Security Management
Defining an Effective Enterprise Security Management Strategy
For any enterprise to attain its long-term strategic objectives, it needs an agile, highly secure framework for managing its financial reporting and audit applications corporate-wide. Security within the enterprise is not just layers of passwords or authentication technologies protecting intellectual property. Best practices in enterprise security management focus on how to apply the global requirements for audit compliance, including COBIT, the Information Technology Infrastructure Library (ITIL), Sarbanes-Oxley (SOX), ISO/IEC 17799 and other security and audit standards (Robinson, 2005). Combining Governance, Risk and Compliance (GRC) as part of a broader enterprise security management strategy yields higher levels of compliance while also anticipating and responding to new compliance regulations (Maner, 1999). Organizations that have taken this approach to enterprise security management (ESM) have been able to reduce security threats to their applications, supporting their uptime and performance over the long term.
ESM strategies need to combine risk management for enterprise-wide applications, including ERP, CRM and supply chain management (SCM), with compliance to reporting requirements. This dual requirement of mitigating risk to enterprise applications while ensuring a high level of compliance to reporting requirements can serve as a powerful catalyst of innovation and long-term change within an enterprise. Based on the research completed for this analysis, there is a clear need for an equilibrium model that can assist senior management teams, including CEOs, CFOs and CIOs, in navigating these two initially conflicting objectives, which must be coordinated if a company is to attain its strategic plans and initiatives. The need for application security management and the need for compliance can be combined into a single initiative, and many organizations have done this successfully. When the Sarbanes-Oxley Act of 2002 (SOX) was passed, the initial audits of publicly traded companies showed that many did not have application security programs in place, and the majority lacked an enterprise security management (ESM) strategy as part of their strategic plan. Redefining core business processes to ensure application security and compliance actually increased a company's ability to respond to market conditions while reducing security and audit risk (Stoica, Farkas, 2004).
Integrating enterprise information systems, audit processes and certification programs, cost controls, Enterprise Risk Management (ERM) systems and compliance programs into a single, unified framework can accomplish the goals of mitigating risk and increasing compliance (Smith, 2008). Both objectives can be accomplished; they are not mutually exclusive. Further, the stronger the enterprise security management used to mitigate security threats, the greater the potential for auditability and compliance (Mitchell, 2007). Instead of seeing these two aspects of the overall risk management strategy as mutually exclusive, they can complement each other and make the enterprise not only more secure but also more efficient and agile in responding to market conditions (Hawkins, Alhajjaj, Kelley, 2003). The intent of this analysis is to show how such a model could work.
Background
Creating an effective enterprise security management strategy needs to start at the application level, where the dual design objectives are supporting workflows that align to specific roles in the organization and complying with regulatory requirements. By integrating application security, evaluation or auditing, and compliance to SOX, COBIT and other governance initiatives, enterprises are finding they can quantify the performance and value of their security management programs. Integrating application security management with governance initiatives, in conjunction with the audit processes used to ensure compliance, has the effect of strengthening application security throughout the enterprise (Ma, Orgun, 2008).
The first step in creating a more effective enterprise security management strategy is to design applications so they are role-based rather than functionally oriented, as the majority are today. To attain the highest levels of security possible at the application level, enterprise applications need identity management, authentication driven by role and situational context, and support for constraint-based modeling and definition of security access privileges by user and account (Das, Echambadi, McCardle, Luckett, 2003). This is critical to ensure that enterprise applications support and strengthen each role within an organization to the maximum extent possible. Enterprise application vendors were slow to adopt role-level definition of security and authentication until the Return on Investment (ROI) of doing so was readily seen in customers' results. Security management strategies are now driving enterprise application vendors to align more closely with role-based information needs, as the security of corporate information assets, including critical financial data, must now be managed at the corporate officer level (Ma, Orgun, 2008).
Security management concerns and the needs of enterprises are thus reshaping how Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and many other enterprise applications are being developed and sold today. The following graphic shows how contextual roles are influencing the design and implementation of enterprise applications. Figure 1 shows the taxonomy-based approach often used by enterprise software companies including Infor, Oracle, SAP and others.
Figure 1:
Taxonomy-based Approach to Role-based Application Development
Source: (Cuppens, Cuppens-Boulahia, 2008)
Enterprise security management strategies on the part of companies have forced enterprise software vendors to take a more multidimensional approach to how they design, implement and support their applications. As Figure 1 shows, there are a variety of contextual reference points that enterprise applications must support for the enterprise to mitigate security risks while staying in compliance with financial reporting standards including SOX and others. The prerequisite, provisional, spatial, temporal and user-declared contexts of an enterprise application need to be taken into account to ensure the security management goals of the enterprise are met. This contextual approach to defining security is also critically important for the role-based reporting and use requirements of enterprises over the long term (Swart, Marshal, et al., 2005). Finally, taking this contextual approach to defining roles and the security supporting them also ensures a higher level of compliance to reporting requirements (Cuppens, Cuppens-Boulahia, 2008). The three requirements of role-based access to applications to increase security, compliance to government reporting requirements, and quantifying or measuring the financial value of these factors form the foundation of effective enterprise security management (ESM) platforms today (MacVittie, 2006).
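To make the contextual, role-based model of Figure 1 and the constraint-based access privileges discussed in the Background section concrete, the following is an added example, written for this page rather than taken from the cited sources or from any vendor's product. It implements a small authorization decision function in which a request must pass three gates: a constraint check (here the standard RBAC constraint of mutually exclusive roles, so one user cannot both create and approve an invoice), a role-to-permission check, and a set of context rules of the kinds named in Figure 1 (temporal, spatial, provisional and prerequisite). Every decision is returned with a reason string so it can be written to an audit record, which is what makes the model auditable. All role names, users, sample requests and rule thresholds are constructed for illustration.

```python
"""Contextual role-based authorization with a separation-of-duties constraint.

Added example for this page (not code from the cited papers or any vendor).
All users, roles and requests below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Roles assigned to each user (constructed sample data).
ROLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},  # conflicting pair; must be refused
    "dave": {"auditor"},
}

# Permissions granted by each role, as (resource, action) pairs.
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "ap_clerk": {("invoice", "create"), ("invoice", "read")},
    "ap_approver": {("invoice", "approve"), ("invoice", "read")},
    "auditor": {("invoice", "read"), ("ledger", "read")},
}

# Constraint: no user may hold both roles of a mutually exclusive pair
# (the clerk who creates an invoice must never be able to approve it).
MUTUALLY_EXCLUSIVE: List[FrozenSet[str]] = [frozenset({"ap_clerk", "ap_approver"})]


@dataclass
class Request:
    user: str
    resource: str
    action: str
    when: datetime                                  # temporal context
    network: str                                    # spatial context: "corp", "vpn", "public"
    mfa: bool                                       # provisional context: step-up auth done
    facts: Set[str] = field(default_factory=set)    # prerequisite context (established facts)


Rule = Tuple[str, Callable[[Request], bool]]


def business_hours(r: Request) -> bool:
    """Weekdays 08:00-18:00 (an assumed policy, not one from the page)."""
    return r.when.weekday() < 5 and time(8, 0) <= r.when.time() < time(18, 0)


# Context rules that must all hold for a given (resource, action).
CONTEXT_RULES: Dict[Tuple[str, str], List[Rule]] = {
    ("invoice", "approve"): [
        ("temporal: business hours only", business_hours),
        ("spatial: corporate network only", lambda r: r.network == "corp"),
        ("provisional: step-up MFA required", lambda r: r.mfa),
        ("prerequisite: invoice must be submitted", lambda r: "invoice_submitted" in r.facts),
    ],
    ("ledger", "read"): [
        ("spatial: corp or vpn", lambda r: r.network in {"corp", "vpn"}),
    ],
}


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is intended for the audit log."""
    roles = ROLE_ASSIGNMENTS.get(req.user, set())
    # Gate 1: constraint check. A conflicting assignment is refused outright.
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= roles:
            return False, f"separation-of-duties violation: {sorted(pair)}"
    # Gate 2: some role must grant the permission.
    if not any((req.resource, req.action) in PERMISSIONS.get(role, set()) for role in roles):
        return False, f"no role of {req.user} grants {req.action} on {req.resource}"
    # Gate 3: every context rule for this permission must hold.
    for name, predicate in CONTEXT_RULES.get((req.resource, req.action), []):
        if not predicate(req):
            return False, f"context rule failed: {name}"
    return True, "allow"


def audit_record(req: Request) -> Dict[str, object]:
    """Decision plus the reason, in the shape an audit trail would store."""
    allowed, reason = authorize(req)
    return {"user": req.user, "resource": req.resource, "action": req.action,
            "when": req.when.isoformat(), "network": req.network,
            "decision": "allow" if allowed else "deny", "reason": reason}


BUSINESS_DAY = datetime(2024, 3, 12, 10, 0)  # a Tuesday, 10:00


def sample_requests() -> Dict[str, Request]:
    """Constructed requests exercising each gate."""
    submitted = {"invoice_submitted"}
    return {
        "bob_ok": Request("bob", "invoice", "approve", BUSINESS_DAY, "corp", True, submitted),
        "bob_after_hours": Request("bob", "invoice", "approve", BUSINESS_DAY.replace(hour=20), "corp", True, submitted),
        "bob_from_vpn": Request("bob", "invoice", "approve", BUSINESS_DAY, "vpn", True, submitted),
        "alice_no_permission": Request("alice", "invoice", "approve", BUSINESS_DAY, "corp", True, submitted),
        "carol_sod": Request("carol", "invoice", "read", BUSINESS_DAY, "corp", False),
        "dave_public": Request("dave", "ledger", "read", BUSINESS_DAY, "public", False),
        "dave_vpn": Request("dave", "ledger", "read", BUSINESS_DAY, "vpn", False),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, audit_record(req))
```

The ordering of the gates matters: the separation-of-duties check runs before any permission lookup, so a conflicting role assignment is reported as a policy defect rather than silently granting whichever permission happened to be requested. Real deployments would load the role and rule tables from the identity system rather than from constants, but the decision logic and the audit reason string are the parts the compliance model depends on.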
Role-based applications are quickly transforming the enterprise software landscape, leading to a much greater focus on measurable performance by sales, marketing, services, pricing, production and executive management teams. This focus on measuring the contributions of each role in an enterprise has inherent risks from a security, authentication and data use perspective. The finer the authentication required at the role level, the more critical it is to create an agile enterprise security management framework. Given the constraint of legacy systems in many enterprises, retrofitting programs continue to make applications more role-based through the use of Business Process Execution Language (BPEL) support (Ma, Orgun, 2008). This however has not solved the inherent design limitations of applications designed for functional use rather than for role-based, highly secured and authenticated use. Retrofitting applications to be more role-based also limits the value of analytics for tracking their performance over time, a key component of any enterprise security management strategy (Vijayan, 2007). What enterprises have typically done instead is concentrate on creating a series of proprietary networks comparable in scope to intranets, yet differentiated from that collaboration framework by multi-layer sign-ons, biometrics and other advanced forms of security management (Gupta, Roth, 2007). In companies that have an inflexible, highly structured set of enterprise systems, the security management strategy shifts from role-based application development and implementation to creating internal networks that sacrifice the fluidity and agility of information flows in exchange for security management defined down to the network protocol layer (Ray, Tideman, 2004).
Companies with a legacy of functional enterprise applications that cannot be modified to reflect role-based accountability and use of data face the daunting task of taking their enterprise infrastructure and creating walled, highly secured internetworks that attain the highest levels of security while sacrificing agility, information integration and the ability to collaborate freely across the enterprise (Ma, Orgun, 2008).
This is the dichotomy that many organizations face from a security standpoint. They can either stay with their existing IT infrastructure, which for many of them is highly siloed and difficult to use in today's turbulent economic climate and uncertain business environment, or they can opt to create a role-based enterprise infrastructure (Talbot, 2006). Making this transition on legacy systems is however fraught with potential security problems: high levels of intrusion risk and, worst of all, degradation in the quality and availability of knowledge. Legacy systems also lack the necessary support and infrastructure for the more advanced algorithms used to authenticate and validate users by the role they hold in the organization (Ma, Orgun, 2008). An essential element in any enterprise security management (ESM) strategy is the continual improvement of legacy databases and the internal processes they support, to harden them against external risk (Saltzman, 2006). The reality is that legacy systems pose the greatest potential risk to any enterprise, as these platforms are anachronistic in terms of security support, lack many common safeguards, and do not have the Application Programming Interfaces (APIs) needed to scale globally as a secured platform (Gupta, Roth, 2007). Legacy systems were designed in an era when a single authentication for an entire enterprise system was considered sufficient, and role-based access and computing was not a core requirement. The architects of these systems could not anticipate the breadth, depth and sophistication of the attacks carried out today against enterprise systems, websites, EDI links and every other potentially vulnerable entry point. Enterprise software vendors including Oracle, SAP, Infor and others have opted to port or migrate their legacy ERP systems to Enterprise Application Integration (EAI)-based platforms to increase their security while retaining compatibility with legacy databases and programs (Harney, 2006).
Legacy systems are cited as the single greatest threat to any enterprise today (Talbot, 2006), because their initial architecture, design and implementation, completed decades earlier, could not anticipate the breadth, depth and sophistication of today's attacks. Retrofitting a legacy application is a formidable task; the cost for a typical distributed order management system within an ERP suite, for example, is well over $16M (Talbot, 2006). Given the high cost of transforming legacy and home-grown ERP and enterprise systems into secured, scalable and role-based platforms, it is understandable why many companies today are looking at how their investments in compliance requirements can also deliver a high level of risk mitigation and management. The following section illustrates how enterprises are pursuing compliance to government reporting requirements while working to quantify the financial value of their security management strategies.
Assessing the financial impact of enterprise security management strategies on an enterprise needs to capture the business improvements made possible by role-based access to data and information, while taking into account the measurable gains in performance from reduced risk and increased reporting accuracy. Measuring the financial impact of risk management needs to take a causal approach to best capture the return on investment (ROI) possible from greater security, risk mitigation and preventative security initiatives. These investments at the strategic level drive business improvements supported by highly scalable compliance platforms capable of supporting cost reductions while ensuring efficient use of assets. The relationships among these factors, shown in Figure 2, are used by enterprises to create unified, enterprise-wide strategies for security management that can have measurable, significant financial results over time. Figure 2, Causality of Security Management Strategies to Shareholder Value, shows how compliance, security and compliance platforms, when coordinated, can deliver significant shareholder value over time.
Figure 2: Causality of Security Management Strategies to Shareholder Value
Source: (Nagaratnam, et.al, 2005)
The continual pursuit of security's contribution to shareholder value shown in Figure 2 is managed as an iterative workflow, with continual improvements made over time to system processes, procedures and integration points throughout the enterprise. This iterative approach to strengthening and focusing enterprise security management investments for the greatest impact on financial performance has shown potential for reducing operating costs by reducing cost-based leakage, supply chain errors, and losses from pilferage and data loss including theft (Nagaratnam, Nadalin, Hondo, McIntosh, Austel, 2005). This model also illustrates how closely aligned enterprise risk management strategies are to the financial performance of the enterprises that rely on them (Garbani, 2005). Each enterprise needs to take into account its specific strategic plans, the IT integration points for its core strategies, and its ability to quantify how risk management contributes to greater financial performance. While the value of averting an attack that would decimate information assets cannot be calculated directly, when the performance of these systems is taken into account from a process improvement standpoint as part of a risk management strategy, their contribution can be clearly tracked (Nagaratnam, et al., 2005). More efficient and highly targeted security management strategies can help an enterprise meet the three requirements mentioned earlier in this analysis. Quantifying the value of risk management has the greatest impact in streamlining how IT resources are used in the attainment of long-term strategic plans and initiatives.
Analysis
Too often organizations rely on a tactical, short-term orientation for solving strategic, complex and intricate security problems. This leads many enterprises to continually churn through risk management programs and initiatives, burning thousands of hours and millions of dollars in the process (Kangasharju, Lindholm, Tarkoma, 2008). Enterprise security management is more than just migrating legacy applications from outmoded and often outdated operating systems. It involves the development of an entirely new platform for security management across the entire enterprise. While enterprise software companies have much to gain in incremental sales by positioning role-based add-on applications, including entire Enterprise Application Integration (EAI) layers, the best practices in this area center on those enterprises that take the extra step of aligning risk and security management to their strategic plans (Kangasharju, Lindholm, Tarkoma, 2008).