Security: At the Heart of Digital Transformation
Any meaningful, sustainable, and high-impact digital transformation that is built on SMAC technologies (Social, Mobile, Analytics, Cloud) as its skeleton and has an engaging user experience as its soul must have security at its heart. In an era where devastating customer data breaches are widespread, and advanced persistent threats enabled by zero-day exploits are the new normal, any digital transformation journey must include security, all the way from design through execution and into post-deployment monitoring. Joining me as co-author for this article is Dr. Pandurang Kamat, my colleague at Persistent Systems and an information security expert.
Typical elements of digital transformation, such as BYOD and cloud, expose wider attack surfaces to hackers and create new security (e.g., cross-network, cross-system access) and compliance (e.g., privacy in analytics) challenges. Here are some important considerations from a holistic secure design perspective to address these and other security challenges arising from digital transformation.
Security is imperfect: Recognize that, despite best efforts, it is quite likely that your systems will be breached and some user data compromised. Create explicitly written data retention policies as well as data breach disclosure and end-user notification processes.
Identity and Authorization: If the transformation involves systems with different identity stores, create a plan to merge and de-duplicate the identities and create singular authentication and role-based access control mechanisms.
Secure APIs: APIs are the plumbing of digital transformation projects. Providing secure access to the functions and data allows the enterprise to build a successful platform strategy to exploit new channels of customer access or product delivery. Use secure API concepts – such as API Keys and stateless encrypted calls – to protect your system against common exploits such as replay attacks, cross-site scripting, or cross-site request forgery attacks.
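The API key and replay protection ideas above can be made concrete with a signed request. This is an added example, not code from the article or from Persistent Systems: each call carries a key id, timestamp, nonce and HMAC, so no session is needed and a captured request cannot be resent. The key name, secret, five-minute window and in-memory nonce cache are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credentials (assumed names): key id -> shared secret.
API_KEYS = {"partner-app-01": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300   # assumed freshness window
_seen_nonces = {}        # (key_id, nonce) -> time after which the entry can be dropped


def _mac(secret, method, path, body, timestamp, nonce):
    """HMAC-SHA256 over every field an attacker could otherwise alter."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method, path, body_hash, str(timestamp), nonce])
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def sign_request(key_id, secret, method, path, body, now=None):
    """Client side: produce the authentication headers for one call."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    signature = _mac(secret, method, path, body, timestamp, nonce)
    return {"key_id": key_id, "timestamp": timestamp,
            "nonce": nonce, "signature": signature}


def verify_request(headers, method, path, body, now=None):
    """Server side: return (accepted, reason)."""
    now = time.time() if now is None else now
    secret = API_KEYS.get(headers["key_id"])
    if secret is None:
        return False, "unknown key"
    expected = _mac(secret, method, path, body,
                    headers["timestamp"], headers["nonce"])
    if not hmac.compare_digest(expected, headers["signature"]):
        return False, "bad signature"
    if abs(now - headers["timestamp"]) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Forget nonces whose requests are already too old to pass the check above.
    for key in [k for k, expiry in _seen_nonces.items() if expiry < now]:
        del _seen_nonces[key]
    marker = (headers["key_id"], headers["nonce"])
    if marker in _seen_nonces:
        return False, "replayed nonce"
    # Remember the nonce for as long as its timestamp could still be accepted.
    _seen_nonces[marker] = headers["timestamp"] + MAX_SKEW_SECONDS
    return True, "ok"
```

The signature covers a hash of the body, so tampering with the payload fails verification as well; the calls still need TLS for confidentiality.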
Privacy in data analysis: Analytics-driven insights and intelligence are often the driving force behind digital transformation. When leveraging data, especially across previously siloed systems, be acutely aware of its security, privacy, and compliance requirements. For example, a system performing analytics on the transaction history of users does not need access to the user’s personally identifiable information.
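One way to give an analytics system transaction history without personally identifiable information, as an added example that is not from the original article: fields are copied through an allow-list and the user is replaced by a keyed pseudonym, so per-user analysis still works. The field names, key and sample records are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed: this key stays with the system of record, never with analytics.
PSEUDONYM_KEY = b"constructed-demo-key"
# Allow-list: only these fields may cross into the analytics store.
ANALYTICS_FIELDS = ("amount_cents", "category", "day")

# Constructed sample records.
TRANSACTIONS = [
    {"user_id": "u-1001", "name": "A. Rao", "email": "a.rao@example.com",
     "card_last4": "4242", "amount_cents": 1250, "category": "grocery",
     "day": "2015-03-02"},
    {"user_id": "u-1002", "name": "B. Iyer", "email": "b.iyer@example.com",
     "card_last4": "1881", "amount_cents": 9900, "category": "travel",
     "day": "2015-03-02"},
    {"user_id": "u-1001", "name": "A. Rao", "email": "a.rao@example.com",
     "card_last4": "4242", "amount_cents": 300, "category": "grocery",
     "day": "2015-03-03"},
]


def pseudonym(user_id, key=PSEUDONYM_KEY):
    """Keyed hash: stable per user, not recomputable from guessed IDs without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def analytics_view(records, key=PSEUDONYM_KEY):
    """Project each record onto the allow-list and swap the user for a pseudonym."""
    view = []
    for record in records:
        row = {field: record[field] for field in ANALYTICS_FIELDS}
        row["subject"] = pseudonym(record["user_id"], key)
        view.append(row)
    return view


def spend_per_subject(view):
    """Example analysis that needs a stable subject but no identity."""
    totals = defaultdict(int)
    for row in view:
        totals[row["subject"]] += row["amount_cents"]
    return dict(totals)
```

An allow-list fails closed: a new PII column added to the source later is not exported unless someone names it explicitly.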
Mobile App security: Delivering services to the end-user on multiple mobile devices is typical of digital transformation and exposes you to additional security concerns, which you must address. (A recent study shows an alarming lack of security in mobile apps.)
As the end-user is often accessing sensitive information over insecure or public networks, the app must ensure end-to-end security of such information flow.
Ensure that any access tokens and other app data stored locally on the end-device are stored securely (and preferably encrypted), so even an OS-level exploit does not let them fall into the hands of rogue apps.
These devices are likely to be stolen or lost, risking unauthorized access to enterprise services and data. A typical mitigation for highly sensitive applications such as banking and healthcare is to require a PIN or password each time the app is accessed.
Cloud security: Digital transformation often involves leveraging the cloud as a cost-efficient and innovative service delivery model. Architect the cloud application and deployment as an extension of the secure enterprise model.
Encrypting data in transit is basic hygiene. For cloud deployments, consider encrypting all cloud-resident data (not just the sensitive pieces) at rest as well.
Ensure compliance with the data residency regulations of the countries where the solution will operate. This sometimes involves ensuring that customer data from a given country or region is not stored outside its geographical boundaries, having different retention and privacy policies for different regions, managing data replication policies, etc.
Enterprises typically deploy Data Loss Prevention (DLP) solutions that look for unauthorized exfiltration of sensitive data across the enterprise perimeter. With a cloud deployment, extend such a DLP system to also monitor the enterprise and customer data in the cloud.
Cross-network and external access: Digital transformation often opens up internal services to vendors, customers, partners, and third-party developers. This can create new data access and movement pathways that cross from unsecured to secure network segments. Continually monitor network security events, and have advanced threat detection systems raise alarms when unusual network activity is detected. In at least one high-profile retailer data breach last year, there was clear cross-border access from a network segment that deployed a vendor-accessible application to the highly secure, PCI-DSS compliant network segment handling payment processing.
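A minimal detection for the cross-segment access described above, as an added example that is not from the original article: flow records are mapped to network segments and any segment-to-segment path outside an explicit allow-list is reported, with paths into the payment segment marked critical. The address ranges, segment names, allowed paths and flow lines are all constructed for illustration.

```python
import ipaddress

# Constructed segment map (assumed addressing).
SEGMENTS = {
    "vendor-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.30.0.0/16"),
    "pci": ipaddress.ip_network("10.99.0.0/24"),
}
# Allowed (source segment, destination segment, destination port) paths.
ALLOWED = {("corp", "pci", 443), ("vendor-dmz", "corp", 443)}

# Constructed flow log lines: "source destination destination-port".
FLOWS = """\
10.30.4.17 10.99.0.12 443
10.20.0.8 10.30.1.5 443
10.20.0.8 10.99.0.12 445
10.30.4.17 10.30.9.9 22
10.20.0.8 10.99.0.40 1433
"""


def segment_of(address):
    """Return the name of the segment containing the address, or 'external'."""
    ip = ipaddress.ip_address(address)
    for name, network in SEGMENTS.items():
        if ip in network:
            return name
    return "external"


def violations(flow_text):
    """Return one alert per flow that crosses segments outside the allow-list."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        src, dst, dport = parts[0], parts[1], int(parts[2])
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg == dst_seg:
            continue  # traffic inside one segment is out of scope here
        if (src_seg, dst_seg, dport) not in ALLOWED:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "path": f"{src_seg}->{dst_seg}",
                           "critical": dst_seg == "pci"})
    return alerts
```

On the sample data this reports the two flows from the vendor-accessible segment into the payment segment and nothing else.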
As you embark on your Digital Transformation journey, we hope these points resonate with you and become an integral part of your digital roadmap.
In a future post, we will get into how to protect the enterprise against advanced threats and the security vs privacy balancing act. Let us know, in the comments section, what security topics you are interested in reading about.