Survivor's Guide To 2007: Business Strategy

IT is accustomed to mediating the conflict between accessibility and security. But the pressure from both sides is about to get more intense: Emerging technologies like SaaS (software as a service) and enterprise mashups are smashing traditional barriers, while scrutiny from regulators, auditors and compliance officers is getting more relentless. Our big challenge for 2007: Implement strategies to protect data without choking off business processes.

New software technologies are making that job harder. If your organization isn't yet investigating SaaS, for example, it likely will be. Thirty-nine percent of very large enterprises already use SaaS, according to Forrester, while 24 percent of large enterprises and 22 percent of midsize companies use or are interested in the strategy (see "SaaS Adoption Rates by IT Dept. Size" below, left). And, vendors are working to let even the smallest organizations get in on the fun.

Meanwhile, Web 2.0 technologies like mashups draw business users like moths to a flame. IBM created a proof-of-concept mashup for a home-improvement chain that combines real-time weather forecasting from the National Weather Service, Google Maps and the company's inventory database. If a snowstorm is predicted for a particular region, the retailer can tweak inventories of rock salt, shovels and generators for stores in that region. Try countering a sales pitch like that.

All this openness sounds great--until a breach happens. As if federal and state regulations aren't enough to worry about, industry requirements like the Payment Card Industry's Data Security Standard are getting tougher; new requirements for 2007 focus on application security (see graphic at right). Learn more about PCI.

Open Up And Say SaaS

Typical software deployment models, where IT owns responsibility for deployment and uptime, are giving way to alternative delivery methods, including hosting and SaaS. Gartner estimates that 25 percent of new business software will be delivered through services by 2011--a considerable increase over the 5 percent of software it says was delivered as a service in 2005.

Why the growth? SaaS promises faster deployment of applications and a lower capital outlay while freeing up IT resources that would otherwise be allocated to software maintenance tasks, such as patching and upgrades.

However, SaaS won't sideline IT. Far from it. Departments rolling out SaaS applications need our help in evaluating the provider's ability to deliver the service--including complying with internal and external privacy regulations. IT must also work with lines of business to evaluate the true TCO of a SaaS deployment. That means cutting through vendor hype to ensure the balance sheet reflects expenses beyond subscription costs, such as increased data storage capacity requirements and the internal work required to integrate the service into the organization.

Once the service is running, business groups will also call on IT for customization to accommodate specific business needs and to integrate services with other key applications.

Both software vendors and customers are investing in SaaS. This past November, Microsoft launched Office Live, which delivers Web hosting and business applications as a service for small businesses. It's also preparing to launch hosted versions of its CRM and ERP applications. Meanwhile, Oracle offers Oracle Database and Oracle Fusion Middleware; it will host these in its own data center or manage them onsite for customers. Oracle also offers a variety of Siebel, JD Edwards and PeopleSoft applications as hosted offerings or as services.

But the newest entrant to the SaaS market is a start-up called Workday, which is taking on Oracle and SAP by offering ERP as a service. The company, launched by former PeopleSoft CEO and founder Dave Duffield, is going after midmarket customers with 1,000 to 5,000 employees.

In fact, midsize and smaller companies are getting increased attention from software vendors that are adopting SaaS as a delivery model. Progress Software, for example, helps ISVs that serve vertical markets, such as health care, insurance and transportation, re-architect their software to offer it as a service. The company says SaaS is helping these ISVs reach new customers.

Even vendors outside the SaaS arena are looking to get in the game by integrating with SaaS applications. IP telephony vendor ShoreTel, for instance, recently launched an application that lets Salesforce.com users make calls by clicking on a customer name or icon, boosting the number of calls a sales rep can make.

As SaaS establishes itself as a valid option for application delivery, IT must address the data protection and compliance issues it raises. This is particularly true for SaaS applications, such as ERP, that deal with corporate financial information, salaries and HR records, and health care, which may include patient records and personally identifiable information.

Carefully vet SaaS deployments to ensure that sensitive information residing in databases outside of IT's control are properly secured by the provider, especially for multitenancy situations in which data from multiple SaaS customers resides on the same server. Consider encrypting data at rest and ensure that issues such as database access controls and auditing will satisfy internal and external privacy compliance policies.

Monster Mashups

2007 will also see a rise in Web 2.0 technologies, despite concerns about security (see "Danger 2.0"). In particular, mashups provide a way to create new applications that draw on data stores and Web services, both inside and outside the organization's boundaries. IBM launched a set of tools for creating enterprise mashups in June, and BEA Systems plans to have its own mashup infrastructure tools available in 2007.

