Last weekend I contemplated the idea of finally designing and building my own website for my little photography business. I realized I had outlived the basic photo hosting service I had been using for so long.
At the very least I knew I needed different user profiles for my customers and the ability to grant them selective access, I also wanted to implement a better shopping cart experience and offer print services in different countries. This functionality seemed to make sense and was not that difficult to implement.
Then I started thinking about security.
It seemed that I’d need a user access management solution to maintain the different profiles I was looking for. For example, how should I handle password management, especially since more and more customers want to use their mobile devices and come from networks and locations that cannot be considered secure, per se. So, I also had to consider the myriad of network threats that could compromise my hosting solution.
Then, when I started to think about accepting credit card payments, the PCI DSS light bulb went on in my head, because at the end of the day I am still an IT Security Architect.
The bottom line of this little “I want my own website” venture came down to the decision that I am probably far better off staying with my current photo hosting service where all of the security issues are being handled in a central way and protect the complete environment without me having to “architect” my own solution.
But, how do you approach an overall IT Security Architecture? There are so many aspects and angles to it that it seems almost dreadful to undertake this adventure. Let’s look at some of the key factors to keep in mind.
First of all, you need to look at the business aspect of security – I know, security seems awfully technical to me, too. But almost everything we do in security, or rather what we don’t do, has a direct impact or connection to the business.
Security Framework
Organizations rely on Information Security (IS) systems more than ever to detect threats to intellectual property, reputation, and privacy. As such, organizations often adopt a piecemeal or technology-driven approach to security. Using this approach alone does not provide sufficient protection for business processes and assets against these business risks as it may overlook key, cross-discipline aspects.
As the pace of globalization continues and new technologies emerge, traditional boundaries between organizations continue to disappear. The ideal response involves planning and assessment to identify risks across key business areas, including people, processes, data, and technology throughout the entire organization. It is important to take a holistic approach that can facilitate a business-driven security blueprint and strategy that can act as an effective defense for the entire organization.
Organizations should build business services that are secure by design, meaning that security is intrinsic to their business processes, product development, and daily operations. Security should be factored into the initial design, not bolted on afterwards. This enables an organization to securely and safely adopt new forms of technology, such as cloud computing and mobile device management, and business models such as tele-working and outsourcing can be more safely leveraged for cost benefit, innovation, and shorter time to market.
With these security domains, capabilities, and services in mind, I had the opportunity to work with a brilliant team of security experts from around the world to update an IBM Redbooks publication that addresses a detailed overview of the IBM Security Framework, the IBM Security Blueprint, and the IBM Security Maturity Model.
If you want to find out more about a product agnostic approach to build and design a holistic and complete IT security architecture make sure you visit our website and download the IBM Redbooks publication: Using the “IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security”
IT Specialist, Software Security Architecture