AdNovum Security Update 2014 Security in an Extended Enterprise
An increasing number of media reports are dedicated to IT security. What are the typical points of attack and attack scenarios? And how can companies protect themselves and us more efficiently? These and other issues were discussed at AdNovum's «Security Update» for media representatives on Monday, March 3.
The NSA affair triggered by Edward Snowden was last year's major IT security topic in the media. The extent of that affair almost made people forget about the daily attacks targeting IT systems. Although insiders were not in the least surprised by the NSA's activities, the dimension and uncompromising approach were striking. The main lesson learned from this affair is that insider attacks (such as the one by Snowden himself) may have fatal impacts and that the threat models used in IT security to date have presumably been too optimistic. After all, standardization bodies, nations and producers have generally been considered trustworthy players until now. This assumption has turned out to be wrong. An example of how IT standards and IT products are weakened is Apple's «gotofail» bug, made public only last week. Irrespective of whether such a bug occurs on the orders of a secret service or by accident, it will become public knowledge and be capitalized on by unfair players in the short or medium term.
What is the risk situation for companies today and how can they protect themselves? In the past, companies were usually closed organizations with clearly defined interfaces to the outside world. Today, it is common for partners, brokers, customers, suppliers and even competitors to be directly involved in the business processes. This is also known as the Extended Enterprise (see Tim Cole, Unternehmen 2020. Hanser, München/Wien 2010). The cooperation with these stakeholders results in sensitive data leaving the company and in data that may be contaminated being fed back into the organization.
The erosion of a company's traditional security perimeter has an influence on how security measures are defined. Today, it takes more than building a protective wall around the organization and guarding the doors. In addition to the guardians at the door, internal patrols are required. In other words: measures ensuring the company's internal security such as intrusion and anomaly detection are becoming increasingly important. At the same time, it is also more and more important to involve external players in security measures, e.g. via identity federation, IAM as a Service or trust delegation. Kept in a number of applications and at different organizations, sensitive data such as passwords and credit card information may fall into the wrong hands due to leaks, data theft or profiling.
Secure handling of identity data
Secure handling of identity data is supported by technical solutions such as privacy by design, life management platforms and records management. This ultimately means that, in addition to devices, places, applications and companies, sensitive data itself also needs to be protected.
By giving a live demonstration of the OAuth 2.0 protocol for open authorization, software engineer Stephanie Stroka showed what such protection may look like. A free and open protocol, this IETF standard allows a third party to be granted secure access to web resources without a password having to be issued to it and without a separate registration.
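To make the delegation property concrete, the following is an added example, not the demonstration given at the event and not AdNovum code. It simulates the OAuth 2.0 authorization code grant in memory with three roles: an authorization server that holds the user's credentials, a resource server that checks bearer tokens, and a third-party client. The client, user, resource and credential values ("photo-printer", "alice", the password constant, the redirect URI) are constructed for the demo; the point it shows is that the third party obtains a scoped token while never handling the user's password, that a code can be redeemed only once, and that the client's `state` value guards its callback.

```python
import hmac
import secrets
import time


class AuthorizationServer:
    """Holds user credentials, issues codes and tokens; the only party that ever sees a password."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.users = {}     # username -> password (plain text only because this is a demo)
        self.codes = {}     # authorization code -> grant details
        self.tokens = {}    # access token -> user, scope, expiry

    def register_client(self, client_id, redirect_uri):
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (secret, redirect_uri)
        return secret

    def add_user(self, username, password):
        self.users[username] = password

    def authorize(self, username, password, client_id, redirect_uri, scope, state):
        """Authorization endpoint: the user logs in here (not at the client) and consents to `scope`.
        Returns the query parameters the browser would carry back to the client's redirect_uri."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("invalid_request")   # never redirect to an unregistered target
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise ValueError("access_denied")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": username, "scope": scope,
                            "redirect_uri": redirect_uri, "expires": time.time() + 60}
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: an authenticated client trades a single-use code for a bearer token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)    # pop: a replayed code finds nothing
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"],
                              "expires": time.time() + 3600}
        return {"access_token": token, "token_type": "bearer", "scope": grant["scope"]}

    def introspect(self, token):
        t = self.tokens.get(token)
        return t if t and t["expires"] > time.time() else None


class ResourceServer:
    """Serves protected data; checks token validity and scope on every request."""

    def __init__(self, auth):
        self.auth = auth
        self.data = {"alice": {"profile": {"name": "Alice"}, "contacts": ["bob", "carol"]}}

    def get(self, token, resource):
        t = self.auth.introspect(token)
        if t is None:
            return 401, "invalid_token"
        if resource not in t["scope"].split():
            return 403, "insufficient_scope"   # valid token, but the user did not consent to this
        return 200, self.data[t["user"]][resource]


class ThirdPartyClient:
    """The application being granted access; it holds a client secret, never the user's password."""

    def __init__(self, client_id, client_secret, redirect_uri, auth):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.auth = redirect_uri, auth
        self.pending_state = None
        self.access_token = None

    def start_authorization(self, scope):
        self.pending_state = secrets.token_urlsafe(16)   # binds the callback to this request (CSRF guard)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": self.pending_state}

    def handle_callback(self, params):
        if self.pending_state is None or not hmac.compare_digest(params.get("state", ""), self.pending_state):
            raise ValueError("state mismatch")
        self.pending_state = None
        self.access_token = self.auth.token(self.client_id, self.client_secret,
                                            params["code"], self.redirect_uri)["access_token"]


PASSWORD = "correct horse battery staple"   # constructed demo credential


def run_demo():
    auth = AuthorizationServer()
    auth.add_user("alice", PASSWORD)
    secret = auth.register_client("photo-printer", "https://printer.example/cb")
    client = ThirdPartyClient("photo-printer", secret, "https://printer.example/cb", auth)
    resources = ResourceServer(auth)
    request = client.start_authorization(scope="profile")     # 1. client redirects user to AS
    callback = auth.authorize("alice", PASSWORD, **request)     # 2. user logs in and consents at AS
    client.handle_callback(callback)                            # 3. client redeems code for token
    results = {
        "profile": resources.get(client.access_token, "profile"),     # 4. within consented scope
        "contacts": resources.get(client.access_token, "contacts"),   # outside consented scope
        "client_knows_password": PASSWORD in vars(client).values(),
    }
    try:   # redeeming the same code again must be refused
        auth.token("photo-printer", secret, callback["code"], "https://printer.example/cb")
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    return results
```

Running `run_demo()` yields a 200 for the consented `profile` resource, a 403 for `contacts`, `invalid_grant` for the replayed code, and confirms the client object holds no copy of the password. In a real deployment the redirect in steps 1 and 2 passes through the user's browser over TLS, passwords are stored hashed rather than in plain text, and the resource server would usually validate tokens via a signed format or an introspection endpoint rather than a shared in-process object.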