With growing numbers of organisations embracing digital transformation as a means of boosting efficiency and productivity, the role IT security plays is becoming more important, writes Content Security’s Ken Pang.
Digital transformation involves replacing conventional business processes with digital equivalents. Just as e-mail transformed paper-based communication and websites transformed access to information, new technologies now promise similar benefits in a host of other areas.
In all cases, security plays a critical role. Both e-mail and the web are used by criminals to defraud, disrupt and blackmail businesses. However, the value created by such digital transformations was so great that business leaders were willing to invest in additional security to keep the benefits of the transformation.
Indeed, security is not just a prerequisite for successful digital transformation — it can also be used to simplify transactions. For example, federated identity systems can allow citizens to have just one login for many government agencies such as Medicare, Centrelink and the Australian Tax Office (ATO).
For both public and private-sector organisations, effective IT security can aid and accelerate digital transformation in three key ways: by providing confidence in digital processes, by making interactions easier, and by enabling previously impossible processes.
How security provides confidence
There tends to be a general perception that digital processes are less secure than traditional processes; however, this is really only a perception.
It’s possible to make digital processes just as secure as manual processes — if not more so — and this needs to be explained to all parties involved, including staff, customers and senior management.
The two areas of concern most often raised are that digitised processes will reduce confidentiality, and that digitised processes are more likely to be targeted for fraud. While both concerns are legitimate, they can be managed using effective security.
Traditionally, confidentiality has been maintained by authentication. If you work in an office, few people will question what you are doing with a file.
As processes became digitised, a similar approach applied. If someone had a business reason to use information, they were given unrestricted access, enforced using passwords and network perimeters.
As digital transformation expands its scope, however, these controls are no longer sufficient. Passwords can be stolen, and cloud-based data stores can be accessed from anywhere in the world. For this reason, a data-centric security model is required that restricts not only who can access data but what they can do with it.
By designing security strategies that strictly limit the use of data to its approved business purposes and nothing else, a high level of confidence can be offered.
Fraud, too, can be mitigated through security. Controls can be put in place that ensure proper identification of people accessing or using data and services, avoid the misuse of authorisation, and prevent logic abuses.
Improper identification can occur because current ID processes are static and, therefore, easily copied. Whether it is a password that is guessed or stolen, or a scanned copy of a driver’s licence, these are trivial for a criminal to obtain and use to commit fraud.
Technology can help address some of these problems by moving away from static and easily copied identification.
Techniques include the use of voice print identification and dynamic ID data such as asking a customer the approximate current balance of their bank account. This means that, even if passwords are stolen, protection remains in place.
Authorisation misuse can be overcome by looking at the underlying risk and then designing controls that best mitigate that risk. This could be achieved by incorporating sophisticated controls and rules that will flag any suspicious transactions or activities for close human inspection.
Meanwhile, logic abuses can be overcome by carefully designing and reviewing each digitised business process through the prism of security. Systematic questioning of assumptions can ensure logic abuses are less likely.
How security makes interactions easier
As well as lowering the risk of digital transformations, effective security can also make digital interactions easier and more reliable. Cryptography, biometrics and dynamic identifiers that can’t be guessed or stolen all make the process both easier for the end user and more certain for the organisation.
One example is identity federation, where people can authenticate themselves on multiple websites using just one set of credentials such as their Facebook or Google ID.
Integrating this federated identity into an e-commerce platform can enable true “one-click” purchasing, driving up impulse buying and reducing cart abandonment.
Another example is the use of smartphones as both identification and authentication.
Banks are now rolling out cardless ATMs using smartphones, and phones can now be used as everything from loyalty cards to secondary factors of authentication. No more copying 6-8-digit one-time passwords; if you have your phone on you, you simply answer “Yes” when you want to log in.
How security can enable previously impossible processes
Digital security can go beyond enhancing traditional processes and support entirely new ones. What was not possible or practical without digital security becomes easy with it. Examples include:
- Blockchains: While bitcoin is the highest-profile example, blockchains have potential in many areas of business. If any process requires a high degree of integrity and accountability, and public sharing of information, blockchain is likely to be able to enable or transform it.
- Smartphone-based digital identities: A mobile phone can be a proxy for a real human, thereby supplementing, supplanting, or simply enabling processes which were previously too risky. As a device that is usually in the possession of the real owner, and capable of collecting and processing security-relevant information, the mobile phone is the link between a digital identity and a physical person.
- Biometrics: Biometrics has already started changing the way we identify ourselves, but it is capable of more than identification. Biometrics can be used to track an individual’s movements and activities without identifying them, such as recording foot traffic through public places. It can also be used to improve customer experiences, by remembering preferences such as favourite coffees or previous purchases. Truly anonymised big-data collection is possible using biometrics without associating each profile with a person.
Security is traditionally thought of as risk reduction; however, when used creatively, security technologies can deliver much more. Security can enable the transformation of laborious manual processes, reduce risk, and even create brand new capabilities.
Having a skilled team in place that can use security technologies in these ways will ensure your organisation derives the greatest benefit from its digital transformation strategy.
Ken Pang is the chief technology officer at Content Security.