As Hyper-Extended Markets Grow, So Do Security Risks

RSA
August 4, 2009 | COMMENTS

Businesses are rapidly embracing new tools and technologies, including cloud computing, social networking, virtualization, and mobile communications, accelerating the breakdown of the traditional boundaries that surround organizations and protect their data assets. The result is the “hyper-extended enterprise.” Although this evolution is helping companies achieve strategic goals such as cutting costs, boosting innovation, and improving internal and external communications, it's also potentially exposing them to information security risks.

• A recent survey by IDG Research Services examines these risks and suggests how companies can assess and address them. Key findings include:
• Although nearly half of respondents say they have adopted Web 2.0 technologies or plan to do so in the next year, a significant number have no strategies to assess the risks involved, and some have even deployed the technologies without informing corporate IT security.
• More than 8 of 10 respondents are concerned that pressure to cut costs and generate revenue has increased their exposure to security risks. More than 7 of 10 say they have experienced a security issue in the last 18 months.
• Only 44% have created employee “acceptable use” policies for social networking tools and sites.
• The majority of respondents agree that they need to improve their approach to enterprise security strategy to accommodate the realities of the hyper-extended enterprise.

Leaping Before They Look

The “hyper-extended enterprise” is defined as one that uses new web and communications technologies to exchange more information with more constituencies in more ways and in more places than ever before. Hyper-extended enterprises typically use these technologies internally across their global enterprises and externally to integrate customers, partners, suppliers, and other third parties into their operations. Nearly 3 out of 4 respondents believe that their organizations meet this definition or will soon.

However, the survey results suggest the accelerating trend toward hyper-extension is causing many company leaders to act in one of two extremes: either overly eager or overly cautious.

Some companies are so excited about the potential of these new technologies that they are leaping into adoption without doing the due diligence needed to ensure their critical processes and data will be secure. Cloud computing provides a dramatic example. Among all survey respondents, 31% have already moved at least some enterprise-wide or departmental applications to the cloud, and another 16% say they plan to do so in the next year. More than half of this group says they are unsure how they will ensure data integrity and compliance as they use shared infrastructure services. A majority do not clearly understand how potential cloud computing vendors will protect their data or how their enterprise security team will meet compliance obligations once data moves to the cloud. More than 40% say they worry about not being able to trace the geographic location of their data. Most surprisingly, more than a quarter (29%) say business units have used cloud computing services without involving or informing corporate IT.

And yet, even though only 17% of this group have actually established a cloud computing security strategy, 70% of them feel “very confident” or “somewhat confident” that they're ready for widespread adoption of enterprise cloud computing from a security perspective.

This disconnect holds true across the web and communications technologies that define the hyper-extended enterprise: Only 43% of survey respondents say their IT security team works with business in all cases to develop a risk assessment and mediation process, while 35% report gaps, and 16% say security only gets involved after a problem arises. What's more, some respondents admit their organizations are adopting these technologies without security's awareness.

On the other hand, other respondents are actively avoiding these technologies, thus passing up opportunities to reduce costs and improve business flexibility, productivity, and ability to innovate.

The sensible way to enable the hyper-extended enterprise without excessive exposure to risk is to aim for the middle ground. This means shifting the focus of the enterprise security strategy to policies and practices that accommodate data sharing while still protecting its confidentiality, integrity, and availability. This new approach must be more proactive and more collaborative, starting with a focus on safeguarding data regardless of where it's stored or who accesses it.

The issue of protecting data becomes even murkier when companies start to move critical information and processes into the cloud. Survey respondents' top concerns for cloud computing in particular include these issues:

• Lack of transparency for vendor security processes (51%)
• Immature technology (47%)
• Protecting data integrity (45%)
• Lack of security standards (40%)
• Risk of non-compliance (40%)

Identifying risk after the fact or only in the event of a security breach is, frankly, a gamble few organizations can afford. Yet organizations are still racing to adopt new technologies without full attention to the security issues they create. Given this disconnect, organizations clearly need to prioritize and increase their ability to assess and mitigate risk before adoption.

The need to be increasingly flexible and responsive to changing market conditions means the hyper-extended enterprise is here to stay. As enterprises adopt these technologies for competitive advantage, capitalizing on new opportunities while minimizing risk requires them to formulate a new approach to information security. To do so, consider these steps:

• Ask the business side how they expect to use a given technology and why, and then make decisions based on actual business needs rather than potential benefits and presumed threats.
• Test the technology and make decisions based on it actual performance.
• Ask vendors for their opinions. As vendors learn to support products beyond the traditional boundaries of the enterprise, they can increasingly share customer stories, both successful and otherwise.

This is an executive summary from RSA's white paper entitled “As Hyper-Extended Markets Grow, So Do Security Risks.” RSA, the security division of EMC, is a provider of security solutions for business acceleration. Download the complete white paper for free at http://www.cio.com/white-papers.