Mashups are popular because, by using pre-existing Web services and tools such as Ajax, developers can put these applications together much more quickly than in a conventional build. But the downsides are also significant.

Ajax toolkits don't interoperate, and Ajax's full impact on servers, desktops and network infrastructure have yet to be accounted for--an office full of employees running Ajax-enabled apps may bring systems crashing to a halt. There also are security implications. Unlike SOA, Web 2.0 technologies don't have the underlying protocols that provide security basics, such as authentication and encryption. Without tight control, Web 2.0-based applications could well violate policies or regulations by exposing sensitive data, such as personally identifiable information, to people who shouldn't be allowed to see it.

"Security concerns about the visibility of personal information, access to underlying business logic, are going to be manifested in some real exploits," said Jesse James Garrett, the man who coined the term Ajax, in a recent NWC Interview. "Somebody's going to get burned."

Protection Racket

At the same time that IT is being asked to make information and services more flexible and open, they are also under considerable pressure to ensure the privacy of corporate data. Although it's difficult to estimate the full cost of a breach, earlier this year the FTC levied a $15 million fine against ChoicePoint, a data-aggregation company that was responsible one of the first widely publicized breaches of personal information. ChoicePoint exposed approximately 145,000 records, which comes to a per-record tally of about $103 from the fine alone. Other costs, such as lost business and the time and money spent notifying consumers and setting up free credit monitoring services, get added to that total.

It's no surprise then that data security is top of mind for many businesses. According to Ernst & Young's 9th Annual Global Information Security Survey, regulatory compliance and privacy protection will be the top two drivers of information security practices in the coming year. Unfortunately for IT, however, many of the mechanisms put in place to protect corporate data focused on external attacks, not privacy protection. According to the Ernst & Young survey, slightly less than 25 percent of companies interviewed have privacy projects under way.

Data protection strategies are coalescing around three general areas: preventing unauthorized access to, or misuse of, information stored in databases; preventing information from leaving the enterprise through common communication channels; and addressing the security of laptops and removable media.

All good ideas, but each has its limitations. For instance, database monitoring products from companies such as Applications Security, Guardium, Imperva and IP Locks raise the bar against a malicious insider looking to get access to valuable data. Administrators can create rulesets to limit the activities of authorized users and applications, alert security staff about suspicious behavior, and in some cases halt unwanted activity. Database-monitoring products also provide an independent auditing mechanism that is outside the control of the database administrator.

On the downside, however, these tools and techniques add a monitoring burden to the IT security staff, require training, can generate false positives and, depending on the architecture, may miss malicious behavior entirely.

ILP (information leak prevention) systems monitor content being sent outside the enterprise through common methods such as e-mail, Web mail and FTP. They are useful for protecting sensitive information that resides in Word documents and spreadsheets, and can be configured to detect information such as Social Security numbers. These products are useful for enforcing corporate policies about the kind of information that can be transmitted outside the organization. They can also help discover where sensitive information resides throughout the enterprise--a key feature in the age of distributed data.

However, these systems aren't foolproof: An insider could simply bring home sensitive data on a laptop, or copy it to removable media. And, the system will only be as effective as the data profiles it's configured to look for. Finally, a human analyst is required to investigate when the system detects information being sent out of the enterprise, which will require IT resources.

Laptops and removable media are key sources of data loss, as evidenced by the May 2006 theft of a laptop and hard drive containing 26.5 million records of U.S. military veterans. Enterprises can deploy encryption software to secure specific files or even the entire hard disk. Companies such as PGP, PointSec and SafeBoot provide encryption capabilities to ensure that lost or stolen laptops or thumb drives don't lead to information exposure.

On the downside, as we found in our recent review (see "Lock Down Loose Cannons" ), these solutions can be expensive to deploy to a large number of users, and they come with all the usual helpdesk headaches, such as password resets. They also address a very narrow segment of the privacy protection puzzle.

In addition to finding technological solutions, enterprises must assess their business processes to understand where the greatest risks for data exposure and loss exist. Once again, ChoicePoint serves as an excellent case study--identity thieves set up a fake business to pose as legitimate customers, and ChoicePoint simply sold them the records. Thus, the breach was a failure of the company's business processes, not an attack or a disgruntled insider.

In addition to reviewing business processes, companies must also understand where the protection strategies they employ will (and won't) meet regulatory or industry requirements. Without these steps, 2007 will look a lot like 2006.

Technology Editor Andrew Conry-Murray can be reached at [email protected]/a>.