Intelligent security for enterprise applications a must

Application security essentials explained

Johannesburg, 02 May 2007

The push for ever-greater access to information by an increasingly larger base of business stakeholders is driving application security concerns to a higher level.

With myriad users - including staff, clients and suppliers - accessing corporate data via different applications and communications channels, organisations are scrutinising the security built into the applications and demanding protection at the data layer.

"Applications that provide a comprehensive foundation to address security concerns make provision for addressing authentication, access control, data-level security, the installation of an application firewall and encryption," says Christo Nel, services solution manager at Cognos SA. "These provisions will ensure greater control over data and finer management of user access, a reduction in complexity and administrative costs, and the lowering of risk to the organisation."

According to Nel, the primary security considerations organisations should bear in mind when evaluating applications include:

Authentication: A key security criterion is that applications contain pre-built integration with leading security providers, and APIs for custom security systems, to enable simultaneous user authentication and logon to any number of namespaces. While some application vendors still rely on their own security maintenance, applications that enable customers to leverage best-of-breed security solutions reduce the complexity, time and cost of administering and maintaining multiple security systems.

Access control: The establishment of granular user access rights from within applications (or via a third-party security provider with which an application can integrate) enables centralisation of authorisation, simplifying administration of diverse user communities. This lifts the IT administrator's burden of managing multiple security schemes. As a result, IT can grant or deny permissions, allow BI activities, and track/audit usage for selected users, groups and roles. Companies can leverage this control to meet government and industry compliance requirements and reduce the IT cost of maintaining authorisation to BI capabilities.

Data-level access rights: Applying security to objects and information (including folders, subject areas, individual reports, analysis, metrics, scorecards and dashboards, events and alerts, portal pages, data connections, etc) at a granular level eliminates the need for maintaining different information models per user group. It also reduces report proliferation as one report can display different content depending on data security settings for different users. In addition, data-level security enables standardisation of a centralised or hosted solution/application, ensuring different user communities only have access to the information they need.
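The two preceding points, object-level permissions on a report and data-level (row) filters that let one report show different content to different users, are illustrated below in a small added example. This is illustrative code written for this article, not Cognos product code; the report name, roles, filter rules, sample sales rows and audit format are all constructed for the example.

```python
"""Added example (not Cognos code): one report definition, role-based
permission to run it, and per-role row filters so each user sees only
the rows their data-level security settings allow. Usage is audited."""
from dataclasses import dataclass, field

# Constructed sample fact table (hypothetical data): sales by region.
SALES = [
    {"region": "EMEA", "rep": "ana", "amount": 1200},
    {"region": "EMEA", "rep": "bob", "amount": 800},
    {"region": "APAC", "rep": "chen", "amount": 1500},
    {"region": "AMER", "rep": "dee", "amount": 900},
]

# Object-level permissions (hypothetical): roles allowed to run each report.
# "contractor" may run the report but has no row filter below, so it sees
# no rows: absence of a data-level rule denies, it never grants.
REPORT_PERMISSIONS = {
    "regional_sales": {"sales_manager", "regional_lead", "auditor", "contractor"},
    "payroll": {"hr"},
}

# Data-level security (hypothetical): a row predicate per role.
ROW_FILTERS = {
    "sales_manager": lambda user, row: True,                # whole table
    "regional_lead": lambda user, row: row["region"] == user.attrs.get("region"),
    "auditor": lambda user, row: row["amount"] >= 1000,     # large transactions only
}

AUDIT_LOG = []  # one dict per report request, granted or denied


@dataclass
class User:
    name: str
    roles: frozenset
    attrs: dict = field(default_factory=dict)  # e.g. {"region": "EMEA"}


class AccessDenied(Exception):
    pass


def can_run(report, user):
    """Object level: at least one of the user's roles is granted on the report."""
    return bool(REPORT_PERMISSIONS.get(report, set()) & user.roles)


def run_report(report, user, rows=SALES):
    """Return the rows of `report` visible to `user`, or raise AccessDenied.

    A row is visible if any of the user's roles has a filter admitting it.
    A user whose roles carry no filter at all gets an empty result.
    """
    if not can_run(report, user):
        AUDIT_LOG.append({"user": user.name, "report": report, "outcome": "denied"})
        raise AccessDenied(f"{user.name} may not run {report}")
    filters = [ROW_FILTERS[r] for r in user.roles if r in ROW_FILTERS]
    visible = [row for row in rows if any(f(user, row) for f in filters)]
    AUDIT_LOG.append({"user": user.name, "report": report,
                      "outcome": "granted", "rows": len(visible)})
    return visible


def visible_reps(report, user):
    """Convenience for checking results: sales reps in the rows the user sees."""
    return [row["rep"] for row in run_report(report, user)]


if __name__ == "__main__":
    lead = User("leo", frozenset({"regional_lead"}), {"region": "EMEA"})
    print(visible_reps("regional_sales", lead))  # EMEA rows only
    print(AUDIT_LOG[-1])
```

The same report object is served to every caller; what differs is the row set, so the report does not need to be copied per user community. Note the two-step check: object-level permission decides whether the report runs at all, data-level filters decide what it returns, and a role granted the report but missing from the filter table sees nothing rather than everything.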

Application firewall: An application firewall will prevent unauthorised access to certain services available via the application. It also monitors and interprets protocol traffic between application services to help prevent hostile attacks and service interruption, and logs any denied traffic. This approach balances open services with stringent security to give organisations confidence for global and external deployment.

Encryption: Applications should protect all data and transmissions using industry-standard encryption algorithms such as Triple DES and AES. This encryption approach limits data vulnerability, securing communications and protecting information from data source to data presentation (through a dashboard, scorecard, report, spreadsheet, etc).

"Business applications represent not only a core part of business operations but a primary conduit for business information and means of access to sensitive corporate data. As part of a holistic security strategy, the architecture and frameworks of applications must thus be scrutinised carefully and weaknesses shored up," concludes Nel.

Editorial contacts

Liesl Simpson
Evolution PR
(011) 462 0628
liesl@evolutionpr.co.za
Christo Nel
Cognos Africa
(011) 603 5700
christo.nel@cognos.com