Securing the Extended Enterprise
Businesses are expanding access to applications and data to
partners, suppliers and customers. That's creating new challenges
and opportunities for CIOs, who need to secure an increasingly
extended enterprise.
By George V. Hulme
For centuries, security has been
about keeping out the enemy.
From moats, high castle walls
and thick iron gates to today's
firewalls and intrusion detection
systems, security has been a barrier.
But there's a flip side: Whether it's 16th
century England or modern e-commerce,
free trade and a flourishing economy can't
exist without a security strategy.
Yet, for the past decade, many executives
have viewed IT security as merely a necessary
evil. In this view, security is a wall that
separates partners, suppliers and customers
from the criminals. But a growing number
of CIOs are taking the opposite view. They
believe that optimizing information security
actually offers new opportunities to help their
organizations become more competitive,
strengthen bonds with customers and revitalize
relationships with key partners.
To deliver on this promise, CIOs need
to examine new ways of approaching IT
security management. For CIOs who don't
adjust their strategic security operations, the
consequences could be disastrous.
In fact, 85 percent of midsize to large
businesses spanning various industries have
experienced a data security breach in the
last 24 months, according to a survey of IT
professionals conducted by the Ponemon
Institute. And only 37 percent of those surveyed
believe their companies can effectively
detect data breaches.
What's more, the challenge of IT security
grows even more complex as CIOs
expand access to their applications and
databases to more partners, suppliers and
customers. Compounding the challenge,
this expanded access makes IT infrastructures
more difficult to manage.
Indeed, CIOs may have to struggle to
hold onto the job of securing the enterprise.
While most members of the business-technology
community take it as an article
of faith that IT security employees will
ultimately report to the CIO, that's not what
market analyst IDC has found. Instead,
IDC says, in a growing number of cases,
responsibility for securing information assets
is shifting outside of IT altogether. It's moving
instead to CFOs, chief risk officers,
even the heads of legal and compliance.
The ranks of these security employees
are likely to grow, too, compounding the
challenge of managing them effectively.
The number of IT security jobs will grow
at a compounded average annual rate of 7.8
percent through the end of this decade,
IDC predicts.
Adding to the complexity of security is
the quick rate at which IT executives are
deploying such new technologies as smartphones,
wireless PDAs and mobile e-mail
readers. Virtually any device capable of running
a Web browser can now access enterprise
applications, conduct transactions
and collaborate from anywhere. As a result,
CIOs hope to proactively manage the
impact on the business of these
new devices and the extended
access the devices enable. For
those who get it right, the
benefits are great, including
improved efficiencies, increased
user satisfaction and better business
continuity.
Banking on Mobility
At the same time, the challenge
of securing networks is
growing. Consider the projected
growth of mobile banking, or
m-commerce. This wing of
the extended enterprise could
increase dramatically over the
next few years. Research firm
Celent predicts that 35 percent
of online-banking households
will use mobile banking by 2010 — up from only 1 percent today.
"Consumers are adopting wireless
payments and financial services
more than ever before,"
says David Cox, an independent payments
consultant. "As PDAs and cell phones
become more technology-enabled, they're
increasingly replacing PCs as Internet-connected
devices and becoming devices
with limitless m-commerce possibilities."
But it's not just payments. Mobile
devices are also used to access enterprise
applications, such as CRM, inventory and
supply chain. While there's plenty of concern
about the security of mobile devices,
experts say that most organizations are
taking the same approach to securing information
resources as they would take for any
other application over the Internet: SSL
encryption for the data in transit, and
usernames and passwords or PINs to provide
authentication for access.
Still, more devices and ways to access
mean more users, more accounts, more
complexity and more risk. The
modern network "perimeter"
is wherever users happen to be — and the reach of any device
that happens to be in their
hands. While this pervasiveness
provides users with greater convenience
and simplified access
to information, for CIOs it significantly
complicates IT management.
It also blurs the
distinctions between security,
business-technology architectures,
compliance, and network
and systems management.
'Porous and Vulnerable'
The need to secure the
extended enterprise is gaining
interest, especially in industries
that depend on sensitive
data. "Financial systems are
increasingly remotely accessed across the
globe by third-party suppliers, partners and
customers," says Steve Steinberg, project
manager for the Securing the Extended
Enterprise special interest group (SIG)
of the Financial Services Technology
Consortium (FSTC), which focuses on
collaborative technology research and
development for the financial services
industry. (Steinberg is also managing director
of Chatsworth Solutions, an IT project-management
consultancy based in New
York City.) "Without the proper levels of
governance and technologies in place,
these extended systems are at risk of becoming
porous and vulnerable," he adds.
The SIG was created recently to help
CIOs in financial services find long-term
security solutions. CIOs and CSOs who
understand the scope of these security
issues can gain the upper hand in identifying
and defeating these threats as they
occur. The benefits of better management
and security initiatives include easier compliance,
improved customer confidence
and increased service availability. Successful
security strategies also can help CIOs stay
within budgetary constraints and increase
operational efficiencies.
Further, the FSTC SIG will explore
ways that financial-services firms can
improve security and attain the higher levels
of governance increasingly demanded by
the extended enterprise. "These are difficult
problems to solve," says Dan Schutzer,
FSTC's executive director. "How do you
ensure that the entire extended value chain
is in compliance; that partner agreements
for security and privacy are being enforced;
that proper management practices are in
place; and that management has the information
it needs for decision making?"
Financial services firms are not the only
ones opening up access to their applications
while putting solid IT-governance
frameworks in place. Michigan's Oakland County,
whose IT department supports 82 divisions
of government that serve more than a million
residents in 62 cities, faces similar pressures.
"Every day we work to extend our
application access outward," says Scott
Oppmann, the county's manager of application
services. "One of our critical functions
is to build business applications that widen
access and automate business functions that
are extended out to residents and users."
"These are traditional government applications
that now are extended out so they
can be accessed online," Oppmann says.
These county applications range from systems
that provide construction permits to
online access to court documents. Another
project in the works is a public Wi-Fi system
that eventually will serve county residents
in an area of more than 900
square miles.
To ensure that their
extended enterprise stays as
secure as possible, Oakland
County officials now include
security checkpoints as part of
their application development
process, which, in turn, is managed
in CA Clarity™ Project
& Portfolio Manager. "We
have internal standards groups
for application level security,
and we enforce checkpoints
along the way for reviews,
which include security and
performance," Oppmann says.
"Security is about putting in
place the appropriate levels of
controls, hardening applications
and enforcing a security model."
Securing the Network
Another crucial area for securing and governing
the extended enterprise environment
is identity and access management
(IAM), that is, knowing who is accessing
systems and enforcing rules that limit
which systems they can access. This, in
turn, requires systems that can authenticate
and authorize both users and devices. In
addition, full auditing and reporting of all
security and access-related events is essential
for a strong compliance posture.
It's an area that's growing rapidly, says
Carmen Garcia, information security officer
at service provider EDS Spain. She has
seen enterprises that may have had a couple
of thousand employees logging on to
networked applications a decade ago grow
into hundreds of thousands of identities that
need to be managed today. "This is especially
true at large banking entities," Garcia
says. "This is a big challenge for them."
EDS Spain is helping clients establish
extensive governance frameworks. "The
clients first need to establish their security
objectives, and have security policies and
procedures in place that will provide them
with an acceptable level of risk," Garcia says.
One place to start is with a solid identity
and access management framework, as well
as comprehensive directories that establish
and allow for the proper management
of those identities. Businesses need to know
who each individual is — and what he or she
is allowed to access. That's a tall order, considering
that most organizations today run
on multiple operating system platforms and
hundreds of applications, each with its own
proprietary methods for handling security.
To better support authentication,
authorization, auditing and entitlement
management, analysts and security experts
say it makes sense to remove the authentication,
authorization and administration
processes completely from individual
applications. Instead, experts advise,
CIOs should move them onto a
centralized identity and access management
platform.
The platform, in turn, runs as a
shared service in front of each application.
This can dramatically simplify
the management of end-user
entitlements. "This removes many
of the burdens associated with managing
users' accounts, credentials
and access privileges to the enterprise's
different applications," says
Dave DeCamp, VP of technical
sales at CA and the company's chief
solution architect. "Privileges would
be stored in a centralized server
accessible by any application
through Web services standards.
This single management interface allows
application-specific rules to be created,
maintained and enforced without having
to modify application code." In this way,
DeCamp adds, "not only is management of
entitlements simplified, but also the delivery
of new applications and services is
accelerated."
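As an added illustration of the architecture described above (not code from CA or from the article), the following Python sketch keeps every entitlement in one shared policy decision point and reduces each application to an enforcement point that asks that service before serving a request. The users, roles, applications and resource names are constructed for the demo.

```python
"""Centralized entitlement service (PDP) in front of two applications (PEPs).

Added illustration, not CA's product code or the article's. Every user,
role, application and resource below is constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    """One entitlement: members of `role` may perform `action` on any
    resource of `app` whose path starts with `resource`."""
    app: str
    resource: str
    action: str
    role: str


@dataclass
class EntitlementService:
    """Shared PDP: role assignments, rules and an audit trail of decisions."""
    roles: dict = field(default_factory=dict)   # user -> set of role names
    rules: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        self.roles.setdefault(user, set()).add(role)

    def add_rule(self, app: str, resource: str, action: str, role: str) -> None:
        # Rules are created here, centrally; no application code changes.
        self.rules.add(Rule(app, resource, action, role))

    def decide(self, app: str, user: str, action: str, resource: str) -> bool:
        """Deny by default: allowed only if some rule matches a role the user holds."""
        held = self.roles.get(user, set())
        allowed = any(
            r.app == app and r.action == action and r.role in held
            and resource.startswith(r.resource)
            for r in self.rules
        )
        # Every decision, allow or deny, is recorded for reporting and compliance.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "app": app, "user": user, "action": action,
            "resource": resource, "allowed": allowed,
        })
        return allowed


class Application:
    """A PEP: it enforces the PDP's answer but holds no privileges itself."""

    def __init__(self, name: str, pdp: EntitlementService):
        self.name = name
        self.pdp = pdp

    def handle(self, user: str, action: str, resource: str) -> str:
        if not self.pdp.decide(self.name, user, action, resource):
            return "403 Forbidden"
        return f"200 OK {action} {resource}"


def demo():
    pdp = EntitlementService()
    pdp.assign_role("alice", "teller")
    pdp.assign_role("bob", "auditor")
    pdp.add_rule("crm", "customers/", "read", "teller")
    pdp.add_rule("crm", "customers/", "write", "teller")
    pdp.add_rule("ledger", "accounts/", "read", "auditor")

    crm = Application("crm", pdp)
    ledger = Application("ledger", pdp)
    results = [
        crm.handle("alice", "write", "customers/42"),   # 200: tellers may write CRM
        ledger.handle("alice", "read", "accounts/7"),   # 403: no ledger rule for tellers
        ledger.handle("bob", "read", "accounts/7"),     # 200
        ledger.handle("bob", "write", "accounts/7"),    # 403: read-only role
    ]
    # Grant auditors read access to CRM: one central change, CRM code untouched.
    pdp.add_rule("crm", "customers/", "read", "auditor")
    results.append(crm.handle("bob", "read", "customers/42"))  # 200

    denials = [e for e in pdp.audit if not e["allowed"]]
    return results, len(pdp.audit), len(denials)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Two points from the passage are visible in the code: the new rule for an existing application is added centrally with the application's code untouched, and every decision, allowed or denied, lands in one audit trail. Matching is deny-by-default, so an application with no registered rules serves nothing. A production service would also carry device or session attributes in the request and answer over a Web services interface rather than an in-process call; both are omitted here.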
Integrated Simplicity
Simplification also comes from tighter
integration between traditional network
and systems management tools and
IAM applications. In fact, vendors already
are integrating traditional identity-management
solutions with security technologies
like security information management
applications. Their goal: to unify
security information and governance efforts.
For example, integration has increased
between CA Wily Introscope® and CA
SiteMinder® Web Access Manager. The
goal is to monitor performance as well
as troubleshoot problems, taking into consideration
an enterprise's entire Web
infrastructure. "We are seeing increased
information sharing and integration," says
Matthew Gardiner, CA's senior product
marketing manager. "Plenty of network and
application events occur that relate to security,
and certainly events that are captured
by IAM systems can help correlate those."
In this configuration, if the enterprise
has a performance problem, the CA Wily
solution can use collected information to
identify whether the problem is with the
back-end database, Web server or other
applications.
Information sharing can also improve
both security and governance. The gain
comes from security event managers
that centralize real-time security data from
networked devices, applications and security
systems. Correlating these different data
sources makes it easier to display the data as
actionable intelligence. "The more you
know about what is going on in your systems — and the more you can correlate events
across those systems — the more likely it is
that you can spot security problems you
wouldn't be able to recognize in the absence
of a centralized way of analyzing and correlating
this information," says Sumner Blount,
director of security solutions at CA.
That's especially true at financial services
firms, which typically will have millions of
events occurring in their networks, applications
and security systems — only a handful
of which could be indicators of important
problems. That requires correlating and
filtering events so that only the
most important items are displayed to IT
managers. While security managers may
not want to see all application logons, they
certainly will want to be notified if there are,
say, 300 failed logon attempts a minute to
a specific account, or a series of failed logon
attempts at several PCs in the same office
building within minutes of each other.
"Those definitely could be signs of an
attack," says Gardiner. The security
policy would call for those events to
be displayed on the SIM dashboard,
so that the compliance and security
offices would be notified.
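To show the correlation the passage describes in working form, here is an added Python example that is not code from the article or from any SIM product. It replays constructed logon records, in a made-up line format, through two sliding-window rules: one per account (the 300-failures-per-minute case) and one per office site (failed logons on several PCs within minutes). The host-to-site map and the thresholds are assumptions for the demo.

```python
"""Correlating failed-logon events across systems the way a SIM would.

Added example, not code from the article or from CA's products. The log
line format, the host-to-site map and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed asset data: which office each workstation sits in. A real SIM
# would pull this from an asset or directory database.
SITES = {"pc-101": "NYC-3F", "pc-102": "NYC-3F", "pc-103": "NYC-3F",
         "pc-201": "CHI-1F", "auth01": "DC"}

ACCOUNT_THRESHOLD = 300              # failures per account per minute
ACCOUNT_WINDOW = timedelta(minutes=1)
SITE_THRESHOLD = 3                   # distinct PCs in one office
SITE_WINDOW = timedelta(minutes=5)


def parse(line):
    """Constructed format: '<ISO timestamp> <host> <OK|FAIL> <account>'."""
    ts, host, result, account = line.split()
    return datetime.fromisoformat(ts), host, result, account


def correlate(lines):
    """Return alert strings for the two patterns; each pattern fires once per key."""
    alerts = []
    per_account = defaultdict(deque)   # account -> failure timestamps in the last minute
    per_site = defaultdict(deque)      # site -> (timestamp, host) pairs in the last 5 min
    fired = set()
    for line in sorted(lines, key=lambda l: l.split()[0]):
        ts, host, result, account = parse(line)
        if result != "FAIL":
            continue                   # successful logons never reach the dashboard

        # Rule 1: burst of failures against a single account.
        q = per_account[account]
        q.append(ts)
        while ts - q[0] > ACCOUNT_WINDOW:
            q.popleft()
        if len(q) >= ACCOUNT_THRESHOLD and ("acct", account) not in fired:
            fired.add(("acct", account))
            alerts.append(f"{len(q)} failed logons to {account} within 60s")

        # Rule 2: failures on several PCs in the same office within minutes.
        site = SITES.get(host)
        if site is None:
            continue
        s = per_site[site]
        s.append((ts, host))
        while ts - s[0][0] > SITE_WINDOW:
            s.popleft()
        hosts = {h for _, h in s}
        if len(hosts) >= SITE_THRESHOLD and ("site", site) not in fired:
            fired.add(("site", site))
            alerts.append(f"failed logons on {len(hosts)} PCs in {site} within 5 min")
    return alerts


def sample_log():
    """Constructed events: a 300-failure burst, routine noise, and a 3-PC sweep."""
    base = datetime(2007, 3, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i // 6)).isoformat()} auth01 FAIL svc-batch"
             for i in range(300)]                      # 6 failures/second for 50 seconds
    lines += [f"{(base + timedelta(minutes=2)).isoformat()} pc-201 FAIL jsmith",  # one typo
              f"{(base + timedelta(minutes=2, seconds=5)).isoformat()} pc-201 OK jsmith",
              f"{(base + timedelta(minutes=3)).isoformat()} pc-201 OK jsmith"]
    for i, pc in enumerate(("pc-101", "pc-102", "pc-103")):   # admin tried on 3 PCs
        lines.append(f"{(base + timedelta(minutes=10 + 2 * i)).isoformat()} {pc} FAIL admin")
    return lines


if __name__ == "__main__":
    for alert in correlate(sample_log()):
        print(alert)
```

The single mistyped password on pc-201 produces no alert, which is the point of the thresholds: the dashboard shows the burst and the multi-PC sweep, not every logon. Both rules fire once per key, so a sustained attack does not flood the console with one alert per event.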
That's what governance is all
about. "It's about getting detailed
information you can use to effectively
manage existing resources,
make good investment decisions,
and control costs and risks. And the
only way to do that is to properly
analyze events occurring throughout
the enterprise," says Blount.
"Without a way to automate and
correlate this information, it's just
impossible."
What's more, as more devices,
users and applications continue to
access corporate networks, the challenges
are likely to intensify. "More devices, more
resources, more online applications, more
users — all of these things are generating
security events," Blount says. "As the number
of devices and users increase, so do the
potential attack vectors."
Bottom line? CIOs and security managers
need to be prepared with proper
security checks, systems, policies and governance
strategies to manage the rising
tide of people, organizations and devices
that need to access their enterprise systems.
With the recent history of e-commerce as
a guide, the expansion of the extended
enterprise isn't likely to wane anytime
soon. "There's no way it's going to slow
down," says Oakland County's Oppmann.
"It's only going to accelerate."
George V. Hulme is a Minneapolis-based freelance writer
who has covered business and technology for nearly 20 years.