Thursday, June 26, 2008

Security-aware business... or business-aware security?

Much of the digitalization of business processes spawns from the desire of humans to minimize manual execution of repetitive tasks and maximize convenience. The field of Business Process Management (BPM) provides IT with tools for modeling business processes in a generic fashion to set frameworks for a variety of business applications, such as HR, procurement, medical, etc. This allows for more flexibility to address change in the business processes when needed as compared to changing code whenever business processes are changed.

Digital business processes cannot exist without human interaction; at the very minimum, a human actor must initiate a request for the automation of the business process to begin. Any human actor, by virtue of being human, will have identity information attached to him or her, and there exists a need to protect this identity information.

In order to participate in a business process, the consumer will have no choice but to leak some minimal identity information because the system needs to know who the consumer is. This identity information is necessary to the provider of the service in order to determine whether the service should be granted. However, the goal of the consumer is to receive the service and at the same time leak as little information as possible. The need to protect the consumer’s privacy to the maximum degree possible sets the context for identity management within business processes.

The provider cannot perform a service for a completely anonymous actor because access rights and privileges that a given consumer has for the system involved in the business process must be determined before the service is granted. Thus, the consumer’s desire for convenience and need for privacy must be balanced with access management, in order to maximize the security of the business process.

This constant three-way tug of war between convenience, privacy, and security presents a need for next-generation business process solutions that would provide business process modelers with embedded security controls.

Historically, the industry practice has been to implement business processes first, with no embedded access controls whatsoever, and then integrate the business process products with external access management products. One shortcoming with this approach is the cost of integration. Another limitation with external integration of security is that while it works well for course-grain security needs, external components do not have granular visibility into details of specific activities within business processes.

Despite their generic nature, BPM tools are no exception. Typically, they have basic access control and identity management capabilities sufficient for proof of concepts and small deployments. However, these out-of-the box capabilities are insufficient for large scale deployments with large user populations. When performance and scalability are required, IT professionals prefer to make sizeable investments into enterprise-level access management tools from security vendors. These access management tools must be integrated with the existing BPM tools.
The question that begs to be asked is: At which point should this integration take place? How do we, as IT vendors, make security business-aware and a business application security-capable, while improving time-to-value and minimizing integration budgets of our customers? It seems that the industry has come to the point where this integration can and should take place initially within BPM products themselves.

When it comes to build versus buy decisions, IT managers must have a choice between continuously funding integration projects with vague scopes and ever-changing deadlines and enterprise-level products from reliable vendors that blend best-of-breed BPM features with stable, tested, and well documented enterprise-level identity and access management capabilities within.

No comments: