Value is subjective. If you see an index card lying on a table as you enter my house, you may write it off as an insignificant piece of paper with little value, but as it holds my late grandmother’s hot sweet mustard recipe, I think it’s priceless. Same index card, two completely different interpretations of its value. All digital assets are like this index card. Their value is subjective to each company, but the key point is they have value. Digital assets with value—again, recognize I mean all of them—need to be protected.
While a zero-tolerance policy for risk has often been a security approach for businesses, mature digital enterprises recognize a risk versus reward approach to security is better. With brick-and-mortar stores, a risk versus reward approach is easy to see in the way they organize and protect their products for sale. Low-value (ahh, that word again) items are easily available to customers whereas high-value items are placed in locked display cases. Ease of access improves customer experience and likelihood to purchase while simultaneously increasing the ease of theft and potential loss. But while assigning value to physical products and digital assets with monetary equivalencies is easy, assigning value to intangible digital assets presents more of a challenge.
The protection of a company’s intangible digital assets—its proprietary code, operational and customer data (telemetry), machine learning (ML) models, etc.—is just as important as securing its systems, ecommerce site, and customer transactions. A breach of these intangibles is akin to a breach of a knight’s honor in medieval times. While honor doesn’t hold the same tangible value as gold and gems, knights would protect it with their lives because it allowed them to compete in tournaments, attend court, and earn favor with ladies of nobility.
A breach of a business’s digital assets damages brand reputation and exposes the company to the loss of development opportunities or of new sources of income. Take, for example, American retailer Kroger, which builds derivative value from its customer data to open revenue streams with other companies. Were this digital asset easily accessible to threat actors, Kroger wouldn’t be able to monetize the insights on customer shopping habits and purchasing motivations that it derives from the data. But a broad, sweeping firewall isn’t necessarily enough to consider the digital asset secure.
The methods of protection businesses employ to secure their digital assets come back to the earlier discussion of value. Continuing with the Kroger example, the insights are clearly high value since they are directly tied to a revenue stream. The underlying data, as a supporting digital asset, may not be locked behind a door guarded by a knight inside a castle with a moat and drawbridge, but it’s also not something you want outsiders to be able to steal or corrupt. This means you need to determine how valuable you find each asset and protect it accordingly, which brings us back to shifting to a risk versus reward security approach, all of which is enabled by modern enterprise architectures.
Modern enterprise architectures embrace security that provides a framework of protection: deterministic enforcement tools, like authentication and access control, are layered with situational awareness (contextual risk signals) and risk-aware remediation policies that scale the response to the value of the asset being requested.
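To make the risk versus reward idea concrete, here is a small added example (it is not code from the book, from F5, or from Kroger): a hypothetical policy engine that applies the deterministic checks first (is the caller authenticated, does their role permit the asset) and then tolerates less contextual risk the more valuable the asset is, answering allow, step-up, or deny. The asset names, value tiers, role lists, signal weights, and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    LOW = 1       # e.g. the public product catalog
    MEDIUM = 2    # e.g. operational telemetry
    HIGH = 3      # e.g. derived shopper insights, ML models


@dataclass(frozen=True)
class Principal:
    user: str
    authenticated: bool
    mfa: bool                 # strong factor already satisfied in this session
    roles: frozenset


@dataclass(frozen=True)
class Context:
    known_device: bool
    travel_speed_kmh: float   # implied speed since the previous session's location
    failed_logins_last_hour: int
    off_hours: bool


# Constructed asset inventory (hypothetical): value tier plus the roles allowed to use it.
ASSETS = {
    "catalog":   (Tier.LOW,    {"customer", "analyst", "data-science"}),
    "telemetry": (Tier.MEDIUM, {"analyst", "data-science"}),
    "insights":  (Tier.HIGH,   {"analyst", "data-science"}),
    "ml-model":  (Tier.HIGH,   {"data-science"}),
}

# (step_up_at, deny_at): the more valuable the asset, the less risk is tolerated.
# Numbers are illustrative assumptions, not a recommendation.
THRESHOLDS = {
    Tier.LOW:    (6, 9),
    Tier.MEDIUM: (3, 7),
    Tier.HIGH:   (1, 5),
}


def risk_score(ctx: Context) -> int:
    """Situational awareness: additive score from constructed signal weights."""
    score = 0
    if not ctx.known_device:
        score += 3
    if ctx.travel_speed_kmh > 900:      # faster than a commercial flight: impossible travel
        score += 4
    if ctx.failed_logins_last_hour >= 3:
        score += 2
    if ctx.off_hours:
        score += 1
    return score


def decide(asset_name: str, p: Principal, ctx: Context) -> tuple:
    """Return (action, reason) with action in {"allow", "step_up", "deny"}."""
    if asset_name not in ASSETS:
        return ("deny", "unknown asset")          # default deny
    tier, allowed_roles = ASSETS[asset_name]

    # 1. Deterministic enforcement: authentication, then access control.
    if not p.authenticated:
        return ("deny", "not authenticated")
    if p.roles.isdisjoint(allowed_roles):
        return ("deny", f"role not permitted on {asset_name}")

    # 2. Risk-aware remediation: thresholds scale with the asset's value tier.
    score = risk_score(ctx)
    step_up_at, deny_at = THRESHOLDS[tier]
    if score >= deny_at:
        return ("deny", f"risk {score} >= {deny_at} for {tier.name} asset")
    if tier is Tier.HIGH and not p.mfa:
        return ("step_up", "high-value asset requires a strong factor")
    if score >= step_up_at and not p.mfa:
        return ("step_up", f"risk {score} >= {step_up_at}, re-authenticate")
    return ("allow", f"risk {score} within tolerance for {tier.name} asset")


if __name__ == "__main__":
    # Constructed sample requests: same analyst, same risk signals, different asset value.
    analyst = Principal("bob", True, False, frozenset({"analyst"}))
    new_device_at_night = Context(False, 0.0, 0, True)   # risk score 4
    for asset in ("catalog", "telemetry", "insights"):
        print(asset, decide(asset, analyst, new_device_at_night))
```

The same four-point risk score lets an analyst straight into the low-value catalog, forces a step-up for telemetry, and is never enough on its own for the high-value insights, which demand a strong factor regardless. Adjusting the tier of an asset is therefore the business decision from the discussion above; the engine just enforces it.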
To learn how to make deliberate risk-aware choices for modern application security and create a framework for digital asset protection, read “Moving Beyond Fight or Flight,” a chapter by distinguished engineer Ken Arora in our O’Reilly book, Enterprise Architecture for Digital Business.