Securing the extended enterprise

Ashish Thapar, Verizon Enterprise Solutions

What are the challenges faced by businesses today? Firstly, businesses today are global – the biggest opportunities are found in global markets. Organizations therefore need to be able to move in and out of markets quickly to maximize the potential of these opportunities; they need to deliver high quality services and solutions, yet at the same time minimize expenditure; they need to ensure the effective delivery of applications on a global basis; and they need to ensure compliance with local regulations at all times, or risk considerable financial penalties.

Business today therefore cannot be confined. Business now takes place on desktops, within devices (or machines), along networks and around the world. Data and information must span systems, countries, languages, and borders. Work is an activity, not a location. Supply chains need to be connected and optimized across the globe to meet customer and market demands.

By embracing the extended enterprise, organizations hope to harness the potential of global timezones and new service models to improve customer service and relationships, increase business resilience and enhance overall productivity.

However, the more information that enterprises have to distribute and manage, and the more places in which that information is housed, the greater the risk of that information being accessed by unauthorized parties. Data is no longer a contained entity – it flows in and out of the enterprise, and competitive advantage is determined by how well organizations are able to manage the speed of that flow while using the business knowledge harnessed from that data. Yet by opening up the enterprise to maximize its global business potential, organizations also increase their operational risks. Most importantly, this risk no longer originates solely from “outside” the enterprise; real and present threats also emanate from sources within the data flow and along the enterprise supply chain, including business partners, suppliers, and data users.

Managing Risk
Most organizations today have some form of security in place to protect business-critical information. The traditional way of protecting electronic information has been to implement a variety of point solutions, each designed to counteract a specific threat. Yet today’s sources of electronic attack, or threat vectors, are far more varied and subtle. Businesses therefore need to employ correspondingly subtle and varied approaches to the protection of their business-critical resources. Security needs to be an integrated, ongoing process that mirrors overall business objectives.

At its most basic level, managing information security risk is a balancing act between the cost of a breach to a firm’s IT infrastructure—both directly and indirectly—and the efforts that an organization needs to take in order to properly secure its infrastructure and the most important information assets that this infrastructure contains.

Successful risk management is essentially about mitigating events that may cause business disruptions or data breaches that may jeopardize revenue streams, harm customers or negatively impact the business reputation. Data breaches are becoming more sophisticated, targeted and harder to identify, and are increasingly done with the intention of compromising data for financial gain. Successful risk management therefore involves setting up not only the technologies, but also the practices and systems that will enable an organization to protect its business-critical assets – and in doing so, maintain its corporate brand, reputation and customer trust. These are the elements that go right to the heart of a firm’s value proposition.

Dealing with Data Flow
Businesses, and by extension their IT departments, have to be able to move with agility and speed to maximize the potential of new business opportunities. But they also need to satisfy multiple and evolving compliance regulations – all in the context of an ever-present need to control costs and maintain quality of service.

Data no longer sits in corporate databases alone; it flows in and out of the enterprise, is stored in remote databases or flat files, and is sent to wireless and mobile devices where it may be stored or sent on again. Data privacy legislation, which invariably differs from one territory to the next, must be respected, and adds another layer of complexity to data access and management, making data classification more important than ever.

Such issues are an everyday part of any global organization’s IT management processes, and they have to be addressed even before the question of threat management arises.

Evolving Nature of Threats
Given the reach and scope of the enterprise, it makes sense that the nature of threats is also evolving. Threats may now originate not just from outside the organization, but also from applications, or users, or the IT infrastructure itself. Attackers are changing their tactics from mass-attack of networks to personalized and targeted attacks.

The 2012 Verizon Data Breach Investigations Report analyzed 855 data breaches involving 174 million stolen records – the second highest data loss that the team has seen since it began collecting data in 2004. Surprisingly, 97 percent of the attacks analyzed were avoidable, without the need for organizations to resort to difficult or expensive countermeasures.

Basic security recommendations from our team included eliminating unnecessary data; establishing essential security controls by ensuring that fundamental, common-sense countermeasures are in place and functioning correctly; placing importance on event logs; and, most importantly, prioritizing the overarching security strategy.

