Few things are more precious to an enterprise than information. Using it effectively — which oftens means sharing it efficiently — can provide a competitive edge, helping separate winners from also-rans.
But data is precious in another way: It must be protected, not only against outside threats, but increasingly against unauthorized use by employees and other insiders. Internal breaches may be due either to sloppiness or to intentional employee theft of customer lists or other sensitive documents — and they can prove disastrous. A stark example came to light last week, when employees at an H&R Block office in suburban New York were charged with stealing customers’ identities and illegally obtaining false credit cards in their names.
To ensure data security, firewalls now must be configured not only to bar outsiders, but also to filter traffic inside the enterprise. Policies restricting data access must be put in place and enforced, and the concept of blanket trust must be permanently retired. But these steps seem utterly opposed to the goal of data integration, which aims to remove obstructions to data flow across corporate departments and among various enterprises.
Is it possible to have both completely secure data and seamless integration? Not yet, say experts, noting that until security becomes more closely integrated into overall business functions — rather than an add-on or afterthought — data will have to be put at risk in order to be shared effectively. As a result, CIOs and other IT decision makers must constantly re-evaluate their corporate data policy in an effort to strike the right balance between these two vital goals.
Cash Is King
Mike McClaskey, chief information officer at Perot Systems (NYSE: PER), told the E-Commerce Times that security measures like biometrics, which can provide information about who accesses data, and why and when they do so, are expensive and complex to implement for most corporations. Therefore, major investments in such technology are an unlikely prospect at a time when flat or slowly growing IT budgets are the rule, he added.
“It’s a real balancing act,” McClaskey said. In addition to its own 8,500 employees, Perot Systems is often responsible for the data of many of its 400 clients. “Most companies probably don’t have enough in terms of security. But we tend to balance on the side of the data as a driver of business growth and efficiency.”
McClaskey also noted that the balance point between information security and data integration varies by industry sector. For example, healthcare companies, which face regulation in the United States under the Health Care Insurance Portability and Accountability Act (HIPAA), and financial services companies are most likely to err on the side of securing data.
Some analysts believe that although technological solutions now exist or may exist in the future to help keep data both safe and freely flowing, the real task facing enterprises is to establish clear policies that spell out who — down to the individual employee, rather than merely a workgroup or department — can access stored data.
Aberdeen Group vice president Jim Hurley told the E-Commerce Times that questions about how to secure data will grow even more complicated as emerging Web services technology enables enterprises to share more data with one another. He believes encryption and other methods will be only part of the eventual solutions, which are still being developed by several groups wrestling with the Web services security riddle.
“There is no one-size solution or answer,” he said. “It depends a lot on whether an enterprise is approaching security as an afterthought or as something that was part of the architecture from the start.”
Dave McCandless, CIO of e-business software maker Fortel, which sells data integration products and services and was listed in Software Magazine’s Software 500, told the E-Commerce Times that the responsibility for determining the proper balance between data security and systems integrations falls to the CIO of an enterprise.
For instance, requiring employees to provide credentials whenever a document or other data is accessed will guarantee security but will also slow down business. “That process is expensive and obtrusive,” McCandless said. The goal, he explained, is to provide just enough control and security to make the risk level palatable to the organization.
“As a CIO, this requires knowing the security infrastructure, the business risk, and how to find a compromise between the two,” McCandless said.
What lies ahead for CIOs walking the fine line between security and integration? Perot Systems’ McClaskey said he thinks the future will entail more monitoring of employee movements within databases, rather than a focus on firewalls or even passwords.
“It will be too complicated in the future to build walls around systems or applications,” he noted. “It will be more about watching what people are doing.”