For a company's manager, the "digital transformation" strategy is the result of a new vision of its information system. From the design stage, it is broken down into four strategic axes "by design": security in the cloud, privacy, agility and mobility.
In this context, guaranteeing secure data sharing on the Internet
is becoming the major challenge of the company's digital strategy.
In a rapidly changing economic and technological environment, all
organization leaders have now understood that the success of their
"digital transformation" is strategic and even vital. But naming things starts with defining them.
Moving from perimeter security to "security by design"
The first observation is that the Internet and the cloud are now unavoidable. Since the invention of networks and the web, IT security in companies has been based on a vision of perimeter protection, which considers that everything outside a protected network is hostile. Protection is achieved through network control and supervision technologies: firewalls, intrusion detection systems (IDS), gateways, bastion hosts, network access control, deep packet inspection (DPI), and a security operations center (SOC).
At the same time, access to data from outside the company is achieved through
network encryption technologies such as virtual private networks (VPNs).
But this Maginot Line style of protection is not enough: it is ineffective against the new threats. Moreover, how can universal access to the company's data be guaranteed when some countries prohibit or control VPNs?
The threats are mainly of two kinds:
- Data breaches: Yahoo, 3 billion user accounts; Uber, 57 million customers and 600,000 drivers; the Pentagon, 1.8 billion messages, or several TB of data;
- Data unavailability, or even corruption: NotPetya caused Saint-Gobain to lose €250M in orders. The Director General of ANSSI estimated at the 2020 Cybersecurity Forum that 4 out of 10 companies with fewer than 50 employees were victims of a cyber attack in 2019, while VSEs/SMEs represent nearly 99.8% of French companies.
Corporate IT security must now begin at the design stage of the information system, based on the principle that the main vulnerability is the user terminal. In other words, it is the terminal, including its human dimension, that guarantees the level of security.
For maximum security, the confidentiality and integrity of data must rest on the secrecy of private keys which, ideally, never leave the user terminal. The public cloud ensures resilience and availability. Authentication, where required, should be strong multi-factor authentication, which guarantees the legitimacy of the user.
The general principle is to integrate security at the design stage of the information system, or "security by design" (see Silicon, "Security by design: analysis of the 3 main principles"). From now on, data confidentiality will have to be ensured exclusively by the client workstation, which is the only trusted entity. The encryption model will be "zero knowledge", with zero dissemination of knowledge: only the client knows the encryption keys. Neither the administrator nor any other administrative authority will be able to access them.
This is why the system must be built on a triple trust:
- Trust in access: guaranteeing identity and the associated rights
- Trust in transport: HTTPS offers an excellent guarantee
- Trust in sharing: private keys are managed at the user level
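The "zero knowledge" model described above is easiest to see in code. The following Python sketch is an added example, not code from the article or from any product it mentions: keys are derived on the client from a secret the user holds, the cloud side stores only opaque blobs, and integrity is checked on the way back so silent corruption is detected. To keep it runnable with the standard library alone it uses a constructed encrypt-then-MAC scheme built from HMAC-SHA256 in counter mode; a real deployment would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 and a proper key-wrapping scheme for sharing, so treat the cipher itself as illustrative. The class and function names are assumptions made for the example.

```python
"""Client-side ("zero knowledge") encryption sketch: keys never leave the client,
the cloud store holds ciphertext only, and tampering is detected on read."""
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of random nonce prefixed to every blob
TAG_LEN = 32     # HMAC-SHA256 tag appended to every blob


def derive_keys(passphrase: str, salt: bytes):
    """Runs on the client only: turn the user's secret into an encryption key
    and a separate MAC key. The server never receives passphrase or keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 200_000, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 over (nonce || counter). Constructed
    for this example; production code should use a standard AEAD instead."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then decrypt. Raises on any
    modification of the stored blob or on keys derived from the wrong secret."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class CloudStore:
    """The public cloud side: provides availability, sees blobs and salts only.
    Nothing here can reconstruct a key, which is the 'zero knowledge' property."""

    def __init__(self):
        self.blobs = {}

    def put(self, name: str, blob: bytes) -> None:
        self.blobs[name] = blob

    def get(self, name: str) -> bytes:
        return self.blobs[name]


def demo() -> dict:
    """Walk through the model with a constructed document and return the
    observable security properties so they can be checked."""
    store = CloudStore()
    salt = os.urandom(16)           # stored alongside the blob; not secret
    secret = "correct horse battery staple"   # constructed user secret
    document = b"Quarterly figures: contains personal data of 42 employees."

    # Client encrypts locally and uploads; the store never sees the keys.
    enc_key, mac_key = derive_keys(secret, salt)
    store.put("report.txt", encrypt(enc_key, mac_key, document))

    # An administrator reading storage directly finds no plaintext.
    server_holds_plaintext = document in store.get("report.txt")

    # The legitimate client re-derives the keys and reads its data back.
    roundtrip_ok = decrypt(enc_key, mac_key, store.get("report.txt")) == document

    # Corruption in the cloud (a flipped ciphertext byte) is detected, not silently returned.
    damaged = bytearray(store.get("report.txt"))
    damaged[NONCE_LEN + 3] ^= 0x01
    try:
        decrypt(enc_key, mac_key, bytes(damaged))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Keys derived from a wrong secret (or by anyone without the secret) are rejected.
    wrong_enc, wrong_mac = derive_keys("not the secret", salt)
    try:
        decrypt(wrong_enc, wrong_mac, store.get("report.txt"))
        wrong_secret_rejected = False
    except ValueError:
        wrong_secret_rejected = True

    return {
        "server_holds_plaintext": server_holds_plaintext,
        "roundtrip_ok": roundtrip_ok,
        "tamper_detected": tamper_detected,
        "wrong_secret_rejected": wrong_secret_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the sketch is architectural rather than cryptographic: the three trusts map onto three places in the code. Identity and rights (trust in access) are whatever authenticates the client before `put`/`get`; transport (HTTPS) protects the blob on the wire; and sharing is governed entirely by who holds the secret that `derive_keys` consumes, which is why key management has to live at the user level.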
Personal data protection and the GDPR, or "privacy by design"
The General Data Protection Regulation, or GDPR, is a European regulation. Unlike a directive, which must be transposed into national law, it applied directly in every Member State as of May 25, 2018, in organizations with more than 250 people. In case of non-compliance, penalties reach up to 4% of annual worldwide turnover.
The company becomes responsible for the processing, automated or not, of personal data, direct or indirect, concerning an identified or identifiable natural person.
The data controller is considered the responsible economic actor; this is the principle of accountability, and as such it is up to them to take the necessary measures:
- ensure the protection of personal data,
- determine the purposes of processing,
- document processing operations,
- collect explicit consent,
- provide access to data,
- allow its deletion or portability.
A second general principle is data protection by design, or "privacy by design". This principle joins the previous one at the level of system design.
The concept of Mobility By Design
4G and Wi-Fi are available almost everywhere in the world. Terminals have become massively mobile, and this is now the majority mode of Internet consumption. Mobility has a direct impact on the organization of work, and the generalization of remote collaborative organizations leads to the disappearance of the company's physical boundaries.
The consequence is that information systems will have to be natively "responsive by design". This means that their ergonomics will have to adapt naturally to the terminal, the basic rule of page design being the "user experience" or UX, which also includes accessibility standards.
"Agility By Design" and "Open Source" rather than Enterprise Resource Planning
A company that has built its information system out of application bricks according to its business needs must manage, after 10 to 20 years, a legacy of several hundred or even thousands of independent applications processing mostly similar data, including users' personal data.
All these applications are generally built on obsolete "three-tier" or "client-server" architectures that have many security holes. It is impossible to plug them all.
In the best of cases, companies have organized their processes around integrated management software packages (ERP), which are supposed to cover all their functional needs, subject to business-specific configuration, but generally require numerous specific developments and a long, painful period of migration and change.
In the era of the digital revolution, continuing to organize your information system around software packages and application solutions is a strategic mistake and leads to multiple questions:
- How to ensure universal access to the company's information system?
- How can the information system be adapted on a daily basis to the company's strategy, to the processes and to the constantly changing organizations?
- How can we guarantee that all data of the same nature will be processed in the same way and in sync?
Faced with this observation, a winning strategy is, for example, that announced by Société Générale:
- Migrate your applications, middleware and infrastructure to open source solutions
- Generalize the use of open source software in new projects
- Gradually convert traditional applications to open source alternatives
- Turn your IT staff into active contributors
In the end, such a project consists of completely rebuilding the information system around an inter-system exchange platform. This is done with open source building blocks built, on the one hand, from business processes (the frontend) and, on the other hand, from a business-driven restructuring of the data (the backend).
For the user, the transition is smooth, since the platform integrates cross-system messaging that synchronizes all legacy applications with the platform through application programming interfaces (APIs).
The choice of open source by an organization will ensure reversibility and sustainability. The opening of the code will be an additional guarantee that security flaws will be corrected more quickly.
The rapid adoption of Kubernetes, designed by Google to automate the deployment and scaling of applications, is another example of the strength of the open source model.
In summary: Digital transformation = Security + Protection + Agility + Mobility + Open Source
The "digital transformation" is based on a vision. The new information system is now divided into five strategic "by design" areas:
- Security in the cloud
- Protection of personal data
- Agility
- Mobility
- Open source