Welcome!

Microservices Expo Authors: Pat Romanski, Liz McMillan, Stackify Blog, Elizabeth White, Yeshim Deniz

Related Topics: Cloud Security, Microservices Expo, @CloudExpo

Cloud Security: Article

Information Security from a Business Perspective

It must be designed and implemented as a core ingredient of the business strategy

As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security is a key parameter that affects business risk. The academic definition of information security is the "preservation of confidentiality, integrity and availability of information." [1] Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed.

Historically, information security has been addressed primarily as a technical issue. Preventive controls, such as firewalls, user access control mechanisms, encryption of data and communications, digital signatures, data backup systems, and detective controls, such as intrusion detection systems or security monitoring platforms, have formed the basic components of security architecture. Often, the technical controls are complemented by a set of security policies, procedures and guidelines aimed at controlling the actions of personnel.

This approach, though, has proven to be insufficient. Security incidents continue to rise and security problems remain unsolved while information security experts have been challenged to effectively communicate the value of information security to enterprise management. The root cause of these problems may be the definition of information security itself. There is a lack of consistency as each sector, industry and even enterprise has had to define information security uniquely, based on very specific business needs. This lack of consistency has contributed to a lack of understanding and a lack of appreciation for the value of information security.

Information Security Defined
To define information security in an organisation, one must understand its business objectives, identify stakeholders and link them to information protection attributes. Organisations have to be trusted to achieve customer acquisition and retention, which directly affect their revenue. This trust is a key success factor that is directly related to:

  • Business integrity-Each business decision is conducted as described in its official literature. It is fair to the customer and inspires trust. Information integrity (avoiding data manipulation) is a key information security component related to customer trust.
  • Customer asset protection-Customers need to be confident that their money, credit card numbers and bank account numbers are safe, especially in online transactions, where their funds are essentially electronic. Customers need to trust an organisation to secure their financial assets; confidentiality, integrity and availability are crucial security parameters.
  • Customer privacy-Customers provide their personally identifiable information (PII) to a whole host of ‘trusted' sources. As in customer asset protection, trust in the business is important for making them feel comfortable with sharing such information. Trust is particularly important when dealing with large amounts of money because customers have to feel safe and also that their personal data have been protected.

Providing services to the public also has societal and political facets. Businesses must adhere to a governmental regulatory and legal framework. The provision of secure and fair outlets to citizens is a matter of social responsibility. Moreover, the government is a shareholder of business (directly or indirectly through taxing); thus, business success affects the corresponding governmental revenue.

The aforementioned facts are clarified in relation to information security when the drivers of shareholders' trust are studied in more detail. For example:

  • Each licensed business has to comply with rules and terms of the license, which in turn have general or more detailed information protection requirements. These vary from general statements for fairness, antifraud rules and service availability requirements to more detailed technical controls such as network security rules, operating security policies or certification requirements. Shareholders need to be confident that a business complies with the license obligations and, more generally, the legal and regulatory framework, since this is a main corporate viability factor.
  • In competitive business environments, information security acts as a competitive advantage that, in turn, ensures customer acquisition. Shareholders trust a business if it operates as a competitive corporation, and due to the importance of protecting its information from breaches, information security becomes a competitive parameter.

In relation to the business role of information security, drivers should be:

-Shareholders' trust:

. Corporate viability, which is driven by compliance of license terms

. Competitive advantage, which ensures customer acquisition

. Brand name value preservation, which ensures customer retention

. Legal and regulatory compliance (e.g., the integrity of financial records and PII protection)

- Customers' trust:

. Business integrity

. Service availability

. Protection of the confidentiality of customers' sensitive information

Using this definition of information security for the business sector, a holistic approach is required for addressing the information security requirements of each unique organisation. This requires a detailed business analysis for embedding information security into the specific business processes and also for addressing the human factor and minimizing the uncertainty it introduces.  International security standards provide a solid base for information security from a business perspective.

THE INFORMATION SECURITY STANDARDS LANDSCAPE
In 2006, the Security and Risk Management Committee of the World Lottery Association (WLA)2 published the most recent version of its Security Control Standard (SCS). This standard describes a number of information security controls (technical and procedural) tailored to the lottery sector. Indicatively, it includes rules regarding the management of lottery draws and protection of prize money and Internet gaming systems.

