
Book Excerpt: Customer Data Integration and Master Data Management for Global Enterprise

This is an excerpt from Chapter 8: "Traditional and Emerging Concerns of Information Security" found in the book entitled, Customer Data Integration and Master Data Management for Global Enterprise, McGraw Hill, 2007.

In medieval times, commerce was conducted in city-states that were well protected by city walls, weapons and an army of guards and soldiers. In modern times, as commerce rapidly moved to a global marketplace, the goal of keeping potential participants out was replaced by the desire to invite and keep potential customers in.

In today's business environment we see a similar transformation - instead of keeping everything hidden behind proprietary secure networks protected by firewalls, commerce is done on the public Internet, and every business plans to take advantage of the potentially huge population of prospective customers. Denying access to corporate information is no longer a viable option - inviting new customers and enticing them to do business is the new imperative.

Clearly, this imperative brings with it a new set of security challenges - challenges that are reinforced by numerous pieces of legislation that promote various forms of e-commerce and even e-government and require new approaches to security that can protect both the consumer and corporate information assets.

What Do We Need to Secure?

The Internet has become a de facto standard environment where corporations and individuals conduct business, "meet" people, perform financial transactions and seek answers for questions about anything and everything. In fact, all users and all organizations that have some form of Internet access appear to be close (and equidistant) to each other.

The Internet has moved the boundaries of an enterprise so far away from the corporate data center that it created its own set of problems. Indeed, together with the enterprise boundaries, the traditional security mechanisms have also been moved outward, creating a new "playing field" for customers, partners, and unwanted intruders and hackers alike. As a result, enterprise security requirements have become much more complex.

One way to discuss these requirements is to look at what areas of the business environments need to be secured, and from what kind of danger. Figure 1 illustrates the areas of security concerns and corresponding security disciplines that are defined in the following section.

Layered Security Framework

The security domains can be organized into a layered framework that looks at security from "outside in:" perimeter security; network security; platform (host) security; and application, data and user security.

This model describes security "zones" that need to be protected regardless of whether the threat is originating from outside or from within the organization.

Figure 1: Layered Security Model

Technologies that enable the implementation of the layered security framework may offer overlapping functionality and can span several security domains. For example, the security disciplines of authentication, authorization and administration (3A) play equally important roles in securing the network resources, the enterprise perimeter, the computing platform, and the applications, data and users.

Perimeter Security

Perimeter security deals with the security threats that arrive at the enterprise boundary via a network. By definition, perimeter security has to handle user authentication, authorization and access control to the resources that reside inside the perimeter. The primary technology employed to achieve perimeter security is the firewall.

A firewall is placed at the network node where a secure network (i.e., an internal enterprise network) and an insecure network (i.e., the Internet) meet each other. As a general rule, all network traffic, inbound and outbound, flows through the firewall, which screens all incoming traffic, and blocks that which does not meet the restrictions of the organization's security policy.

In its simplest form, the role of the firewall is to restrict incoming traffic from the Internet into an organization's internal network according to certain parameters. Once a firewall is configured, it filters network traffic, examines packet headers and determines which packets should be forwarded or allowed to enter and which should be rejected.

Network Security

Network security deals with authenticating network users, authorizing access to the network resources and protecting the information that flows over the network.

Network security involves authentication, authorization, and encryption and often uses technologies like Public Key Infrastructure (PKI) and Virtual Private Network (VPN). These technologies are frequently used together to achieve the desired degree of security protection. Indeed, no security tool, be it authentication, encryption, VPN, firewall, or antivirus software, should be used alone for network security protection. A combination of several products needs to be utilized to truly protect the enterprise's sensitive data and other information assets.

Network and Perimeter Security Concerns

A common approach to network security is to surround an enterprise network with a defensive perimeter that controls access to the network. However, once a hostile intruder has passed through the perimeter defenses, he, she, or it may be unconstrained and may cause intentional or accidental damage. A perimeter defense is valuable as a part of an overall defense. However, it is ineffective if a hostile party gains access to a system inside the perimeter or compromises a single authorized user.

Besides a defensive perimeter approach, an alternative network security model is the model of mutual suspicion where every system within a critical network regards every other system as a potential source of threat.

Platform (Host) Security

Platform or host security deals with the security threats that affect the actual device and make it vulnerable to outside or internal attack. The platform security issues include the already-familiar authentication, authorization, and access control disciplines, and the security of the operating system, file system, application server and other computing platform resources that can be broken into or taken over by a hacker.

Platform security solutions include security measures that protect physical access to a given device. For example, platform security includes placing a server in a protected cage; using sophisticated authentication and authorization tokens that may include biometrics; using "traditional" physical guards to restrict access to the site to the authorized personnel only; developing and installing "hardened" versions of the operating system; and using secure application development frameworks like the Java Authentication and Authorization Service (JAAS). (JAAS defines a pluggable, stacked authentication scheme. Different authentication schemes can be plugged in without having to modify or recompile existing applications.)

Application, Data and User Security

Application, data and user security concerns are at the heart of the overall security framework. Indeed, the main goal of any malicious intent is to get hold of the protected resource and use it, whether it is information about a company's financial state or an individual's private activities, functionality of the electronic payment or funds transfer, or as the case may be, the identity of a person the intruder wants to impersonate for personal, political or commercial gains.

The security disciplines involved in this are already familiar: the 3As (authentication, authorization, administration), encryption, digital signatures, confidentiality, data integrity, privacy, accountability and virus protection.

End-to-End Security Framework

To sum up the discussions in the previous sections, when we talk about security, we may want to look at the entire security space from outside in, using the diagram in Figure 1. An important point that needs to be emphasized here is that none of the disciplines taken separately - network, perimeter, platform, application, data and user security - can offer complete security assurance.

The events of recent history and the heightened awareness of the real dangers that can be exploited by various terrorist organizations and unscrupulous opportunists have taught us that in order to be and feel secure, we need to achieve "end-to-end security" - an environment that does not intentionally or by omission expose security holes, and that can provide the business benefits of security - privacy, confidentiality, integrity and trust (see Figure 2).

Only a strong understanding of potential security vulnerabilities and an effective combination of various security technologies and disciplines can ensure that this goal can be achieved.

Figure 2: Security and Business Value Dimensions

Traditional Security Requirements

Today's business environment has different security requirements than traditional commerce. Enterprise networks are no longer defined by the physical boundaries of a single company location but often encompass remote sites and include mobile and remote users all over the world. Also, organizations often use many contractors who are not employees and thus do not undergo employee-level screening and vetting, but may have similar or even greater access than many employees.

Traditional security requirements include:

Authentication. The ability to verify that an individual or a party is who they claim to be; authentication is a verification component of the process known as identification.

Authorization. A business process of determining what information and computing resources the authenticated party is allowed to access; authorization processes and technologies enforce the permissions expressed in the user authorization entitlements. An authorization mechanism automatically enforces entitlements that are based on a security policy dealing with the use of the resource, and in general, the policy could be roles-based, rules-based or a combination of the two. Clearly, authorization is driven by and depends on reliable authentication (see the discussion on various authorization concerns later in this and the following chapters).

Confidentiality. A business requirement that defines the rules and processes that can protect certain information from unauthorized use.

Integrity. A business requirement that data in a file or a message traversing the network remains unchanged or that any received data matches exactly what was sent; data integrity deals with the prevention of accidental or malicious changes to data or message content.

Verification and nonrepudiation. This requirement deals with the business and legal concepts that allow a systematic verification of the fact that an action in question was undertaken by a party in question, and that the party in question cannot legally dispute or deny the fact of the action (nonrepudiation); this requirement is especially important today when many B2C and B2B transactions are conducted over the network.

Traditional paper-based forms are now available over the network and are allowed to be signed electronically.

Recently adopted eSign legislation made such signatures acceptable in the court of law (see section on eSign law later in the chapter).


Auditing and accountability. The requirement that defines the process of data collection and analysis that allows administrators and other specially designated users, such as IT auditors, to verify that authentication and authorization rules are producing the intended results as defined in the company's business and security policy. Individual accountability for attempts to violate the intended policy depends on monitoring relevant security events, which should be stored securely and time-stamped using a trusted time source in a reliable log of events (also known as an audit trail or a chain of evidence archive); this audit log can be analyzed to detect attempted or successful security violations. The monitoring process can be implemented as a continuous automatic function, as a periodic check, or as an occasional verification that proper procedures are being followed. The audit trail may be used by security administrators, internal audit personnel, external auditors, government regulatory officials, and in legal proceedings.

Availability. This requirement provides an assurance that a computer system is accessible by authorized users whenever needed.

Security management. This requirement includes user administration and key management:

  • In the context of security management, user administration is often referred to as user provisioning. It is the process of defining, creating, maintaining, and deleting user authorizations, resources, or the authorized privilege relationships between users and resources. Administration translates business policy decisions into an internal format that can be used to enforce policy definitions at the point of entry, at a client device, in network devices such as routers, and on servers and hosts. Security administration is an ongoing effort because business organizations, application systems and the users are constantly changing.
  • Key management deals with a very complex process of establishing, generating, saving, recovering and distributing private and public keys for the security solutions based on PKI.

These traditional security concerns apply to any software system or application that has to protect access to and use of information resources regardless of whether the system is Internet-based or is a more traditional client-server design. However, as businesses and government organizations continue to expand their Internet channels, new security requirements have emerged that introduce additional complexity into an already complex set of security concerns.
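To make the authorization and the auditing and accountability requirements above concrete, the following added example (not code from the book) combines a role-based entitlement check with a rule-based condition and records every decision in a time-stamped audit trail. The role names, the business-hours rule and the hash-chaining of log entries are assumptions chosen for illustration; hash chaining is one way to make the log tamper-evident, not a method the excerpt prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone

# Role-based part: role -> entitlements as (resource, action) pairs (constructed).
ROLE_ENTITLEMENTS = {
    "teller": {("customer_record", "read")},
    "account_manager": {("customer_record", "read"), ("customer_record", "update")},
}

def within_business_hours(ctx):
    return 8 <= ctx["hour"] < 18

# Rule-based part: extra conditions checked after a role grants the entitlement.
RULES = {("customer_record", "update"): [within_business_hours]}

def authorize(user, resource, action, ctx):
    if not user.get("authenticated"):  # authorization depends on authentication
        return False, "not authenticated"
    if not any((resource, action) in ROLE_ENTITLEMENTS.get(r, set()) for r in user["roles"]):
        return False, "no role grants entitlement"
    for rule in RULES.get((resource, action), []):
        if not rule(ctx):
            return False, "rule failed: " + rule.__name__
    return True, "permitted"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self, clock=lambda: datetime.now(timezone.utc).isoformat()):
        self.clock = clock  # stand-in for the trusted time source
        self.entries = []

    def record(self, **event):
        # Each entry carries the digest of the previous one, forming a chain.
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = dict(event, ts=self.clock(), prev=prev)
        self.entries.append(dict(body, digest=_digest(body)))

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

def checked_access(trail, user, resource, action, ctx):
    allowed, reason = authorize(user, resource, action, ctx)
    trail.record(user=user["id"], resource=resource, action=action,
                 allowed=allowed, reason=reason)  # denials are logged too
    return allowed
```

A keyless hash chain only detects edits if the latest digest is also kept somewhere the log writer cannot change, such as a separate log server.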


Mr. Berson is an internationally recognized expert, author, and educator in various areas of information technologies. Throughout his professional career, Alex Berson has held key technology and management positions in several major corporations including BearingPoint Inc., Merrill Lynch, Entrust, enCommerce, Dun & Bradstreet, PricewaterhouseCoopers, Salomon Smith Barney, and others.

Mr. Berson holds graduate and postgraduate degrees in Computer Sciences and Applied Math, and focuses his professional activities on Identity Management; Information Security, Risk and Compliance; Master Data Management (MDM), Customer Data Integration (CDI), and Customer Relationship Management (CRM); data warehousing and data mining; Web Services, service-oriented architectures; and middleware and enterprise application integration.

Mr. Berson is a member of Standard & Poor's Vista Research Society of Industrial Leaders (SIL). He is also an active member of professional associations in the industry, such as the IEEE Computer Society, ACM, and Aberdeen Group's Technology Forecasting Consortium; standards organizations including OASIS, OMG, and Open Group; and various industry consortia including Securities Industry Middleware Council (SIMC) and the Data Warehousing Institute. Alex Berson sits on the advisory boards of several technology and financial services companies. He has published numerous technical articles and direction-setting white papers in trade magazines. He is the author of a number of best-selling professional books including Building Data Mining Applications for CRM, Data Warehousing, Data Mining and OLAP; Client/Server Architecture; SYBASE and Client/Server Computing; and APPC: Introduction to LU6.2.

Mr. Dubov is a recognized expert and thought leader in the implementation of complex business-driven technology solutions for financial services, banking and pharmaceutical verticals with the primary focus on Customer Data Integration (CDI), Master Data Management (MDM), Customer Relationship Management (CRM), data warehousing and operational data stores. He has gained both depth and breadth of technical knowledge in multiple areas of Customer Data Integration and Master Data Management including data and solution architecture, customer recognition, customer-centric data transformations, data stewardship and information quality. He has developed a strong holistic vision of the CDI problem domain and CDI implementation methodology based on practical experience gained through successful project implementations. He is a recognized speaker on the topic of Master Data Management and has participated in a number of MDM-CDI conferences.

Larry has held senior technology and management positions with consulting companies BearingPoint and FutureNext ZYGA. Larry formerly worked as an independent consultant for a number of companies across various industry verticals.

The list of Larry's clients includes Fortune 1000 companies and established mid-size organizations: Merrill Lynch, Bessemer Trust, Washington Mutual, Cenlar Bank, Merck, Johnson & Johnson, Hoffmann La Roche, Aventis, Estée Lauder, AT&T, and Daimler-Benz.

Larry spent two years at Princeton University as a visiting research scientist working on mathematical models for optimal control of molecular processes. Earlier, during his career in Russia he gained a strong scientific background with Ph.D. and Dr.Sci. degrees in Mathematical Physics. Larry is the author of over 70 publications.

A combination of multiple backgrounds - science (physics, chemistry, and advanced math), deep knowledge of Information Technology, and understanding of business processes - helps Larry see unique approaches to complex business problems and offer their solutions.
