Saturday, February 14, 2009

Effective Enterprise Security Begins and Ends With Architectural Best Practices Approach

Transcript of a podcast on security as architectural best practices, recorded at the first Security Practitioners Conference at The Open Group's 21st Enterprise Architecture Conference in San Diego, February 2009.

Listen to the podcast. Download the podcast. Find it on iTunes and Podcast.com. Learn more. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we welcome our listeners to a sponsored podcast discussion coming to you from The Open Group's first Security Practitioners Conference in San Diego, the week of Feb. 2, 2009.

Our topic for this podcast, part of a series of events and coverage at this conference, centers on enterprise security and the intersection with enterprise architecture (EA). The goal is to bring a security understanding across more planning- and architectural-level activities, to make security pervasive -- and certainly not an afterthought.

The issue of security has become more important over time. As enterprises engage in more complex activities, particularly with a boundaryless environment -- which The Open Group upholds and tries to support in terms of management and planning -- security again becomes a paramount issue.

To help us understand more about security in the context of enterprise architecture, we're joined by Chenxi Wang, principal analyst for security and risk management at Forrester Research; Kristin Lovejoy, director of corporate security strategy at IBM; Nils Puhlmann, chief security officer and vice president of risk management of Qualys, and Jim Hietala, vice president of security for The Open Group.

Let's start with you, Jim. Security now intersects with more elements of what information technology (IT) does, and there are more people responsible for it. From the perspective of The Open Group, why has it been a transition or a progression in terms of bringing security into architecture? Why wasn't it always part of architecture?

Jim Hietala: That's a good question, but probably predates my involvement with The Open Group. In TOGAF 9, the latest iteration of TOGAF that we announced this week, there is a whole chapter devoted to security, trying to get to the idea of building it in upfront, as opposed to tacking it on after the fact.

You've seen movement, certainly within The Open Group, in terms of TOGAF, and our enterprise architecture groups try to make that happen. It's a constant struggle that we've had in security -- the idea that functionality precedes security, and security has to be tacked on after the fact. We end up where we are today with the kind of security threats and environment that we have.

Gardner: Chenxi, we've seen security officer emerge as a role in the past several years. Shouldn't everyone have, in a sense, the role of security officer as part of their job description?

Chenxi Wang: Everyone in the organization or every organization? My view is slightly different. I think that in the architecture group there should be somebody who is versed in security, and the security side of the house should have an active involvement in architecture design, which is what we are seeing as an emerging trend in a lot of organizations today.

Gardner: We're also facing a substantial economic downturn globally. Often, this accelerates issues around risk, change management, large numbers of people entering and leaving organizations, mergers and acquisitions, and provisioning of people off of applications and systems.

Kristin, perhaps you can give us a sense of why security might be more important in a downturn than when we were in a boom cycle?

New technologies

Kristin Lovejoy: There are a couple of things to think about. First of all, in a down economy, like we have today, a lot of organizations are adopting new technologies, such as Web 2.0, service-oriented architecture (SOA) style applications, and virtualization.

Why are they doing it? They are doing it because of the economy of scale that you can get from those technologies. The problem is that these new technologies don't necessarily have the same security constructs built in.

Take Web 2.0 and SOA-style composite applications, for example. The problem with composite applications is that, as we're building these composite applications, we don't know the source of the widget. We don't know whether these applications have been built with good secured design. In the long-term, that becomes problematic for the organizations that use them.

It's the same with virtualization. There hasn't been a lot of thought put to what it means to secure a virtual system. There are not a lot of best practices out there. There are not a lot of industry standards we can adhere to. The IT general control frameworks don't even point to what you need to do from a virtualization perspective.

In a down economy, it's not simply the fact we have to worry about privileged users and our employees, blah, blah, blah. We also have to worry about these new technologies that we're adopting to become more agile as a business.

Gardner: Nils, how do you view the intersection of what an enterprise architect needs to consider as they are planning and thinking about a more organized approach to IT and bringing security into that process?

