Jiri’s Notepad

Over the last few years, large tracts of media space have been used to describe the dire state of current enterprise security. Even more has been used to describe various potential remedies for the perceived problems. People speak of defence-in-depth, de-perimeterisation, identity-centric solutions and so forth, the list of ‘answers’ seems endless.

Most of today’s security is actually implemented using mechanisms provided by operating system or network technology. Application-level security does exist, but it is typically implemented in more fragmented manner. That was good enough for a while, but it is ceasing to be so; not because of security threats or vulnerabilities, but because of changes in business requirements, for example:

• Increased focus on business-to-business interactions. This often requires extension of internal systems to external customers and business partners;
• Integration of organisations and their information technology alongside business processes instead of around functional boundaries;
• Increased stringency of management controls to meet requirements of new regulatory regimes;
• Lowering the long-term cost of information technology.

The fundamentals of the response to these new requirements will inevitably include:

• Increasing the use of application-level security mechanisms to complement system and network security;
• Developing and using common common components used consistently across the enterprise to increase consistency and efficiency of authentication, authorisation and audit in a manner integrated with the overall architecture;
• Identifying the right set of technical and architecture security standards and making sure they are used.

To achieve this, security departments need to upgrade their capability and re-focus their activities, aligning them with enterprise architecture and system development processes. Payoff for those who manage this is an opportunity to fix some old problems an avoid other fundamental future ones.Read more