Views from the Marketplace are paid for by advertisers and select partners of MIT Technology Review.
Cybersecurity in the Age of Digital Transformation
As companies embrace technologies such as the Internet of Things, big data, cloud, and mobility, security must be more than an afterthought. But in the digital era, the focus needs to shift from securing network perimeters to safeguarding data spread across systems, devices, and the cloud.
Technologies such as big data analytics, the Internet of Things (IoT), blockchain, and mobile computing are reinventing the way companies handle everything from decision making to customer service. The automation of virtually all business processes and the increasing digital connectedness of the entire value chain create agility, but they also significantly raise cybersecurity risks and threat levels.
The key to addressing those risks and threats is building security into applications, as well as into interconnected devices, right from the start.
Running IT systems in the cloud supports organizational flexibility. To that end, companies are increasingly moving both data and business functions (e.g., human resources and procurement) between the cloud and on-premises legacy systems.
But as companies embark on their journeys of digital transformation, they must make cybersecurity a top priority, says Michael Golz, CIO, SAP Americas. “We have to maintain confidentiality, integrity, and availability of data in all these contexts: on premises, in the cloud, and in hybrid environments,” Golz says.
Both the value and the volume of data have never been higher, and end points are more vulnerable than ever. That’s especially the case with the IoT, which is still in its infancy. As the IoT is extended to everything from industrial equipment to consumer devices, attacks are growing not just in number, but also in sophistication. Next-generation devices are now deployed in potentially vulnerable environments such as vehicles, hospitals, and energy plants, vastly increasing the risks to human welfare. Concerns about such devices being hacked, turned into botnets, and used to attack targeted computers and organizations are growing as well.
“Any vulnerabilities in the supply chain now have a wildfire effect that results in millions of dollars being lost and trust being destroyed on impact,” says Justin Somaini, global CSO, SAP. “It used to take a while to exploit these weaknesses. Nowadays, it’s very fast and the damage is immediate.”
With the stakes so high, senior IT leaders, including both CIOs and CSOs, need to adopt a more proactive approach to securing critical data. Forensic analysis of what went wrong after a breach won’t be enough to save lives—or C-level careers.
Focusing on Both Applications and Data
Cybersecurity professionals are accustomed to securing access to their networks and applications. But digital transformation leads to an explosion of connected environments where perimeter protection is no longer enough. Attackers and other malicious individuals will continue to compromise weak links, resulting in deep access to companies’ networks, systems, and data.
In a digital world, the classic, contained enterprise network no longer exists. For that reason, security must be embedded into all applications as the first line of defense, Somaini says. To achieve that level of security, SAP favors the “security by default” approach, in which an application’s embedded security controls are, by default, set at the highest levels of protection. “The idea is to build in security, rather than asking users to opt in,” he says. That’s one of the hallmarks of being more proactive in securing data: protection is the default posture.
So-called “self-defending apps” are another example of proactive security. This active-protection technique provides applications with advanced access-control capabilities, allowing them to react to malicious source-code modifications and debugging at runtime. Encryption of all data in transit is another core tenet of preemptive cybersecurity, according to Somaini. SAP HANA, for example, features encryption services for data both at rest and in flight.
Among the most important factors for heading off insider threats are two-factor authentication (which verifies a user’s identity via two different methods) and role-based access controls (which limit the user’s access to data by job role), Golz says. “The insider threat is very real. There are a lot of data breaches today by people who have a legitimate authorization that is too broad. They get to see more than they are entitled to. Two-factor authentication dramatically increases the security of the communications.”
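The two controls named above, role-based access and a second authentication factor, combine naturally with the "security by default" posture described earlier: an access check that denies anything not explicitly granted, and a periodic review that flags roles whose grants are broader than what their holders actually use. The following is an added illustration, not code from SAP or from this article; the roles, users, permissions and access log are constructed sample data, and gating write actions behind a verified second factor is an assumed policy choice, not something the text prescribes.

```python
"""Default-deny role-based access control with a least-privilege audit.

Added example (not from the article or SAP). All roles, users, permissions
and the access log below are constructed sample data.
"""

# Constructed sample: each role maps to the (resource, action) pairs it may use.
ROLE_PERMISSIONS = {
    "hr_analyst": {("employee_record", "read")},
    "payroll_clerk": {
        ("employee_record", "read"),
        ("payroll", "read"),
        ("payroll", "write"),
    },
    # Deliberately over-broad role of the kind the text warns about:
    # a legitimate authorization that grants far more than the job needs.
    "legacy_admin": {
        ("employee_record", "read"),
        ("employee_record", "write"),
        ("payroll", "read"),
        ("payroll", "write"),
        ("procurement", "write"),
    },
}

# Constructed sample: users and the roles assigned to them.
USER_ROLES = {
    "alice": {"hr_analyst"},
    "bob": {"payroll_clerk"},
    "carol": {"legacy_admin"},
}


def is_allowed(user, resource, action, mfa_verified=False):
    """Default-deny check.

    Unknown users or roles get nothing; a (resource, action) pair is allowed
    only if some assigned role grants it explicitly. As an assumed policy,
    write actions additionally require a verified second factor.
    """
    roles = USER_ROLES.get(user, set())
    permitted = any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set()) for role in roles
    )
    if not permitted:
        return False
    if action == "write" and not mfa_verified:
        return False
    return True


def overbroad_roles(access_log, threshold=0.5):
    """Flag roles where more than `threshold` of granted permissions went unused.

    `access_log` is an iterable of (user, resource, action) tuples observed
    during a review period. Returns {role: sorted list of unused permissions}.
    """
    used_by_role = {}
    for user, resource, action in access_log:
        for role in USER_ROLES.get(user, set()):
            used_by_role.setdefault(role, set()).add((resource, action))

    flagged = {}
    for role, granted in ROLE_PERMISSIONS.items():
        unused = granted - used_by_role.get(role, set())
        if granted and len(unused) / len(granted) > threshold:
            flagged[role] = sorted(unused)
    return flagged


# Constructed access log for one review period: (user, resource, action).
SAMPLE_ACCESS_LOG = [
    ("alice", "employee_record", "read"),
    ("bob", "payroll", "read"),
    ("bob", "payroll", "write"),
    ("bob", "employee_record", "read"),
    ("carol", "employee_record", "read"),
]


if __name__ == "__main__":
    print("alice read employee_record:", is_allowed("alice", "employee_record", "read"))
    print("bob write payroll (no MFA):", is_allowed("bob", "payroll", "write"))
    print("bob write payroll (MFA):", is_allowed("bob", "payroll", "write", mfa_verified=True))
    print("over-broad roles:", overbroad_roles(SAMPLE_ACCESS_LOG))
```

Run as a script, the audit reports `legacy_admin` as over-broad: Carol exercised only one of its five grants, which is exactly the "authorization that is too broad" pattern the quote describes, and the unused grants are the candidates for removal. The access check itself never consults a "deny" list; absence of a grant is the denial, which is what makes the default posture protective rather than opt-in.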
Bringing Two Worlds Together
The cybersecurity issues raised by digital transformation are driving the need for a better understanding between the organization’s cybersecurity professionals and those who provide application security. “Traditionally, those groups don’t speak the same language and don’t understand what the other side is doing,” Golz says.
Today, responsibility for cybersecurity is generally shared by the application team, which tends to focus on hardening and securing enterprise applications, and the cybersecurity professionals, who handle aspects such as access controls and firewalls. “Those are different roles, and they use different technologies and terms,” Golz says. Going forward, with the focus shifting from traditional network-perimeter security to securing application data, those two worlds need to join forces to prevent issues from falling through the cracks, he adds.
Digital transformation makes it essential that the cybersecurity and IT teams find a common understanding, a shared terminology, and a unified approach to securing applications and data. “Systems are being opened in ways that they weren’t before,” Golz explains. “There is more direct connectivity with suppliers, partners, customers, and consumers. There are tighter connections between a company’s Web presence and back-end systems. The seamless process flows mean more things can go wrong.”
When it comes to digitally transforming a company’s business, cybersecurity must be part of that conversation from the start. As a case in point, many companies now sell software along with their products. For example, a large industrial vendor such as GE today provides not just the equipment used in production environments but also subscription-based monitoring and maintenance services to ensure that equipment does not experience an unexpected outage. “That means all the challenges and requirements a software company faces now apply to you. The way you protect the data is paramount. It’s a whole set of new challenges,” Golz says.
As one of the top providers of business-critical applications, SAP will continue to build security into the heart of its applications and to secure cloud operations to protect content and transactions, Golz says. “We are working to help customers define, plan, and execute measures for their secure digital transformation.”