I'd like to dispel a myth: that enterprise security is more likely to be compromised or weakened through the adoption of situational applications and enterprise data mashup technologies. If IT leaders were to let users roam free over all of their data through a poorly thought-through Enterprise Mashup Platform, then maybe. But how likely is that to happen?
The logic behind the argument that 'mashups are a security threat' usually runs like this: mashups are about empowering information workers to consume web services (sourced from back-office systems and from public online sites), and if you allow this to happen, several new potential threat areas emerge:
- Poor security regimes mean that users bypass identity management and access control systems, so either back doors to data are created, or administration becomes more complicated as multiple user identity directories emerge, with the attendant risk of errors in monitoring user identities.
- Users (knowingly or unknowingly) gain access to data they shouldn't be seeing (or, in the worst case, editing), because power users have been given the ability to create their own applications.
- Enterprise mashup architectures may not be as secure as traditional enterprise portal suites, so by adopting them organizations might be letting their guard down.
Firstly, it's important to remember that in most organizations today the most widely adopted mashup application is Microsoft Excel. Business professionals use spreadsheets to capture, gather, analyze and share data. That spreadsheets still discharge all of these roles after 30 years of faithful service is testament to their invention. But spreadsheets are a high-risk option. They mean that most organizations have hidden pots of business-critical data on laptop and PC hard drives that almost nobody is aware of and that can disappear at any moment. They also mean that people can inadvertently put the wrong data in the wrong cell or change a formula, which can instantly create serious compliance issues.
Secondly, the Enterprise Mashup Platforms I've encountered so far integrate seamlessly with the incumbent identity management and access control systems, such as Active Directory, that corporations already use. This isn't rocket science: a well-designed third-party system authenticates users against the existing directory (over LDAP or Kerberos, for example) and reads their group memberships from it, rather than copying user IDs, email addresses and passwords into a store of its own. The check to make when evaluating a platform is exactly that: one that imports directory credentials into its own table has created the second identity store the critics warn about.
Thirdly, it would be wrong to assume that incumbent enterprise portal suites are more secure than the rich internet 'enterprise mashup' platforms displacing them. To my knowledge, none of the leading portal products can trace the movement of enterprise data from every single field of every single silo to every single portal and every single user; platforms like Encanvas do.
Debates on the future of enterprise security have moved away from the idea of protecting the enterprise by keeping everyone outside the firewall except 'trustworthy employees'. Organizations are slowly realizing that data breaches are most commonly the result of employees' activities rather than of unknown 'baddies'. It has also dawned on IT leaders that people in business expect to collaborate and share data: subcontractors, outsourcers, customers and channel partners all have very reasonable arguments for being able to access enterprise data. So the future of enterprise security is about protecting the data and the intellectual property rather than the container that houses it.
In 2010 we're going to see a big push towards the virtualization of enterprise systems and cloud computing. We're going to see lots of business social networking tools entering organizations through the back door to serve 'departmental needs'. And security will become all about monitoring the activities of individuals (and the groups they belong to). What better system to do this than the enterprise mashup portal platform that serves them with the data?