Security demands have expanded beyond the IT organization's traditional role of protecting networks, servers, and endpoints. Data security is no longer the sole domain of the IT administrator: today's regulations and governance, risk management, and compliance (GRC) requirements have forced data security concerns to permeate every transaction and interaction, from the boardroom to the customer. Boards and shareholders demand a comprehensive security program that addresses GRC. As a result, corporate oversight and regulatory reviews are increasingly consuming scarce resources in the form of time and budget.
Unfortunately, many organizations have not modernized their security procedures and strategies. They continue to manage security with a strictly IT-focused mentality, and they are achieving diminishing security results. Hacker attacks, recovered media, misplaced laptops, mistakes, dishonest insiders, and overly distributed data are systemic problems that all too often become news headlines. These problems are avoidable, but prevention requires organizations to evolve their approach to data protection, so they can achieve security measures that meet GRC requirements and support business productivity.
Whether it is a brazen hacker attack on a Web application, a disgruntled employee with a plan to steal corporate assets, or an employee who innocently copies sensitive data to his laptop to work remotely, only to have the laptop stolen, the results of data compromise are the same: brand damage, loss of customer confidence, negative financial impact, and a burgeoning wave of regulatory penalties.
Faced with an ever-evolving threat landscape, IT is scrambling to implement products, services, and security practices at a frenzied pace. Viruses, worms, rootkits, phishing, customized application attacks, and user apathy constantly threaten to erode security. It seems that as soon as a new counter-measure is implemented, a new attack type once again reduces the level of security. IT cannot react fast enough to maintain the confidentiality, integrity, and availability of the environment. Information assets that must be secured are everywhere. Complexity is the enemy of security, and as complexity continues its inevitable rise, the effectiveness of current security measures diminishes.
Data Security Evolution and Challenges
From an IT perspective, positive security results have often been elusive and expensive. Despite their best efforts, traditional security measures have hampered user productivity and have not met organizational needs. The reasons lie in the way IT has approached security.
As the practice of information security has evolved, specific disciplines have emerged to address network, host system, client, database, and even product-focused security. Historically, security infrastructures were assembled to provide hard-coded security, and were managed within families of discrete components and related technologies. In the past, these distinct technology and security silos made sense, since there was often clear delineation of business processes within and between the silos. However, as applications began to permeate the organization, they naturally crossed silo boundaries and began interacting with everything from the user to disparate data served by the application.
This proliferation of applications has strained the organizational silos that were built around individual components, technologies, and services. Without the silos working in concert, security for the organization and its applications has been limited to the narrow set of security capabilities specific to whichever component or silo is impacted. The problem is that managing today's complex application interactions with a hard-coded, silo-focused security approach does not provide the end-to-end control that produces both security and regulatory compliance. Worse yet, this hard-coded approach is confusing to end-users, leading them to make misinformed decisions and poor security choices. Security measures are often too complex for the typical user, and either hinder productivity or push users to work around overly restrictive controls. Today's security and regulatory pressures demand a more holistic and comprehensive approach to application delivery.
Delivering Applications and Security
To achieve security in today's highly distributed and complex environments, modern organizations must secure everything, without ultimately having control over all of it. Access from open home networks, personal PCs with less than optimal security, insecure wireless networks in public places, and personal mobile devices has eroded IT control and changed the threat landscape. While it is no longer possible to secure every discrete component, we still spend precious resources trying. Now there is a better way.
In essence, security is about trust and control. It involves controlling aspects of confidentiality, integrity, and availability to provide the optimal balance between verified access and ease of use. Finding the correct balance is a necessary step in achieving the goals of the business: too little security and information assets are easily compromised; too much and it is impossible to get important work accomplished. A level of security that is appropriate for a top-secret government agency would likely be wrong for a retail store that must accept and interact with the general public. And as users have come to expect, and therefore demand, the seamless exchange of information and functionality, the ability to collaborate with application owners across the organization is fundamental to providing a great user experience. At the same time, the business must prove that defined, sensitive information is protected from loss or compromise. Compounding the situation is the fact that security needs are constantly changing, so an adaptive and prescriptive way to map security needs from the organization to the needs of users, applications, and data is critical.
Choosing the right level of information security, and adapting it to the constantly changing needs of the organization requires a comprehensive policy. This policy must address more than the needs of individual components, such as the network, endpoints, servers, and services; it must tie these disparate components together to act as elements of a policy-driven, holistic system. The policy must map the needs of the users and the applications to all of the individual components and services that comprise this system. It must also allow for regulations that dictate security measures, such as end-to-end encryption. Further, it must specify and enforce these measures, and be capable of proving compliance.
Progressive IT organizations are adopting a novel approach to achieving this holistic, security- and compliance-driven system. It is a system that:
- Virtualizes applications for greater control over application usage and interaction
- Centralizes data, while ensuring defined, distributed access to data
- Leverages the security of individual components from the network to the application
- Addresses the complexity of overly distributed data and applications with their own security measures
This innovative approach to data security is achieved through application delivery infrastructure, whereby security is a fundamental and integral characteristic; in essence, security is delivered to applications and users.
By defining security as a function of the application delivery infrastructure, consistent results can be achieved, complexity can be reduced, and advanced security can be applied to all applications---including legacy applications. User productivity is improved, because each user is presented with the options appropriate to them, based on their unique access scenario. At the same time, a comprehensive organizational policy is implemented and easily enforced to meet the needs of the business and the regulatory landscape.