Application Management, Security and Privacy By Design - Threats, Vulnerabilities and Risk Management
Tuesday, March 31, 2015
Recent events have heightened public awareness of threats, vulnerabilities and risks.
"Apps" have become the users' front door to business, information and IT services using mobile, wireless and wired devices. User confidence and trust are increasingly critical to service success.
While the App is perceived to be the functionality on the access device, we need to manage the "application" as the end-to-end set of business transactions, system transactions and component interactions between the user and the target service. For example, mobile banking, web banking, ATMs and payment card devices are access devices that provide apps to connect me to my bank services. While they are separate access channels (using different devices, Apps and connections), they share some enterprise application infrastructure (connections, workflow, application components and data) and all update my bank accounts. They are all part of the set of banking applications I use to debit and credit my bank account. Multi-channel access presents new risks to enterprise applications and data by potentially exposing cross-channel vulnerabilities: a control applied only in one App can be bypassed by reaching the same shared components and data through another channel.
Application management, security and privacy need to be designed and built into the App. Design needs to consider the end to end context, behaviour and security of both the application and the underlying infrastructure (Application Service Platform, Application Infrastructure Services, Infrastructure Services, and Network Services).
Security requirements overlap with application management requirements. For example:
Timely alerts that an application component service has failed or been compromised are essential to managing incidents and meeting service level targets, and can also give early warning of a denial of service attack.
Transaction performance and integrity are key application management components, and are now also critical to maintaining customer trust and satisfaction.
The ability to start and stop a service based on alert triggers is critical to both application management and security.
Application design needs to integrate services (apps, devices, connections, transactions, component interactions, workflow and data), and layer protection and management mechanisms (controls, audit, reporting, monitoring, alerts and incident management) into an effective end to end security and management solution for the application and the Apps which access it.
For this reason, we continue to recommend assessing security threats, vulnerabilities and risks from a defense in depth perspective, for information management and flow based on user context and authentication across all services used to provide the target application.
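The points above can be made concrete in code. The following is an added example, not code from the original post: a toy multi-channel banking core in which the high-value authorization rule lives in the shared backend (so no single App can be used to get around it), each stored transaction carries an HMAC integrity tag, and a per-channel monitor raises an alert and suspends the channel once failures exceed a threshold (stop-on-alert). The channel names, authentication strengths, the 1000 limit, the threshold and the integrity key are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import deque

# Assumed authentication strengths, independent of the channel that used them.
AUTH_STRENGTH = {"password": 1, "card_pin": 2, "mfa": 3}
# Assumed policy: any debit over 1000 needs strength >= 3, on every channel.
HIGH_VALUE_LIMIT, HIGH_VALUE_MIN_AUTH = 1000, 3
INTEGRITY_KEY = b"demo-key-not-for-production"  # assumption; a real key lives in an HSM/KMS


class ChannelSuspended(Exception):
    pass


class AuthorizationError(Exception):
    pass


class ChannelMonitor:
    """Per-channel sliding-window failure counter; over threshold => alert + suspend."""

    def __init__(self, threshold=5, window_s=60):
        self.threshold, self.window_s = threshold, window_s
        self.failures = {}      # channel -> deque of failure timestamps
        self.suspended = set()
        self.alerts = []        # (channel, message) handed to the incident process

    def record_failure(self, channel, reason, now):
        q = self.failures.setdefault(channel, deque())
        q.append(now)
        while now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold and channel not in self.suspended:
            self.suspended.add(channel)
            self.alerts.append((channel, f"{len(q)} failures in {self.window_s}s; last: {reason}"))


class BankCore:
    """Shared backend behind every App; policy is enforced here, not in the App."""

    def __init__(self, monitor):
        self.monitor, self.balances, self.ledger = monitor, {}, []

    def credit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount

    def _tag(self, rec):
        msg = "|".join(str(rec[k]) for k in ("seq", "account", "channel", "amount", "auth"))
        return hmac.new(INTEGRITY_KEY, msg.encode(), hashlib.sha256).hexdigest()

    def debit(self, account, amount, channel, auth_method, now):
        if channel in self.monitor.suspended:
            raise ChannelSuspended(channel)
        try:
            if amount > HIGH_VALUE_LIMIT and AUTH_STRENGTH.get(auth_method, 0) < HIGH_VALUE_MIN_AUTH:
                raise AuthorizationError(f"{auth_method} too weak for {amount} via {channel}")
            if self.balances.get(account, 0) < amount:
                raise AuthorizationError("insufficient funds")
        except AuthorizationError as exc:
            self.monitor.record_failure(channel, str(exc), now)
            raise
        self.balances[account] -= amount
        rec = {"seq": len(self.ledger), "account": account, "channel": channel,
               "amount": amount, "auth": auth_method}
        rec["tag"] = self._tag(rec)   # integrity tag over the stored transaction
        self.ledger.append(rec)
        return rec

    def verify_ledger(self):
        """Recompute every tag; returns the seqs whose records no longer match."""
        return [r["seq"] for r in self.ledger if not hmac.compare_digest(r["tag"], self._tag(r))]


def run_demo():
    """Constructed scenario: one customer, one account, three access channels."""
    core = BankCore(ChannelMonitor(threshold=3, window_s=60))
    core.credit("acct-1", 10_000)
    out = {}
    for channel, auth in (("mobile", "password"), ("atm", "card_pin"), ("web", "mfa")):
        try:                      # the same 5000 debit attempted from each channel
            core.debit("acct-1", 5000, channel, auth, now=1000.0)
            out[channel] = "ok"
        except AuthorizationError:
            out[channel] = "denied"
    for t in (1001.0, 1002.0):    # two more mobile failures inside the window
        try:
            core.debit("acct-1", 5000, "mobile", "password", now=t)
        except AuthorizationError:
            pass
    try:                          # breaker has tripped: even a small debit is refused
        core.debit("acct-1", 10, "mobile", "password", now=1003.0)
        out["mobile_after_alert"] = "ok"
    except ChannelSuspended:
        out["mobile_after_alert"] = "suspended"
    out["alerts"], out["balance"] = len(core.monitor.alerts), core.balances["acct-1"]
    out["clean_ledger"] = core.verify_ledger()
    core.ledger[0]["amount"] = 5  # simulate tampering with a stored transaction
    out["tampered_ledger"] = core.verify_ledger()
    return out
```

Running `run_demo()` shows the three behaviours together: the 5000 debit is refused on the password and card-PIN channels and accepted only with MFA, because the limit is checked once in the shared core rather than separately in each App; the third failure on the mobile channel within the window produces one alert and suspends that channel, so a later small debit is refused with `ChannelSuspended` while the web channel keeps working; and altering a stored ledger record makes `verify_ledger()` report its sequence number. Restarting a suspended channel after the incident is closed is the operator's decision and would simply clear it from `monitor.suspended`.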
Fred Nagy, CMC, PMP, ITIL
416 580 7857
Solutions in Context – "Strategic Design and Risk Management"
Each Public Sector Program is accountable for the information it uses, discloses and retains, from collection through to destruction:
Public Sector Services collect, use, disclose, retain, and destroy information
Typically involve the public, other jurisdictions, partners, other program areas within the jurisdiction and shared support services
Could involve multiple Private, Community and Public Clouds
Managed Cloud Services for Public Sector need to deliver integrated solutions for Relationship Management, Information Management, Privacy and Security requirements.
Most public sector program service activities are generic and common across government programs. Only a small portion is specific to the Program’s service outcomes. To increase Program agility and reduce costs, cloud based Program Infrastructure Services (E.g. shared services, processes, resources) should be used to create and operate a Public Sector program. Most of these Program Infrastructure Services should be generic & shared.
A Hybrid cloud strategy is needed to manage Program services and information. It should leverage:
Community Clouds (e.g. Cross Jurisdiction, eHealth, Shared Services (OSS, OPS ITS)) to share IT software, platforms and infrastructure
Public Sector partner clouds
In my presentation on Cloud Information MAPs, I proposed a different view of Public Sector Clouds based on a managed service view:
1. “The Cloud” is made up of clouds with different Trust levels:
Maximizing the value of using and providing managed services requires systematic investment and decision making by Business and I&IT working together.
To share service, you must share some business infrastructure - Strategies, Systems, Processes, Rules, Infrastructure, Support, Relationships, Applications, Information.
Critical success factors are business leadership, joint service planning, an agreed service business plan, and effective governance (e.g. to decide what to share, what to control, when to roll out change...).
The evolution of your Managed Services needs to be managed as a strategic business program leveraging continuous improvement with periodic injections of strategic disruptive change.
Here is a link to a presentation I made to the OPS Architecture Open house in 2008 about strategy, architecture and program management for Business and I&IT services.
"Maximizing Program Investment Value and Decision Making Through Enterprise Architecture"
I&IT Service Puzzle - Effective Delivery and Management
Wednesday, February 4, 2015
The real puzzle continues to be how to effectively deliver and manage I&IT services of value to users.
I&IT organizations in North America are focusing on delivery of services as a utility over a hybrid network (partners, suppliers, people, processes, technology). Consultants can assist Organizational I&IT with:
1. “Keeping the Lights On” - I&IT needs to ensure production services are available and work properly all the time. Most I&IT organizations are working their way up the infrastructure, platform, application, ITSM and business process levels. Non-functional requirements and new business service solutions are needed to balance service stability, resilience, agility, and economic value.
2. “Simple, Anywhere, Anytime, Any Device” - Consumer devices have raised the bar and are challenging the approaches for IT- User service. Service Solutions need to be more elegant.
3. “Integrated but Protected” - Service integration is increasingly complex, while tolerance for customer information breaches continues to drop. I&IT organizations need security architecture and solutions for end-to-end information protection.
4. “I&IT Business Value” - I&IT organizations regularly need to justify their business existence and their Department’s future. They need to effectively integrate the user application, personal device, managed service, shared service, cloud computing, partner and outsourced models of service delivery to provide measurable business value.
5. “Effective Program and Project Management” - All projects are “business” projects, not just “IT” projects, and must be able to implement tangible business change – either directly to the organization’s business or to the business of I&IT in the organization. Planning and managing business change is still a critical challenge for most I&IT organizations.
Fred Nagy, CMC, PMP, ITIL
416 850 7857
Solutions in Context - "Business/I&IT Service Strategy & Integrated Execution - getting the right process, information and IT things done"
Public Sector Service Strategy - The Hybrid Enterprise Journey
Monday, February 2, 2015
The Ontario Public Sector has been adopting hybrid enterprise service solutions - combinations of alternate service delivery models, virtual organizations with partners, Enterprise solutions (COTS, Cloud, Managed Services), third party services, and shared services (business and I&IT) as part of an innovation agenda to get better value for the people of Ontario.
The result is a greater need to regularly and easily release sets of integrated change (business, information, IT and security services) into Ontario.
Business and I&IT Service transformation needs to be managed as a continuous, responsive, controlled and natural process within business operations.
Business and I&IT Services need to adopt both continuous step-wise improvement, and periodic disruptive change (e.g. due to strategic shifts) in discrete steps that add value to the People of Ontario.
The Business and I&IT Service transformation processes should:
Define and enable step-wise improvement through regular releases of static and dynamic combinations of business, information, IT and security products, processes, services, and relationships.
Improve end to end service management across organization, relationship, geographic, jurisdiction, technology, vendor, and role boundaries.
Successful execution of integrated Business and I&IT Service Strategy requires a business model that embraces:
Continuous Business Innovation Program - Supports strategy execution as a multi-year journey which is undertaken in discrete steps that release change into the business
Hybrid Enterprise Business Service Model and Relationships - Supports public, community and private combinations of clients, customers, partners, other stakeholders and staff to deliver and manage service
Business Service Release Management - Stages evolution through semi-annual release of changes to client/customer services through dynamic, loose-coupling of end to end managed services provided by business partners and suppliers (includes business and IT, internal and external)
Business Service Platform - Integrated business, information, technology and Security capability which enable service release over time through combinations of partner and supplier services
Supplier Service Platform - Integrated combinations of process, information, application, application platform, and infrastructure to enable partners and suppliers to participate in service releases
Enabling the first or next release of an enterprise business and I&IT service is really about establishing the go-forward service management organization and providing it the business model and tools to enable the journey required to execute the enterprise service strategy.
Fred Nagy, CMC, PMP, ITIL
416 580 7857
Solutions in Context - "Service Strategy and Execution - Getting the right things done"
Please use the comments feature on this blog to provide feedback on the topic and/or presentation and/or ask questions. We would appreciate your thoughts on the usefulness of architecture in ensuring project success.
Fred Nagy, BMath Co-op, CMC, PMP, ITIL
Solutions in Context - "Strategic Design, Implementation and Risk Management"