Companies need to adopt a basic security strategy that is both process-centric and specifically tailored to their own business needs. The fundamental risk principle is that no one size fits all; technology and service providers have to deliver security solutions designed to individual customer requirements and delivered the way the customer needs them, whether out-sourced, co-sourced or indeed in-sourced. The solution simply has to align with the business requirements and working practices of the customer.

Balancing the Risk Equation
A fundamentally different approach to security is needed to satisfy the evolving needs of business today. For most organizations, there are four absolutely critical areas of concern:
• Securing the complete extended enterprise, including internal networks and extranets, but also endpoints in the hands of end users
• Meeting the challenges of governance, risk and compliance, including aggregating, monitoring, measuring and reporting on security compliance and control efforts on an ongoing basis
• Protecting data, the flow of data, and the applications handling the data
• Securing the infrastructure in the context of business objectives, to get the most out of the technologies you have

Security solutions cannot be constrained by any single delivery mechanism, and effective risk management, and thus optimized information security, must be based on an integrated security approach. In essence, it’s about taking security wider, smarter and deeper. It’s also about the intelligent resolution of these key organizational issues.

At the heart of this security approach is the concept of securing trust around users: security must encompass all those places where an organization’s users can access its data. In the extended enterprise, this requires a wider perspective than that traditionally employed. Security controls must be cost-efficiently executed at all those places where they are most effective. This means looking not only at deployment at base premises, but also across “the cloud” - the extended enterprise’s broader reach.

Secondly, effective security must also be applied on a deeper basis, spanning the entire IT stack: the network, data, applications and users. This links to the concept of integrated security solutions. It’s not enough to focus protection on a single layer of the stack; all elements must be considered as part of an integrated whole, and the consequences of a breach in one part of the stack have to be considered within the context of the extended enterprise’s full reach. It’s not about monitoring a device or a perimeter, but rather acknowledging the reach of the organization overall.

This links to the third consideration – a smarter approach to security. This essentially means accepting that security decisions should be based on risk, not on threats and vulnerabilities alone, and on achieving measurable gains for the systems and services that have been implemented. Of course, measuring ‘security performance’ in such an environment can present its own challenges, but by adopting this type of working culture, businesses are in a strong position to respond to compliance requirements.

This approach gives companies data in a format they can use in a process-centric manner; organizations get maximum leverage from the knowledge that they generate and have a mechanism by which this knowledge can be reused in future projects. The key is to make sure that organizations are able to conduct risk management in the most cost-efficient way and from the most effective place.

The Security Ideal
The ideal security solution is one that works around a customer-focused business model. This ideal solution supports information protection, business continuity and compliance through solutions that offer fully integrated threat and vulnerability management, identity and access management, security and compliance measurement.

It should be delivered as an ongoing process, providing visibility and control across all parts of the security life cycle, aiming for continuous improvement to reduce risk. It should be based around a network-centric infrastructure and designed to maximize the potential of available security intelligence. The key is to enable analysis of large amounts of data so that businesses have meaningful information to support decision making.

The end result is then something that adds real value to the business overall: security that truly supports overall business objectives, and enables the organization to maximize the potential of its existing investments and assets, by protecting data, and the flow of data, across the entire extended enterprise.

Delivering Security
Of course, there is one major stumbling block to most organizations achieving this aim – having the knowledge and expertise to implement effective security solutions. Fully understanding the potential security risks to an organization requires not only in-depth knowledge of organizational security as a whole, but also the ability to take a critical and dispassionate view of existing business practices.

This is why managed security services are gaining an increasing foothold in the world’s leading organizations. Rather than having to invest in internal expertise, it is simpler, quicker and more cost effective to buy in expertise from a trusted third party – that expertise can then be integrated as a critical element of the extended enterprise’s infrastructure.

The nature of today’s enterprise environment brings with it unprecedented security challenges that continue to evolve in sophistication and potential impact. To address these challenges effectively, organizations must move beyond the constraints of historic approaches to security, shifting their mindset from point protection to an approach that encompasses both the premises and the extended enterprise cloud. Most importantly, the complex nature of security issues requires a depth of knowledge that few IT departments could ever hope to have available in house.

Securing the enterprise, and the flow of data within and without its perimeter, is probably today’s absolutely critical business challenge. How well businesses manage to achieve this goal will determine their future business success.