The reality, however, is that legacy systems pose the greatest potential risk to any enterprise: these platforms are anachronistic in terms of security support, lack many common safeguards, and don't have the necessary Application Programming Interfaces (APIs) to scale globally as a secured platform (Gupta, Roth, 2007). Legacy systems were designed in an era when a single authentication for an entire enterprise system was considered sufficient, and role-based access and computing was not regarded as a core requirement. Architects of these systems could not anticipate the breadth, depth and sophistication of the attacks being carried out today against enterprise systems, websites, EDI links and every other potentially vulnerable entry point to a system. Enterprise software vendors including Oracle, SAP, Infor and others have opted to port or migrate their legacy ERP systems to Enterprise Application Infrastructure (EAI)-based platforms to increase their security while retaining compatibility with legacy databases and programs (Harney, 2006).
Legacy systems are the single greatest threat to any enterprise today (Talbot, 2006). This is because their initial architecture, design and implementation did not take into account the breadth, depth and sophistication of today's attacks, which were neither anticipated nor forecast decades earlier. Retrofitting a legacy application is a formidable task, with the costs for an ERP system being well over $16M for a typical distributed order management system, for example (Talbot, 2006). Given the high cost of transforming legacy and home-grown ERP and enterprise systems into secured, scalable and role-based platforms, it is understandable why many companies today are looking at how their investments in compliance requirements can also deliver a high level of risk mitigation and management. The following section illustrates how enterprises are pursuing compliance with government reporting requirements while working to quantify the financial value of their security management strategies.
Assessing the financial impact of enterprise security management strategies on an enterprise needs to capture the business improvements made possible by role-based access to data and information, while taking into account the measurable gains in performance that come from reducing risk and increasing reporting accuracy. Measuring the financial impact of risk management needs to take a causal approach to best capture the return on investment (ROI) possible from greater security, risk mitigation and preventative security initiatives. These investments at the strategic level drive greater business improvements, supported by highly scalable compliance platforms capable of delivering cost reductions while ensuring highly efficient use of assets. The relationships among these factors, shown in Figure 2, are used by enterprises to create unified, enterprise-wide strategies for security management that can produce measurable, significant financial results over time. Figure 2, Causality of Security Management Strategies to Shareholder Value, shows how compliance, security and compliance platforms, when coordinated, can deliver significant shareholder value over time.
Figure 2: Causality of Security Management Strategies to Shareholder Value
Source: (Nagaratnam et al., 2005)
The continual pursuit of security's contribution to shareholder value shown in Figure 2 is managed as an iterative workflow, with continual improvements made over time to system processes, procedures and integration points throughout the enterprise. This iterative approach to continually strengthening and focusing enterprise security management investments, so as to gain the greatest impact on financial performance, has shown potential in reducing operating costs by reducing cost-based leakage, supply chain errors, and losses from pilferage and data loss, including theft (Nagaratnam, Nadalin, Hondo, McIntosh, Austel, 2005). This model also illustrates how closely aligned enterprise risk management strategies are to the financial performance of the enterprises that rely on them (Garbani, 2005). Each enterprise needs to take into account its specific strategic plans, the IT integration points for its core strategies, and its ability to quantify how risk management contributes to greater financial performance. While the value of averting an attack that decimates information assets can't be calculated, when the performance of these systems is taken into account from a process improvement standpoint, as part of a risk management strategy, their contributions can be clearly tracked (Nagaratnam et al., 2005). More efficient and highly targeted security management strategies can help an enterprise be more efficient in meeting the three requirements of the triad mentioned earlier in this analysis. Quantifying the value of risk management has the greatest impact in streamlining how IT resources are used in the attainment of long-term strategic plans and initiatives.
Too often organizations rely on a tactical, short-term orientation for solving strategic, complex and intricate security problems. This leads many enterprises to churn continually through risk management programs and initiatives, burning thousands of hours and millions of dollars in the process (Kangasharju, Lindholm, Tarkoma, 2008). Enterprise security management is more than just migrating legacy applications from outmoded and often outdated operating systems. It involves the development of an entirely new platform for security management across the entire enterprise. While enterprise software companies have much to gain in terms of incremental sales by positioning role-based add-on applications, including entire Enterprise Application Integration (EAI) layers, the best practices in this area center on those enterprises that are taking the extra step of aligning risk and security management with their strategic plans (Kangasharju, Lindholm, Tarkoma, 2008).
Making the causal link between investments in security management, risk management, compliance and analytics, so as to enable more accurate financial reporting, can form a powerful catalyst for the enterprise security management (ESM) frameworks of the future. By integrating compliance and financial reporting, enterprises gain the ability to quantify the contributions of risk management over time (Ma, Orgun, 2008). Taking into account the triad of factors that research in this area has shown to be significant, and mapping how they are integrated with one another, leads to the development of a model that accounts for each factor. Figure 3, Proposed Enterprise Security Management Model, shows how the triad of factors can be integrated with one another, creating an effective framework for enterprises to plan, implement, evaluate, monitor and change their risk and security management strategies over time. Transparency and information velocity form the balancing element of the model, linking COBIT (and SOX) compliance initiatives and strategies to the evaluation and certification processes across companies. These two areas rely on the enterprise information security policy and strategies to define how risk and security management initiatives and investments will be made over time. Balancing all of these factors are two objectives: minimizing risk at the department and divisional level on the one hand, and defining cost controls and quantifying revenue opportunities over the long term on the other. These two aspects of the model are embedded within the process workflows of the Enterprise Risk Management (ERM) module of the system. Also included in this area of the model is support for the continual updating of business processes, and for business process re-engineering (BPR) specifically.
The baseline component for ERM will also need to include support for Business Process Engineering Language (BPEL) functionality, so that business processes can be continually improved on the basis of risk analysis and mitigation.
Figure 3: Proposed Enterprise Security Management Model
Summary and Conclusion
Securing an enterprise at the most basic level involves hardening each potential entry point to its systems and ensuring that network-based security is in place to protect information assets. The problem is that many enterprises have legacy and home-grown systems that are decades old. The stop-gap measure that many companies rely on is Enterprise Application Integration (EAI)-based security management. This approach does help to alleviate problems, yet it can potentially slow down the integration of enterprise systems corporate-wide, crippling productivity for the sake of security. This is especially true in legacy systems that lack the APIs and coding platforms necessary to ensure security across all systems while also enabling security management down to the application level. One strategy companies have relied on over time to alleviate this problem is to acquire, install and continually customize role-based applications in which authentication can be defined down to the user level. Role-based authentication and security management have also proven highly effective in mitigating security threats, minimizing the losses that stem from inconsistent security across enterprise systems, and providing greater traceability of the performance attained. These three areas of an enterprise system, role-based access, compliance with government reporting and auditing requirements, and quantifying the financial value of systems, when combined form an effective framework for the enterprise security management model that this paper has proposed. The greater the synchronization of these elements, the greater the overall progress an enterprise makes toward its strategic plans and goals.
Cuppens, F., and N. Cuppens-Boulahia. 2008. Modeling contextual security policies. International Journal of Information Security 7, no. 4 (August 1): 285-305.
Das, S., R. Echambadi, M. McCardle, and M. Luckett. 2003. The Effect of Interpersonal Trust, Need for Cognition, and Social Loneliness on Shopping, Information Seeking and Surfing on the Web. Marketing Letters 14, no. 3 (October 1): 185-202.
Gupta, S., and A. V. Roth. 2007. Martin K. Starr: A Visionary Proponent for System Integration, Modular Production, and Catastrophe Avoidance.…