Security ROI: Web Application Security as a Business Enabler
Most companies today continue to think that the role of network
security is primarily to protect against threats, not to help facilitate
business and stimulate growth. Simply put, companies continue to
think of security initiatives as "how to keep out the bad guys"
rather than "how to let in the good guys." But the good
guys must be allowed in for any network-connected business to thrive.
Because the threat philosophy is deep seeded, security is often
viewed as a project burden. In fact, industry analyst Gartner commented
There is a change from security being viewed as a nuisance
to being viewed as an enabler. Those companies that do security
well will be the organisations people choose to do business with.
Leyden, Security software sales soar, vnunet.com, April 20, 2000
This white paper proposes how businesses can use return on investment
(ROI) models to justify web application security expenditures, rather
than viewing them as cost expenditures. To do so, the paper explores
the benefits of using access management software to deploy secure,
business-enabling web applications more quickly and cost-effectively.
A new security model
The Internet has been a fertile environment for technology vendors
to create point products to keep intruders (and their viral children)
out of private networks. Firewalls, intrusion detection software,
and anti-virus products are well-known examples. These security
products primarily work at points of contact with private networks.
Yet, to get anything useful done, applications must be available
that reside behind the contact points. Furthermore, because these
products address threats, IT organizations usually justify acquisition
and implementation through risk avoidance: "If we spend $X
on this security technology, then well mitigate the firms
risk of loss and downtime by $Y. Unfortunately, these risks
may be difficult to quantify until suffered.
The result is that most security projects are still done based
on a commitment from upper management to make their network business
initiatives secure. While 9/11 has facilitated these security commitments,
the economic downturn has also revived the controller's demand that
all IT initiatives be based on ROI. As a bi-product, network security
is still perceived as a cost center and other projects, which promise
quantifiable revenue and customer satisfaction returns, are more
Within all businesses, three organizational roles interpret, implement,
and manage business security policies:
- IT security, which focuses on securing the
network infrastructure often using point products such as firewalls
to protect against threats.
- IT operations, which works with the business
units to define and manage valid users (customers, partners and
employees) of IT resources.
- Application developers, which enforce the
appropriate level of access for each user within applications
they create for the business units.
These roles may be staffed by large departments in big companies
or shared by individuals in small and midsize businesses. The company
and staff size is not important. What is important is that the complexity
of the security issues in a network-connected business can be enormous
without tools and a well-defined security infrastructure. Moreover,
as businesses continue to move on-line with web applications, content,
and portals, they increasingly expose more internal resources. Given
these dynamics, how can the perception of security be transformed
from a cost center into a true business enabler?
discussion of web application security management
While point security products work well for IT security, they do
not usually solve the organizational needs of IT operations and
web application developers, who are left to manually implement security
policies. Within IT operations, administrators often manually obtain
approvals and then create and administer user identities and privileges
across manually provisioned resources. This approach has been in
practice for decades, despite the fact that it causes three fundamental
problems for IT operations:
- Long cycles for getting users online and productive. Manual
approvals, resource provisioning by those not in the direct line
of responsibility, and creation of multiple accounts for each
user, cumulatively increase the time it takes to get new users
- High costs for administering users. Users with multiple accounts
can lead to a high number of help desk inquiries for forgotten
passwords and other common administrative tasks.
- High total cost of ownership (TCO) for user management. Although
most security policies don't change substantially over time, users
relationships to the policy do. If each web application, portal,
and server is populated with customized user definitions and access
rules, each relationship change must be manually coded within
each customized security model. The result is on-going management
costs that grow proportionally with the number of deployed resources.
Application developers (who often have little security expertise)
end up coding the customized user definitions and security rules
within each web application. In fact, developers sometimes create
security enforcement models that replicate lists of users and access
privileges that IT operations has already defined elsewhere. The
result is a network of security islands
or silos that must be independently
managed and maintained. This situation creates additional business
problems for organizations:
- Long deployment cycles for business initiatives. As developers
code customized user definitions and security rules in each application,
they can take a long time to develop, test, and deploy initiatives.
This is especially problematic when deploying on-line business
initiatives, where time-to-market is usually critical for success.
- High costs for developing web applications. Entering customized
user definitions and security rules increases the amount of code
that must be written for each application. With todays challenging
economy, meeting each web applications development budget
has become an important factor and customized security
coding can significantly increase the risk of exceeding a budget.
- High TCO for application development. Because each web application
is deployed with customized user definitions and security rules,
each relationship change must be manually updated within each
web applications customized security model. This added management
cost can grow proportionally with the number of deployed web applications.
These inefficiencies also open the door to potential security exposures.
When the three distinct groups within an organization manually implement
security policies, differences and omissions in policy implementation
across each web application, portal, and server inevitably occur.
