
Securing the Extended Enterprise
By John Killian, President, Verizon Business
The Challenges of the Extended Enterprise
What are the challenges faced by businesses today? Firstly, business today is global - the biggest opportunities are found in global markets. Organisations therefore need to be able to move in and out of markets quickly to maximise the potential of these opportunities; they need to deliver high quality services and solutions, yet at the same time minimise expenditure; they need to ensure the effective delivery of applications on a global basis; and they need to ensure compliance with local regulations at all times, or risk considerable financial penalties.
Business today therefore cannot be confined. Business now takes place on desktops, within devices, along networks and around the world. Data and information must span systems, countries, languages, and borders. Work is an activity, not a location. Supply chains need to be connected and optimised across the globe to meet customer and market demands.
By embracing the extended enterprise, organisations hope to harness the potential of global timezones and new service models to improve customer service and relationships, increase business resilience and enhance overall productivity.
However, the more information that enterprises have to distribute and manage, and the more places in which that information is housed, the greater the risk of that information being accessed by unauthorised parties. Data is no longer a contained entity - it flows in and out of the enterprise, and competitive advantage is directed by how well organisations are able to manage the speed of that flow. Yet by opening up the enterprise to maximise its global business potential, organisations also increase their operational risks. And most importantly, this risk will no longer originate from “outside” the enterprise; real and present threats also emanate from sources within the data flow and along the enterprise supply chain, including business partners, suppliers, and data users.
Managing Risk
Most organizations today will have some form of security in place to protect business-critical information. The traditional way of protecting electronic information has been to implement a variety of point solutions designed to counteract specific individual threats. Yet today's sources of electronic attack, or threat vectors, are much more varied and subtle. Businesses therefore need to employ equally more subtle and varied approaches to the protection of their business critical resources.
In the extended enterprise, security has to be an integrated, ongoing process that absolutely mirrors overall business objectives. The real aim of enterprises today should be to actively reduce risk to the business; their challenge is how to accurately assess and manage business risk in the extended enterprise environment, where boundaries are not fixed, and business scope is continually evolving.
At its most basic level, managing information security risk is a balancing act between the cost of a breach of a firm's IT infrastructure, both direct and indirect, and the effort the organisation must expend to properly secure that infrastructure and the most important information assets it contains.
Successful risk management is essentially about mitigating events that may cause business disruptions or data breaches that jeopardise revenue streams, harm customers or damage the business's reputation. Data breaches are becoming more sophisticated, more targeted and harder to identify, and are increasingly carried out with the intention of compromising data for financial gain. Successful risk management therefore involves setting up not only the technologies, but also the practices and systems that will enable an organisation to protect its business-critical assets, and in doing so maintain its corporate brand, reputation and customer trust. These are the elements that go right to the heart of a firm's value proposition.
This is perhaps the critical element of the new security approach - technology alone is not the answer. The policies and procedures that govern operations and corporate practice are just as important - and culture change is perhaps as much an issue as technology. However, organisations must also ensure they respect the broader external world, and in particular its compliance and governance requirements. In the extended enterprise, the community of interest extends far beyond the supply chain, and far beyond the traditional scope of IT department awareness.
Dealing with Data Flow
For those tasked with dealing with this problem, today's global business dynamic throws up a number of key challenges. Businesses, and by extension their IT departments, have to be able to move with agility and speed to maximise the potential of new business opportunities. But they also need to satisfy multiple, and evolving compliance regulations - and all in the context of an ever-present need to control costs, and maintain quality of service.
Data no longer sits in corporate databases alone; it flows in and out of the enterprise, is stored in remote databases, and is sent to wireless and mobile devices where it may be stored or forwarded again. Data privacy legislation, which invariably differs from one territory to the next, must be respected and adds another layer of complexity to data access and management, making data classification more important than ever.
Such issues are an everyday part of any global organisation's IT management processes, and have to be addressed even before the question of threat management arises.
Evolving Nature of Threats
Given the reach and scope of the extended enterprise, it makes sense that the nature of threats is also evolving. Threats may now originate not just from outside the organisation, but also from applications, or users, or the IT infrastructure itself. Attackers are changing their tactics from mass-attack of networks to personalised and targeted attacks.
Until relatively recently, those trying to breach a company's information infrastructure typically focused their attacks on the network itself. These days, state-of-the-art threats also target network users. The aim is to gain unauthorised access by hiding programs that capture credentials and send them back to the attacker inside things users routinely open: most notably email attachments, and increasingly email messages themselves and Internet pages. In addition, attackers commonly use what is called a blended threat, a convergence of spam, spyware, Trojans, viruses and worm code, as part of a single coordinated attack.
Threat is therefore no longer the only issue. Perhaps the best way of rationalising risk is to consider it as an equation in which risk is the product of threat, vulnerability and impact on assets. Each element has important constituent parts:
- Threat information is sourced from a wide variety of security devices and IT systems in the form of logs and alerts.
- Vulnerability information is sourced from periodic vulnerability scans and regular assessments that organisations can undertake.
- Asset information arises from asset classification and the grouping of assets into business systems.
