Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management

Making Security a "Business Enabler"

Economic pressures compel businesses and organizations to look for technology solutions that reduce costs and improve efficiency. They seek to do this, of course, without sacrificing the quality and productivity of the existing system. The heightened risk of security not only relates to the security of the assets involving buildings and people, but also relates to the security of the organizational technology and its managed business processes. Ironically, investing in security is often considered as a capital investment and is not considered as a contributor to business productivity. More interestingly, IT architects and developers focus on the technical elegance of new security technologies as a defensive mechanism to protect the applications and infrastructure without realizing the potential cost benefits from them. From an IT management and business investor's perspective, security infrastructure and solutions for a business case is not justifiable without reference to how security contributes to overcoming technological and economical obstacles and risks faced by an organization.

With security gaining significant importance in every business and organizational process, it is often challenging to explain how security addresses an organizational goal such as improving operational efficiency or reducing costs. Equally difficult to explain is how security contributes to Return On Investment (ROI). Let's take a look at some examples of security measures and how they function as "business enablers" in an organization.

Case 1Justifying Identity and Access Management

Identity and access management provides compelling business benefits by reducing costs, risks, and complexity in the enforcement of organizational security policies and practices. In a nutshell, an identity management solution facilitates an organization by the following:

  • Centralized management of identity and policy information.

  • Centralized or decentralized authentication and authorization services.

  • Delegated identity administration and control.

  • Ability to securely exchange data across trusted networks of partners, suppliers, and customers.

  • Enforcement of single sign-on capabilities over heterogeneous applications and services.

  • Federated sign-on and sign-out capabilities over trusted networks of partners, suppliers, and customers.

  • Automated processes and instant change in identity privileges and relationships.

  • Elimination of duplicate user accounts.

  • Visualization of who has access to what resources at any given time.

  • From an organization cost benefits and ROI perspective, a typical identity and access management solution would offer the following:

    - The time required for registering a user to access his or her privileged application is significantly reduced.

    - Enforcement of single sign-on capabilities offers dramatic reduction of help desk calls for resetting passwords and time savings for help desk administrators.

Case 2Justifying Proactive Security Approaches

McLean and Brown in their ROI study for security (refer to [McLeanBrown] for details) discuss an ROI estimation model for security architecture investment. Table 1-1 shows a slightly modified version to illustrate potential ROI with implementation of end-to-end security for J2EE and Web services applications. In this example, a medium-sized firm intends to estimate the cost of implementing J2EE and Web services security architecture using single sign-on architecture. The firm has some existing security infrastructure in place. To simplify the sample scenario, we present a list of assumptions following the table. We have used a three-year cost estimate to compute the ROI per year. Note that the financial exposure is likely to be greater than the security investment, and we estimate an ROI of $683,333 per year. Thus, it is justifiable to implement a proactive security architecture design using J2EE and Web services technologies.

Table 1-1. Sample ROI Estimate for Justifying Proactive Security

Potential threat

Description

Estimated Loss US$

A. Financial Exposure (Qualitative)

  

Denial-of-service attacks, or single point of failure

Access to network, system resources, and application resources is denied due to hacker attacks, or system unavailability due to system failure.

$1.4 million

Man-in-the-middle attacks or replay attacks

Security attacks by spoofing the business transactions in the network, or replaying the business transactions with tampered transaction information.

N/A

B. Inefficient Processes (Quantitative)

  

Password resets (that is, no single sign-on capability)

The cost of resetting user passwords or user administration as a result of not having single sign-on capability.

$25,000

C. Intangible Cost (Qualitative)

  

Loss to public image, loss of reputation, denial to network resources

Loss of confidence of reputation due to publicized security breach.

$25,000

D. Total Security Exposure Cost (yearly)

A + B + C

$1,450,000

E. Investment in Security (One-time)

  

Infrastructural platform security

Investment in firewall, proxies, and directory server.

N/A

Intrusion detection

Cost of implementing and executing intrusion detection system to monitor any suspicious network activities.

N/A

Antivirus protection

Cost of antivirus software to protect network and system resources against viruses.

N/A

Implementing J2EE and Web services security

Internal cost for implementing J2EE and Web services security.

$1,500,000

Implementing single sign-on architecture

Additional hardware and software cost of implementing single sign-on architecture.

$1,000,000

Reengineering inefficient security administration processes

Internal cost of addressing the inefficient security administration processes.

N/A

 

Total one-time investment

$2.5 million

F. Annual Maintenance Cost Hardware and software

This includes the single sign-on architecture only.

$100,000

G. Total Security Cost for 3 years

E (one-time) + F (annual) * 3 years

$2,300,000

H. Estimated Return

ROI = D (E/3) F

 

First year cost

$766,666

 

Second year cost

$766,666

 

Third year cost

$766,666

 
 

ROI per year

$683,333

Assumptions

  • Only denial-of-service attack is included in this ROI estimate. The cost estimate of the denial-of-service attack assumes the average cost per incident (refer to the CSI report in [CSI2003] p. 20 for details).

  • Most of the investment in security is already in place. This includes infrastructure platform, intrusion detection, and virus protection.

  • Ten percent of the workforce require password reset (1,000 cases per year), assuming $25 per password reset incident will be incurred by the outsourcing data center.

  • Intangible security cost for loss to public image, loss of reputation, and denial to network resources assumes five days of lost sales, amounting to $25,000.

  • Maintenance cost assumes 10 percent of the hardware and software cost.

  • As a simple illustration of the ROI concept, this example does not calculate and display the present value of the security investment and returns. In a real-life scenario, the present value would be used.

Case 3Justifying Security Compliance

Security compliance is a strong business enabler in terms of enhancing consumer confidence and improving the operational efficiency of an organization's information systems and processes. It also ensures an organization will follow an auditable process and use reporting mechanisms that help protect them from errors and fraudulent practices. For example, in January 2004 the Bank of Scotland was fined about $2.5 million for failing to keep proper records of customer identification as stipulated by the UK Financial Services Authority's money laundering regulations [ExpressComputer].

By achieving compliance, the organization can meet its responsibilities as specified by the government regulations and avoid issues related to negligence and compliance failuresfines, sanctions, and jail terms for corporate executives and board members. Achieving security compliance also helps organizations to do the following:

  • Evaluate and test their organizational security practices and controls.

  • Mitigate the risks.

  • Implement safeguards and countermeasures.

  • Increase operational efficiency and cost-effectiveness.

Compliance with regulatory requirements often drives the need for implementing effective security procedures and identity management solutions that provide proof of compliance. It also improves organizational productivity and customer trust.

Related

Категории