It’s a well-known fact that digital companies create value by exchanging data in each of the ecosystems that they are connected to. However, with the growing adoption of cloud and mobile solutions in the workplace and massive trends that make business every day more digital, the challenges around exchanging data have increased.
Essentially, this has extended the enterprise edge beyond an organisation’s traditional four walls. Enterprises can no longer rely on electronic security solutions that simply block access at their perimeter, because refusing access means refusing collaboration.
Securing these exchanges is no easy task when you think about the omnipresent nature of data exchanges, the multiple forms they take and how they occur during every enterprise process. Moreover, each type of exchange has its own security constraints and requirements.
When it comes to security, every exchange should be covered and every exchange requires something customised to the particular exchange technique in question. There’s no one-size-fits-all here. To be efficient, without being too weak or too strong, the security solution used must be adapted to each type of exchange.
Beyond infrastructure models based on gateways, DMZ (or perimeter network), reverse proxy and other devices available as appliances, governing flows of data can address exchange security problems in a well-reasoned, systematic way.
An application-to-application exchange within a company may seem trivial, but it has a number of constraints. Firstly, the two applications must have the necessary rights and access to the exchanged data. Exchanged data contains private information, including the likes of customers’ bank account information, so it’s essential that this kind of information is encrypted end to end.
Finally, the exchange must be monitored so that an alert can be triggered if the data is corrupted. Audit trails must also be created, which can be used to retrace every aspect of the exchange after it has taken place.
In order for organisations to meet the specific security requirements they face in governing the flow of data, they first need to ask themselves the following three questions:
1. Who interacts with whom?
Every participant in the exchange, be it an employee, customer, partner, or an application in a corporate data center, on a mobile device, in the cloud or at a partner’s facility, has different security constraints, rights and authentication modes. The kind of services needed here includes, among others, Identity and Access Management (IAM), certificate lifecycle management, OAuth and LDAP.
2. What interaction is taking place?
Once the participants are identified, the type of interaction that needs to be managed must be defined and the reason for the interaction given (such as exchanging invoices or purchase orders). This definition can be limited strictly to the data exchange or can include exchange related processing. In terms of security, archiving, logging, encryption and human decision-making, specific steps can be added as needed.
Based on this information, instructions and rules associated with the exchange can be created and applied automatically. Services associated with this step include functions such as encryption, signatures, instructions and rule definitions and configuration studios.
3. Is the interaction proceeding properly?
A successful interaction is one that proceeds as expected and in accordance with all the definitions and constraints that it’s subject to. This involves defining alerts and reports that can be used to monitor the application of instructions and the flows of data. Tools such as dashboards and monitoring services come into their own at this stage, as does management of secure audit logs.
Once these three questions are addressed, the security requirements needed become immediately apparent and can be managed automatically.
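The three questions above map naturally onto a small policy check that a flow-governance layer can apply to every application-to-application exchange: is the sender allowed this interaction with this receiver (questions 1 and 2), did the content arrive intact (question 3), and is every outcome written to an audit trail. The following is an added, stdlib-only illustration, not code from the original article or any product it describes; the application names, policy table and shared key are constructed, and an HMAC stands in for the signature step (the end-to-end encryption the text calls for would be layered on with an authenticated cipher from a library such as `cryptography`).

```python
import hashlib, hmac, json
from datetime import datetime, timezone

class ExchangeGovernor:
    """Applies the three questions to each application-to-application exchange."""

    def __init__(self, policy, keys):
        self.policy = policy        # (sender, receiver, interaction) -> allowed?
        self.keys = keys            # sender -> MAC key (stands in for a cert/IAM service)
        self.audit_log = []         # every exchange, accepted or not, stays retraceable
        self.alerts = []            # raised whenever a message fails its integrity check

    def seal(self, sender, payload):
        """Sender side: serialise the payload and authenticate it with the sender's key."""
        body = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self.keys[sender], body, hashlib.sha256).hexdigest()
        return {"body": body.hex(), "mac": mac}

    def govern(self, sender, receiver, interaction, message):
        """Receiver side: returns 'delivered', 'denied' or 'corrupted' and records an audit entry."""
        if not self.policy.get((sender, receiver, interaction), False):
            outcome = "denied"                       # Q1/Q2: pair or interaction type not permitted
        else:
            body = bytes.fromhex(message["body"])
            expected = hmac.new(self.keys[sender], body, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, message["mac"]):
                outcome = "delivered"
            else:
                outcome = "corrupted"                # Q3: content changed in transit -> alert
                self.alerts.append((sender, receiver, interaction))
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "sender": sender, "receiver": receiver,
            "interaction": interaction, "outcome": outcome,
        })
        return outcome

# Constructed sample data: hypothetical application names, one permitted flow, demo keys.
POLICY = {("billing-app", "erp-app", "invoice"): True}
KEYS = {"billing-app": b"constructed-demo-key", "hr-app": b"another-demo-key"}

def demo():
    gov = ExchangeGovernor(POLICY, KEYS)
    msg = gov.seal("billing-app", {"invoice_id": 42, "iban": "DEMO-IBAN"})
    ok = gov.govern("billing-app", "erp-app", "invoice", msg)             # permitted, intact
    tampered = dict(msg, body=bytes.fromhex(msg["body"]).replace(b"42", b"43").hex())
    bad = gov.govern("billing-app", "erp-app", "invoice", tampered)       # permitted, corrupted
    denied = gov.govern("hr-app", "erp-app", "invoice", msg)              # no rule for this pair
    return ok, bad, denied, len(gov.audit_log), len(gov.alerts)
```

Running `demo()` yields one delivery, one integrity alert and one denial, with all three exchanges present in the audit log.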
Working alongside extended ecosystems is no easy task for enterprises today. On the one hand, they need the means to exchange data quickly with participants in a variety of ecosystems and exchanges, some of which now involve API service publication.
On the other hand, they cannot treat all data exchange participants the same. They must offer the right service levels for access to data based on the contracts they have signed with each participant. However, if organisations can master the art of governing the flow of data then they will find themselves in a strong position to dynamically manage the data exchanges and meet the related security requirements.