The Security Control Standard (SCS) is an extension of the globally recognized information security standard ISO 27001 of the International Organization for Standardization (ISO), which is related to the establishment of information security management systems (ISMSs). Such systems provide the framework for managing information security from planning to implementation, monitoring and improvement.

ISACA has published a set of information technology (IT) auditing standards and the Risk IT:  Based on COBIT framework, which provides a set of guiding principles for effective management of IT risk. Risk IT complements COBIT, a comprehensive framework developed by ISACA for the governance and control of business-driven, IT-based solutions and services. In 2009, ISACA published An Introduction to the Business Model for Information Security, the first publication  released under the Business Model for Information Security (BMIS), which addresses information security from a business perspective, and in 2010, the full model was published as The Business Model for Information Security.

Other standards include the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for enhancing payment account data security, and the Special Publications (800 series) of the US National Institute of Standards and Technology (NIST), which are documents of general interest to the computer security community. The aforementioned standards provide an indicative view of the information security standards landscape. Other standardization bodies and associations provide their own guidelines in the field. In addition, technical security best practices of system vendors provide additional guidelines.

The modern business sector has to select the information security standards to use as a basis for its security architecture, and it must customize this selection according to its specific business needs.

 

Case Example from the World Lottery Association
In this particular example the ‘customer', so defined by the business model, is identified as the ‘player'. In this situation the definition of information security, specific to the lottery model, also becomes altered. ‘Business integrity' becomes ‘game integrity', ‘customer asset protection' becomes ‘player asset protection', and ‘customer privacy' is therefore ‘player privacy'. In terms of security the needs of a customer and player are much the same; however, due to the proactive nature of a ‘player', whose object is to win prizes rather than conduct typical transactions, the model of risk management must be appropriately tailored. Trust is again the key factor. When a member of the public makes the transition from ordinary citizen to ‘player' on a gaming site, it is vital to ensure that they are aware of the official rules of the specific game. Payouts and prizes, and the procedure for claiming them, must fully conform to the official literature set out by the gaming site. There should be no cases of ambiguity as this is a sure-fire way of discrediting a brand and losing player trust and thus, their custom.

To become an online participant in lotteries and other gaming sites an individual must disclose their sensitive details; this is very often the only means by which one can become a ‘player'. Being able to trust a lottery or gaming site with sensitive details should, therefore, be the foremost concern of a player as there is little point in worrying about payout procedure when compromised details could mean a bigger loss than any potential gain.

The WLA's Security Control Standard takes the above factors into consideration- perfectly illustrating how the security of data can be adapted to a unique business situation.

BASIC PROCESSES
Studying the information security standards horizontally, a number of basic processes/steps that lead to the identification of information security requirements are:

  • Step 1: Business impact analysis-Each business process is recorded and analyzed in terms of business impact from the realization of a possible security threat.

The business must answer a number of questions to calculate the impact of security breaches, including:

- How much would this cost the business in monetary terms?

- What would be the indirect costs (e.g., from reputation loss) if information is sold?

- What would the legal implications be?

Business processes are then prioritized based on an impact scale that identifies the most critical issues.

  • Step 2: Risk analysis-During this process, the possibility for the occurrence of a security incident is calculated, based on a database of security weaknesses. The risk analysis takes into account technical and procedural parameters, such as:

- Are there technical controls in place to safeguard customer data?

- Do procedures exist to complement the technical security controls?

  • Step 3: Risk management-The result of the risk analysis is a prioritization of risk in relation to the impact level (the result of the business impact analysis) and the identification of possible security measures for addressing the risk. The risk management process-the selection of appropriate security measures for addressing the risk or for risk transferring or acceptance-is determined by the management of the organisation.
  • Step 4: ISMS implementation-After the controls have been selected, they should be correlated under a common information security management system (ISMS). This correlation requires deep understanding of the operation of the organisation; consideration of human, cultural, technical, business and external factors; and continuous improvements.

Business Model for Information Security
One of the most recent information security frameworks that addresses information security from a business point of view is ISACA's BMIS.