For example, it might take several days, weeks, or months for a
terminated employees access rights to be removed from all
systems, resources, and web applications. These procedural and human
pitfalls are the primary cause of security violations.
as a business enabler
Because application developers often don't have time or security
experience, many of inefficiencies and problems mentioned are created
during application development time. Hence, the reduction or elimination
of IT operations issues requires that applications developers leverage
security tools. Of these tools, access management software, which
centralizes the implementation and management of business security
policy decisions, has emerged as a common solution to implement
a web application security framework..
By building network enabled web applications on a solid security
infrastructures, IT roles work cohesively. The benefits to applications
- Improved time to market - Often, applications will not need
any custom security code. Those that do, will implement the code
using consistent and structured practices. Custom security code
implemented within the access management server allows it to be
instantly leveraged and consistent across all protected resources.
- Development costs are substantially lowered. The amount of security
and overall code required for each application is reduced. Security
code is often the most time consuming and difficult code to implement
- Lower software TCO. Because there is less code to maintain,
the ongoing costs will be lower. Relationship changes that might
have previously required recoding application logic in each application,
are now implemented in the operational environment by non-programmers.
And the resulting benefits to IT operations staff include:
- Faster cycles for getting users online and productive. Users
can be setup to self-administor new account registration and to
submit requests into an automated workflow.
- Lower costs for administering users. Users have only one account
reducing the number of support issues for forgotten passwords
and other common administrative tasks. Users can self-administer
forgotten passwords and password policy enforcement can be easily
- Lower user management TCO. As users relationships to
the security policy change, the rules and permissions that govern
use can quickly change also. These changes are delegated directly
to the personnel responsible, flattening the workflow chain and
improving accuracy and time.
Without an access management system, application security functionality
is distributed and embedded in many products and projects. With
access management, this functionality is encapsulated in a product
that IT security can integrate and manage in conjunction with point
security products. For example, as usage increases, bandwidth can
be allocated and access management services can be scaled across
servers. Or, the access management server can be configured to communicate
with a firewall to dynamically block sites at the network boundary
that are violating the business security policy.
security ROI model
When application security is viewed as a business enabler, organizations
can now use a broader perspective to measure its total value and
evaluate ROI. To varying degrees, all secure web applications realize
returns based on:
- increased revenue
- reduced costs
- improved policy compliance
- mitigated risk
Access management is a technology designed to put the right web
application resources in the hands of the right user. It works by
comparing individual user profiles with an organizations business
rules, and deciding on a case-by-case basis to grant or deny access
to the requested resource. The criteria for granting access can
be static (e.g., job responsibility or department), or active (e.g.,
account balance or status).
Correctly implemented, access management empowers organizations
to safely expose back office applications to customers, partners,
and channels. For example, customers can update their addresses,
sales reps can track customer purchases, and suppliers can automatically
There is considerable literature to suggest that the payback on
access management is both large and rapid. Forrester Research, for
example, reports that most organizations expect to recoup their
investment in access management in just three months. Although these
statistics are encouraging, individual organizations generally like
to calculate financial returns on their own.
Access management is a security infrastructure which, in the absence
of a specific business process, returns nothing. Moreover, returns
from a security infrastructure are difficult to separate from the
returns from the business processes they enable. The primary focus
should therefore be on the financial returns from the successful
implementation of a particular access management-enabled business
process. When this is done, a proven three step process can be used
to determine ROI:
- Calculate baseline given current operations
- Establish metrics
- Forecast scenarios including metrics
The first step must be to frame the ROI discussion in the context
of key security enablers for a particular business application.
This will usually correlate to an existing business process, but
may be something completely new. In either case, this correlation
provides both the foundation for calculating a baseline and a framework
for injecting the metrics that generate the forecasts.
The next step is to determine the metrics. Generally, metrics will
be a function of business objectives that increase revenues, reduce
costs, improve policy compliance, or mitigate risk. Examples of
- Revenue generated online - What would be the financial impact
of increasing our on-line revenues by 50 percent?
- Time to market - What would be the value of getting our next
release out 3 months sooner?
- Development time - What would be the financial impact of decreasing
our initial development time by 6 man months?
- Total cost of ownership - What would be the ongoing savings
of enabling customer service representatives to make relationship
changes rather than developers? Or, the number of required changes
were reduced by 75 percent?
- Cost of new customer acquisition - What would the financial
impact be if 40 percent of new customers would register for accounts
online, rather than by phone or fax?
- Percentage of self-administered profile changes - What would
be the financial and user satisfaction value of enabling users
to make their own account profile changes?
- Number of help desk requests - How many help desk requests would
be eliminated by user self-registration and management of password?
There's not a single magic metric or spreadsheet for all organizations.
