The Triple-A Approach to Enterprise IT Security
Feb 4, 2013 5:00 AM PT
Most companies tend to relegate information and technology security concerns to the IT department. After all, aren't they the ones who make sure you change your password every few months?
It might seem like IT staff are the only ones who care about such matters, and security measures might seem like a necessary evil in today's business environment in order to protect proprietary and confidential information, but there is another side to security -- a non-techie, business side.
It might come as a surprise that enterprise IT security stakeholders exist outside of IT. The reason for this is that security is not just about preventing bad things from happening. It's also about enabling and empowering business success. To do this, a company's security must align with the AAA best practices framework -- authentication, authorization and accounting.
How It's Done
This means that how you are protecting your data is as important as doing so in the first place. In fact, AAA, which might be thought of as extraneous to the core business, is actually a key pillar for fulfilling business objectives and should, therefore, be of critical concern to executive management.
Before we dive into the heart of the business value found in enterprise IT security, let's lay out the basics of the AAA best practices framework.
- Authentication is the principle that users must prove their identity by means of a password or other log-in credentials to gain access to a system.
- Authorization is the principle that authenticated users can only access the information, and perform the actions, that they are permitted to within the system. Proving who you are is not the same as being allowed to do something; authorization is the separate decision made after authentication.
- Accounting is the principle that the authenticated users' activity within the system is recorded and documented for audit purposes.
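To make the three principles concrete, here is an added example (not code from the original article) of a small access gateway that performs all three steps on every request: it authenticates a user against a salted, slow-hashed password, authorizes the requested action against a per-role permission table, and appends an accounting record whether the request succeeded or not. The user names, roles, resources and the permission table are constructed sample data for illustration.

```python
"""Minimal AAA gateway: authenticate, then authorize, then account for every request."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Assumption: PBKDF2 work factor chosen for a quick demo; production values are higher.
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16  # used so unknown usernames cost the same time as known ones


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a stolen user store is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    role: str


@dataclass
class Gateway:
    users: dict = field(default_factory=dict)
    # permissions[role][resource] -> set of allowed actions (constructed sample policy)
    permissions: dict = field(default_factory=dict)
    # accounting: one entry per request, successful or not
    audit_log: list = field(default_factory=list)

    def register(self, username: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(salt, _derive(password, salt), role)

    # --- Authentication: prove the claimed identity ---
    def authenticate(self, username: str, password: str):
        user = self.users.get(username)
        # Do the same hashing work whether or not the user exists, so response
        # time does not reveal which usernames are valid.
        candidate = _derive(password, user.salt if user else DUMMY_SALT)
        if user is not None and hmac.compare_digest(candidate, user.pw_hash):
            return user
        return None

    # --- Authorization: is this role allowed to do this to this resource? ---
    def authorize(self, role: str, resource: str, action: str) -> bool:
        return action in self.permissions.get(role, {}).get(resource, set())

    # --- Accounting: record every decision, including denials ---
    def _record(self, username: str, resource: str, action: str, outcome: str) -> None:
        self.audit_log.append({
            "ts": time.time(),
            "user": username,      # the *claimed* identity, even if authentication failed
            "resource": resource,
            "action": action,
            "outcome": outcome,
        })

    def handle(self, username: str, password: str, resource: str, action: str) -> str:
        """Run the full AAA pipeline; returns "ok", "auth_failed" or "forbidden"."""
        user = self.authenticate(username, password)
        if user is None:
            outcome = "auth_failed"
        elif not self.authorize(user.role, resource, action):
            outcome = "forbidden"
        else:
            outcome = "ok"
        self._record(username, resource, action, outcome)
        return outcome


def build_demo_gateway() -> Gateway:
    """Constructed sample: an HR role that may read salaries, an engineer role that may not."""
    gw = Gateway(permissions={
        "hr": {"salaries": {"read", "write"}},
        "engineer": {"source": {"read", "write"}},
    })
    gw.register("alice", "correct horse battery", "hr")
    gw.register("bob", "staple trombone", "engineer")
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.handle("alice", "correct horse battery", "salaries", "read"))  # ok
    print(gw.handle("bob", "staple trombone", "salaries", "read"))          # forbidden
    print(gw.handle("bob", "wrong password", "source", "read"))             # auth_failed
    print(gw.handle("mallory", "guess", "source", "read"))                  # auth_failed
    for entry in gw.audit_log:
        print(entry)
```

Two design points worth noticing: the audit entry is written on every path, not only on success, because the failed and forbidden attempts are exactly what an auditor or incident responder later needs; and authorization is checked by role against an explicit table rather than by hiding menu items, which is what "users only see what they are supposed to see" must mean in practice.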
So how then do AAA best practices for enterprise IT security align with core business values? There are three key areas -- separation of concerns, effectiveness and compliance -- and while they each roughly map to authentication, authorization and accounting, they are also so interconnected with each element of AAA that, much like three legs of a stool, if you try to remove one, the whole thing topples.
Basic but Important
Separation of concerns might seem like such a basic concept that it's not even worth mentioning; however, in reality its implications are far-reaching. Within any organization, a strong imperative exists to segregate information so that those who should access it can and those who should not cannot.
The most obvious example of this might be personnel information about salary and annual reviews, since it is apparent to most why only certain authorized individuals within a company can access such data.
These important separations exist at many levels throughout an organization, such as business, technology and geographical divisions. While seemingly elementary, they serve to enforce the business rules, processes and hierarchy that exist at the heart of the enterprise. In many ways, separation of concerns is foundational to, and interrelated with, the other business values of AAA detailed further in this article -- effectiveness and compliance.
Put simply, if this principle is not established as a fundamental IT standard, confidentiality and business authority are seriously compromised, weakening a company's core. Furthermore, from a technology standpoint, as we increasingly move into a more digital world, if IT doesn't manage who has what access, achieving business goals is put at serious risk.
The Right Information
Effectiveness is really just another way of saying efficiency. Without authorization, companies would experience one of two equally inefficient situations. Users might have to scroll through pages and pages of irrelevant content or hunt to find the functions and information that relate to their particular job -- an obvious waste of time and money. The other option would be a proliferation of disparate, unconnected systems -- a technology and collaboration nightmare that would significantly impede productivity.
Instead, IT needs to uniformly deliver shared services that provide relevant information and functionality to users in order to achieve maximum operational efficiency.
Compliance is a natural by-product of the appropriate separation of concerns. If unauthorized users see content they shouldn't, the consequences are unpredictable and potentially explosive. Knowledge is power, and therefore regulating access to information is a critical piece in maintaining order and control within a company to prevent unnecessary liabilities. In fact, in some instances and in some industries, the unauthorized disclosure of particular information might even be illegal and result in punitive measures.
This is particularly true in the healthcare sector, with regulations such as HIPAA (the Health Insurance Portability and Accountability Act) that restrict access to data and -- for the most severe, knowing violations -- are punishable with jail time. In addition, being able to account for user activity through an iron-clad audit trail mitigates risk and helps diagnose compliance vulnerabilities at the source long before they become more significant liabilities.
For businesses that are active in mergers and acquisitions or for those that play in multiple industry verticals, a uniform enterprise IT security strategy following AAA best practices is critical. Rapid growth presents its own unique set of challenges, but following a solid IT standard that supports the business's core objectives will ultimately reduce the cost of delivery and promote agility even as new groups or companies are assimilated.
As such, the separation of concerns, effectiveness and compliance are fundamental drivers of business success.