22 November 2015

Velocity: Integrity of Enterprise Architecture...

Operational Risk Management (ORM) is a discipline that requires several elements to remain effective.  Whether you are working on the deck of the USS Gerald R. Ford (CVN-78) or analyzing data from the corporate Security Operations Center (SOC), your tasks continuously rely on achieving "Trust".

At the core of these decision-making roles, are the processing of rapidly changing data on a split second basis.  The sensors or tools we use day-by-day to assist our quest for greater levels of safety and security, are interdependent minute-by-minute, second-by-second, on the trust of data.  It is imperative at the early stages of process and product development, to effectively test and improve these tools and sensors.  Why?

The "Quality Assurance" phase of any process whether in design, assembly, manufacturing or implementation is based upon a foundation of the quality of trust.  You are reading this now on a device connected to an Internetwork, that has layers of business rules and technology rules that are executed according to industry standards.  The process and the rules have been implemented utilizing QFD and Mean-Time-Between-Failure (MTBF).

There are three vital components of building digital trust in this scenario, for the systems in play and the requirements of end users:
  • Authentication
  • Data Integrity
  • Encryption
All three must be present to provide you with the highest level of assurance, that you are working with a trusted system.
  1. How can you be sure that the party you are communicating with, on the other end of the line, is who they claim to be?
  2. How can you be sure that the data has not been altered, deleted or changed in transit?
  3. How can you be sure that no one can intercept and understand the information being transferred?
All three of these vital components must be present all the time, in order to build integrity and assure your level of trust.  They must be consistent and persistent from end-to-end.  In essence, we are protecting against our adversaries from listening in, tampering with the data and impersonating the destination.

Are you operating any vital component of your business operation, where any of these three components are absent?  Are any of the three not persistent, 100% of the time?  If so, then you are in jeopardy of an erosion of trust with your stakeholders and the increased likelihood of an adverse event.  With your customers, your reputation and probably both.

So what?  How does this translate to your role and the work that you are in charge of, within the operations of your enterprise?  The short answer is, "Velocity and Wealth".  You see, the business rules, technology rules and the legal rules are all connected.  Your job, is to make sure that you understand, your organizations unique "Operational Risk Enterprise Architecture" (OREA).

The velocity at which your business process can execute transactions with integrity, versus your competition or adversary, can mean the difference between victory or defeat.  The margin or profit that you are able to gain by successfully executing millions of your transactions, can mean the difference between prosperity or disadvantage.

Is your organization advertising on Internet web sites?  Is the business model for your company, based upon revenue from advertising?  The trustworthiness of your systems operating with the goal of generating ad revenue, are now at stake.  Informationweek DarkReading explains:
'Xindi' Online Ad Fraud Botnet ExposedBillions of dollars in ad revenue overall could be lost to botnet that exploits 'Amnesia' bug.

Online fraudsters have amassed a botnet of millions of infected machines that exploits a security flaw in a digital advertising technology in order to execute phony online ad impressions.

The so-called Xindi botnet was designed to exploit a known vulnerability called Amnesia (CVE-2015-7266) in implementations of the Open RTB Internet advertising protocol. Unlike most online ad fraud attacks, it doesn't use clickjacking-based click fraud, but rather, generates large numbers of phony ad impressions. According to researchers at Pixalate, which published a report today on the botnet, some 6- to 8 million machines at more than 5,000 enterprises are at risk of being used as bots in Xindi.
Jalal Nasir, CEO of Pixalate, says his firm has spotted traffic from the IP addresses of major Fortune 500 firms, government agencies, and universities, associated with Xindi. While it's unclear if the IP addresses are spoofed or legitimate, he says the IP addresses used by Xindi are owned by those organizations, which include Citigroup; General Motors; Lowe's; Marriott; Wells Fargo; California State University's Office of the Chancellor; Columbia University; the University of Maryland; and many other big-name corporations and colleges. 
The Quality Assurance of the Online Advertising enterprise is in jeopardy.  The trustworthiness of e-commerce and the digital business models executing the rules for producing revenue, are now in question.  How effective is your enterprise in understanding the true business problem and then solving it?

"Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, says the more than $6 billion of losses to advertisers is actually on the low end of estimates. He estimates the number may be closer to $10 billion."

"Achieving Digital Trust" and the "Trust Decisions" to create wealth require that we begin with a sound architecture.  It continues with the widely adopted information governance processes and three factors.  Authentication, Data Integrity and Encryption.  The "Advertising Industry" is not the only business segment at risk.  The next time you open that piece of mail with a new credit card that utilizes the EMV chip, you will begin to understand the true business problem.

You are in control of the velocity of the process of change with your current state. The opportunity for the future state of "Trust Decisions" is now coming into the light.  In your country, industry, company and DevOps team.