“"Embracing a risk-reward approach to security requires a significant shift in how we think about digital assets. But it is a necessary shift given the rapid evolution of digital threats and the inability of existing security models to mitigate them." ”
Value is subjective. If you see an index card lying on a table as you enter my house, you may write it off as an insignificant piece of paper with little value, but as it holds my late grandmother’s hot sweet mustard recipe, I think it’s priceless. Same index card, two completely different interpretations of its value. All digital assets are like this index card. Their value is subjective to each company, but the key point is they have value. Digital assets with value—again, recognize I mean all of them—need to be protected.
While a zero-tolerance policy for risk has often been a security approach for businesses, mature digital enterprises recognize a risk versus reward approach to security is better. With brick-and-mortar stores, a risk versus reward approach is easy to see in the way they organize and protect their products for sale. Low-value (ahh, that word again) items are easily available to customers whereas high-value items are placed in locked display cases. Ease of access improves customer experience and likelihood to purchase while simultaneously increasing the ease of theft and potential loss. But while assigning value to physical products and digital assets with monetary equivalencies is easy, assigning value to intangible digital assets presents more of a challenge.
Today’s treatment of “intangible digital assets”
The protection of a company’s intangible digital assets—their proprietary code, operational and customer data (telemetry), machine learning (ML) models, etc.—is just as important as securing their system, ecommerce site, and customer transactions. A breach on these intangibles is akin to a breach of a knight’s honor in medieval times. While honor doesn’t hold the same tangible value as gold and gems, knights would protect it with their lives because it allowed them to compete in tournaments, attend court, and earn favor with ladies of nobility.
A breach on a business’ digital assets damages brand reputation and exposes the company to loss of development opportunities or sourcing of new methods of income. Take for example American retailer, Kroger, building derivative value from their customer data to open revenue streams with other companies. Were this digital asset easily accessible by threat actors, Kroger wouldn’t be able to monetize the subsequent insights on customer shopping habits and purchasing motivations that they derive from it. But a broad sweeping firewall isn’t necessarily enough to consider the digital asset secure.
Securing digital assets within modern enterprise architectures
The methods of protection businesses employ to secure their digital assets will come back to the earlier discussion of value. Continuing with the Kroger example, their insights are clearly high value since it is directly related to a revenue stream. The data as a supporting digital asset may not be locked behind a door guarded by a knight inside your castle with a moat and drawbridge, but it’s also not something you want outsiders to have access to steal or corrupt. This means you need to determine how valuable you find it and protect it accordingly, which brings us back to shifting to a risk versus reward security approach, all of which is enabled by modern enterprise architectures.
Modern enterprise architectures embrace security that provides a framework of protection. Deterministic enforcement tools, like authentication and access control, are utilized along with layers of situational awareness and risk-aware remediation policies.
To learn how to make deliberate risk-aware choices for modern application security and create a framework for digital asset protection, read “Moving Beyond Fight or Flight,” a chapter by distinguished engineer Ken Arora in our O’Reilly book, Enterprise Architecture for Digital Business.
About the Author
Related Blog Posts
At the Intersection of Operational Data and Generative AI
Help your organization understand the impact of generative AI (GenAI) on its operational data practices, and learn how to better align GenAI technology adoption timelines with existing budgets, practices, and cultures.
Using AI for IT Automation Security
Learn how artificial intelligence and machine learning aid in mitigating cybersecurity threats to your IT automation processes.
The Commodification of Cloud
Public cloud is no longer the bright new shiny toy, but it paved the way for XaaS, Edge, and a new cycle of innovation.
Most Exciting Tech Trend in 2022: IT/OT Convergence
The line between operation and digital systems continues to blur as homes and businesses increase their reliance on connected devices, accelerating the convergence of IT and OT. While this trend of integration brings excitement, it also presents its own challenges and concerns to be considered.
Adaptive Applications are Data-Driven
There's a big difference between knowing something's wrong and knowing what to do about it. Only after monitoring the right elements can we discern the health of a user experience, deriving from the analysis of those measurements the relationships and patterns that can be inferred. Ultimately, the automation that will give rise to truly adaptive applications is based on measurements and our understanding of them.
Inserting App Services into Shifting App Architectures
Application architectures have evolved several times since the early days of computing, and it is no longer optimal to rely solely on a single, known data path to insert application services. Furthermore, because many of the emerging data paths are not as suitable for a proxy-based platform, we must look to the other potential points of insertion possible to scale and secure modern applications.