Security is a process
By Kunaciilan Nallappan January 30, 2014
- Security should not be just left to software engineers because they are not security experts
- The burden of coding security policies should fall on credible security solutions professionals
A NEWSPAPER report recently warned that many IT products and applications, including payment systems, lack adequate security. The reasons cited are that firstly, security is treated as an afterthought, and secondly, because trained practitioners are not involved in the design and implementation.
Security is a process and it should be managed as such. There’s an important role for the security experts who build the policies that ensure security and compliance within the organisation. And, there’s an equally important role for the programmers who develop the software.
But the two are quite distinct from each other.
Business applications are the critical assets of an enterprise. Their security should not be left to the software engineers alone to decide, because they are not security professionals.
Therefore, the prudent approach is to offload the burden of coding security policies from the software programmers onto credible security solutions professionals.
Viewed from that perspective, security is an end-to-end process, with policies to govern the various areas wherever there is user interaction with the enterprise – device, access, network, application and storage.
Given the complexities of the different moving parts, it sometimes makes sense to combine several of the point security concerns into a converged solution. In short, this is akin to a process simplification not too different from what consultants would call ‘BPR’ (business process reengineering) in the business world.
Whichever way you see it, from a CFO (chief financial officer) perspective, this represents immense cost savings, both operationally as well as in capital costs.
For example, when it comes to application security, the trend is to build it into the application delivery controllers. ADCs are designed to natively deliver applications securely to end-users.
In today’s context, ADCs act as secured gatekeepers to the applications: they prevent unauthorised access and can add on capabilities to mitigate complex application-level attacks such as those catalogued by OWASP (the Open Web Application Security Project).
However, the situation is growing more complex. CIOs (chief information officers) are increasingly faced with the task of balancing the needs of a younger, empowered and demanding Gen Y workforce who want the freedom to work from their device of choice, as well as the ability to switch seamlessly between their social and enterprise networks.
The CIO challenge is how to protect the company’s business assets in the face of increasing and more complex threats. Add to this the desire to leverage the cloud for cost control and scale, and the security considerations can potentially spiral out of control.
The situation calls for innovative security solutions that can understand the behaviours of enterprise applications as well as users, and be able to enforce corporate security policies effectively with minimum impact on user experience.
Security is a trust business. Having the right process and policies trumps choosing a vendor. It is the policies and process that determine the required solution, not vice versa.
Kunaciilan Nallappan is Asia Pacific marketing director at F5 Networks, which helps organisations seamlessly scale cloud, data centre, and software defined networking (SDN) deployments to successfully deliver applications to anyone, anywhere, at any time.