Mobility and Cloud Computing and the need for a new security concept

The current, modern way of doing business and service provisioning is based on openness and agility.
This puts the traditional security concept, in which an organization is positioned as an “information fortress”, strongly under pressure. The traditional perimeter is vanishing, and sensitive information travels outside your organization in many ways and on many different devices. Mobility and cloud services are the name of the game.

For the most part business information is stored as unstructured data. Unstructured data refers to information that either does not have a pre-defined data model or is not organized in a pre-defined manner and is usually stored in files instead of databases.

This context creates a strong need for other security concepts. Instead of securing a predefined and fixed “location”, the focus must shift to the actual security of information that is mobile: information security at the file level. In other words, file protection and control beyond the perimeter of the enterprise, because the rule set is stored with the file itself.

There are security products on the market that make it possible to achieve security at the file level. Applying this security concept will affect the current and usual roles and activities related to security.

It is still common that a security officer, in cooperation with the system administrator, ensures safe work areas whose access is protected by firewalls, passwords and malware scanners. The user organization is consulted, and its voice, the voice of the customer, is found in the general security policy, but the focus is on the security of the IT infrastructure. So, bottom line, security is an IT issue.

By implementing a security concept based on information security at the file level, one comes into very close contact with the daily operational activities of the users and the organization. Security choices have a much more immediate and greater impact on work and activities than in a traditional security concept.

Who has access to which information, when and where? Access management can be managed excellently with the new file access management tools. But access management is not an isolated topic. Access is granted to individuals and groups, so the topic of identity management comes into sight and should be very well organized. Access management is part of the triple A: authentication (identity management), authorization (access management) and accounting. These are well-known concepts in the security world, but they were mainly applied at the level of the IT infrastructure. Now that it is urgently needed to shift the focus from the security of the IT infrastructure to the security of information, one comes into very close contact with the daily work of the organization. This includes authorization as well as authentication and accounting.
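As an added illustration of the triple A at the file level, here is a small Python model (not from the original post, and not the code of any product it alludes to) in which the rule set travels with the file itself and every access request is authenticated against an identity directory, authorized against the embedded rules (who, what, when and where) and recorded in an audit log, with deny as the default. The directory, the envelope format, the rules and the requests are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample identity directory (the authentication / identity
# management side of the triple A). In practice the principal and its
# groups come from a verified login, not from a dictionary.
DIRECTORY = {
    "alice": {"groups": {"finance", "staff"}},
    "bob": {"groups": {"contractor"}},
}


@dataclass
class Rule:
    """One access rule carried with the file: who, what, when and where."""
    subjects: set                       # user names or group names
    actions: set                        # e.g. {"read", "edit"}
    hours: tuple = (0, 24)              # allowed local hours, [start, end)
    networks: tuple = ()                # CIDR strings; empty means anywhere
    expires: Optional[datetime] = None  # rule no longer applies from this moment


@dataclass
class ProtectedFile:
    """Hypothetical envelope: the rule set is stored with the file itself."""
    name: str
    rules: list


@dataclass
class AuditLog:
    """Accounting: every decision is recorded, whether allowed or denied."""
    records: list = field(default_factory=list)

    def record(self, **entry):
        self.records.append(entry)


def _rule_matches(rule, principal, groups, action, when, source_ip):
    """True only if the request satisfies every constraint of this rule."""
    if principal not in rule.subjects and not (groups & rule.subjects):
        return False
    if action not in rule.actions:
        return False
    start, end = rule.hours
    if not (start <= when.hour < end):
        return False
    if rule.expires is not None and when >= rule.expires:
        return False
    if rule.networks and not any(
        ip_address(source_ip) in ip_network(net) for net in rule.networks
    ):
        return False
    return True


def authorize(pfile, principal, action, when, source_ip, audit):
    """Deny by default; allow only if the principal is known and a rule matches."""
    identity = DIRECTORY.get(principal)
    groups = identity["groups"] if identity else set()
    allowed = identity is not None and any(
        _rule_matches(r, principal, groups, action, when, source_ip)
        for r in pfile.rules
    )
    audit.record(file=pfile.name, principal=principal, action=action,
                 when=when.isoformat(), source_ip=source_ip, allowed=allowed)
    return allowed


# Constructed example file: finance staff may read and edit during office hours
# from the office network; contractors may only read, from anywhere, until a date.
BUDGET = ProtectedFile("budget-2013.xlsx", [
    Rule({"finance"}, {"read", "edit"}, hours=(8, 18), networks=("10.0.0.0/8",)),
    Rule({"contractor"}, {"read"}, expires=datetime(2013, 12, 31)),
])


def demo():
    """Six constructed requests; returns the decisions and the audit log."""
    audit = AuditLog()
    office = datetime(2013, 6, 3, 10, 0)
    evening = datetime(2013, 6, 3, 21, 0)
    results = [
        authorize(BUDGET, "alice", "edit", office, "10.1.2.3", audit),     # allowed
        authorize(BUDGET, "alice", "edit", evening, "10.1.2.3", audit),    # outside hours
        authorize(BUDGET, "alice", "read", office, "203.0.113.5", audit),  # off the office network
        authorize(BUDGET, "bob", "read", evening, "203.0.113.5", audit),   # allowed
        authorize(BUDGET, "bob", "edit", office, "10.1.2.3", audit),       # action not granted
        authorize(BUDGET, "mallory", "read", office, "10.1.2.3", audit),   # unknown identity
    ]
    return results, audit


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log.records:
        print(entry)
```

The point of the model is the split of responsibilities the post describes: the directory is the identity management domain, the rules attached to the file are what the functional administrator of the user organization manages, and the audit log is what the auditor defines and inspects; the evaluator itself is what the IT organization operationalizes.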

In the traditional division of labor, a security officer defines a security policy, based on input from the user organization and on rules and legislation, and then aligns with the IT organization on which mechanisms will be used to operationalize this policy. Product selection, technical equipping and daily operation are performed by the IT organization. Thus the questions of why, how and with what are answered. In fact, the user organization is only involved with the first question and plays no role in the implementation. Also, the security officer is hardly involved in the daily operations of the IT organization and the user organization. It is a slow, top-down approach.
In terms of a responsibility assignment matrix (RACI), one could say that the security officer is accountable, the system administrator is responsible, and the user organization is consulted and informed.

The application of information security through access management at the file level puts this traditional way of working under pressure. The very fine granularity of access rights at the file level, in combination with the dynamics of working processes, the needed agility and the shortening of time to deliver, conflicts with the traditional hierarchical top-down approach.

To solve this issue, a different way of working is required, in which the user organization is much more involved in information security or, better stated, in fact takes the lead. After all, it affects their daily work. The security officer, the auditor and the IT organization must be well aware of the daily work of the user organization. They should gain knowledge of what is going on in the workplace to ensure that access management is workable, produces the desired result and meets the expectations of the user organization. Additionally, identity management and accounting at this micro level should also be taken into account.

To achieve information security by means of access management at the file level, it is advisable to take a closer look at the different roles involved. These are the security officer, the auditor, the system administrator and the “super user” or functional administrator of the access rules for the user organization.

• The security officer, on behalf of the user organization, defines the information security policy and the mechanisms (the solution approach regarding the security organization, workflow and technology) by which it should be realized.
• The auditor is the one who shows how accounting should take place (what the control points are, which information should be captured to comply with laws and regulations, what the audit trail is) and executes audits.
• The system administrator is the one who operationalizes access management within the framework set by the security officer and the auditor, and also takes care of the relationship (in terms of technology and execution) with the work areas of identity management and monitoring (accounting).
• The “super user” or functional administrator of the user organization is the one who actually manages the access rules within the framework set by the security officer and the auditor.

To support the modern way of doing business and service provisioning, we need to create an agile security organization with a transparent separation of interests and responsibilities. Instead of a hierarchical security organization, a flat organization is needed in which the “super user” is accountable, the system administrator is responsible, the security officer and auditor are consulted, and the end users are informed.

Available: IT Sourcing Textbook for the Classroom

Just before the summer, two fellow editors and I published a book about IT sourcing that is also suitable for the classroom. By presenting perspectives on IT sourcing from 21 different contributors, we as editors hope to enable and inspire readers to make better-informed IT sourcing decisions.

We received some nice endorsements:

“What most impressed me about this book is the scope of its coverage, and the level of academic rigor behind the analysis. The broad scope makes this relevant to senior executives concerned with strategy, operational executives accountable for results, and technologists on the ground. The academic rigor gives me confidence that the findings and recommendations are sound. This book will be the reference guide for anyone seriously involved in strategic sourcing.”
R. Lemuel Lasher
Global Chief Innovation Officer, CSC

“Thought provoking, occasionally frustrating and timely! As the theory of the firm is “tested” with evolving technology and globalization driving down transaction costs and enabling greater connectivity we’re presented with many different possibilities for business operating models. By exploring the perspectives of organization, economics, technology and people this book provides the reader with a compendium of theory, ideas and practical tips on “Right Sourcing” the business of IT and enabling different business models. The slightly idiosyncratic nature of a book with contributions from different authors only serves to engage the reader in the discussion. I hope the editors find a way to continue this discussion beyond the book!”
Adrian Apthorp
Head of Enterprise Architecture, DHL Express Europe

“Sourcing is a business theme which gets more and more attention. But making the right decisions is not easy. Sourcing is a wicked problem. This book provides valuable insights and concepts that will help to improve decisions with regard to sourcing. I would recommend this book to anyone who wants to achieve right sourcing.”
Martin van den Berg
Enterprise Architect, Co-Founder of DYA and author of several books, including “Dynamic Enterprise Architecture: How to Make It Work”.

“Sourcing is becoming an increasingly complex task – one that requires fundamental changes in management thinking, radical new ways in which to communicate and deal with knowledge, and a totally new and different view of all the stakeholders. In this book leading thinkers in this space do a great job in opening up the reader’s mind to possibilities for alternative solutions that integrate the human aspects in everything we do.”
François Gossieaux
Co-President Human 1.0 and author of “The Hyper-Social Organization”

The book Right Sourcing helps undergraduate students to better understand and appreciate the topic of sourcing the information processing function of an organization.
Shortening time to market, huge transaction volumes and 24 x 7 business at lower cost put a burden on organizations. How should one adapt to the increasing complexity and changes in the organization and its environment?
Sourcing the information processing function of an organization is covered from different perspectives, and light is shed on how we can assure that the chosen solution is in line with the business strategy, business models, business plans and the technology that is available.
The book puts forward the proposal that the modern enterprise must fundamentally rethink its ‘sourcing equation’ to become or remain viable.
It is ideal for tomorrow’s decision makers who need to understand the requirements of how best to source the people, services and products it needs, to deliver its business model and keep its commitments to all the stakeholders.
Editors: Rien Dijkstra, John Gøtze, Pieter van der Ploeg
ISBN: 978-1481792806

List price: 23.96 USD / 20,60 EUR / 15.04 GBP

286 pages
Pub Date: May 2013

KEY FEATURES:

  • Explains management and design choices along with tradeoffs to consider when sourcing information systems and/or technology that run in an enterprise environment.
  • Explores trending topics such as cloud computing, SOA, security, complexity/chaos & organizations, and cross cultural collaboration.
  • Explores sourcing from the perspectives of organization, economics, technology and people.
Website: www.sourcing-it.org
Amazon: http://amzn.to/GzrqaT