Nils Puhlmann: Enterprise architecture is the cornerstone of making security simpler and therefore more effective. The more you can plan, simplify structures, and build in security from the get-go, the more bang you get for the buck.

It's just like building a house. If you don't think about security, you have to add it later, and that will be very expensive. If it's part of the original design, then the things you need to do to secure it at the end will be very minimal. Plus, any changes down the road will also be easier from a security point of view, because you built for it, designed for it, and most important, you're aware of what you have.

Most large enterprises today struggle even to know what architecture they have. In many cases, they don't even know what they have. The trend we see here with architecture and security moving closer together is a trend we have seen in software development as well. It was always an afterthought, and eventually somebody made a calculation and said, "This is really expensive, and we need to build it in."

Things like security and the software development lifecycle came up, and we are doing this now for architecture. Hopefully, we'll eventually do this for complex systems. Kristin mentioned Web 2.0. It's the same thing there. We have wonderful applications, and companies are moving towards Facebook en masse, but it's a small company. The question is, was security built in, has anyone vetted that, or are we not just repeating the same mistake we did so many times before?

A matter of process

Gardner: We see with security that it's not so much an issue of technology but really about process, follow through, policy determination and enforcement, and the means to do that.

Chenxi, when it comes to bringing security into a regulated provision, policy-driven process, it starts to sound like SOA. You'd have a repository, you'd have governance, and the ways in which services would be used or managed and policies applied to them. Is there actually an intersection between some of the concepts of architecture, SOA, and this larger strategic approach to security?

Wang: There is definitely some intersection. If you look at classic SOA architecture, there is a certain interface, and you can specify what the API is like. If you think about a virtual approach to security, it's also a set of policies you need to specify upfront, hopefully, and then a set of procedures in which you adhere to these policies.

It's very much like understanding the API and the parameters that go into using these APIs. I hadn't actually thought about this really nicely laid out analogy, Dana, but I think that's a quite good one.

Gardner: I think we're talking about lifecycles and managing lifecycles and services. I keep seeing more solutions, shared services, and then actual business and IT services, all being managed in a similar way nowadays with repository and architecture.

Jim, this is your first security conference at The Open Group. It's also coinciding with a cloud computing conference. Is there an element now, with the "boundarylessness" of organizations and what your architectures have tried to provide in terms of managing those permeable boundaries and this added layer, or a model for the cloud? More succinctly, how do the cloud and security come together?

Hietala: That's one of the things we hope to figure out this week. There's a whole set of security issues related to cloud computing -- things like compliance regulation, for example. If you're an organization that is subject to things like the payment card industry data security standard (PCI DSS) or some of the banking regulations in the United States, are there certain applications and certain kinds of data that you will be able to put in a cloud? Maybe. Are there ones that you probably can't put in the cloud today, because you can't get visibility into the control environment that the cloud service provider has? Probably.

There's a whole set of issues related to security compliance and risk management that have to do with cloud services. The session this week with a number of cloud service providers, we think, will bring a lot of those questions to the surface.

Gardner: Clearly, those on the naysaying side of the cloud argument often have a problem with the data leaving their premises. As we've heard from other speakers at the conference, having data or transactions that are separate from your organization or that happen at someone else's data center is actually quite common, and is sort of a cultural shift in thinking.

Nils, what do you think needs to happen from this cultural perspective in order for people to feel secure about using cloud models?

A shift in thinking

Puhlmann: We need to shift the way we think about cloud computing. There is a lot of fear out there. It reminds me of 10 years back, when we talked about remote access into companies, VPN, and things like that. People were very fearful and said, "No way. We won't allow this." Now is the time for us to think about cloud computing. If it's done right and by a provider doing all the right things around security, would it be better or worse than it is today?

I'd argue it would be better, because you deal with somebody whose business relies on doing the right thing, versus a lot of processes and a lot of system issues. A lot of corporations today are understaffed, or there is a lot of transition, and a lot of changes there. Simply, things are not in order or not the way they should or could be.

