
Embracing the app economy

As end-users jump in with both feet, practical guidelines to ensure security and privacy should be remembered.

By Eren Ramdhani, principal consultant with CA Southern Africa.
Johannesburg, 08 Jun 2015

As the second half of 2015 approaches, concepts like mobility, BYOD, IoT and multichannel, including the proliferation of mobile apps, have become the disruptive trends that were predicted over the last couple of years. If anything, these trends have accelerated, because the concepts were adopted quickly by the end-users themselves, who have now embraced the application economy.

Some companies have reacted positively by being early adopters, trying to maximise and leverage the value of these new cohesive capabilities. However, many are still grappling with striking a balance between providing dynamic, flexible and constant access and restricting that access to appropriate users and devices.

The reality is the app economy is already here, and technology professionals need to define pragmatic approaches that permit them to embrace it, but also to maintain convenience, security and privacy.

Primary forces

Firstly, there has been an increased demand for quicker release cycles for new apps and solutions, and a rapid shift in demand from packaged software towards purpose-built software. With this, more thought is being given to in-house controls aimed at protecting identities, data and legacy application context. These elements were traditionally protected within the corporate firewall, but have now been shifted outside the firewall as part of an unwired enterprise that interacts with partner and customer ecosystems.

Secondly, there has been a proliferation of datasets being exposed outside the firewall, referred to as ambient data, which need to be created, transformed, aggregated, shared, published and reported on as part of big data initiatives. Locking down information as part of the security of "no" now needs to shift to the security of "know". This is where data is more valuable as a true information asset, as it collaborates with other data and transitions from on-premises into the cloud via mobile devices and autonomous sensors that interrogate and update data in real-time. This translates into an opportunity that needs careful planning and strategy to unleash the value of this data.

There is also additional complexity and there are additional challenges, with rogue states being a threat to nations; industrial espionage due to increased competitiveness; and disgruntled employees posing a risk to organisations. This definitely warrants serious consideration of more modern techniques such as predictive analytics and multi-factor authentication - including fingerprint and voice biometrics, which can be used easily on smartphones.

This plays an important role, as most businesses are now moving rapidly from the traditional high touch bricks-and-mortar approach to the invisibility of e-commerce, where the same levels of user experience (if not higher), customer satisfaction and response times are demanded. If this is not achieved, customers simply abandon the transaction and move on to another service provider.

Treating security as the traditional moat around the castle will have to be redefined, as companies now have to intentionally build several bridges that directly cross the moat into the company. This is a scary but realistic notion, as an increased number of edge devices access and interact with systems like ERP, HR, and collaboration systems which include the network itself.


Legacy applications like mainframe and modern ERPs are now being opened up to be accessed externally, thanks to RESTful application programming interfaces (APIs). Fortunately, API management capabilities have evolved from being a foundational services-oriented architecture (SOA) framework into a fully capable application development, governance and security capability, which is able to expose, describe, transform, monetise and secure data and transactions from the back-end into mobile-ready formats without the overhead of re-coding.

Vendors are finally providing a platform for developers to collaborate with each other, share their work and even meter and throttle usage of their APIs.

Degrees of trust

There will be a move from bolting on security at the end of the development process to having it built in during the app development process. This implies moving away from solely concentrating on infrastructure security like next-generation firewalls, IPS/IDS, malware detection, encryption and Web content management. These definitely have a part to play in a defence-in-depth strategy, but they need another layer that brings the shift closer to the application itself.

Information security, specifically application security, is evolving from a mere tick-box exercise to one where security is "baked in" and, more importantly, is a business differentiator, by leveraging trends that currently are not harnessed in log files, SIEM solutions, etc. This would require a mindset change from security personnel, from a traditionally defensive approach to a more offensive approach, by collaborating with the likes of business product managers, marketing departments, etc.

One-size-fits-all policies can often "over-comply" and stifle business agility. Security will now need to be involved in product development much earlier in the product life cycle, where offensive knowledge can be shared in terms of what identities are attempting to engage with the organisation, the channels frequently used, from where and, more importantly, by whom.

Security must help to define the most suitable vessel to transport the wealth of data back and forth within an organisation and beyond its boundaries, over the different form factors that customers and internal users are embracing. Ultimately, creating degrees of trust becomes the most important discussion, based on identities, context, behaviour and past interactions with organisational assets and data.
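The "degrees of trust" idea above can be made concrete as a contextual access decision: each request is scored on identity context (device, location), recent behaviour and the sensitivity of the action, and the outcome is allow, step up to a second factor such as a biometric, or deny. The following is an added illustration, not code from the column or from CA; the signals, weights and thresholds are hypothetical choices for the example.

```python
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    action: str  # "read" or "transfer" (transfer treated as more sensitive)


@dataclass
class UserHistory:
    """Past interactions for one identity (constructed, hypothetical store)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    failed_logins_24h: int = 0


def risk_score(req: AccessRequest, hist: UserHistory) -> int:
    """Sum hypothetical risk weights; higher means a lower degree of trust."""
    score = 0
    if req.device_id not in hist.known_devices:
        score += 30  # context: device never seen for this identity
    if req.country not in hist.usual_countries:
        score += 25  # context: unfamiliar location
    if hist.failed_logins_24h > 3:
        score += 20  # behaviour: recent failed attempts on this account
    if req.action == "transfer":
        score += 15  # sensitivity of the requested action
    return score


def decide(req: AccessRequest, hist: UserHistory) -> str:
    """Map the score to a degree of trust (thresholds are illustrative)."""
    score = risk_score(req, hist)
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"  # ask for a second factor, e.g. fingerprint or voice
    return "deny"


def record_success(req: AccessRequest, hist: UserHistory) -> None:
    """A completed (stepped-up) interaction raises future trust for the context."""
    hist.known_devices.add(req.device_id)
    hist.usual_countries.add(req.country)
    hist.failed_logins_24h = 0
```

Identical requests are treated differently once the device and location have been confirmed, which is the "past interactions" component the column refers to.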