Metrics will vary depending upon the organization, application,
existing infrastructures, business goals, etc. To help define metrics,
the following sections focus on the common returns businesses seek
from security initiatives and the primary factors that drive them.
Business processes that generate new or increased revenue streams
often create the most compelling justifications for investments
in security. Revenue enhancements are generally more strategic than
tactical in nature, often making them somewhat more difficult to
quantify. In this case, however, it is not much of a challenge to
find revenue streams enhanced or enabled by authorization. After
all, revenue is generated by outward-facing business processes and
access to every such process must be managed and protected or it
is simply impossible to conduct business electronically. To put
the matter another way: there is no e-business without access, and
no access without authorization.
Reductions in cost are another reliable driver of financial returns
for security solutions although cost reductions are generally
more tactical than strategic in nature, they are also generally
the easiest returns to quantify (hence their popularity). Cost-based
financial returns are typically expressed as some combination of
- Cost savings - the new or improved business process is less
expensive; we can spend fewer dollars than we did before.
- Cost avoidance - the new or improved business process scales
to higher levels; we can avoid spending as many additional dollars
in support of new capabilities or expanded scale.
- Efficiency - the new or improved business process saves time;
we can increase the velocity at which we conduct on-line business.
- Effectiveness - the new or improved business process increases
productivity; we can do more or different things with the resources
we already have.
Business processes that must be implemented by requirement fall
into the compliance category. Compliance generally refers to things
about which there is little choice, or things we must do in order
to do business in a certain way. In some cases, compliance may be
related to cost avoidance (e.g., to avoid a fine); in others, it
may be related to protecting an existing revenue stream. In any
event, compliance-based business cases tend to be somewhat binary:
above a certain threshold, we just do it. As it relates to a security
infrastructure, compliance-based arguments tend to come from one
of the following four categories:
- Regulatory - failure to implement could mean fines, loss of
revenues, jail terms, etc.
- Partner - failure to implement could mean loss of a business
relationship or deal.
- Customer - failure to implement could mean the loss of a business
relationship with a key account.
- Competitive - failure to implement could mean the loss of competitive
advantage and revenue.
As mentioned, risk-based arguments are the most frequently used
approach to justify investments in security infrastructure. This
can be effective but it also tends to reduce the value of security
to an operating expense, rather than a business enabler. Investments
in security infrastructure made with prevention in mind are usually
not all that visible (unless theres a problem), which tends
to make risk-based justifications the least apparent of the four
categories. Fortunately, there is now significantly less emphasis
on FUD and more on the systematic management of risk. Risk-based
investments tend to focus on:
- Productivity loss - What would the financial impact be if a
security breach caused a sustained disruption of internal processes
and communications? If we lost the ability to communicate with
customers? (99.5% uptime still translates to 3.6 hours of downtime
- Monetary loss - What would the financial impact be if there
were a security-related corruption of our accounting system which
led to delays in shipping and billing? If there were a diversion
of funds? What would be the expense of recovery and emergency
- Indirect loss - What would the financial impact be if a security
breach resulted in the loss of sales? The loss of competitive
advantage? The impact of negative publicity? The loss of goodwill
- Legal exposure - What would the financial impact be due to failure
to meet contractual milestones? Due to failure to meet statutory
regulations for the privacy of data? Due to illegal user or intruder
activity on company systems?
Loss or exposure may be difficult to quantify. For example, indirect
losses are among the most difficult to quantify but also among the
most compelling in the risk-mitigation category, especially for
businesses built on the fundamental foundation of trust.
Cams access management
Cams is easy-to-use, reliable, and cost-effective security software
that centrally controls access to Apache, Tomcat, and custom resources.
This high-performance security server provides single sign-on and
fine-grained access control to web server content and applications.
Cams is the only web access management product to focus on the
feature and cost requirements of small and midsize businesses. Using
Cams, companies can:
- Experience 100% ROI in 1 to 2 development months
- Securely enable their online business
- Improve time-to-market for their on-line initiatives
- Reduce total cost of ownership for software development and
- Reduce security risks and losses
For more information on Cams, please see the Cams
Overview and related resources at http://www.cafesoft.com.
The concentration on network-level security threats has masked
the real issue: Web application security is a fundamental requirement
to enable on-line businesses to achieve their goals. The focus must
shift from point products such as firewalls, to IT security business
enabling tools, such as access management solutions, which can help
organizations deploy their web applications, quickly get users operating
online, and maintain policy compliance across the entire IT infrastructure.
Because access management solutions cannot be separated from the
business processes they enable, traditional ROI models can be used
to justify their inclusion in projects. In so doing, the focus for
developing meaningful financial returns can be placed on the business
process, establishing appropriate baseline metrics, and looking
for all relevant revenues, cost, compliance, and risks returns.