SOA and Information Risk Management
Clive Gee, an experienced IBM SOA Practitioner, describes how IT securing the networks has evolved into what he refers to as Information risk management. As the collaboration space increases with application integration and service oriented systems, he examines the risk management of the increased the surface area of threats and vulnerability.
SOA magnifies risks associated with information assets by exposing those assets more readily to a broad audience. While this is beneficial to business operations, it is cause for greater concern for security and risk management professionals. It is critical that the SOA governance team partners with risk management teams to assess risks that are brought about or intensified by SOA.
Managing risk requires an understanding of vulnerabilities, threats, probability of risk manifestation, and the impact should a risk be realized. Decisions are ultimately made to avoid, accept, mitigate, or transfer the risk. Risk management practitioners must weigh the potential cost to the company should the risk be realized against the cost of managing the risk and the associated opportunity costs.
Taking a deeper look at threats and vulnerabilities, he cautions on the possibility of information being compromised without proper safeguards in place
[…] information is at risk of being exposed to unauthorized parties through a lack of proper controls and even criminal activity. The business benefits of readily and broadly sharing information can quickly be undone should the wrong information be compromised.
Part of a risk assessment should include capturing and cataloging the types of information that are vulnerable to attack and the potential threats against them. Once the threats are cataloged they can be assessed and classified according to probability of occurrence and potential impact.
He categorizes vulnerabilities into:
- Intellectual property (IP) – […] Depending on the nature of a company's business, IP can represent a firm's most valuable assets or at least those that significantly influence its competitive position.
- Regulatory Compliance -- Ensuring that the organization complies with relevant laws and regulations (or managing the penalty imposed if caught against the cost of implementing controls). […] Violating such regulations can result in significant fines, sanctions, and lost business opportunities.
- Business Relationships -- Information is at the heart of business-to-business and business-to-customer relationships in today's economy. Companies must safeguard customers' personal and financial data. They must securely and cost-effectively exchange information with business partners.
[…] and threats into:
- natural threats - hurricanes, floods, earthquakes, etc.
- environmental threats - power failures, water damage, pollution, etc.
- human threats -- industrial espionage, virus infection, denial-of-service attacks, etc.
He goes on to list the risk management concerns and discusses various frameworks and processes to mitigate them at various levels in the architecture stack For e.g. Confidentiality, Authentication, Authorization etc. on the application layer. Protecting the physical premises against unauthorized access, the various development processes and operational procedures. He prescribes security classification schemes to establish levels of risk management such as identifying information as Public, Sensitive, Confidential, and Private and suggests the use of processes to establish controls via policy and compliance framework, as a necessary part of information risk management. The kinds of controls he recommends are
• Administrative Controls - Definition and maintenance of policies, procedures, standards, and guidelines that govern information risk concerns.
• Operational Controls - Implementation and enforcement of the administrative controls.
• Audit Controls - Assurance of compliance with administrative controls and effectiveness of operational controls.
• Business Continuity and Disaster Recovery - Ensuring the continued operation of a business in the event of power outages, natural disasters, or other such disruptions is the goal of business continuity programs.
Clive reiterates that the key to the success of such initiatives is a buy-in from the stake holders in the organization and that is not possible to successfully execute the risk mitigation actions without an organizational structure to support it. “Once we understand the concerns of information risk management”, he says “and the practices required to address them, we must ensure that the organizational structures needed to execute those practices are in place.”
As with most large-scale initiatives, an organization's board of directors and executive management must support and fund the risk management organization. They must ensure that risk management policies and procedures align to overall goals and strategies.
He concludes his article emphasizing that, over time organizations change in terms of employee promotions, transfers and exits the information access control privileges must be re-evaluated and appropriate action taken at each those events.
The original article was published online in the SOA magazine. Be sure to check out the original article and share your experiences with the community on this forum as well.
Ronny Kohavi Dec 12, 2013