Many modernization projects involve migration from legacy platforms, where the security paradigm needs to change to reflect the new architecture and to align with the threats prevalent in today’s corporate ecosystem. Legacy systems typically either provided their own security implementation (custom, and confined to that one application) or relied on an external identity and access management (IAM) system that is inflexible and built around usage patterns that advances in architecture and platforms, such as social media and mobile, have since outmoded.
According to our NTT Data IT security expert, Todd Pagden, there are a few security considerations when implementing a modernization project:
Legacy systems, because of their monolithic (or tightly integrated) nature, often did not allow for deep extension of the security model. Given the low flexibility inherent in many IAM solutions, the business was frequently forced to sacrifice functionality or usability. While this proved manageable (though not optimal) with employees, organizations now offer more of their services externally and must cater to customers who will not tolerate significant friction in their usage.
One often overlooked point is how difficult it was to develop against (and alongside) applications gated by traditional IAM systems, which slowed development, configuration, and setup. Many projects circumvented the controls and developed habits or workarounds that have, on occasion, found their way into production. The IAM infrastructure was so cumbersome and poorly understood that it often became an impediment to security: staff would avoid sound practices or misjudge the capabilities of the product.
According to Todd Pagden, until relatively recently coarse-grained authorization remained the primary approach to protecting applications. With coarse-grained authorization, resources are protected at the level of URLs and complete “resources,” so assets are protected in their entirety (e.g. either a user can access the entire page/screen or they are completely blocked from it). Traditionally, the architecture consisted of agents residing on the presentation servers, intercepting requests for pages and sending each request to a focused (and often simplistic) policy server for evaluation.
Unfortunately, coarse-grained authorization revolves around perimeter defense. Employees would come to work, log into an ostensibly secure environment, perform their work and log out. Legacy systems often mirrored this dynamic, treating the boundary with the external world (the Internet) as the front-line defense, with the focus on corporate-owned and controlled assets. Today, employees use devices that move freely between the employer’s network and various highly exposed environments, while consuming services not directly owned by the organization (e.g., SaaS). This has only been exacerbated by the consumerization of IT, where employees bring their own devices to the workplace. Based on the above, Todd Pagden suggests that a standards-based, robust entitlement processing server is critical to CIOs’ strategies for security modernization. With the rise of mobile applications and working environments, the method of communication across multiple environments needs to be standard and open rather than the closed, custom and/or proprietary format inherent in many legacy systems.
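To make the contrast in the two preceding paragraphs concrete, the following is an added example (not code from the original article, NTT Data, or any product it mentions). It models a coarse-grained URL gate of the kind a presentation-tier agent enforces beside a fine-grained entitlement check that evaluates subject, resource, action and environment attributes with deny-overrides combining, in the style of an entitlement (XACML-like) policy server. All roles, attributes, paths and sample requests are invented for illustration.

```python
"""Coarse-grained URL gating beside fine-grained, attribute-based entitlements.

Added example, not from the original article. The rules, roles, attributes and
sample requests below are constructed for illustration only.
"""
import fnmatch
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# ---- Coarse-grained: an agent on the presentation tier matches the URL ------
# Each rule is (url pattern, roles allowed to reach anything under it).
COARSE_RULES = [
    ("/admin/*",    {"admin"}),
    ("/accounts/*", {"employee", "admin"}),
    ("/public/*",   {"anonymous", "customer", "employee", "admin"}),
]

def coarse_decision(path: str, roles: Set[str]) -> str:
    """All-or-nothing: the whole page is either reachable or blocked."""
    for pattern, allowed in COARSE_RULES:
        if fnmatch.fnmatchcase(path, pattern):
            return "Permit" if roles & allowed else "Deny"
    return "Deny"  # default deny for paths no rule covers

# ---- Fine-grained: an entitlement server evaluates request attributes -------
@dataclass(frozen=True)
class Request:
    subject: dict      # who: id, roles, branch ...
    resource: dict     # what: type, owner, branch ...
    action: str        # read / update / export ...
    environment: dict  # context: device_managed, network ...

# A rule returns "Permit", "Deny", or None when it does not apply.
Rule = Callable[[Request], Optional[str]]

def deny_export_from_unmanaged_device(r: Request) -> Optional[str]:
    # BYOD consideration: bulk actions only from managed devices.
    if r.action in {"export", "transfer"} and not r.environment.get("device_managed", False):
        return "Deny"
    return None

def customer_reads_own_account(r: Request) -> Optional[str]:
    if ("customer" in r.subject["roles"] and r.action == "read"
            and r.resource["type"] == "account"
            and r.resource["owner"] == r.subject["id"]):
        return "Permit"
    return None

def employee_handles_branch_accounts(r: Request) -> Optional[str]:
    if ("employee" in r.subject["roles"] and r.action in {"read", "update", "export"}
            and r.resource["type"] == "account"
            and r.resource["branch"] == r.subject.get("branch")):
        return "Permit"
    return None

def admin_any(r: Request) -> Optional[str]:
    return "Permit" if "admin" in r.subject["roles"] else None

POLICY: List[Rule] = [
    deny_export_from_unmanaged_device,
    customer_reads_own_account,
    employee_handles_branch_accounts,
    admin_any,
]

def fine_decision(req: Request, rules: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: any Deny wins; otherwise any Permit wins;
    a request no rule covers is treated as not entitled (Deny)."""
    results = {rule(req) for rule in rules}
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"

def compare(path: str, req: Request) -> tuple:
    """Same request through both models: (coarse, fine)."""
    return coarse_decision(path, set(req.subject["roles"])), fine_decision(req)

# ---- Constructed sample requests -------------------------------------------
CUSTOMER_OWN = Request(
    subject={"id": "cust-1001", "roles": ["customer"]},
    resource={"type": "account", "owner": "cust-1001", "branch": "north"},
    action="read", environment={"device_managed": False})        # own phone
CUSTOMER_OTHER = Request(
    subject={"id": "cust-1001", "roles": ["customer"]},
    resource={"type": "account", "owner": "cust-2002", "branch": "north"},
    action="read", environment={"device_managed": False})
EMPLOYEE_OTHER_BRANCH = Request(
    subject={"id": "emp-7", "roles": ["employee"], "branch": "south"},
    resource={"type": "account", "owner": "cust-1001", "branch": "north"},
    action="read", environment={"device_managed": True})
EMPLOYEE_BYOD_EXPORT = Request(
    subject={"id": "emp-9", "roles": ["employee"], "branch": "north"},
    resource={"type": "account", "owner": "cust-1001", "branch": "north"},
    action="export", environment={"device_managed": False})

if __name__ == "__main__":
    for name, req in [("customer own account", CUSTOMER_OWN),
                      ("customer other account", CUSTOMER_OTHER),
                      ("employee other branch", EMPLOYEE_OTHER_BRANCH),
                      ("employee BYOD export", EMPLOYEE_BYOD_EXPORT)]:
        print(f"{name:24s} coarse/fine = {compare('/accounts/1001', req)}")
```

The URL gate cannot express either of the cases the article cares about: it blocks the external customer from a page that shows only their own data, and it lets any employee open any account under `/accounts/` regardless of branch or device. The attribute-based rules decide per resource and per context, and deny-overrides ensures the device rule wins even when a role rule would permit.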
The primary focus of IAM suites has traditionally been the enterprise environment rather than the “Internet.” With the rise of API- and SOA-based environments within the enterprise (not to mention distributed cloud environments), users access assets from a multitude of clients, settings and network connections. Many of the newer technologies and devices simply aren’t supported by traditional IAM stacks, whose architecture is often heavyweight, proprietary and written for a specific platform.
It is critical for CIOs to plan for these more distributed environments when designing security for their modernization effort. Trends such as the consumerization of IT and BYOD must be taken into account when developing the security regime and architecture.
While this is by no means an exhaustive list of the security strategies that must be considered to ensure success in a large-scale modernization project, attention to the points above can help establish the right building blocks for a sound security roadmap as part of the CIO’s modernization initiative.