Then, we have the data issue. Let's face it, we already outsource so much work to other places. If ever my data is in a certain place, where I have audited and vetted that provider, or somebody from a remote country as a DBA is accessing my data in-house, is there really a difference when it comes to risk? In my mind, not really, because if you do both well, then it's a good thing.

There's too much fear going into this, and hopefully the security community will have learned from the past and will do a good job in addressing what we don't have today, like best practices, and how vendors and customers strive for that.

Gardner: Kristin, I read a quote recently where someone said that the person or persons that manage the firewall are the most important people in the IT organization. Given what we are dealing with in terms of security, and also trying to avail ourselves of some of these hybrid models, do you agree with that, and if so, why?

Lovejoy: That's a leading question. Is the firewall administrator important? Obviously, yes. More important than ever. In a world with no boundaries, it becomes very hard to suggest that that is accurate.

What we're seeing from a macro perspective is that the IT function within large enterprises is changing. It's undergoing this radical transformation, where the CSO/CISO is becoming a consultant to the business. The CSO/CISO is recognizing, from an operational risk perspective, what could potentially happen to the business, then designing the policies, the processes, and the architectural principles that need to be baked in, pushing them into the operational organization.

From an IT perspective, it's the individuals who are managing the software development release process, the people that are managing the changing configuration management process. Those are the guys that really now hold the keys to the kingdom, so to speak.

Particularly when you are talking about enterprise cloud, they become even more important, because you have to recognize -- and Nils was mentioning this or inferred this -- that cloud provides a vision of simplicity. If you think about cloud and the way it's architected, a cloud could be much simpler than the traditional enterprise. If you think about who's managing that change and managing those systems, it becomes those folks that are key.

Gardner: Why is the cloud simpler? Is it because you're dealing now at a services and API level and you're not concerned necessarily with the rest of the equation?

Lovejoy: That's correct.

Gardner: Is that good for security or bad?

Aligning security and operations

Lovejoy: We've been dancing around the subject, but my hope is that security and operations become much more aligned. It's hard to distinguish today between operations and security. So many of the functions overlap. I'll ask you again, changing configuration management, software development and release, why is that not security? From my perspective, I'd like to see those two functions melding.

Gardner: So, security concerns and approaches and best practices really need to be pervasive throughout IT?

Lovejoy: Exactly. They need to come from the top, they need to move to the bottom, and they need to be risk based.

Gardner: Now, when it comes to the economics behind making security more pervasive, the return on investment (ROI) for security is one of the easier stories. Not being secure is very expensive. Being publicly not secure is even more expensive. Let's go back to Chenxi, the economics of security, isn't this something that people should get easy funding for in an IT organization?

Wang: The economics of security. This issue has been in research for a long time. Ross Anderson, who is a professor at the University of Cambridge, has run this economics of security workshop since 1996, or something like that. There is some very interesting research coming out of that workshop, and people have done case studies. But, I'm not sure how much of that has been adopted in practice.

I've yet to find an organization that takes a very extensive economics-based approach to security, but what Kristin said earlier and what you just said is happening. We're seeing the IT security team in many organizations now have a somewhat diminished role, in the sense that some of the traditional security tasks are now moving into IT operations or moving into risk and compliance.

We're even seeing that security teams sometimes have dotted reporting responsibility to the legal team. Some of the functions are moving out of the security team, but at the same time, IT security now has an expanded impact on the entire organization, which is the positive direction.

Gardner: If there is a relationship between doing your architecture well, making systemic security, thought, vision, and implementation part and parcel with how you do IT, then it seems to me that the ROI for security becomes a very strong rationale for good architecture. Would you agree with that, Jim?

Hietala: I would. Organizations want, at all costs, to avoid plowing ahead with architectures, not considering security upfront, and dealing with the consequence of that. You could probably point to some of the recent breaches and draw the conclusion that maybe that's what happened. So, I would agree with that statement.

