Securing the crossroads

01 Jul 09

Although businesses are at risk of losing $US1 trillion from loss or theft of data and other cybercrime, a far more co-ordinated security effort is required before multi-enterprise applications are fully protected.

Multi-enterprise environments are diverse and complex; sensitive information is handled by multiple parties both inside and outside corporate boundaries, involving time-sensitive transactions and SLA-dependent relationships. The security of endpoints such as laptops, servers and network gear is a potential area of vulnerability, and it is critical that enterprises formulate an overall security plan.

With around 80% of the world’s business data being exchanged as files, it is little wonder that unintentional exchanges take place alongside everyday business activities. These include spam and phishing exploits, viruses and malware.

The extent of the problem cannot be overstated. A study by McAfee showed instances of malware increased by 400% in 2008, 80% of which had the aim of financial gain. According to a 2007 study, on average businesses lose $US4.1 million to data breaches, or $US128 per record compromised, with 40% of organisations reporting breaches by trusted third parties. Clearly a comprehensive security solution is imperative for organisations with multi-enterprise applications (MEA).

Such a solution will provide assurance that only the correct business transactions and behaviour are occurring, while enforcing policies across multiple partners and ensuring that the content is secure at all times. Embedding controls in the infrastructure, to ensure the integrity of the overall system, protects against unauthorised access to information while mitigating ‘failures’ and mal-operations. MEA security also minimises the possibility of widespread failures or attacks and keeps all exposures contained. Robust security will understand and adapt to failure modes.

The key aspects of business content security include confidentiality for both stored and communicated data; integrity in proving that only good copies of the real data are shared; and authenticity in proving the identities of all participants at all layers. Additionally, authorisation and access controls prove that each entity has the correct access rights to the information being accessed, while the ability to audit and track will support the business processes.
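As an added illustration, not part of the original article and not Axway's own code, the following Python sketch shows how three of these properties fit together at a gateway that receives files from a partner: an HMAC-SHA256 tag, checked in constant time, gives integrity and authenticity under a shared per-partner key; a per-partner policy enforces authorisation; and every decision is written to an audit trail. The partner names, keys and policy are constructed sample values, and the function and variable names are hypothetical. Confidentiality is not shown, since it would be provided by transport security (TLS) or file encryption in front of this check.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: one secret per partner, provisioned at enrolment in a real deployment.
PARTNER_KEYS = {
    "partner-a": b"constructed-demo-key-for-partner-a",
}

# Constructed authorisation policy: the document classes each partner is allowed to send.
ACCESS_POLICY = {
    "partner-a": {"invoice", "purchase-order"},
}

# In-memory audit trail for the example; a real system would append to tamper-evident storage.
AUDIT_LOG = []


def tag_content(partner_id: str, content: bytes) -> str:
    """Sender side: compute an HMAC-SHA256 tag binding the content to the partner's key."""
    return hmac.new(PARTNER_KEYS[partner_id], content, hashlib.sha256).hexdigest()


def _audit(partner_id: str, doc_class: str, content: bytes, outcome: str) -> None:
    """Record who sent what, when, and what the gateway decided (audit and tracking)."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "partner": partner_id,
        "doc_class": doc_class,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "outcome": outcome,
    })


def accept_exchange(partner_id: str, doc_class: str, content: bytes, tag: str) -> str:
    """Receiver side: verify authenticity and integrity first, then authorisation.

    Returns 'accepted', 'rejected:unknown-partner', 'rejected:integrity' or
    'rejected:authorisation', and appends exactly one audit record per call.
    """
    key = PARTNER_KEYS.get(partner_id)
    if key is None:
        _audit(partner_id, doc_class, content, "rejected:unknown-partner")
        return "rejected:unknown-partner"

    # Authenticity and integrity: recompute the tag and compare in constant time,
    # so a forged or modified file is rejected without leaking timing information.
    expected = hmac.new(key, content, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        _audit(partner_id, doc_class, content, "rejected:integrity")
        return "rejected:integrity"

    # Authorisation: the authenticated partner must be permitted to send this class of document.
    if doc_class not in ACCESS_POLICY.get(partner_id, set()):
        _audit(partner_id, doc_class, content, "rejected:authorisation")
        return "rejected:authorisation"

    _audit(partner_id, doc_class, content, "accepted")
    return "accepted"


if __name__ == "__main__":
    doc = json.dumps({"invoice": 1234, "amount": "100.00"}).encode()
    t = tag_content("partner-a", doc)
    print(accept_exchange("partner-a", "invoice", doc, t))         # accepted
    print(accept_exchange("partner-a", "invoice", doc + b" ", t))  # rejected:integrity
    print(accept_exchange("partner-a", "payroll", doc, t))         # rejected:authorisation
    print(accept_exchange("partner-z", "invoice", doc, t))         # rejected:unknown-partner
    print(json.dumps(AUDIT_LOG, indent=1))
```

The order of the checks matters: the gateway establishes who sent the file and that it is unmodified before it consults the access policy, so the audit trail never records an authorisation decision for content whose origin was not proven.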

MEA security is able to address the various layers in an enterprise environment, ensuring the infrastructure and network layers are protected against malware and attacks.

No technique can provide perfect security, so several techniques must be combined to provide multifaceted, in-depth defence. This usually implies having as many control points as practical. A key area to address is securing the connection and content for authentication, privacy and integrity. Security must be embedded seamlessly into other processes, so that no action is required of users after initial setup and enrolment. Added to this, consideration of the interfaces between two partners’ security policies is critical – in this case an enterprise has to enforce its security policy on partners.

Although the industry is making steady progress in advancing MEA security, efforts need to be co-ordinated among the various industry groups to streamline and standardise security support. While certain vendors are leading the way, a vigorous approach is needed on a broader front.

To manage all the potential corporate loopholes, three main processes need to be established: governance, risk management and compliance. Governance is the responsibility of senior executive management, who should focus on creating organisational transparency by defining the mechanisms used to ensure that constituents follow established processes and policies. Risk management comprises processes that leverage internal controls to manage and mitigate risk throughout the organisation. Compliance should be used to record and monitor these policies, procedures and controls so that they remain compliant with legislative or industry mandates.

Dr Taher Elgamal is Chief Security Officer of Axway Inc. (formerly Tumbleweed Communications), an industry leader in information security. Recognised in the industry as the ‘inventor’ of SSL, Dr Elgamal is one of the world’s leading experts in computer, network and information security. He also invented several industry and government standards in the data security and digital signatures area, including the DSS government standard for digital signatures. He holds a PhD and MS in Computer Science from Stanford University and a BS in Computer Science from Cairo University.
+61 2 8916 6402
