In today's increasingly interconnected business environment, new security risks are emerging. Phil Huggins writes.
The security risks that have emerged from the increasingly interconnected nature of modern business are a subject that dominates the concerns of senior security professionals working with large enterprises. They range, for example, from the security of the physical supply chain to the reliance on potential competitors for the delivery of a business process, to the growing importance of information technology.
This article concentrates on the risks emerging from increasing IT interconnections. Until recently, interconnected businesses generally relied upon electronic data interchange (EDI) to exchange information. EDI typically utilised point-to-point connections between two businesses, with the EDI documents defined between the two trading partners for the purposes of that connection.
These are expensive and complicated connections to establish, and they do not easily scale down to the smaller members of a business relationship. However, EDI links are easy to secure. It is easy to identify who needs what data and in which format, and it has been possible to build security into the applications on either side of the link.
However, the world of business connectivity is changing, driven by the increasing reliance on automated IT systems for business delivery in large enterprises and SMEs, and the growth of the internet as a platform for business-to-business (B2B) connections.
Using the internet and internet-derived technologies for B2B transactions has not replaced EDI documents, but the ability to cheaply and easily connect information systems proliferating within the businesses that make up many supply chains has led to a rapid expansion of business interconnections. For many businesses this has rendered the concept of a strong security perimeter redundant, for no longer is business connectivity limited to communications between two trading partners: integrated supply chains can now involve information transactions between many different enterprises.
This trend has been accelerated by large enterprises outsourcing non-core business activities. So interconnections now include not only partners in the supply chain, but suppliers of outsourced services. The delivery of a single business process often requires the interconnection of many different, sometimes competing, businesses.
Potential security risks
Using the internet has undoubtedly reduced costs and provided opportunities for new services and entirely new business models, but has thrown up potential security risks. What were once purely private connections are now increasingly available to anyone on the network. This increases the opportunity for targeted attack. The evolution of the curious hacker into the ruthlessly professional organised criminals that now haunt the internet has increased the number of threats.
The first half of this decade saw the security industry scramble to catch up. No longer tasked merely with securing the perimeter, they were being asked for products and services that allowed partners and customers across the perimeter deep into core business systems.
Some of the leaders of the information security world have described the concept of 'de-perimeterisation' – recognition of a change in priority to protecting information rather than protecting networks. This has been led by the Jericho Forum, which has produced an end-user derived roadmap for the security industry to follow to address the challenges of de-perimeterised security. While the Jericho Forum roadmap is a useful guide for future developments, what is clear is that many businesses are already significantly de-perimeterised, many without realising the risk implications.
Many businesses no longer have 'private' networks, and this means that building a system to a lower, internal, security standard is unlikely to be enough to manage the IT security risks. For many businesses, treating their corporate network as untrusted unless specifically verified as secure is likely to require a new approach. This can include the creation of 'islands of security' around systems too expensive to easily secure themselves, the active scanning of client systems as they connect to identify potential compromises, and less emphasis on network security.
Network control and firewalls have given way to a focus on the security of the software applications themselves. This challenge has been taken up by many of the software vendors, who have made great strides, but it has not yet been satisfactorily addressed in most large enterprises that develop their own business systems or glue together many different components into a customised whole.
The lack of an easy killer response and an off-the-shelf product that can easily and completely solve the problem has led to many businesses building security into their business applications themselves, no longer relying on the security of the network to limit who can connect to what, but trying to limit the actions customers or partners can take when they are connected.
A number of clear principles to support this need to build security throughout an organisation's systems rather than patch it around the outside have been developed and are maintained by the Open Web Application Security Project (OWASP).
Challenges
Many businesses have varying levels of success in building security in at the application level. The common approach is to integrate security throughout both the system engineering lifecycle and the software development lifecycle. Managing IT security risks is no longer a process of creating and enforcing policies and standards but a more active engagement with the IT delivery processes from inception, to build, to test, through to operation.
