SECURITY IS A CONCERN FOR EVERY ENTERPRISE, and a known issue to almost all managers. Everyone has heard of hackers infiltrating corporate systems via the Internet and stealing credit card numbers or severely disrupting operations. Stories of stolen corporate secrets are also common. What is not widely known is that internal employees are most often responsible for the majority of security breaches. Sooner or later every organization is faced with employee misbehavior, including malicious destruction of data, misuse of information, embezzlement, and the taking of corporate secrets to new employers. A good firewall will help defend against hackers, but does little to prevent the majority of security breaches.

Application Security
Technology departments commonly believe that application security is not important when strong database security is present. This is incorrect, and is one of the major security mistakes companies make. Application security is required to adequately secure an enterprise. Database security alone is too inflexible, and not adequate for data-intensive web applications. Database security is also more difficult to administer, especially for applications with multiple databases, and databases supporting multiple applications. Strong database security is important, but strong application security is equally important.

Companies often fail to provide adequate application security for important functions, such as issuing mass e-mails to clients or entering a purchase order listing another employee's name. A secure database does not prevent the inappropriate use of dangerous application functions; only adequate application security will prevent these abuses. This is especially important for businesses moving to Web Services to expose enterprise application functionality to clients and partners over the Internet. Application security is critical; failing to “lock-down” dangerous functions from external users can have disastrous results.

Common Security Inadequacies
Unfortunately, application security is often poorly understood or overlooked by application designers not fully trained in enterprise security architecture. Third-party enterprise applications, such as accounting, CRM or ERP packages are often too limited in the security they provide. Many industries, such as banking, healthcare, and travel have stringent security requirements, and customizing these off-the-shelf packages to provide adequate security can be expensive, or even impossible. Strong application security is most important for modern applications built with an n-tier, distributed architecture. Examples include eCommerce, supply-chain integration, CRM, ERP, and any web-service enabled system. Security issues for these applications are much more complex than for desktop, client-server or legacy application architectures. Other common security problems include conflicts between database and application security, and the inevitable appearance of decentralized, poorly managed “islands of security.” These are caused by incompatible security models that require multiple passwords for each user resulting in a maintenance headache and leading to lapses in password security.

The Right Approach
Security should be a central concern in all enterprise architecture efforts. Enterprise network-, data- and software architects—whether employees or consultants—should be trained in current enterprise security practices and policies. Larger organizations should have a dedicated security architect responsible for defining, documenting, and implementing security processes throughout the enterprise. An independent party should conduct regular security audits, and a security breach prevention and recovery plan should be developed and tested for all common security breach scenarios. Clear lines of responsibility are a must for solid enterprise security.

Enterprise applications should have centralized business logic with integrated role-based security. This allows contextual control of access rights to individual application functions. For example, a salesperson should not have access to items in another salesperson's pipeline. However, a regional aggregate forecast may need to be accessible by all salespersons. To ensure access to the pipeline items only in the aggregate requires contextually aware application security. An application's security model should be customized to exactly match how an organization does business. Third-party applications, databases and network components with inadequate security should be avoided. Applications dealing with sensitive information should always include a detailed audit trail—the common practice of simply storing “Last Modified By” information is woefully inadequate for enterprise systems.

With the advent of web services and a heightened threat of cyber-terrorism since 9/11, enterprise network and application security are more important than ever. Yet the return on investment for security is difficult to calculate. What is it worth to prevent a major public embarrassment? Or prevent a competitor from receiving trade secrets from a disgruntled employee? Don't diminish security for the sake of projects with a clear ROI. The best security goes unnoticed, so be vigilant against complacency.

A.J. Singh is the president and CEO of ModularIS, which he founded in 1999. Prior to founding ModularIS, Singh was a Software Architect at Whittman-Hart and was involved in several industries including B2B eCommerce, Transportation, and Manufacturing. Singh received his Masters in Mechanical Engineering from the University of Illinois.