For company directors, the "digital transformation" strategy is the result of a new vision of their information systems. Right from the design stage, it can be broken down into four strategic areas "by design": security in the cloud, protection of personal data, agility and mobility. In this context, guaranteeing the secure sharing of data over the Internet has become the major challenge of a company's digital strategy.
From perimeter security to "security by design
In today's fast-changing economic and technological environment, all business leaders understand that the success of their "digital transformation" is strategic, even vital. But to name things is first to define them.
The first observation is that the Internet and the cloud are now inescapable. However, since the invention of networks and the web, corporate IT security has been based on a vision of perimeter protection, which considers that only what lies outside a protected network is the enemy. Protection is provided by network control and supervision technologies: firewalls, intrusion detection systems (IDS), pass-throughs, bastions, network connection control, deep packet inspection (DPI), security management center (SOC). At the same time, access to data from outside the enterprise requires network encryption technologies such as virtual private networks: " The Internet and the cloud are now indispensable".
Countering new threats
But this "Maginot Line" protection strategy is not enough.
It is inoperative in the face of new threats. And then, how can we ensure widespread access to company data when some countries prohibit virtual private networks?
But this "Maginot Line" protection strategy is not enough. It is ineffective in the face of new threats. And then, how can we ensure widespread access to corporate data at a time when some countries are banning virtual private networks? There are two main types of threat:
- on the one hand, data breaches (Pentagon case: 1.8 billion messages, i.e. several TB of data attacked);
- and on the other, data unavailability or even corruption (as in the case of the NotPetya ransomware cyberattack, which caused Saint-Gobain to lose e250m in orders).
Thinking about safety from the start
From now on, corporate IT security must start at the information system design stage, based on the principle that the main vulnerability is the user terminal; in other words, it's the terminal (including its human dimension) that guarantees the level of security.
In this case, data confidentiality is based on the secrecy of the private key, which must not leave the user terminal. The public cloud will ensure resilience and availability. Authentication, possibly strong multi-factor authentication, will guarantee the user's legitimacy.
The general principle is to integrate security at the design stage of the information system, or "security by design".
1) From the client workstation
From now on, data confidentiality will have to be ensured exclusively by the client workstation, which is the only trusted entity. The encryption model will be "zero knowledge", meaning that only the client will know the encryption keys. Neither the administrator nor any other administrative authority will have access to the encryption keys. Historization will enable you to see what changes have been made to the data, and restore the content to a previous version.
2) A three-level construction
The system must be built on triple trust:
- confidence in access to guarantee identity and associated rights;
- confidence in transport, for example by using the HTTPS protocol, which offers an excellent guarantee ;
- trust in sharing, which implies managing private keys at user level.
3) A European framework for data protection
The General Data Protection Regulation or GDPR is a European regulation. Unlike a directive, which must be transposed into national law, it takes effect in every national law from May 25, 2018. In the event of non-compliance, penalties range up to 4% of worldwide annual sales. The company becomes responsible for the processing, automated or otherwise, of personal data, direct or indirect, concerning an identified or identifiable natural person.
The data controller is considered to be the responsible economic player (accountability principle), and as such is responsible for taking measures to guarantee the protection of personal data: determining purposes, documenting processing, obtaining explicit consent, providing access to data, and allowing data to be deleted or ported.
The general principle is "privacy by design". This principle ties in with the previous one at system design level.
4) Mostly mobile terminals: "mobility by design
4G and wifi are virtually everywhere, and in Lisbon in December 2017, the members of 3GPP - the international cooperation that sets telecommunications standards - agreed on the specifications for 5GNR (New Radio). Terminals have become massively mobile, and this is in fact the majority mode of internet consumption.
Mobility has a direct impact on the organization of work: the widespread use of remote collaborative organizations means that the physical boundaries of the company are disappearing.
As a result, information systems will have to be natively "responsive". Ergonomics will therefore have to adapt naturally to the terminal; the basic rule of page design being user experience, this also includes accessibility standards.
5) Avoid enterprise resource planning (ERP) software
After 10 to 20 years, a company that has built its information system in application bricks according to its business needs must manage a legacy of several hundred or even thousands of independent applications, most of which process similar data, notably personal data relating to users.
All these applications are generally built on obsolete "three-tier" or "client-server" architectures, which are riddled with security holes. It's impossible to plug all the holes.
In the best of cases, companies have organized their processes around integrated management software packages (ERP), which are supposed to cover all their functional needs, subject to business-specific configuration, but generally require numerous specific developments and a long, painful period of migration and change.
In the age of the digital revolution, continuing to organize your information system around software packages and application solutions is a strategic mistake. How can we ensure universal access to the company's information system? How can the information system be adapted on a daily basis to the company's constantly evolving strategy, processes and organizations? And how can we guarantee that all data of the same kind will be processed in the same way and in sync?
Open source: a winning strategy
"Faced with the disadvantages of integrated software packages, a winning strategy is, for example, the one announced by Société Générale at the Paris Open Source Summit 2017: migrate its applications, middleware and infrastructure to open-source solutions. This involves natively generalizing the use of "open source" in new projects; gradually converting traditional applications with their open source alternatives; and turning its IT staff into active contributors.
In the final analysis, the best approach is to rebuild the entire information system on the basis of an inter-system exchange platform, using open bricks built on the one hand from business processes (the frontend), and on the other, from a restructuring of business data (the backend). For the user, the transition will be smooth, since the platform will integrate an inter-system messaging system that will synchronize all legacy applications with the platform via application programming interfaces or APIs.
An organization's choice of open source will ensure reversibility and longevity, and the openness of the code will be an additional guarantee that security flaws will be corrected more quickly.
The rapid adoption of Kubernetes, designed by Google to automate the deployment and scaling of applications, is another example of the strength of the open source model.
A new vision of the information system
The conclusion could be written as an equation:
" Digital transformation = Security + Protection + Agility + Mobility "
This digital transformation is the result of a new vision of the information system, which is now broken down into four strategic areas "by design": security in the cloud, protection of personal data, mobility, agility and open source.