The following definitions of the BMIS elements (derived from An Introduction to the Business Model for Information Security) are necessary for understanding how BMIS works:

  • Organization design and strategy-An organization is a network of people, assets and processes interacting with each other in defined roles and working toward a common goal.
  • People-The people element represents the human resources and the security issues that surround them. It defines who implements (through design) each part of the strategy. It represents a human collective and must take into account values, behaviors and biases.
  • Process-Process includes formal and informal mechanisms (large and small, simple and complex) to get things done.
  • Technology-The technology element is composed of all of the tools, applications and infrastructure that make processes more efficient.

To understand the operation of BMIS in practice, it is important to study the links connecting organization design and strategy, people, process, and technology.

CONCLUSION
Information security will be understood, provide added value and effectively contribute to the operation of an organization only if it is designed and implemented as a core ingredient of the business strategy. Stakeholder, shareholder and customer trust are the key ingredients of information security; organizations from all sectors should identify such key ingredients in order to provide a business definition to information security.

More Stories By Christos K. Dimitriadis

Christos K. Dimitriadis, Ph.D., CISA, CISM, is international vice president of ISACA and head of information security at INTRALOT S.A, a Greece-based multinational supplier of integrated gaming and transaction processing systems.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry’s single source for the cloud. Fusion’s advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
There are two main reasons for infrastructure automation. First, system administrators, IT professionals and DevOps engineers need to automate as many routine tasks as possible. That’s why we build tools at Stackify to help developers automate processes like application performance management, error monitoring, and log management; automation means you have more time for mission-critical tasks. Second, automation makes the management of complex, diverse environments possible and allows rapid scal...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
This talk centers around how to automate best practices in a multi-/hybrid-cloud world based on our work with customers like GE, Discovery Communications and Fannie Mae. Today’s enterprises are reaping the benefits of cloud computing, but also discovering many risks and challenges. In the age of DevOps and the decentralization of IT, it’s easy to over-provision resources, forget that instances are running, or unintentionally expose vulnerabilities.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
It has never been a better time to be a developer! Thanks to cloud computing, deploying our applications is much easier than it used to be. How we deploy our apps continues to evolve thanks to cloud hosting, Platform-as-a-Service (PaaS), and now Function-as-a-Service. FaaS is the concept of serverless computing via serverless architectures. Software developers can leverage this to deploy an individual "function", action, or piece of business logic. They are expected to start within milliseconds...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
One of the biggest challenges with adopting a DevOps mentality is: new applications are easily adapted to cloud-native, microservice-based, or containerized architectures - they can be built for them - but old applications need complex refactoring. On the other hand, these new technologies can require relearning or adapting new, oftentimes more complex, methodologies and tools to be ready for production. In his general session at @DevOpsSummit at 20th Cloud Expo, Chris Brown, Solutions Marketi...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...
The purpose of this article is draw attention to key SaaS services that are commonly overlooked during contact signing that are essential to ensuring they meet the expectations and requirements of the organization and provide guidance and recommendations for process and controls necessary for achieving quality SaaS contractual agreements.
SYS-CON Events announced today that OpsGenie will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2012, OpsGenie is an alerting and on-call management solution for dev and ops teams. OpsGenie provides the tools needed to design actionable alerts, manage on-call schedules and escalations, and ensure that the right people are notified at the right time, using multiple notification methods.
The first step to solving a problem is recognizing that it actually exists. And whether you've realized it or not, cloud services are a problem for your IT department. Even if you feel like you have a solid grasp of cloud technology and the nuances of making a cloud purchase, business leaders don't share the same confidence. Nearly 80% feel that IT lacks the skills necessary to help with cloud purchases-and they're looking to cloud brokers for help instead. It's time to admit we have a cloud s...
According to a recent Gartner study, by 2020, it will be unlikelythat any enterprise will have a “no cloud” policy, and hybrid will be the most common use of the cloud. While the benefits of leveraging public cloud infrastructures are well understood, the desire to keep critical workloads and data on-premise in the private data center still remains. For enterprises, the hybrid cloud provides a best of both worlds solution. However, the leading factor that determines the preference to the hybrid ...
In this modern world of IT, you've probably got some new colleagues in your life-namely, the cloud and SaaS providers who now hold your infrastructure in their hands. These business relationships-yes, they're technology-based, but cloud and SaaS are business models-will become as important to your IT team and your company as the hardware and software you used to install. Once you've adopted SaaS, or inherited SaaS, it's on you to avoid price hikes, licensing issues and app or provider sprawl....