Get security straight first at HQ

The concept of the "extended enterprise" - where your systems are connected to suppliers, partners and distributors - is an...

The concept of the "extended enterprise" - where your systems are connected to suppliers, partners and distributors - is an Internet phenomenon, writes Ross Bentley.

However, says John Frazier, director of infrastructure services at i2 Technologies, many of these e-business initiatives have stalled because of the potential security threats these projects have created.

"Extending the enterprise is great for business but a nightmare to secure," he says. "What companies should be doing is getting their own house in order before they open up their systems to the outside world. You can extend the enterprise easily but how do you control access once they are in? This is the biggest hurdle for many companies."

According to Frazier, one way that organisations can improve their internal security is by pulling together the multiple identity systems that exist in most companies so there is one central identity repository within the enterprise.

"If you need to find out where someone sits, you have to go to the facilities system. If you want to know something about their e-mail identity, you go into the e-mail system; and if you want to know who they are, you have to interrogate the human resources system.

"There are so many companies architectured like this. I recently spoke to one senior IT executive at a big aerospace organisation who said there were more than 50 HR systems within the company. How can you control an employee's identity and access to applications when each person has so many identities? The task is monumental."

Frazier says that once you have centralised control of the user's identities within a company, it is so much easier to control who has access to what systems and who has what user privileges. It is also simpler to attribute costs and codings to departments as an employee moves from one job function to another within the business. "And if someone leaves the company, it reduces the risk of littering your system with redundant but active passwords," he says.

By his own admission, Frazier was lucky when he came to i2 as "very little was established across the enterprise". He set about implementing what he calls an "e-provisioning strategy". "This provides a central hub where changes to a user's details or access privileges need be made only once. At the centre is a piece of enterprise software with connectors into each application. Any changes that are made are pushed through in real time.

"One area where it has been of particular use is in a travel application we've been using for the past six months. With our old travel application we used to dump a lot of user information into it once a month, but the new one updates in real time. Before, if someone changed jobs in the middle of the month there was a danger that his travel expenses would be attributed to the wrong department. This doesn't happen anymore.

The technology for the e-provisioning system comes in three parts: the provisioning software is supplied by Access 360; the identity software by Oblix; and Frazier's team have customised and developed some of their own applications.

He says that some companies have approached the issue of corporate IT security by mirroring their system outside the firewall. "From a security standpoint this is fine as it isolates the system. But it does present a headache for the IT department having to support another environment," he says. "It makes the job incrementally complicated."

But isn't there a danger that some companies will decide that e-business poses such a threat to IT security that they will write off any plans to extend their enterprise electronically?

"Maybe," says Frazier, "but the upside of e-business is too great to be ignored. People already know what can be achieved and technically it's really achievable. What presents the greatest difficulty is the soft-side: evaluating risk and making decisions based on that."

Read more on IT risk management