Technology and business teams must come together to address the risks to systems and software that increasingly reside in cloud-based environments.
At their core, virtually all government agencies are process-driven, and this is especially true in direct citizen- and business-facing agencies. Systems and software that are driven by business processes are increasingly being implemented on top of service-oriented or cloud-based infrastructures, and they are becoming intertwined with security and privacy compliance.
Too often in government, business and security risk assessments are conducted as formalities and in a rather disjointed fashion. Information security/technology teams usually do not know the business processes and therefore focus their risk assessments on specific threats and "cool" technologies streaming out of industry. Consequently, in investment review board meetings, CIOs are unable to justify the need for new security protections or products in business terms.
Conversely, agency business process managers and executives often know their processes and what data is important for them, but they most likely lack knowledge of the underlying technologies. As a result, risk-centered vulnerabilities get lost in the discussions — until a significant security event happens.
To resolve the disconnection, agencies must do a better job of integrating data security specifications into business process execution via rules, algorithms and models. They must also understand how certain business-based rules can address service delivery efficiencies but introduce high risks that essentially compromise security and/or privacy. On the other hand, applying unnecessarily burdensome security measures to a low-risk business process can result in unneeded expense and poor customer service. Finding the right balance is challenging in a security paradigm that must understand the nuances of interactions among the users, business processes and business object layers in public, private and hybrid cloud environments.
Recent high-profile security breaches reveal the serious nature of unexamined business rules that drive data access. In a recent Ponemon Institute survey of major U.S./European companies, 71 percent of users said they had access to data they should not see. "Employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences," the report states.
To help close the security gap, we suggest four critical action steps:
- Make sure executives understand and support the need for proper security. Build relationships between the business and security teams, and gain an understanding of their roles. Make joint decisions on appropriate measures for the business processes.
- Don't reactively bolt security onto your business operations. Create management approaches that integrate security/privacy impact assessments into the development cycle of digital business processes. Express the risks in business terms, and don't gum up the interaction with technical or overly complex procedures. A few timeless questions are essential: Do you know how someone could break into your systems? Could you detect it and how quickly? Do you know what the worst impacts would be on your business and its customers?
- Stay informed! Conduct ongoing risk assessments and continuous monitoring exercises that jointly engage and inform business process managers and security/privacy managers. Remember that situations change when process rules change and/or new software-driven digital services are introduced. Increasingly focus your efforts on analytical capabilities that use automated continuous monitoring tools.
- Require evidence-based controls testing. Although security audits and certifications have become commonplace for cloud-based IT environments because of security/privacy challenges, focus on the near- or real-time capabilities of the security steps in your business process execution. A reliable and independent third-party assessment organization should be able to help you with that.