Although businesses are at risk of losing $US1 trillion from loss or theft of data and other cybercrime, a far more co-ordinated security effort is required before multi-enterprise applications are fully protected.
Multi-enterprise environments are diverse and complex; sensitive information is handled by multiple parties both inside and outside corporate boundaries, involving time-sensitive transactions and SLA-dependent relationships. The security of endpoints such as laptops, servers and network gear is a potential area of vulnerability, and it is critical that enterprises formulate an overall security plan.
With around 80% of the world’s business data being exchanged as files, it is little wonder that unintentional exchanges take place along with everyday business activities. These include spam and phishing exploits, viruses and malware.
The extent of the problem cannot be overstated. A study by McAfee showed instances of malware increased by 400% in 2008, 80% of which had the aim of financial gain. According to a 2007 study, on average businesses lose $US4.1 million to data breaches, or $US128 per record compromised, with 40% of organisations reporting breaches by trusted third parties. Clearly a comprehensive security solution is imperative for organisations with multi-enterprise applications (MEA).
Such a solution will provide assurance that only the correct business transactions and behaviour are occurring, while enforcing policies across multiple partners and ensuring that the content is secure at all times. Embedding controls in the infrastructure, to ensure the integrity of the overall system, protects against unauthorised access to information while mitigating against ‘failures’ and mal-operations. MEA security also minimises the possibility of widespread failures or attacks and keeps all exposures contained. Robust security will understand and adapt to failure modes.
The key aspects of business content security include confidentiality for both stored and communicated data; integrity in proving that only good copies of the real data are shared; and authenticity in proving the identities of all participants at all layers. Additionally, authorisation and access controls prove that each entity has the correct access rights to the information being accessed, while the ability to audit and track will support the business processes.
MEA security is able to address the various layers in an enterprise environment, ensuring the infrastructure and network layers are protected against malware and attacks.
No technique can provide perfect security, so several techniques must be combined to provide multifaceted in-depth defence. This usually implies having as many control points as practical. A key area to address is securing the connection and content for authentication, privacy and integrity. Security must be embedded seamlessly into other processes, so that no action is required of users after initial setup and enrolment. Added to this, consideration of the interfaces between two partners’ security policies is critical – in this case an enterprise has to enforce its security policy on partners.
Although the industry is making steady progress in advancing MEA security, efforts need to be co-ordinated among the various industry groups to streamline and standardise security support. While certain vendors are leading the way, a vigorous approach is needed on a broader front.
To manage all the potential corporate loopholes, three main processes need to be established: governance, risk management and compliance. Governance is the responsibility of senior executive management, who should focus on creating organisational transparency by defining the mechanisms used to ensure that constituents follow established processes and policies. Risk management comprises processes that leverage internal controls to manage and mitigate risk throughout the organisation. Compliance should be used to record and monitor these policies, procedures and controls in order for them to remain compliant with legislative or industry mandates.
Dr Taher Elgamal is Chief Security Officer of Axway Inc. (formerly Tumbleweed Communications), an industry leader in information security. Recognised in the industry as the ‘inventor’ of SSL, Dr Elgamal is one of the world’s leading experts in computer, network and information security. He also invented several industry and government standards in the data security and digital signatures area, including the DSS government standard for digital signatures. He holds a PhD and MS in Computer Science from Stanford University and a BS in Computer Science from Cairo University.