Three Tips for Securing the Open Enterprise

July 8, 2014

The days of wrapping our enterprise users and systems within a network security perimeter are long gone. In order to better innovate and compete in today’s fast-moving markets, the business needs to leverage any opportunity to accelerate new initiatives and create new revenue opportunities. For example, the business brings in SaaS applications to meet its needs if IT can’t deliver services fast enough; it adopts new mobile apps to support employee and customer engagement; it packages its own intellectual property in the form of APIs for growth and agility; and it sets up internal system access for partners and contractors for streamlined operations. This essentially opens the enterprise and creates a challenge for the security team: How to enable and still protect the Open Enterprise.

Because we are expanding on three dimensions at the same time, enabling the secure Open Enterprise presents several challenges: 1) The identity population needing access to enterprise data is moving beyond employees and administrators to include business partners, contract developers and a rapidly growing customer community; 2) At the same time, the applications those groups need access to are migrating from the enterprise data center to the cloud; and 3) The access device is evolving from PC to smartphone and tablet but will quickly include other smart devices such as wearables and smart meters. While opening the enterprise increases the attack surface, securely enabling the open business can help it innovate and grow.

The first step to securing the Open Enterprise is managing identity. According to the Verizon data breach report, the use of stolen or misused passwords continues to be the number one way to gain access to information. With fragmented IT systems, identity is the new security perimeter. Authentication of identities should be centralized for all resources, whether on-premises or not. This offers a single point of control and an audit point. You can then apply multi-factor authentication options to reduce the threat of compromise from weak or leaked passwords. By federating access from your identity broker, multi-factor authentication is applied to applications that don’t otherwise support it. Over time, the business can add more sophisticated authentication elements, bringing in context (device type, network type, geo-location, etc.) and analytics. In this model, disabling users now means they have no access to any external SaaS applications, a big win for securing corporate IP.
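The broker-side decision described above can be sketched as follows. This is an added example, not code from the article or from any product; the account names, application names, policy sets and the `decide` function are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: accounts, app names and policy sets are assumptions.
DIRECTORY = {
    "alice": {"enabled": True, "mfa_enrolled": True},
    "bob": {"enabled": False, "mfa_enrolled": True},    # disabled account
    "carol": {"enabled": True, "mfa_enrolled": False},
}
FEDERATED_APPS = {"crm-saas", "hr-saas", "wiki-onprem"}
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}
EXPECTED_COUNTRIES = {"US"}
AUDIT_LOG = []  # the broker is the single audit point for every application


@dataclass(frozen=True)
class Context:
    device_type: str
    network_type: str
    country: str


def risk_score(ctx: Context) -> int:
    """Count the contextual signals that differ from the expected baseline."""
    return sum([
        ctx.device_type != "managed-pc",
        ctx.network_type not in TRUSTED_NETWORKS,
        ctx.country not in EXPECTED_COUNTRIES,
    ])


def decide(user, app, ctx, password_ok, mfa_ok=False):
    """Return 'issue', 'step_up' or 'deny' for one federated sign-in."""
    account = DIRECTORY.get(user)
    if app not in FEDERATED_APPS:
        decision, reason = "deny", "app not federated"
    elif account is None or not account["enabled"]:
        # One disable in the directory cuts off every federated application.
        decision, reason = "deny", "account disabled or unknown"
    elif not password_ok:
        decision, reason = "deny", "primary authentication failed"
    elif risk_score(ctx) == 0 or mfa_ok:
        decision, reason = "issue", "assertion issued"
    elif not account["mfa_enrolled"]:
        decision, reason = "deny", "risky context, no second factor enrolled"
    else:
        decision, reason = "step_up", "second factor required"
    AUDIT_LOG.append((user, app, risk_score(ctx), decision, reason))
    return decision
```

Because the applications only trust assertions from the broker, the step-up requirement applies to `crm-saas` even if that application has no multi-factor support of its own.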

Next, the Open Enterprise needs to share information. The days of building a web app are quickly passing. The business needs API-level access to information to share across divisions and with partners. In fact, instead of IT building a mobile app for the business, give the business a set of APIs to build its own mobile apps. By implementing an API gateway to your applications and data, you can create strong security controls while the business innovates and experiments with new apps. The business can even open these information feeds directly to partners to include in their applications.

The final, key component of the Open Enterprise architecture is managing developer access to APIs and providing business owners insight into usage. Once applications and data are available in a secure, accessible model, the business will quickly find new revenue models and want to scale. The Developer Portal will allow a large number of developers inside or outside the organization to request access to a set of APIs, obtain access keys, review sample code, test integration and begin developing in a self-serve model. This component will also let application or business owners get reports on which applications and which business partners are driving traffic.
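How the API gateway and the Developer Portal from the last two tips fit together is shown in the sketch below: the portal issues scoped keys, the gateway enforces them and logs every call, and the usage report is built from that log. This is an added example, not code from the article or any gateway product; the function names, owner names and API names are assumptions.

```python
import hashlib
import secrets
from collections import Counter

KEYS = {}          # sha256(key) -> record; the raw key is never stored
TRANSACTIONS = []  # one entry per call: (owner, api, http_status)


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(owner, apis):
    """Portal step: issue a random key scoped to the APIs that were approved."""
    key = secrets.token_urlsafe(32)
    KEYS[_digest(key)] = {"owner": owner, "apis": set(apis), "active": True}
    return key  # shown to the developer once


def revoke_keys(owner):
    """Deactivate every key held by one application or partner."""
    hits = [r for r in KEYS.values() if r["owner"] == owner and r["active"]]
    for record in hits:
        record["active"] = False
    return len(hits)


def handle(key, api):
    """Gateway step: authenticate the key, check scope, log, return a status."""
    record = KEYS.get(_digest(key or ""))
    if record is None:
        owner, status = "unknown", 401
    elif not record["active"]:
        owner, status = record["owner"], 401
    elif api not in record["apis"]:
        owner, status = record["owner"], 403
    else:
        owner, status = record["owner"], 200  # would be forwarded to backend
    TRANSACTIONS.append((owner, api, status))
    return status


def usage_report():
    """Successful calls per key owner, for the application or business owner."""
    return Counter(o for o, _, status in TRANSACTIONS if status == 200)
```

Rejected calls are logged alongside successful ones, so the same transaction log that feeds the business report also gives the security team the failed and out-of-scope requests to monitor.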

A great example of this in action is the New York MTA. Its business team thought it could increase ridership if the schedules were easier to access. Rather than trying to create the one perfect app, the IT team focused on securely exposing API access to the scheduling systems and allowing developers to focus on what they do best. Within three months, there were dozens of mobile apps that incorporated MTA scheduling information in a way that works best for their consumer. The security team had complete visibility to log and monitor each transaction.

It is well understood that the threats to corporate intellectual property continue to grow. The Open Enterprise further increases the attack surface. By centrally controlling identity and abstracting security controls to the API gateway, the business can securely enable the open enterprise and manage the risk. In fact, the new architecture helps the business move faster, innovate and experiment with programs that drive revenue. Using these three tips to secure the Open Enterprise shows business leaders that the security team supports and is in alignment with business goals. Who knows, additional budget and resources may surface as security becomes an enabler of the business.
