Andy Mulholland, CTO, Capgemini

Sally
Hudson, an IDC analyst, positioned the new role of security recently
at a high profile global event (the
Cloud Identity Summit, http://www.cloudidentitysummit.com, at the end of July) by defining it as the
external necessity for an enterprise to be able to do business with
any other enterprise. This is already driving the growth rate that
will make it a $6 billion market in 2016, at which point it would equate
to more than 10% of enterprise applications' spend. However, this
rapidly growing market is not about traditional IT department
security measures such as firewalls, which allow enterprise
applications to be deployed internally with little or no regard to
the issue of security. Instead it is the embedding of key elements
into all hardware and software.

Reading
the presentations and material from the Cloud Identity Summit really
highlights a lot of the issues that we are all facing in managing
'security' in our enterprises today. There is a strong shift in the
focus required towards people, devices, and services, and the ability
to use these to drive the new wave of external business-to-business
or consumer-to-business that has been the basis for strong growth in
certain technology sectors.

As
an example of this the US Government has announced plans to
introduce, by 2016, a 'National
Strategy for Trusted Identities in Cyberspace', NSTIC, to 'allow
State and Private Business to get the full benefit of eCommerce'.
The approach will allow multiple schemes for identity management to
be developed and used but within a set of common standards.

Pilots
are underway and the US Department of Defense, DOD, reported that the
shift to a well managed scheme 'cut intrusions by 46% in days', a
point not lost on many CIOs. At the same time the planned shutdown
(http://www.whitehouse.gov/blog/2011/07/20/shutting-down-duplicative-data-centers)
of more than 500 US Government data centers and the use of
either virtualization or cloud technology for consolidation is a
further demand for a new approach to security. The Federal Chief
Performance Officer stated 'moving to a more nimble 21st century
model will strengthen our security and the ability to deliver
services for less'. A pretty familiar statement of ambition for most
CIOs today!

But
what is the link to 'new' security and the focus on identity
security and people? In working through the impact of clouds and new
technologies such as tablets changing working practices here at
Capgemini, we find it convenient to divide this into two pieces:
inside-out and outside-in. Inside-out is the traditional IT where the
focus remains on the application and server to provide governance and
authentication, albeit through a single sign on service, and includes
access to a chosen application from a mobile device. The key point
is that everything is controlled from 'inside', even in the
case of old style access to an enterprise application from a
dedicated device that was physically outside the firewall.

The
new and more challenging aspect is outside-in where people usually
have more than one device, e.g. home PC, smartphone and tablet, and
use these devices widely to access a variety of 'services' via the
Internet, some of which are good old content from a web server, and
historically of relatively low risk, but increasingly may be small
applets, or apps from a variety of app shops, or even full-on
cloud-based complex sets of 'services' which are a very different
risk proposition. Included in these accesses will be their own
enterprise, both for traditional enterprise applications and for
'new' style 'services'. But this combination now introduces a risk
profile that is new and definitely in need of securing. Just consider
the widely reported hacks
(http://crave.cnet.co.uk/software/sony-hacked-again-with-over-one-million-users-details-nicked-50003983/)
that Sony and others have endured as their inside-out
application-based systems have been accessed via their outside-in
services.

As
the most obvious constant in this outside-in environment is the user
rather than the location, device, server or application, then the
need to refocus security models, tools and architecture is pretty
obvious. As most enterprises will have very little in place for this,
even though they will probably find that a reasonable number of their
users have already changed their working practices and devices, it
seems a safe bet that the predictions as to the growth of the
security market will come true! So it's well worth taking a look at
the Cloud Identity Summit to pick up some views and information on
this topic!

By
the way, I have not described the excellent work of the
Jericho Forum (http://www.opengroup.org/jericho/) on security and their
development of architectures that
secure all the elements of an interaction/process, or other equally
good developments on identity management such as
Security Assertion Markup Language, SAML (http://saml.xml.org/), only
because of lack of space
and wanting to focus on the change in what needs to be secured.