There is an added complexity, from a deployment perspective, of different businesses providing wildly differing application interfaces for the same tasks. Similarly, the rise in the number of relationships to be defined and managed has seen the cost of defining and maintaining EDI document definitions for each relationship grow dramatically. As a result of this increasing complexity, many businesses are moving towards providing interconnectivity through more standardised data formats and service-orientated architectures (SOA).
SOA is a fairly widely defined approach to business system architecture that builds on the idea of decomposing business systems into loosely-coupled services commonly provided via web services or proprietary enterprise messaging systems. The key goal of SOA is to make services available across platforms in a standardised manner. This also has an initial overhead in terms of defining the service interfaces, but with centrally available repositories of service definitions it is possible for many different developers to more easily make use of these distributed services, without requiring a direct relationship with the original developers.
The extension of these loosely-coupled services to the internet has been the basis for the recent consumer internet trend for 'mash-ups', where a developer combines services from different businesses to create a new application that did not exist before, for example combining the property listings of Craigslist with Google Maps to provide a map of available properties.
The development of such loosely-coupled services across an enterprise has allowed forward-thinking businesses to introduce a faster development cycle for new business systems.
One problem now faced by corporate IT security risk managers is that the move from dedicated systems to loosely-coupled services has changed the risk model many have relied on. Previously it was possible to identify how important a system was to a business (its potential business impact as a result of a compromise) and use that as a basis for future security decisions.
Identifying the business impact ratings of systems is no longer granular enough to support the decision-making process. A critical system may provide many non-critical services as well as the one critical service that raised the system rating as a whole. To require critical system levels of security for non-critical services is not efficient and can introduce costs and delays to the IT process, which in turn can undermine the standing of the security team within the IT team as a whole.
IT security risk managers need to start thinking about service criticality rather than system criticality. This leads to a greater understanding of the importance of the data stored and manipulated by the system. For many large enterprises that have seen systems and data volumes proliferate at an almost uncontrolled rate, identifying critical services and critical data is a daunting task that will only get bigger over time.
Managing cross-domain identity
Extending the use of these services across the perimeter to partners and customers has brought cross-domain identity management to the fore again. The proliferation of internal business systems had already produced problems relating to multiple staff identities and long provisioning processes, which in many businesses have led to the deployment of centralised directories of user identities. The challenge for deploying SOA services to partners is that, once again, each partner is likely to have their own user directories. In a point-to-point EDI connection this can be carefully controlled through a strict user management process, as connection-specific users from each side of the connection are identified. The numbers of relationships now enabled by SOA approaches, however, mean that traditional user management processes do not scale. We are once again looking at providing users with an identity that crosses multiple organisational boundaries.
The security industry has faced these problems once before and produced Public Key Infrastructure (PKI) systems to act as internally centralised repositories for user identities. PKI systems are expensive to establish, complex and have significant difficulties in managing different trust levels across organisations. This has limited the numbers of successful deployments of PKI systems and they have a poor reputation among IT departments.
It appears that the consumer internet may provide a developing solution for the issue of cross-organisational identity. A new approach to identity management called Identity 2.0 focuses much more on a user-centric model where users control and maintain their own identity, based on certified documents from a wide range of identity providers.
Technologies such as the OpenID standard and Microsoft's CardSpace provide clues to the management of such complex identities. These technologies are still focused on the consumer, but are being rapidly adopted. Mapping internet 2.0 identities to centralised directories is starting to happen, suggesting that an enterprise Identity 2.0 approach may soon be a viable solution to the issue of cross-organisational identity in a SOA world.
IT security risk managers need to consider how de-perimeterised they already are, whether they are adequately addressing risk within applications, what data and services they are going to focus their attentions on, and how they are going to manage customer and partner identities.
It is clear that managing the risk of increasing IT interconnection in the business world alone is a large task without even considering the implications of outsourcing and physical supply chain integration. A flexible approach that allows businesses to take appropriate risks confidently is key to managing the security implications of these changes.
Phil Huggins is chief technical officer, Information Risk Management plc, E-mail: phil.huggins@irmplc.com, www.irmplc.com