Application Economy is Forcing Channels to Change their Security Strategy: Steve Firestone, CA Technologies

The application economy is introducing new threats and channel partners need to change their approach to security to be able to combat them says Steve Firestone, GM-Security, CA Technologies.

How crucial is the security play in today’s application economy across organizations?
The application economy is the new touch point for businesses to their consumers, partners and employees. The days where applications were just Web or networks are over, it is much more through applications, like mobile, cloud, and others. The application economy is compelling companies to transform into software companies as they have to write the applications to leverage technologies for brand loyalty and customer connect.

There are three disruptive trends to application economy. The first being unwired enterprise or IoT with the presence of exploding number of devices and large number of identities. That big number is interesting as key strength of CA Technologies is scale. Ambient data is the disruptor too because companies desire the same security control and management controls for outside applications. Companies are using analytics for some automation and lower cost for writing policies or using attributes of users, identities, and IoT devices for understanding the customer patterns to leverage and market them.

Lastly, API assembled apps have become significant as rewriting each application would be an extremely slow process. We create an opportunity to leverage standards that developers are comfortable with--outside of the enterprise–into mobile and cloud applications.

Any data points on how the application economy is impacting the companies in India?
The recent study by UK research, sponsored by CA Technologies 8 Steps to Modernize Security for the Application Economy was conducted with CSOs, CISOs, large security executives across large companies (that have more than Rs 500 million in revenues) globally spread across key verticals.

The survey attempted to understand the security trends in the application economy. Security clearly emerged as a critical component and as number one or number two priority for organizations. And the application economy is definitely forcing a new approach to security. Organizations are investing more in security not only to protect but also enable businesses with that extra budget.

In India, 65 percent of respondents said that they had open API to partners and customers. Securing them becomes important due to the effect of the application economy. In the APJ region, 60 percent said security is about control while 40 percent attributed it as business enabler. That’s a big change over the years. There is huge interest in mobility as 55 percent saw a big impact on mobility in security practices and policies of employees or customers.

As enterprises protect their businesses in a digital world, everybody is accountable for that spending and the companies expect few breaches, more accountability and control, customer trust, ease of use, increased productivity etcetera. And they also expect more customers will use mobile or remote services.

CA Technologies is optimistic about identity-based solutions to help secure the increasing number of cloud, Web and mobile applications operating in today’s open enterprise. Does it put you ahead of competition?
Some of the differentiators for CA Technologies is scale, reducing complexity and enabling API as a natural extension of an enterprise’s security posture. IAM is an enabler for the application economy. The protection earlier in legacy environments has the identity associated to an application. If the person moved to another department, they got access to multiple applications. In the next level of maturity, some governance was added that changed the security aspect from identity to role. The role had access to applications and identity became a part of the role.

Furthermore, if you add somebody to the next role, there might be separation of duties violations. That’s why we added governance and certification in that identity which is the higher spectrum of that lifecycle to make things easy. Now you have the identity in that traditional way that flows across all these channels including mobile. For one of our customers, identity is a registered medical device like pacemakers, which sends information back to the health professional. Identity is not about user and password anymore but it could be an IoT device.

How important are privileged identities for enterprises and why?
As organizations start to open up (in terms of access) in the digital world, privileged identities become extremely critical. We have seen hackers getting access to real sensitive information in recent breaches. In order to access selective information including customer database and financial information, companies need to change their view boards.

We have a solution for privilege management that allows the access of password for a limited time to ensure collusion and accountability and that happens in the privilege identity space. Analytics related to those identities can trigger strong authentication solutions that can record entry path, language, geography. They can detect risk for the sign up based on applications. The privileged and sensitive information goes across the whole channel: Web, SaaS or mobile leading to unified access from mobile to mainframe for end-to-end security providers.

When compared to pure play security companies, what is the value proposition of CA Technologies? 
We deliver Securecenter offerings from both cloud and on premise. There are three layers. API technology layer from CA technologies helps developers get standard security for mobile devices and cloud applications. We have a DMZ gateway that transforms standards external to the enterprise applications into things that are traditional in the backroom whether mainframe or distributed applications that exist today. That’s the external part which enables the Application economy. Within the access layer, there is a strong authentication solution that finds more information-- protected or privileged. We provide a seamless experience for different applications in a transparent manner with a single sign on. And finally the identity layer which has governance, certification and privilege identity management from both on premise and cloud.

One of our telco customers in Europe runs 1.5 billion transactions per month which proves our solution’s scalability. More than 150 million active users have been authenticated through our solutions. That becomes a value proposition of IAM and partners and customers who deliver that value chain.

Do you see the evolution of new channel communities like ISVs and cloud providers as security becomes commoditized for resellers? 
It is not about the security space getting commoditized because we have special relationships with different types of channels. Partners have certain skills like helping developers to extend the enterprise through APIs, implementing privilege identify and IAM or managing the attributes of analytics. We see a big opportunity for partners in special areas to grow or to be broad-based channels in the value chain.

There may be local partners who act as complementary in a native geography. There are a lot of complementary solutions outside IAM in the ecosystem to have standards and operability to play together and give the best chance for customers and partners to be successful.

What are the three key security technologies for channels to focus on right now?
Because of the increased mobile trend, the management capabilities is a critical area to become comfortable to enable the application economy in the app world. Privileged identity is another big opportunity amid the recent cases of breaches. Our solutions control the sensitive information and its access so that hackers cannot access all the information at one time. The access management and identify portfolio has to play all together as enterprises open up for APIs. Lastly, with IoT gaining momentum, security becomes paramount for the information flow between various devices.

Yogesh Gupta is executive editor at ChannelWorld India. You can contact him at and follow @yogsyogi1