Gardner: We did have quite a few high profile breaches, and of course, we're seeing a lot more activity in the financial sector. Actually, we could fairly call it a restructuring of the entire financial sector. Do you expect to see more of these high-profile breaches and issues in 2009?

Same song - second verse

Hietala: I'll be interested to hear everyone else's opinion on this as well, but my perspective would be yes. It's been interesting to me that 2009 has started out with what I would call "same song, second verse." We've had a massive worm that propagated through a number of means, but one of which is removable storage media. That takes me back to 1986 or 1988, when viruses propagated through floppy disks.

We've had the Heartland breach, which may be as many as 100 million credit cards exposed. Those kinds of things, unfortunately, are going to be with us for some time.

Gardner: Let's get the perspective of others. Kristin, is this going to be a very bad year for security?

Lovejoy: The more states that pass privacy disclosure requirements that mandate that you actually disclose a breach, the more we're going to hear. Does this mean that there haven't always been breaches? There have always been breaches, but we just haven't been talking about them. They're becoming much more public today.

Do I see a trend, where there are terminated employees or worried employees who are perpetrating harm on the business? The answer is yes. That is becoming much more of an issue.

The second issue that we're seeing, and this is one of those quasi-security, quasi-operational issues, is that, because of the resource restrictions within organizations today, people are so resource starved, particularly around the changing configuration management process.

We're beginning to see where there are critical outages, particularly in infrastructure systems like those associated with nuclear power and heavy industry, where the folks are making changes outside the change process simply because they are so overloaded. They're not necessarily following policy. They're not necessarily following process.

So, we are seeing outages associated with individuals who are simply doing a job that they are ill-informed to do or overwhelmed and not able to do it effectively.

Gardner: Or perhaps cutting corners as a result of a number of other diminished resources.

Lovejoy: That's exactly right.

Gardner: Nils, do you have any recommendations for how to come into 2009 and not fall into some of these pitfalls, if you are an enterprise and you are looking at your security risk portfolio?

Security part of quality

Puhlmann: Security to me is always a part of quality. When the quality falls down in IT operations, you normally see security issues popping up. We have to realize that the malicious potential and the effort put in by some of the groups behind these recent breaches are going up. It has to do with resources becoming cheaper, with the knowledge being freely available in the market. This is now on a large scale.

In order to keep up with this we need at least minimum best practices. Somebody mentioned earlier the worm outbreak, which really was enabled by a vulnerability that was quite old. That just points out that a lot of companies are not doing what they could do easily.

I'm not talking about the tip of the iceberg. I'm talking about the middle. As Kristin said, we've got to pay attention to these things and we need to make sure that people are trained and the resources are there at least to keep the minimum security within the company.

Gardner: As we pointed out a little earlier, security isn't necessarily an upfront capital cost. You don't download and install security. It's process and organizational and management centric. It sounds like you simply need a level of discipline, which isn't necessarily expensive, but requires intent.

Puhlmann: Yes, and that is actually similar to architecture. Architecture also is discipline. You need to sit down early and plan, and it's the same for security. A lot of things, a lot of low hanging fruit, you can do without expensive technology. It's policies, process, just assigning responsibility, and also changing security so it's a service of a business.

The business has no interest in either a breach or anything that would negatively affect the outcome of a business, for example, business continuity.

We talked earlier about how IT security might change. My feeling is that security will more and more become a partner of the business and help the business achieve its goals. At some point, nobody will talk about ROI anymore, because it's just something that will be planned in.

Gardner: Jim, what about this issue of intent? Is this something that we can bring into the architectural framework, elevate the need, and focus on intent for security?

Hietala: I believe so. Most system architects are going to be looking at trying to do the right things with respect to security and to ensure that it's thought about upfront, not later on in the cycle.

Gardner: Chenxi, in the market among suppliers that are focused on security, how are they adapting to 2009, which many of us expect to be a difficult year? We mentioned that it's about intent, but there are also products and technologies. Is there any top-of-mind importance from your perspective?

