|
Building a Secure Foundation for Web Applications, Portals and Services
Organizations today face two seemingly contradictory imperatives. In order to boost performance and revenues, they must expand their reliance on the Internet and Web applications that connect them with their customers, partners and employees. The competitive advantage often goes to organizations that can quickly deploy new Web applications and services. On the other hand, an organization that opens up its systems to potentially millions of users inside and outside the enterprise also exposes its applications, networks and data to significant risks, which can jeopardize the whole organization. In fact, a recent study found that the percentage of data breaches involving external partners such as customers or suppliers has jumped dramatically in recent years. The study found that 39 percent of data breaches in 2007 involved business partners, an increase from just 8 percent in 2004.1 In most instances, the data breaches went undetected for months. Many organizations, fearful of attacks and damaging data breaches, accidental or otherwise, believe they must choose between securing the enterprise and enabling user-friendly, business-driven Web access. This security challenge can usually be traced to a lack of centralized or automated controls. Organizations traditionally have managed user entitlements and access policies as part of each individual application or system. This fragmented approach, though cumbersome and manually intensive, worked reasonably well when the number of users and systems was relatively small. There has been an explosion of online users and applications over the past 5-10 years. Organizations are finding it nearly impossible to manage, control, and audit their users, particularly Web users, with the precision needed to ensure security, meet the needs of the business or satisfy regulatory requirements. This task is further complicated by the increasing stringency of laws and standards, such as the Sarbanes Oxley Act, and by the multiplying numbers and types of systems and applications that require compliance-related controls. What are the consequences of using outmoded approaches to manage identities and access,
particularly on the Web? First, organizations cannot provide swift or efficient application access to users, who as a result, may be driven to alternative, more expensive channels or, even worse, to competitors. Second, organizational performance is hampered because the IT organization cannot respond quickly to changing markets and business needs. Deployment of compelling new approaches and technologies, such as Service Oriented Architectures (SOA) and Web services,
also is slowed by inadequate security readiness. Such organizations also face higher administrative costs, especially for those related to security management and regulatory reporting. Clearly, organizations want to avoid these pitfalls. To do so, they need systems and processes that ensure security but do not stand in the way of organizational initiatives. In high-performing organizations, Web security management happens reliably and quickly, facilitating rather than hindering deployment. Such organizations simultaneously:
• Optimize and personalize the user experience
• Control user access to Web applications and services in compliance with organizational policy — letting the right people in and keeping the wrong people out
• Simplify compliance reporting
• Deploy applications more quickly and yet securely, consistent with the needs and risk tolerance of the organization
An organization, of course, must be able to implement the necessary technologies and processes affordably and at a pace that supports other organizational plans and objectives. When such capabilities are firmly established, the organization achieves both security and agility — and accelerates growth.
|
