Boosting Business Agility with Security by Design

December 27 2016


A convergence of digital forces – notably mobile, SaaS, cloud, big data, IoT and social – is creating massive disruption in the market and pushing businesses to move at much faster speeds. However, with a fixed set of resources and a constrained capacity to deliver on new projects, IT is often accused of holding the business back rather than enabling it.

The resulting IT delivery gap is exacerbated even further when IT resorts to shortcuts that get projects done on time and on budget. While the shortcuts might solve for the near-term, these point-to-point connections create tight dependencies between applications, making any future changes costly and time-consuming. When everything is hardwired together, nothing can move without breaking everything else.

The rise of shadow IT

Despite the delivery gap paining IT, the business still needs to keep going forward. Now viewing IT as a blocker rather than a business partner, the broader business too frequently decides to take matters into its own hands. Departments like marketing, sales and finance start producing and procuring their own solutions outside of the central IT department, creating the rise of shadow IT.

Exacerbating the problem further is the proliferation of cloud-based mobile applications, which increase the exposed surface area of the organization. Each new application requires and enables access to organizational data and assets. Unless the security team is directly involved in an application’s creation, acquisition and delivery, anyone can gain access to that data or expose it without the IT team’s knowledge.

Furthermore, the challenge of visibility is compounded by the lack of standards by which organizational data and assets are shared and exposed. Different business units may adopt their own approach to security, if they take one at all. This makes the CIO’s job of propagating security best practices unwieldy.

Interestingly, the principles behind the formation of shadow IT aren’t necessarily negative. The business needs all of its parts to be thinking in an agile and innovative way. A strategic integration discipline, like API-led connectivity, harnesses the impulses behind the creation of shadow IT and turns them into business assets.

Enforcing security through API-led connectivity

There simply isn’t enough time or resources to have one person or team create security for the entire business. Instead, organizations need to adopt an API-led connectivity approach, which defines methods for connecting and exposing assets with .

Rather than connecting things point-to-point, every asset now becomes a managed API, making it discoverable through self-service without losing security and control. Each of these API nodes, designed and built by the teams that need them, will have security best practices built in at the point of design – creating the concept of “security by design.” These nodes are connected through APIs, which are standardized, well-defined entry points that are easy to visualize and thus secure.

As services are connected and exposed as APIs, the broader organization can then discover and reuse them. As more services are built out and connected, it’s not a case of creating more and more connections, but of reusing existing ones that are already known to and managed by the security team. This approach to IT architecture allows the business to go faster, while governance and compliance follow naturally from the managed API layer.

In this approach, security isn’t imposed top-down like a service-oriented architecture (SOA) initiative. Instead, every group that is developing a service is doing it in a standardized, well-defined way that makes security enforceable in practice.

For example, when a team is starting a project that requires connecting services or building new ones, they should be in the habit of asking ‘What assets currently exist that I can reuse and build on top of?’ As a result, future projects can then make use of those assets again and again. Additionally, others feel encouraged to contribute more API nodes to the network that securely expose critical assets while enabling full visibility into what information is accessed, used and shared.

The application network

What emerges out of this “security by design” approach is an application network that is structurally more secure. It’s organized around well-defined building blocks that are linked to the application network via APIs. Security is built in because IT has defined a door through an API and, as a result, cleanly defined the organization’s inside and outside.

With an application network, security teams have many options for controlling who has access to particular systems, what information they have access to and what authentication is required to get in, among a number of other options. With an application network, these doors are built into an organization’s integration fabric, making it more secure.

This is especially important as more and more businesses join new value chains by unbundling their core services and recomposing them into higher forms of business value used by partners and third parties. Security is no longer something that can be thought of as “just within” the company but needs to be thought of “throughout” the value creation chain and broader business environment.

Another advantage of this security by design approach is that developers don’t have to be security experts, and security experts don’t have to worry about what developers might be doing. This gives CIOs the confidence that the network can flex to meet the changing demands being placed on it, at a speed that will keep the organization at pace with market forces.

Successful companies today not only need to embrace change, but they need to do it quickly. As business demands continue to grow at an accelerated pace, CIOs must increase the clock speed of their organization and, with fixed resources, figure out how to make IT scale to match.


This article previously appeared on Infosecurity Magazine.