterprises that become context aware, embrace digital and are driven by data are aligning with the entire value chain rather than only their own core competencies. The core of this disruption is technology enablement that creates simple, scalable, sustainable and smart digital systems. The capabilities of digital systems and the impact of Digital Enterprises on the value chain and its internal ecosystems are redefining the scope of securing digital assets and privacy. Any digital system that is capable of accepting online transactions is susceptible to attack and breach.

The complexity is further fueled by business scenarios that blend approaches from social, mobile and cloud architectures, combined with data from sensors, automation and wearables. These scenarios and processes are constantly transforming themselves, which often makes them resistant to any particular security categorization. As per Gartner, by 2017 over 20 percent of enterprises will have digital security services devoted (part time or full time) to protecting digital business initiatives, assets and operations.

“Any digital system that is capable of accepting online transaction is susceptible to attack and breach.”

Why do we need a framework?

While the Digital World is fueled by Information and Innovation, it is also creating a conspicuous inflection point where both internal and external threats are growing exponentially. The new threats are diverse, extremely sophisticated and increasingly part of well-funded and organized networks of hackers and attackers.

Securing the digital lifestyle is a critical and growing challenge for nations, governments, businesses and individuals alike. A comprehensive security framework is required to balance the need for speed to market, innovation and customer experience with the responsibility for protecting enterprise digital assets, combating fraud, and meeting compliance and regulations. To keep pace with business dynamics the framework must be holistic, data driven and context sensitive, enabling security as a fuel for disruption. The core focus has to be on transforming from traditional static security practices to intelligent and adaptive security models. This requires alignment of business and security, supported by an adaptive security architecture that includes solutions for identification, authentication, access control and digital signatures for all end points, and a framework that leverages tamper resistant hardware, secure embedded software, cryptography and security protocols to address challenging concerns related to CIA (confidentiality, integrity and availability), privacy, non-denial of service, non-repudiation and digital content protection. Core components of the framework are:

Identity and Access Management (IAM) - Identity federation, the use and support of social identities, third-party credentials and context-based authentication have become the heart of the digital enterprise. As more people, applications, devices and ‘Things’ access digital assets & services, management of ‘Identity’ across various distributed systems is a key and fundamental security requirement. New regulations and an increasing number of hosted and on-premise applications, coupled with mobile, sensors and wearables, make it important to know who accessed what information, when and why.

Context based security allows the enterprise to find out when and where a particular entity performed what action, and the outcome of that action.

As information is accessed across domains, networks and enterprise boundaries, an Identity-hub based Identity Relationship Management service can offer simple, smart and scalable solutions. The hub offers flexibility in the management and orchestration of access. Technologies like SAML 2.0, OAuth 2.0 and OpenID Connect can help enterprises with Identity Relationship and Federation Management. Additionally, digital enterprises can leverage the power of real-time analytics to monitor how users are accessing, sharing and using sensitive data; this enables them to spot abnormal activities and address security concerns before they have turned into a major problem. Using intelligent IAM tools, machine learning and analytics, it is possible to generate visual displays (heat maps, anomalies) of potential threats.
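The context-aware monitoring described above (who accessed what, from where, when, with what outcome, and which of those deviate from the user's normal pattern) can be shown on a few constructed access events. This is an added example, not code from the original article or any IAM product it names; the log format, the per-user baseline rule, the one-point-per-signal scoring and the cutoff date are assumptions made for the example.

```python
"""Context-aware access anomaly scoring and an access heat map.

Added illustration, not code from the original article: the log format,
the per-user baseline rule and the one-point-per-signal scoring are
assumptions made for this example."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access events (not real data):
# timestamp user source_country resource outcome
SAMPLE_EVENTS = """\
2015-03-02T09:05:00 alice US crm/contacts success
2015-03-02T09:40:00 alice US crm/contacts success
2015-03-03T10:15:00 alice US crm/contacts success
2015-03-02T14:00:00 bob DE finance/ledger success
2015-03-03T15:30:00 bob DE finance/ledger success
2015-03-04T11:02:00 alice US hr/payroll denied
2015-03-04T03:12:00 alice RU finance/ledger success
2015-03-04T15:45:00 bob DE finance/ledger success
"""
# Events before this date form the baseline; events from this date on are scored.
BASELINE_CUTOFF = datetime(2015, 3, 4)


def parse_events(text):
    """Parse one whitespace-separated event per line into dicts."""
    events = []
    for line in text.splitlines():
        ts, user, country, resource, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "resource": resource,
                       "outcome": outcome})
    return events


def build_baseline(events):
    """Per-user profile of countries, login hours and resources seen so far."""
    profile = defaultdict(lambda: {"countries": Counter(), "hours": Counter(),
                                   "resources": Counter()})
    for e in events:
        p = profile[e["user"]]
        p["countries"][e["country"]] += 1
        p["hours"][e["ts"].hour] += 1
        p["resources"][e["resource"]] += 1
    return profile


def score_event(event, profile):
    """One point per context signal that deviates from the user's baseline."""
    p = profile[event["user"]]
    reasons = []
    if p["countries"][event["country"]] == 0:
        reasons.append("new-country")
    # Off-hours: more than one hour away from every hour seen before.
    if all(abs(event["ts"].hour - h) > 1 for h in p["hours"]):
        reasons.append("off-hours")
    if p["resources"][event["resource"]] == 0:
        reasons.append("new-resource")
    if event["outcome"] != "success":
        reasons.append("denied")
    return len(reasons), reasons


def score_events(events, cutoff=BASELINE_CUTOFF):
    """Build the baseline from events before `cutoff`, score the rest in order."""
    history = [e for e in events if e["ts"] < cutoff]
    profile = build_baseline(history)
    return [(e, *score_event(e, profile)) for e in events if e["ts"] >= cutoff]


def hour_heatmap(events):
    """user -> {hour: count}: the data behind a user-by-hour heat map."""
    grid = defaultdict(Counter)
    for e in events:
        grid[e["user"]][e["ts"].hour] += 1
    return grid


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for e, score, reasons in score_events(evts):
        print(e["ts"], e["user"], e["country"], e["resource"], score, reasons)
    for user, hours in hour_heatmap(evts).items():
        print(user, dict(sorted(hours.items())))
```

The 03:12 login from a country never seen for that user, at an hour far from her usual pattern, to a resource she has never touched, collects the highest score; the denied payroll request scores on two signals; bob's routine ledger access scores zero. In a real deployment the baseline window, the signal weights and the alert threshold would be tuned against the enterprise's own traffic.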

SMAC - Social, Mobile, Analytics and Cloud (SMAC) are becoming the cornerstone of digital enterprises, providing them a competitive edge and the ability to disrupt. Business leaders are gearing up to exploit SMAC platforms for competitive edge, quite often oversimplifying and overlooking the need for balance between security and business opportunity. SMAC security may be fairly simple to explain but can be extremely challenging and complex to implement. Security and privacy should be a core part of any SMAC strategy and initiative. SMAC requires new foundational infrastructure, technologies and services, but these cannot be treated as isolated and individual technologies. Lack of testing and unenforced policies are the two main factors behind compromises in security. Quite often there is overlap with back-office transactional systems, services and infrastructure. Big data and analytics offer great insight but have to be protected against unauthorized access and data proliferation, and the veracity of input data has to be assured. From a social media point of view, enterprises need to be concerned about leakage of sensitive information, targeted spear-phishing attacks or APT ingress.

Privacy - Managing “entitlement,” which defines who can access your data and under what conditions it can be viewed and used by others, is one of the major challenges of the digital world. Digital enterprises are often caught trying to find the right balance between privacy risks and big data rewards.

The first step in managing privacy is to understand that privacy and security are different. One can argue that there can be an inverse relationship between the two: increased security often leads to less privacy.

Privacy is multi-faceted and takes various forms and shapes: privacy of person, behavior, action, communication, data, location, association and thoughts, to name a few.

Digital Enterprises must evaluate the full spectrum of privacy, appropriately identify and define policies and controls, and implement the right technologies. The policies and controls should be defined at enterprise level and must address both internal controls (administrative and physical processes) like data access and usage and segregation of duties, along with external controls (contractual and legal) like SLAs, data sharing etc. Enterprises have to invest in technologies for data masking, tokenization, encryption, anonymization and privacy enhancement.
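The four privacy technologies just listed (masking, tokenization, keyed pseudonymization as one form of anonymization, and generalization) differ in what they keep recoverable and by whom. The following added example, which is not code from the original article, applies each to one constructed customer record and checks that no raw sensitive value survives in the copy handed to analytics; the record layout, the in-memory token vault, the HMAC key and the ZIP generalization rule are assumptions made for the example.

```python
"""Masking, tokenization and pseudonymization of a constructed customer record.

Added illustration, not code from the original article: the record layout,
the in-memory token vault, the HMAC key and the ZIP generalization rule are
assumptions made for this example."""
import hashlib
import hmac
import secrets

# Constructed sample record; no real person or card number.
CUSTOMER = {"name": "Jane Example", "email": "jane@example.com",
            "pan": "4111 1111 1111 1111", "zip": "94105"}


def mask_pan(pan):
    """Masking: show only the last four digits, e.g. on a support screen."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: swap the real value for a random token. Only the vault
    (kept in a separately protected system) can map the token back."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value):
        if value not in self._token_for:
            token = "tok_" + secrets.token_hex(12)
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token):
        return self._value_for.get(token)


def pseudonymize(value, key):
    """Pseudonymization: keyed hash (HMAC-SHA256). Stable, so records can be
    joined across datasets, but not reversible and, without the key, not
    guessable by hashing candidate emails."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def generalize_zip(zip_code):
    """Anonymization by generalization: keep only the 3-digit ZIP prefix."""
    return zip_code[:3] + "**"


def prepare_for_analytics(record, vault, key):
    """Copy safe to hand to an analytics team: no name, no raw email, no raw PAN."""
    return {
        "customer_id": pseudonymize(record["email"], key),
        "pan_token": vault.tokenize(record["pan"]),
        "pan_display": mask_pan(record["pan"]),
        "zip_area": generalize_zip(record["zip"]),
    }


def leaks_raw_values(record, prepared):
    """Check: none of the sensitive raw values appear in the prepared copy."""
    blob = " ".join(str(v) for v in prepared.values())
    return any(record[k] in blob for k in ("name", "email", "pan"))


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # in practice held in an HSM or key management service
    safe = prepare_for_analytics(CUSTOMER, vault, key)
    print(safe)
    print("leaks raw values:", leaks_raw_values(CUSTOMER, safe))
    print("vault can recover PAN:", vault.detokenize(safe["pan_token"]) == CUSTOMER["pan"])
```

The design point is separation of recoverability: the analytics copy can be joined and aggregated, the support screen shows enough to confirm a card with a caller, and only the vault (and its key material) can get back to the original value.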

API Layer Management - Digital enterprises are leveraging APIs as a key driver, often recasting how B2B and B2C information is shared across networks, domains and enterprises. Publicly available APIs make enterprise assets reachable by apps and are tools that are accelerating growth in digital layers, connectivity and integration. As with any technology involved in the exchange of information, it is critical for enterprises to secure their APIs. In the 2014 Snapchat data breach, an API allowed hackers to match Snapchat users' phone numbers with usernames on a massive scale. Besides building security and validation within the APIs, enterprises must ensure that APIs are able to handle unexpected inputs and requests. Data validation to avoid standard injection flaws and cross-site request forgery, along with black-box testing and fuzzing, is crucial. One should not restrict testing primarily to mobile apps and browsers but ensure that all end points have been tested and secured. Further, as with any website or app, penetration tests and vulnerability assessments should also focus on APIs, as they are entry points to the application.

Governance - Digital risks can manifest in all forms of technology, processes and events that take part in the value chains (internal and external), from creation to destruction of digital information. Governance and process optimization is one effective way to secure the digital operations and assets of an enterprise. Security governance is a journey that requires continual investment and improvement over a period of time. The governance model takes a cross-functional approach that considers risk assessments and evaluation, structure, and periodic reviews of response procedures and management. The governance framework should explicitly assign roles, authority and accountability. It is a known fact that every enterprise has had or will have a breach one way or another. By implementing technical and behavioral controls and leveraging tools like Data Centric Audit and Protection, an enterprise can build a robust monitoring and detection analysis process that allows it to respond effectively and in a timely manner. Governance helps digital enterprises ensure reliance on their technology for business continuity as well as address compliance and regulatory requirements.

“Digital enterprises invest resources to ensure that their governance framework suits their risk profile. The focus is not only on protection but also on detection and timely response.”

Technology (Infrastructure and Services) - As technology is the primary fuel of digital enterprises, technology advancement has also resulted in growth in the number of cybercrimes, creating a continuous trade-off that often hinges on a balancing act between attacker and defender. Unfortunately, the balance is never static, as technology advancements affect both sides. Historically, attackers are more agile and adaptable, making them much better at being early adopters of new technology. To maintain the balance, enterprises must have strong and robust defense in depth, one that not only takes a holistic view of the entire IT infrastructure and services (network, hosts, applications and APIs) but also of how they interact with each other, what is accessed and how it is accessed. A Secure by Design architecture approach takes into account the inventory of all assets, identifies the critical information assets, analyzes network traffic and usage patterns, and identifies anomalies in order to separate legitimate traffic from the rest. Further, to protect critical and sensitive information, enterprises should explore moving sensitive data off main servers and isolating it on less used systems with a controlled number of access points. Advances in Layer 2/Layer 3 architecture that intelligently analyze traffic by taking content and context into consideration, SIEM, run-time detection and prevention against XML poisoning, JSON and SQL injection, and quota/spike arrest all help in the prevention and containment of attacks. Further, by leveraging ‘Big Data’, enterprises can weave distributed data collection to analyze large chunks of data every second, giving them real-time information on anomalies, incident response and remediation to enhance security.
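The API section asks that APIs validate data and cope with unexpected input, and this section adds run-time prevention of JSON and SQL injection plus quota/spike arrest. The following added example, which is not the article's code nor that of any product it names, puts those three controls in one request handler: an allow-list schema that rejects extra fields, wrong types and oversized bodies, a parameterized query so input is never spliced into SQL, and a per-client token bucket. The schema, the endpoint, the users table and the rate limits are assumptions made for the example.

```python
"""Hardened request handling for a JSON API: allow-list schema validation,
parameterized SQL and a per-client token-bucket spike arrest.

Added illustration, not code from the original article or any product it
names: the schema, the endpoint, the users table and the rate limits are
assumptions made for this example."""
import json
import sqlite3
import time


class RequestRejected(Exception):
    """Raised for any input the allow-list schema does not accept."""


# Allow-list schema: field -> (exact type, extra constraint).
SCHEMA = {
    "username": (str, lambda v: 1 <= len(v) <= 32 and v.isalnum()),
    "limit": (int, lambda v: 1 <= v <= 100),
}
MAX_BODY_BYTES = 4096


def validate(body):
    """Parse and validate a request body; reject size, shape and type surprises."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected("body too large")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        raise RequestRejected("malformed JSON") from None
    if not isinstance(data, dict):
        raise RequestRejected("body must be a JSON object")
    unexpected = set(data) - set(SCHEMA)
    if unexpected:
        raise RequestRejected("unexpected fields: " + ", ".join(sorted(unexpected)))
    for field, (typ, ok) in SCHEMA.items():
        if field not in data:
            raise RequestRejected("missing field: " + field)
        value = data[field]
        # `type(...) is` rather than isinstance: JSON true/false must not pass as int.
        if type(value) is not typ or not ok(value):
            raise RequestRejected("invalid field: " + field)
    return data


class TokenBucket:
    """Spike arrest: each client gets `capacity` tokens, refilled at `rate` per second."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self._state = {}  # client -> (tokens, last_seen)

    def allow(self, client):
        now = self.clock()
        tokens, last = self._state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[client] = (tokens, now)
            return False
        self._state[client] = (tokens - 1, now)
        return True


def make_db():
    """Constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "555-0100"), ("bob", "555-0101")])
    return conn


def lookup(conn, username, limit):
    """Parameterized query: the input is bound as data, never spliced into SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ? LIMIT ?",
                        (username, limit))
    return [r[0] for r in rows]


def handle(conn, bucket, client, body):
    """Order matters: cheap rate check first, then validation, then the query."""
    if not bucket.allow(client):
        return 429, "rate limited"
    try:
        data = validate(body)
    except RequestRejected as exc:
        return 400, str(exc)
    return 200, lookup(conn, data["username"], data["limit"])


if __name__ == "__main__":
    conn, bucket = make_db(), TokenBucket(rate=5, capacity=10)
    print(handle(conn, bucket, "10.0.0.1", '{"username": "alice", "limit": 10}'))
    print(handle(conn, bucket, "10.0.0.1", '{"username": "alice", "limit": true}'))
    print(handle(conn, bucket, "10.0.0.1", '{"username": "alice", "limit": 10, "admin": 1}'))
```

Two layers back each other up: the schema rejects a username containing quotes or spaces before it reaches the database, and even if a malformed value did get through, the parameterized query treats it as a literal string that matches no row. The bucket is keyed per client so one noisy caller cannot consume the quota of everyone else.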

People - On the face of it, security is often focused on technology and compliance, overlooking the people aspect. Technology and systems can be tweaked to form trust (there are no malicious machines; all attacks and breaches have a person in the end), and compliance processes can be optimized, but people will always be the weakest link. Digital enterprises are all about change; their core model may be based on ‘Fail Fast, Fail Often’, continuous innovation and exploring how to disrupt the value chain. The rapid pace of change and disruption may increase threats that arise from people resisting change, from a rogue employee who circumvents corporate security, or from someone who genuinely falls victim to a phishing or malware attack. A well-established and implemented awareness program, supported by clearly defined policies, guidelines and practices, helps organizations safeguard their digital assets from breaches that originate in the ‘Human Problem’.

“There are no malicious machines; all attacks and breaches have a person in the end”

Compliance - For digital enterprises, consumer connections and data are currency. Compliance remains a key item on the list of the Board and CXOs; they look to their IT and Security counterparts to ensure that digital assets are in compliance with a multitude of laws, regulations and frameworks, along with internal requirements: PCI, HIPAA, FISMA, GLBA, NERC, SOX, the EU Data Directive, ISO, COBIT and the 20 Critical Security Controls. However, a compliance-focused security framework may not be able to meet the needs of digital enterprises and their business model. This offers an opportunity for the CIO/CISO to convince the Board/CXOs of the need to build a proactive and comprehensive compliance strategy rather than a fear-based and siloed one. The focus should be on investing in various Governance, Risk and Compliance tools to track and monitor compliance in a methodical way. Further, awareness of key policies, risks and the expected behavior of employees will make it easier to achieve compliance.

Conclusion

Threats, risks and attacks on digital assets are coming from every corner and are equally concerning for governments, enterprises and individuals. In the age of digitization, where systems are highly connected and intertwined, it is impractical to assume that any enterprise is fully protected. To bolster the ability to withstand threats and attacks, a comprehensive framework has to play a crucial role in shaping the security posture around prevention, detection and effective response by integrating the various components into one integrated approach and paradigm.

Disclaimer: “The views expressed here are mine and do not necessarily reflect the views of my current, former or future employers or any organization with which I am associated.”

I really appreciate that you are reading my post and I hope you are finding the contents relevant. I look forward to hearing your thoughts and feedback about the post. Please share, like, and comment. Connect and follow me via LinkedIn. You may also enjoy:

Digital Enterprise - Disrupt Digitally or Get Disrupted 

Organization Reset – Different perspective for Transformation & Turnaround

SAP S4/HANA - Simple, Scalable, Sustainable and Smart!

Data 2.0 transforming Health 2.0

Wes Schropp 🌎

Delivering Business Transformation Solutions | Legacy Business Modernization | Fractional CTO Whisperer | Scale-Up Solutions for Growing Companies

3y

Rajiv, thanks for sharing!

Michael Lovewell

Senior Solution Consultant at Nexthink

6y

PEBKAC... Problem exists between the keyboard and chair!!! People are always behind the issues as you said... even if they aren't aware what they are doing!

Ramesh Mullaguru

Technology Executive | IT Strategy | Enterprise Architecture

8y

Nice article Rajiv Sondhi very detailed and covered the important topics

David Shilman🎗️

Fintech Architecture & Software Engineering Leader | Amateur GenAI, data scientist, quant engineer | DZone Blogger

8y

Enjoyed reading it. Quite comprehensive. Thank you for publishing this piece. One comment: secure app dev practices integrated in SDLC belong in this topic as well.

Monalisa Sarkar

Performance Marketing | ESCP Business School | IIT Kharagpur |

9y

Very insightful article
