The issue of data security is exacerbated by the increase of information copies inside the organization. Mergers and acquisitions, the growth of line-of-business IT, and the proliferation of data sources outside the organization mean that key data records, such as customer, product/part, and supplier, exist in hundreds or even thousands of different formats, attached to hundreds of different applications, each with its own security. This lack of data security standardization invites attack on the "weakest link," especially when that link's datum copy has a separate firewall. Master data management efforts and enterprise repositories that give a global view of data do not automatically apply standardized security to that data.
The answer to the problem is to complement network-based security with "information security." In this approach, fine-grained access controls guard all copies of each data item and travel with that item inside and outside the firewall. Recent IBM developments give
Information security: Vision to reality
What would a good information security system look like? First, the unit of information would not be just one copy of a single field, but a group of related fields encompassing all format variants and copies. Access control is applied to this group as a whole -- you have the same access rights whether the customer record contains a first name or an entire life history. All applications and users must pass through a single access point to get at this data. Practically speaking, this means a set of standardized code, like a Web service producer front end, for all data access programs.
Second, a good information security system would automatically detect and "securitize" new data. This "securitization" would also handle cases in which data is moved outside the corporate firewall so that new groups of users can access it. The access control would be based on roles, not people, so that when one person leaves the company, his replacement can continue to use the data.
Third, the information security system would be integrated with corporate application- and network-based security. For example, if a datum was available via an application inside the firewall, it should continue to be so; but if it was unavailable inside the firewall, it should not become available by being moved outside the firewall.
How would such an information security system be implemented? I see three key requirements.
- An enterprise-wide metadata repository and attached auto-discovery utility. The repository would allow representation of data at the information unit level described above and attach role-based corporate standard security to each unit. The utility would carry out storage of metadata that supports the auto discovery, classification, and linking with all variants and copies of an information unit.
- Common-code middleware attached to all data access software that enforces the security policies defined in the repository.
- Utilities to semi-automatically change access controls as data changes or moves to a new location.
The mainframe's role in information security
As in the past, the mainframe remains a leader in traditional network-oriented security. Moreover, there are extensive provisions for encrypting data that travels over internal and external networks. IBM recently implemented software that allows the mainframe to extend this network-oriented "umbrella" across the enterprise: full implementation of cross-platform Tivoli on the mainframe that incorporates mainframe security schemes; an increasing ability to virtualize applications (and therefore application security) across platforms; and the necessary middleware to allow the mainframe to act as a security hub, coordinating distributed security functions from a central server.
IBM has also started supplying the products needed to implement information security on the mainframe and across platforms. Its recent acquisition of a global metadata repository firm means that it can now provide an enterprise-wide view of data for security purposes. Its strong commitment to service-oriented architecture (SOA) gives users a "choke point" to monitor data access if they implement standardized Web service producer code for access to all data. However, the actual implementation of common data access code and creation of the tools to monitor and update access controls are left up to the user.
Obstacles to information security
The real barrier to implementing information security today, via the mainframe or another method, is today's IT spending. A blog post by the Burton Group's Anne Thomas Manes states that many SOA implementations are considered failures because, despite repeated advice, users chose to implement common Web service provider and consumer code only on a per-project basis and only for new applications. A recent survey by Laura Didio shows that most IT shops now focus primarily on cost containment and long-term cost reduction, with no mention of implementing new infrastructure (except server virtualization) among the top priorities. Ironically, the same survey shows that security spending has survived the recession, with only 3% of respondents indicating a decrease. And other initiatives that might aid in creating an information security architecture, such as implementing a private cloud or using a public one, are far down on users' priority lists.
To put it bluntly, such an approach is penny-foolish and pound-foolish. Failure to spend on information security will erode overall security as users implement new Web-oriented competitive advantage apps that expose more company information (oh yes, that's still a priority). Also, spending on network-centric security today is less cost-effective than spending on information security (because information security protects data inside and outside the firewall).
The few, the proud, the mainframe
It is also true that a few users continue to implement SOA well, are willing to invest in technologies like cloud, have a master data management effort in place, and understand the value of the mainframe in delivering information security. For these users, IBM's recent efforts to provide the basis for the mainframe as an information security hub represent an opportunity to widen the profit margin gap with competitors.
Assuming that IT does implement common data access code and monitoring utilities that use this information, the mainframe as a security hub can spread not only robust network-based RACF-type security but also better data security across the enterprise and beyond to public clouds and supply-chain partners. Today's wasted IT spending caused by piecemeal attempts to "open the kimono" to partners/outsourcers without giving away company secrets can be greatly reduced, adding to profit margins.
Moreover, let's face it: Security is the primary reason that large enterprises have been hesitant to embrace Software as a Service and the cloud concept, despite the potential cost savings. (Although Amazon's recently publicized problems with cloud robustness may now play a role in users' hesitation.) With a strong, standardized information security architecture in place, many of these concerns go away.
At the same time, neither IBM nor any other vendor has yet provided all of the software infrastructure it could to aid in such an effort, even for leading-edge users. Administrative utilities for information security monitoring and access control are obvious areas for improvement, as are policy engines to translate corporate standard information policies into real-world virtualized data security.
Meanwhile, the action item for all mainframe users is to begin to re-orient security spending toward information security. A fable by Patricia McKillip seems apropos here: Once there was a king who hired a wizard to provide perfect security in his castle. No one was to be able to breach the "firewall" and hurt him. When the castle was finished, he paid the wizard and rested secure inside his new domain until he found that with no vulnerable doors in the wall, he couldn't get out. Information security will allow you to compete outside your firewall securely, and the mainframe is an excellent hub for such a purpose.
ABOUT THE AUTHOR: Wayne Kernochan is president of Infostructure Associates, an affiliate of Valley View Ventures. Infostructure Associates aims to provide thought leadership and sound advice to vendors and users of information technology. This document is the result of Infostructure Associates-sponsored research. Infostructure Associates believes that its findings are objective and represent the best analysis available at the time of publication.
What did you think of this feature? Write to SearchDataCenter.com's Matt Stansberry about your data center concerns at email@example.com.
This was first published in February 2010