Andy Mulholland, CTO, CapgeminiSally Hudson, an IDC analyst, positioned the new role of security recently at a high profile global event (the Cloud Identity Summit at the end of July) by defining it as the external necessity for an enterprise to be able to do business with any other enterprise. This is already driving the growth rate which will make a $6 billion market in 2016, at which point it would equate to more than 10% of enterprise applications' spend. However, this rapidly growing market is not about traditional IT department security measures such as firewalls, which allow enterprise applications to be deployed internally with little or no regard to the issue of security. Instead it is the embedding of key elements into all hardware and software.
Reading the presentations and material from the Cloud Identity Summit really highlights a lot of the issues that we are all facing in managing 'security' in our enterprises today. There is a strong shift in the focus required towards people, devices, and services, and the ability to use these to drive the new wave of external business-to-business or consumer-to-business that has been the basis for strong growth in certain technology sectors.
As an example of this the US Government has announced plans to introduce, by 2016, a 'National Strategy for Trusted Identities in Cyberspace', NSTIC, to 'allow State and Private Business to get the full benefit of eCommerce'. The approach will allow multiple schemes for identity management to be developed and used but within a set of common standards.
Pilots are underway and the US Department of Defense, DOD, reported that the shift to a well managed scheme 'cut intrusions by 46% in days', a point not lost on many CIOs. At the same time the planned shutdown of more than 500 US Government data centers and the use of either virtualization or cloud technology for consolidation is a further demand for a new approach to security. The Federal Chief Performance Officer stated 'moving to a more nimble 21st century model will strengthen our security and the ability to deliver services for less'. A pretty familiar statement of ambition for most CIOs today!
But what is the link to 'new' security and the focus on identity security and people? In working through the impact of clouds and new technologies such as tablets changing working practices here at Capgemini, we find it convenient to divide this into two pieces; inside-out and outside-in. Inside-out is the traditional IT where the focus remains on the application and server to provide governance and authentication, albeit through a single sign on service, and includes access to a chosen application from a mobile device. The key point being that everything is controlled from 'inside', even in the case of old style access to an enterprise application from a dedicated device that was physically outside the firewall.
The new and more challenging aspect is outside-in where people usually have more than one device, e.g. home PC, smartphone and tablet, and use these devices widely to access a variety of 'services' via the Internet, some of which are good old content from a web server, and historically of relatively low risk, but increasingly may be small applets, or apps from a variety of app shops, or even full-on cloud-based complex sets of 'services' which are a very different risk proposition. Included in these accesses will be their own enterprise both for traditional enterprise applications as well as 'new' style 'services'. But this combination now introduces a risk profile that is new and definitely in need of securing. Just consider the widely reported hacks that Sony, and others have endured as their inside-out application-based systems have been accessed via their outside-in services.
As the most obvious constant in this outside-in environment is the user rather than the location, device, server or application, then the need to refocus security models, tools and architecture is pretty obvious. As most enterprises will have vey little in place for this, even though they will probably find that a reasonable number of their users have already changed their working practices and devices, it seems a safe bet that the predictions as to the growth of the security market will come true! So it's well worth taking a look at the Cloud Identity Summit to pick up some views and information on this topic!
By the way, I have not described the excellent work of the Jericho Forum on security and their development of architectures that secure all the elements of an interaction/process, or other equally good developments on identity management such as Security Assertion Markup Language, SAML, only because of lack of space and wanting to focus on the change in what needs to be secured.