Slight increase in spending

Wang: We haven't seen a severe cut of IT security budget yet from organizations we surveyed, perhaps because some of those budgets were set before the economic downturn happened.

For some of them, we actually saw a slight increase, because just as Lehman Brothers is now Barclays, you have to merge the two IT systems. Now, you have to spend money on merging the two systems, as well as security. So, there is actually some increase in budget due to the economic situation.

A lot of vendors are taking advantage of that, and we are seeing an increased marketing effort on helping to meet security regulations and compliance. Most of us anticipate an increase in regulatory pressure coming down the pipeline, maybe in 2009, maybe in 2010. My belief is that we'll see a little bit more security spending there, because of the increased regulatory pressure.

Gardner: Kristin, we've discussed process and architecture, but are there any particular technologies that you think will be prominent in the coming year or two?

Lovejoy: Interestingly enough, identity and access management (IAM) is likely to be one of the more significant acquisitions that most businesses make.

This goes back to the business value point of security that we have been making, if you think about what's happening in the world with all of these folks wanting to access the network via smart devices. How are they going to do that? Well, they are going to do that using some sort of authentication mechanism that allows them to securely connect back.

Most organizations want to be able to access the new customer, the new consumer, via smart devices. They want to be able to allow their employees access to the network via smart devices or via any kind of other mobile device, which allows them to do things like telecommute.

IAM, as an example, is a technology that enables the business to offer a service to the employee or to that new consumer. What we're seeing is that organizations are purchasing IAM, not necessarily for security, but for the delivery of a secure service. That's one area where we are seeing uplift.

Gardner: Let's just unpack that a little bit. How is this different from directory provisioning or some of the traditional approaches? These folks wouldn't be in the directories at that point?

Identity management

Lovejoy: What we're seeing is much more of a focus on federated identity management and single sign-on. In fact, we're beginning to see this trend in our customer base, and a lot of organizations have been talking about this issue of mobile endpoint management. It's very hard in the new world to secure these mobile devices. What organizations are saying to us is, "Why can't we just use single sign-on and federated identity management?"

Single sign-on, in particular, has the capacity, if you think about it in the right way, to uncouple the device from the individual who is using the device, define the policy, apply the policy to the role, and then based on the role, secure the endpoint or isolate the endpoint. It's a very interesting way in which organizations are beginning to think about how they can use this technology as an alternative to traditional secure mobile endpoint management.

Gardner: It also sounds, while pertinent to mobile, that they would have a role in cloud or hybrid boundaryless types of activities.

Lovejoy: That's absolutely correct.

Gardner: Does anyone have anything to offer on this IAM in the cloud?

Puhlmann: Kristin is right. We've tried IAM for many years, and there have been many expensive failed projects in large corporations. Perhaps, we need the cloud to give us this little push to really solve it once and for all in a very federated model. I'd very much like to see that. Based on past experience, though, I'm a little cautious how quickly it will happen.

I think what we will see is a simplification of security, because it has gotten to a point where it's just too complex to handle with too many moving parts, and that makes it hard to work with and also expensive.

Also, we'll see a more realistic approach to security. What really matters? Do we really need to secure everything, or do we need to focus on certain types of data, and where is that really? Do we have to close off every little door, or can we leave some doors open and go closer to where our assets are? How much do they really mean to us?

Gardner: Great. We've been discussing security and some of the pressures of the modern age, this particular economic downturn period, but also in the context of process and architecture.

I want to thank our panelists. We were joined by Chenxi Wang, principal analyst for security and risk management at Forrester Research; Kristin Lovejoy, director of corporate security strategy at IBM; Nils Puhlmann, chief security officer and vice president of risk management of Qualys, and Jim Hietala, vice president of security for The Open Group.

Thanks to you all. Our conversation comes to you through the support of The Open Group, from the first Security Practitioners Conference here in San Diego in February, 2009.


Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.
