Enterprises are currently experiencing a period of dramatic change to the way information is stored and accessed. In this new world of continuous connectivity, organisations are required to be ‘Instant-On’ and have technology embedded in everything they do to serve customers, employees, partners and the public with whatever they need – instantly.
It is little surprise then, that this need for continuous connectivity is driving more organisations, both public and private, to embrace new and increasingly open ways of linking with customers through mobile applications, social networking and cloud services. But, with this volume of information becoming virtualised, security has become a major concern for many.
According to HP’s 2010 Top Cyber Security Risks Report, there has been a significant increase in the volume of organised cybercrime targeting data centres and networks.
While more attacks were recorded in 2010, the number of discovered vulnerabilities remained relatively stable, though high. The report indicated that while the majority of attacks target known and already-patched security weaknesses, many high-profile attacks exploit new vulnerabilities before they are fixed.
Web application vulnerabilities represent half of all security vulnerabilities and continue to plague enterprises, according to the data generated. Third-party plug-ins to content management systems were identified as a leading cause of web application vulnerabilities, with blog-hosting and online discussion forum applications, such as WordPress, Joomla and Drupal, among the most frequently attacked systems.
Protecting your business
With this increased level of vulnerability, how can enterprise organisations implement security policies that reduce the possibility of network breaches that could lead to financial loss or put business operations at risk?
The modern security model is holistic, connecting all layers of security to each other, and then connecting security to IT. This model is proactive and risk-based, providing the data and analysis needed for organisations to respond appropriately.
The challenge faced by chief information officers (CIOs) and chief technology officers (CTOs) is to achieve these enterprise security needs without constricting the flow of information between enterprises and governments, and their customers or citizens. IT must develop integrated security approaches that protect business assets while making them available to authorised users.
The approach to security solutions needs to help businesses and governments protect data, defend resources and manage risk, as well as drive innovation. To fully achieve this, enterprises need to approach their security requirements by considering six important steps:
Assess – Understand the organisation’s vulnerability to external and internal threats, then start building a plan to address those threats within the context of enterprise priorities. Organisations can see where they are being attacked and where they are weak, empowering them to proactively address potential issues before they become problems. The objective is the free and secure exchange of information across the organisation, with customers, partners, employees or the public.
Transform – Optimise enterprise risk management by integrating security into the very fabric of an organisation’s IT: infrastructure, applications, information, and identity and access management.
Prioritise – Identify where organisations need to spend their time and money to get the most return on investment. This includes researching areas of threat and vulnerability. Proactive pattern detection and advanced algorithms correlate events from both security and system-operations sources.
Manage – Provide visibility, context and remediation of threats across the enterprise. This requires appropriate software and services to proactively monitor real-time activity, intelligently assess the risk to business operations and automate rapid correction, reducing risk and improving legislative compliance.
Respond – Through visualisation and prioritisation, enterprises can proactively and automatically respond to the most important security issues and compliance requirements. This allows organisations to remove the top vulnerabilities in critical applications before deployment, automatically block attack sources based on worldwide threat data, base decisions on accurate data and take action cost-effectively.
Functional versus Non-Functional Requirements – Distinguishing between functional and non-functional security requirements is also crucial. Functional requirements define security features; non-functional requirements define the constraints that development organisations must adhere to when writing code. Both are critical to understanding security and to creating enterprise software with minimal security defects.
By following these steps, enterprises can develop security requirements that strike the right balance: high-level enough to remain viable across the organisation, yet technical enough to be useful when a pass/fail testing strategy must be mapped out against them.
When executed well, this balance acts as a brilliant business-based mechanism to ensure that applications are developed with minimal security defects. Well-defined security requirements can be an organisation’s most effective tool in protecting their assets. And it is through integrating and utilising these methodologies that enterprises can achieve measurable gains in software security assurance.