In this issue we take another Business Attribute from the SABSA Business Attributes Taxonomy, looking this time towards the future. What kind of security architecture shall we need to align with new and upcoming business models as they evolve? How shall we be ready for the future? In the previous issue we pointed to the emergence of ‘everything as a service’, the changing attitudes of ‘Generation Y’, the need to be more business-process centric and what is commonly referred to as ‘The New Way of Working’. Now we examine some of the specific developments and how we should address them.
It is helpful to list the current trends: cloud services; smart personal hand-held devices; green IT, driven by society's desire to conserve both energy and materials (by moving to more home working, with fewer office buildings and less use of transport); the massive roll-out of Wi-Fi and 4G (enabling mobility on a scale never before possible); and a high demand for ‘bring your own device’ (BYOD).
Traditionally ‘security architecture’ has been based on a system-centric view. The aim has always been to secure a series of systems, and the very concept of a system implies a boundary between the system and its environment – in the majority of cases a physical boundary. Even when we began to deal with ‘distributed systems’ this physical notion of the system was sustainable because then we had a series of physical sub-system islands interconnected by networks that could be secured by logical means. The main characteristic was that we still knew where everything was to be found. The introduction of ‘service oriented architecture’ meant that this physical visibility was removed to a lower layer in the stack, but nevertheless we could still draw a series of physical diagrams that would locate every component of our architecture. That is what is changing.
In the cloud you no longer know where your data is being stored and processed. In the Wi-Fi environment with portable devices you no longer know where your users are situated. All physical control disappears and all you have left is logical control. That means that the security and assurance policies to be applied to your data must travel with it and must be applied to it wherever it lands. Similarly, user security and assurance policies must be bound to the people and their mobile devices, irrespective of where they travel. So as well as a system-centric view of security architecture (yes, we shall still need that) we must now also conceive of a data-centric view and a person-centric view, with detailed mobile security profiles that will be articulated in the form of Business Attribute Profiles that travel with the data and with the person/device. This three-pillar conceptual security architecture is shown in the diagram.
There remains one more major issue – trusted execution. In the end there must be an execution platform that is trusted to abide by and enforce these mobile policies, and we no longer know where it is or who owns it. Anyone, any time, any place is our new mantra. So how will this work? We predict the emergence of a new marketplace for trust services, offered by trust brokers who fulfil the role of the traditional ‘trusted third party’ and who arrange for our services to be provided by a global network of trusted service providers. ‘Trust-as-a-Service’ (TaaS) will be a major new component of the services marketplace and the foundation stone of our future security architecture. It is immature at present, but without this development it is difficult to see how the present trends will be sustained. It remains to be seen who will be the leading players in this new market, but one thing is for sure – we shall need the Business Attributes profile as a means to communicate our detailed requirements for securing and assuring our data and its use in a common, machine-readable, XML-based language.
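To make the data-centric and person-centric pillars concrete, here is an added example (not from the article, and not a SABSA artefact) of a policy enforcement check in which an attribute profile travels with a data object and is evaluated wherever the data lands. The XML schema, the element and attribute names (`businessAttributeProfile`, `attribute`, `allowedRegion`, `requiredClearance`, `minimumAttestation`), the clearance and attestation rankings, and the platform attestation claims are all constructed for illustration; a real deployment would obtain the platform claims from an attestation protocol rather than a hand-built record.

```python
"""Policy that travels with the data: an attribute-based enforcement check.

Constructed example. The XML schema below is illustrative and is NOT the SABSA
Business Attribute Profile schema; all element and attribute names are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed profile attached to a data object. It states the business
# attributes the data must be assured of wherever it is stored or processed.
DATA_PROFILE_XML = """<?xml version="1.0"?>
<businessAttributeProfile subject="customer-records">
  <attribute name="confidential" requiredClearance="internal"/>
  <attribute name="jurisdiction-bound">
    <allowedRegion>EU</allowedRegion>
    <allowedRegion>UK</allowedRegion>
  </attribute>
  <attribute name="trusted-execution" minimumAttestation="tee"/>
  <attribute name="device-managed" required="true"/>
</businessAttributeProfile>
"""


@dataclass
class Subject:
    """Person-centric profile bound to a user and the device they carry (constructed)."""
    user: str
    clearance: str          # "public" < "internal" < "restricted"
    device_managed: bool


@dataclass
class Platform:
    """Attestation claims presented by the execution platform (constructed)."""
    region: str
    attestation: str        # "none" < "signed-boot" < "tee"


CLEARANCE_RANK = {"public": 0, "internal": 1, "restricted": 2}
ATTESTATION_RANK = {"none": 0, "signed-boot": 1, "tee": 2}


def parse_profile(xml_text: str) -> dict:
    """Turn the profile XML into a dict keyed by attribute name."""
    # Profiles received from untrusted parties should be parsed with defusedxml.
    root = ET.fromstring(xml_text)
    profile = {"subject": root.get("subject"), "attributes": {}}
    for attr in root.findall("attribute"):
        entry = dict(attr.attrib)
        name = entry.pop("name")
        regions = [r.text for r in attr.findall("allowedRegion")]
        if regions:
            entry["allowedRegions"] = regions
        profile["attributes"][name] = entry
    return profile


def evaluate(profile: dict, subject: Subject, platform: Platform) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every attribute in the profile must be satisfied;
    an attribute the enforcement point does not understand fails closed."""
    reasons = []
    for name, spec in profile["attributes"].items():
        if name == "confidential":
            need = CLEARANCE_RANK[spec["requiredClearance"]]
            if CLEARANCE_RANK.get(subject.clearance, -1) < need:
                reasons.append(f"clearance {subject.clearance} below {spec['requiredClearance']}")
        elif name == "jurisdiction-bound":
            if platform.region not in spec.get("allowedRegions", []):
                reasons.append(f"platform region {platform.region} not permitted")
        elif name == "trusted-execution":
            need = ATTESTATION_RANK[spec["minimumAttestation"]]
            if ATTESTATION_RANK.get(platform.attestation, -1) < need:
                reasons.append(f"attestation {platform.attestation} below {spec['minimumAttestation']}")
        elif name == "device-managed":
            if spec.get("required") == "true" and not subject.device_managed:
                reasons.append("unmanaged device")
        else:
            reasons.append(f"unknown attribute {name}: fail closed")
    return (not reasons, reasons)


if __name__ == "__main__":
    profile = parse_profile(DATA_PROFILE_XML)
    alice = Subject("alice", "internal", device_managed=True)
    bob = Subject("bob", "public", device_managed=False)
    eu_tee = Platform("EU", "tee")
    us_vm = Platform("US", "signed-boot")
    print(evaluate(profile, alice, eu_tee))   # allowed
    print(evaluate(profile, alice, us_vm))    # refused: region and attestation
    print(evaluate(profile, bob, eu_tee))     # refused: clearance and device
```

The decision depends only on the three inputs the article names: the profile carried by the data, the profile bound to the person and device, and what the execution platform can attest about itself. Nothing in the check relies on knowing where the platform physically is, which is the point of moving from physical to logical control; the `trusted-execution` attribute is where a Trust-as-a-Service broker's attestation would plug in.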