The Core Four: SOA Approach to Security Management

A Service-Based Approach to Security Management

I recently attended a security conference where thousands of security products from hundreds of vendors were all vying for attention. While most of these products filled a legitimate need, the array of products reminded me of an orchestra warming up. Each instrument may sound good by itself, but together they would be cacophonous without a conductor.

Companies need to develop a coherent strategy to align security investments with the real risks faced by the business. How can a business leverage identity, role, and policy information to improve governance and security? How can an enterprise tie together the knowledge gathered by disparate security systems to help intelligently manage security services to effectively protect the business and increase IT effectiveness?

This challenge mirrors what's happening in our data centers. Too many companies have overspent on silos of solutions that are nearly impossible to manage holistically and leave the business at risk. Many enterprises have deployed dozens of identity management and threat solutions to thousands of desktops and servers. Yet the endless onslaught of unmanaged worms, viruses, and other attacks (both inside and outside) proves that these solutions aren't providing the necessary protection when implemented as "one-offs." The security management task - to make sense of it all - isn't getting any easier either. If companies can't get a handle on their security information, the entire corporation could be exposed to accident or attack.

From the CEO and CIO on down, it is imperative to align security and risk management with the business. To ensure business agility, IT must be able to react quickly to ever-changing business and security requirements. When a new threat or risk is discovered, the IT infrastructure must be able to mitigate and control the exposures before excessive damage can be done. Aligning security with business also means being able to instantly support a new business application that requires a strong degree of authentication. Another example is ensuring that every application meets strict audit requirements imposed by business or government regulations. Businesses need to create an agile infrastructure that treats security as if it were a volume button - one that can be adjusted as needed without disruptive retrofitting or architectural upheaval. Making this happen requires identity and security management tools that can deploy policies on the fly.

Making the Vision a Reality
Enterprises require a broad, contextualized view of their networks and security stance in much the same way that Google Earth lets users zoom down to the street level and out to the country level with the touch of a button. Such a comprehensive and intelligent view would help make it easier to understand dollar value impact to the business when problems occur or when new applications are being assessed or deployed.

So how can the technologists help make that vision real? One important part of the solution is to implement a cohesive approach to IT and security management - one that has been architected to create a cross-enterprise, platform-independent view. The key to success is approaching the solution in a modular, service-oriented manner that supports the rapidly changing needs of the business.

One of the failings of today's disjointed, piecemeal approach to security is the myriad of disconnected solutions that have been rolled out in silos of ownership and management. These silos are brittle and restrictive. Service-oriented architectures (SOAs) have been developed to provide businesses with the ability to deliver information and services to an organization's ecosystem of customers and partners and then to manage these services to the appropriate risk level. This eliminates restrictions or roadblocks based on platform constraints, legacy deployments, or political or business unit boundaries. By liberating the intelligence from the silos, the promise of SOA is that enterprises can use both network and identity information to increase the focus and granularity of policy decisions.

Consider the earlier example of a business application that requires strong authentication. An enterprise creates an authentication service that all of the application developers call from within new applications. The service provides options such as password or biometric authentication, as well as control parameters such as password length restrictions and cryptographic key length. Using an authentication service shortens the development process and ensures that the resulting application is already in compliance with the corporate controls and infrastructure. If the developers had to create a new authentication service for each application, the process would be slowed as the service was developed and implemented. In addition, the missing connection to an approved authentication service would require extensive testing, approval from security organizations, redundant development, and possible changes to the architecture. This takes time and introduces additional risk. Using the services model as part of the development process allows organizations to create new user experiences and services on the fly - not just a personalized experience but one that is aligned with business and security needs as well. This intelligence needs to be managed by a heterogeneous policy management layer that provides the management process described above.

Instead of isolating (and duplicating) security information within the various silos throughout the enterprise, information silos must be broken down and replaced by service-savvy models that help enterprise technologists turn data into knowledge that serves the business. To support the service-oriented architecture, four core security building blocks are needed - users, assets, services, and policy. Each core component can be leveraged to realize the vision of advanced, intelligent security management services.

Users
Users are actors on a network. When looking at how a business runs, one of the most critical considerations is the profile and unique characteristics of the users accessing systems and services. In a service-oriented world, services also can be "users" of other services. To strategically approach the task of breaking down the security information silos, it is essential to plan for management of data related to users. This is because user data is a critical piece of information that enables security management services to function intelligently. Managing the entire user lifecycle - such as creation of the user ID, provisioning a profile and access for the user, and real-time awareness of what the user is doing (be it changing a password or accessing a service) - enables IT to know what is occurring on the network and how the services are being used.

If an organization approaches the user management function from a services approach, the vision becomes more focused. Each application no longer acts as a separate silo of user management - the user management itself is abstracted into a service. Now, instead of leaving the user data as breadcrumbs attached to unique applications, the applications interact with the user management service as needed. Federation takes this concept one step further by liberating the user from the repository. User access is managed and monitored from a central console that serves as an intelligent, policy-aware gatekeeper for all the applications and devices on the network. Concerns around user experience, customization, access control, and audit can be alleviated because centralized policies are called through a user service to which baseline controls can be applied. In addition, this information can be fed back into the security management service to provide risk data and usage data to the business for audit, compliance, and risk control.

Assets
Users need to access resources, such as a portion of the network, a device on the network, or an application. Users also have devices to access resources, and the network has devices that are accessed. Information about these assets includes the type of device, the operating system on the device, configuration information, and current patch levels. This information is essential for creating a complete vision of current vulnerabilities and risks on the network, as well as the overall risk level for the business.

Armed with information about what is on the network, a security management service can begin to make intelligent decisions about those devices. For example, a critical application that resides on a device that can't be patched due to operational restrictions (such as a healthcare device that would no longer be considered approved for medical use if its configuration were changed) can be flagged as a high-priority risk. If vulnerabilities on that system are discovered, they would need to be protected via other mitigating controls such as being placed in a protected zone or via enhanced auditing. Coordination of the information about this asset, as well as workflow regarding how the controls were approved and implemented, would be handled by the intelligent security management service.

Many enterprises already have some type of asset management investment in place, so the challenge is often how to find a way to share existing data with the security management service. This can be accomplished by creating a service model overlay from which security management services can consume legacy asset data, and translating that data into usable information within the new model.
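As an added illustration of the overlay just described (not code from the article or from CA), the following Python sketch normalizes records from two constructed legacy sources, a CMDB export and a vulnerability-scanner export, into one asset model and then applies the rule from the healthcare-device example: an unpatchable device hosting a critical application with open findings is flagged high priority and must be covered by mitigating controls such as a protected zone or enhanced auditing. All field names, hostnames, finding identifiers and control names are invented for the example.

```python
from dataclasses import dataclass, field


# Constructed example: a service overlay that normalizes asset records from
# two legacy sources into one model, then flags risk the way the article
# describes. Source schemas, field names and findings are all invented.

@dataclass
class Asset:
    asset_id: str
    os: str
    patchable: bool
    hosts_critical_app: bool
    open_findings: list = field(default_factory=list)
    mitigating_controls: list = field(default_factory=list)


# Legacy CMDB export (constructed). "change_frozen" marks devices whose
# configuration may not change, e.g. a regulated medical device.
LEGACY_CMDB = [
    {"hostname": "infusion-pump-07", "os": "embedded-rtos", "change_frozen": True,
     "business_criticality": "critical", "controls": ["protected_zone"]},
    {"hostname": "web-frontend-01", "os": "linux", "change_frozen": False,
     "business_criticality": "high", "controls": []},
    {"hostname": "kiosk-12", "os": "windows", "change_frozen": False,
     "business_criticality": "low", "controls": []},
]

# Legacy vulnerability-scanner export (constructed; finding ids are placeholders).
LEGACY_SCANNER = [
    {"host": "INFUSION-PUMP-07", "finding": "FINDING-0001", "severity": "high"},
    {"host": "web-frontend-01", "finding": "FINDING-0002", "severity": "medium"},
]


def normalize(cmdb_rows, scanner_rows):
    """Translate both legacy schemas into the security management model."""
    findings = {}
    for row in scanner_rows:
        # Hostnames differ in case between tools; join on a canonical key.
        findings.setdefault(row["host"].lower(), []).append(row["finding"])
    assets = {}
    for row in cmdb_rows:
        key = row["hostname"].lower()
        assets[key] = Asset(
            asset_id=key,
            os=row["os"],
            patchable=not row["change_frozen"],
            hosts_critical_app=row["business_criticality"] == "critical",
            open_findings=findings.get(key, []),
            mitigating_controls=list(row["controls"]),
        )
    return assets


# Controls the article names for systems that cannot be patched.
REQUIRED_COMPENSATION = {"protected_zone", "enhanced_auditing"}


def assess(asset):
    """Priority and recommended action for one normalized asset."""
    if not asset.open_findings:
        return {"priority": "none", "action": "monitor", "missing_controls": []}
    if asset.patchable:
        return {"priority": "medium", "action": "patch", "missing_controls": []}
    # Cannot patch: a critical app with open findings is top priority and must
    # be covered by mitigating controls instead of a fix.
    missing = sorted(REQUIRED_COMPENSATION - set(asset.mitigating_controls))
    priority = "high" if asset.hosts_critical_app else "medium"
    action = "compensate" if missing else "accepted_with_controls"
    return {"priority": priority, "action": action, "missing_controls": missing}


def risk_report(cmdb_rows=LEGACY_CMDB, scanner_rows=LEGACY_SCANNER):
    """Run the overlay end to end and return one assessment per asset."""
    assets = normalize(cmdb_rows, scanner_rows)
    return {k: assess(a) for k, a in sorted(assets.items())}


if __name__ == "__main__":
    for asset_id, result in risk_report().items():
        print(asset_id, result)
```

The point of the overlay is that the security management service never reads the legacy schemas directly; each new source only needs one more translation into `Asset`, and the risk rules stay untouched.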

Services
Services provide distinct functions that can be used and reused by users, applications, and other services. The service approach decouples functionality and data from proprietary applications and makes them available to a wider ecosystem.

To work efficiently, these services need to be embedded in the infrastructure and be accessible to a variety of systems, applications, and users. An example can be seen in identity and access management (IAM). Embedding an entitlement service into an application platform provides hooks that give new applications and services access to existing policies and user repositories. The services themselves can be self-protecting. That is, they carry with them information and data that protects the transaction or usage. For example, say that a company wishes to provide a partner with access to data for only one day so the partner can check out the offering. An IAM service would issue a temporary user identity with a time to live of 24 hours. The service maintains the kill time on that identity so that it is deleted at the end of its lifecycle. The applications that interact with this service do not need awareness of the kill date, because it is already contained in the self-protected service.
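The self-protecting identity described above, as an added Python example that is not part of the article or of any CA product: the identity service records the kill time when it issues a partner identity, refuses and deletes the identity once that time has passed, and exposes only an entitlement check to calling applications, so no caller has to track the 24-hour limit. The class and method names, the injectable clock and the sample entitlement are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed example: an identity service that issues temporary identities
# carrying their own kill time. Callers only ask "is this identity entitled?";
# the service enforces expiry and deletes the identity at the end of its life.

@dataclass(frozen=True)
class TemporaryIdentity:
    identity_id: str
    partner: str
    issued_at: datetime
    expires_at: datetime
    entitlements: frozenset


class IdentityService:
    def __init__(self, clock=None):
        # Injectable clock so the lifecycle can be exercised deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._store = {}  # identity_id -> TemporaryIdentity

    def issue(self, partner, entitlements, ttl=timedelta(hours=24)):
        """Issue an identity that dies `ttl` after issuance (24 hours by default)."""
        now = self._clock()
        ident = TemporaryIdentity(
            identity_id=secrets.token_urlsafe(16),
            partner=partner,
            issued_at=now,
            expires_at=now + ttl,
            entitlements=frozenset(entitlements),
        )
        self._store[ident.identity_id] = ident
        return ident

    def resolve(self, identity_id):
        """Return a live identity, or None (after purging it) once past its kill time."""
        ident = self._store.get(identity_id)
        if ident is None:
            return None
        if self._clock() >= ident.expires_at:
            del self._store[identity_id]  # end of lifecycle: the service deletes it
            return None
        return ident

    def is_entitled(self, identity_id, resource):
        """The only question applications need to ask; expiry is handled inside."""
        ident = self.resolve(identity_id)
        return ident is not None and resource in ident.entitlements

    def purge_expired(self):
        """Housekeeping sweep; returns how many dead identities were removed."""
        now = self._clock()
        dead = [k for k, v in self._store.items() if now >= v.expires_at]
        for k in dead:
            del self._store[k]
        return len(dead)

    def live_count(self):
        return len(self._store)


def demo_partner_trial():
    """Walk a partner identity through the 24-hour lifecycle with a fake clock."""
    clock = {"now": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)}  # constructed
    svc = IdentityService(clock=lambda: clock["now"])
    ident = svc.issue("example-partner", {"catalog:read"})
    at_issue = svc.is_entitled(ident.identity_id, "catalog:read")
    wrong_resource = svc.is_entitled(ident.identity_id, "catalog:write")
    clock["now"] += timedelta(hours=23, minutes=59)
    near_end = svc.is_entitled(ident.identity_id, "catalog:read")
    clock["now"] += timedelta(minutes=1)
    after_kill = svc.is_entitled(ident.identity_id, "catalog:read")
    return {
        "at_issue": at_issue,
        "wrong_resource": wrong_resource,
        "near_end": near_end,
        "after_kill": after_kill,
        "live_after": svc.live_count(),
    }


if __name__ == "__main__":
    print(demo_partner_trial())
```

Because the kill time lives with the identity inside the service, changing the trial period or revoking a partner early is a single change in one place, which is the centralization of self-protection policy the next paragraph describes.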

Ultimately, the service approach abstracts complexity from the application or service developer, the administrator, and the user. It also supports federation. This is powerful because it allows the business to centralize the policies governing that self-protection into a single place - while also enabling the business to gather data about service usage. This data can be aggregated into the security management service to provide full visibility into what is really happening within the business.

Policy
With the previous three components in place, the nirvana for security management is nearly achieved. However, one key ingredient is still missing: policy. Policy is the glue that ties assets, users, and services together to enable organizations to adjust security procedures to meet business requirements. Policy infrastructure has to be heterogeneous and standards-based, and offer lifecycle management capabilities. It needs to support different policies such as authentication, authorization, auditing, administration, privacy, and governance. By implementing a service-based approach to policy management, organizations can integrate and consolidate individual policy silos into an enterprise policy tier that governs enterprise IT security services. This policy service tier enables organizations to fine-tune alignment since it allows decisions to be made centrally and implemented en masse across the enterprise without the need for costly individual testing and approval.

To illustrate how a policy service can improve the alignment of security with the business, consider the case of a new business partner in a typical enterprise. For most IT managers and application architects, this means long hours of integration work, testing and retesting of rules, roles and permissions, and potentially, weeks of effort cataloguing existing system security mechanisms. If, in addition, this partner has contractually negotiated a higher level of response time for security services, many IT organizations may find the challenge just too great to bear and might even be tempted to compromise security in order to fulfill the obligations of the business. In a policy-driven enterprise, however, individual systems would not have to be catalogued and mapped to ensure compliance with the business goals. An appropriate change to the high-level policy is all that's required to make the necessary changes at the application or system level.

Presence is a perfect example of a policy input that can be applied to a variety of policies. The location of a user, device, or service is a telling piece of information that affects risk. Presence information includes data about not only when a user or device is active, but also where it is in the context of the overall environment. This is especially true in today's mobile environment, where users and services are accessed from points all over the globe, including kiosks, untrusted networks, and a variety of devices such as PDAs and handhelds.

Policy decisions about access might need to be changed based on information related to presence. If we consider the data points of physical presence and integrate these into the security management service, organizations can identify possible policy violations. Say, for example, a user accesses the corporate headquarters in New York using a physical access badge card at 9:00 AM and then the same user ID attempts to log in from a laptop located in California at 9:05 AM. This presence disconnect could have deep security implications for the firm. It could represent an active attack or an unauthorized use of system resources. Another example is the set of services that a user may be approved to access but only under certain presence conditions. For example, managers may be able to access payroll applications when connecting from a trusted network, but will be blocked when connecting from a wireless connection at a coffee house.

Using advanced analytics within the security management service, such violations can be identified quickly and prevented. Such a model empowers the business with the intelligent flexibility to deliver (or revoke) services from a central point based on presence information. It is the security management service that intelligently ties this information together and provides the full view of risk from which policy decisions can be made.
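The two presence scenarios above (the badge swipe in New York followed by a login from California five minutes later, and payroll access allowed from a trusted network but blocked from a coffee-house wireless connection), worked through as an added Python example that is not code from the article or from CA. A single policy decision function combines role, network trust and physical presence; the "impossible travel" check compares the distance between the last known presence event and the new one against the fastest plausible speed. Coordinates, user names, resource names, the 900 km/h threshold and the set of trusted networks are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


# Constructed example: a policy decision point that combines role, network
# trust and physical presence. Presence events come from the two sources the
# article names, badge readers and logins; names and thresholds are assumptions.

@dataclass(frozen=True)
class PresenceEvent:
    user_id: str
    source: str      # "badge" or "login"
    lat: float
    lon: float
    when: datetime
    network: str     # "corporate", "vpn", "wireless-public", ...


TRUSTED_NETWORKS = {"corporate", "vpn"}

# Resource -> roles allowed and whether a trusted network is mandatory.
RESOURCE_POLICY = {
    "payroll": {"roles": {"manager"}, "trusted_network_required": True},
    "intranet": {"roles": {"employee", "manager"}, "trusted_network_required": False},
}

# Fastest plausible movement between two presence points (roughly airliner speed).
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(prev, cur):
    """True when the user could not physically have moved between the two events."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if distance < 1.0:           # same site; ignore location jitter
        return False
    if hours <= 0:
        return True              # simultaneous presence at two distant places
    return distance / hours > MAX_PLAUSIBLE_KMH


def evaluate_access(roles, resource, attempt, history):
    """Return ("allow" | "deny", [reasons]) for one access attempt."""
    rule = RESOURCE_POLICY.get(resource)
    if rule is None:
        return "deny", ["no_policy_for_resource"]
    reasons = []
    if not (set(roles) & rule["roles"]):
        reasons.append("role_not_entitled")
    if rule["trusted_network_required"] and attempt.network not in TRUSTED_NETWORKS:
        reasons.append("untrusted_network")
    # Correlate with the user's most recent prior presence event, whatever its source.
    prior = [e for e in history if e.user_id == attempt.user_id and e.when <= attempt.when]
    if prior:
        last = max(prior, key=lambda e: e.when)
        if impossible_travel(last, attempt):
            reasons.append("impossible_travel")
    return ("deny" if reasons else "allow"), reasons


def demo_scenarios():
    """The two situations described in the article, with constructed coordinates."""
    t0 = datetime(2024, 3, 4, 9, 0)
    nyc_badge = PresenceEvent("jdoe", "badge", 40.71, -74.01, t0, "corporate")
    ca_login = PresenceEvent("jdoe", "login", 37.77, -122.42, t0 + timedelta(minutes=5), "vpn")
    travel = evaluate_access({"manager"}, "intranet", ca_login, [nyc_badge])

    t1 = datetime(2024, 3, 5, 8, 30)
    office = PresenceEvent("mgr1", "login", 40.71, -74.01, t1, "corporate")
    cafe = PresenceEvent("mgr1", "login", 40.73, -74.00, t1 + timedelta(hours=3), "wireless-public")
    from_office = evaluate_access({"manager"}, "payroll", office, [])
    from_cafe = evaluate_access({"manager"}, "payroll", cafe, [office])
    return {"travel": travel, "from_office": from_office, "from_cafe": from_cafe}


if __name__ == "__main__":
    for name, decision in demo_scenarios().items():
        print(name, decision)
```

Note that the badge reader and the VPN gateway are different systems; the correlation only works because both feed the same presence history, which is exactly the silo-breaking the article argues for. A real deployment would also tune the speed threshold and the same-site radius to its own geography.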

Bringing Security into Harmony
By taking a service-based approach to security we can help enterprises understand and quantify their security controls in a way that effectively manages risk while promoting more efficient business operations. Like the conductor of an orchestra, the service-level approach brings the disparate sounds of the instruments into alignment and allows the melody to appear. The best way to bring security into harmony is to implement the "core four" - users, assets, services, and policy - as services and then to feed the data into a security management service that is built on top of a flexible policy management infrastructure. In this way, the disparate bits and bytes of security data can be transformed into the intelligent, contextualized knowledge necessary to protect the enterprise in an increasingly complex environment.

Vadim Lander is chief security architect at CA.