To effectively balance this equation, companies should adopt a basic strategy that is both process-centric, and specifically tailored to their own business needs. The fundamental risk principle is that no one-size fits all; technology and service providers have to deliver security solutions designed to individual customer requirements and delivered as the customer needs, whether it is out-sourced, co-sourced or indeed in-sourced. The solution simply has to align with the business requirements and working practices of the customer.
Yet it is still commonplace for those in charge of protecting and managing information assets to focus only on threats trying to enter the organisation through the traditional perimeter, and thereby to ignore the threat from within the extended enterprise.
Balancing the Risk Equation
A fundamentally different approach to security is therefore needed to satisfy the evolving needs of business today. For most organisations, there are four absolutely critical areas of concern:
- Securing the complete extended enterprise, including internal networks, extranets, but also endpoints in the hands of end users
- Meeting the challenges of governance, risk and compliance, including aggregating, monitoring, measuring and reporting on security compliance and control efforts on an ongoing basis
- Protecting data, the flow of data, and the applications handling the data
- Securing the infrastructure in the context of business objectives, to get the most out of the technologies you have
Security solutions cannot be constrained by any delivery mechanism, and effective risk management, and thus optimised information security, must be based on an integrated security approach. In essence, it's about taking security wider; smarter; and deeper. It's also about the intelligent resolution of these key organisational issues.
At the heart of the new security approach is the concept of securing trust around users - security must encompass the breadth of all those places where an organisation's users can access its data. In the extended enterprise, this requires a wider perspective than that traditionally employed. Security controls must be cost-efficiently executed at all those places where they are most effective. This means looking not only at deployment at base premises, but also across “the cloud” - the extended enterprise's broader reach.
Effective security must also be applied on a deeper basis, i.e. spanning the entire IT stack, including the network, data, applications and users. This links to the concept of integrated security solutions. It is not enough to focus protection on a single layer of the stack; all elements must be considered as part of an integrated whole, and the consequences of a breach in one part of the stack have to be considered within the context of the extended enterprise's full reach. It is not about monitoring a device or a perimeter, but rather acknowledging the reach of the organisation overall.
This links to the third consideration: a smarter approach to security. This essentially means accepting that security decisions should be based on risk, that is on threat, vulnerability and asset impact taken together, rather than on threat or vulnerability counts alone, and on achieving measurable gains for the systems and services that have been implemented. Of course, measuring 'security performance' in such an environment presents its own challenges, but by adopting this type of working culture, businesses are in a strong position to respond to compliance requirements.
This approach essentially gives companies data in a format they can use in a process-centric manner; organisations get maximum leverage from the knowledge that they generate and have a mechanism by which this knowledge can be leveraged in future projects. The key is to make sure that organisations are able to conduct risk management in the most cost efficient way and from the most effective place.
The Security Ideal
The ideal security solution is one that works around a customer-focused business model. This ideal solution supports information protection, business continuity and compliance through solutions that offer fully integrated threat and vulnerability management, identity and access management, security and compliance measurement.
It should be delivered as an ongoing process, providing visibility and control across all parts of the security life cycle, aiming for continuous improvement to reduce risk. It should be based around a network-centric infrastructure and designed to maximise the potential of available security intelligence. The key is to enable analysis of large amounts of data so that businesses have meaningful information to support decision making.
The end result is then something that adds real value to the business overall: security that truly supports the business's objectives, and enables the organisation to maximise the potential of its existing investments and assets by protecting data, and the flow of data, across the entire extended enterprise.
Delivering Security
Of course, there is one major stumbling block to most organisations achieving this aim - having the knowledge and expertise to enable effective security solution implementation. To fully understand the potential security risks to an organisation requires not only in-depth knowledge of organisational security as a whole, but also the ability to ensure a critical and dispassionate view of existing business practices.
This is why managed security services are gaining an increasing foothold in the world's leading organisations. Rather than having to invest in internal expertise, it is simpler, quicker and more cost effective to buy in expertise from a trusted third party - that expertise can then be integrated as a critical element of the extended enterprise's infrastructure.
The underlying aim for a managed security service is the delivery of services driven by business priorities. Making sure that an organization can continuously reduce business risk, without increasing costs, requires not only technology expertise, but also risk quantification capabilities, comprehensive knowledge of threats and (of course) knowledge of the client environment.
The whole gamut of security issues, including scanning, firewall, compliance and access control, can be addressed on a managed basis, ensuring world-class service on a cost-effective basis. But most importantly, by working with third-party experts, organizations gain access to a host of additional and invaluable knowledge, whether in terms of ongoing planning and strategy development, compliance and regulatory guidance, or forensic investigation in the event of a security breach.
Historically, the outsourcing of security has perhaps been viewed as a dilution of protection, removing responsibility from the core IT support team. In the world of the extended enterprise, it is the wisest course of action to take.
Conclusion
The nature of today's extended enterprise environment brings with it unprecedented security challenges that continue to evolve in sophistication and potential impact. In order to effectively address these challenges, organisations must move beyond the constraints of historic approaches to security, effectively shifting mindset from a point protection approach to one that encompasses both the premises and the extended enterprise cloud. Most importantly, the complex nature of security issues requires a depth of knowledge that few IT departments could ever hope to have available in house.
Securing the extended enterprise, and the flow of data within and beyond its perimeter, is probably today's most critical business challenge. How well businesses manage to achieve this goal will determine their future business success.