SMAC platforms seem to be on the rise and my business is looking to take advantage of related technologies. What are some of the security implications I should consider as a CISO before implementing SMAC strategies?
Combining social, mobile, analytics and cloud (SMAC) technologies is being heralded as the next big IT innovation. A SMAC platform brings these technologies together to pair real-time data with advanced analytics. Retailers, for example, may be able to track customers through stores and on websites to determine buyer behaviors. This type of analytics walks a fine line between business and Big Brother, as many consumers may object to this level of behavioral tracking. It will be critical for CISOs to build or validate the security of these potentially controversial systems, or companies could face a consumer backlash.
The good news for CISOs is that the technology behind these SMAC platforms is not new; it is simply a combination of existing technologies working together. Mobile apps still need to be assessed for the standard set of security vulnerabilities, such as data leakage and insecure data storage. The cloud service used for the SMAC platform must pass a complete due-diligence assessment based on defined controls, such as the Cloud Security Alliance's Cloud Controls Matrix. The data stored in the cloud could be confidential and harmful to the company if it were exposed. However, the approach is no different from assessing other cloud-based applications.
The use of these SMAC platforms could create new ethical issues for organizations. There are already concerns about the potential discriminatory impact that a SMAC system could have on consumers. Incorrect assumptions or mistakes in data interpretation from SMAC could harm consumers. Organizations blindly acting on incorrect assumptions from SMAC could also end up inadvertently violating existing laws. SMAC data could lead to a job applicant being denied due to their age, race or religious status, for example. This is why it will be important to define policies and procedures ahead of the implementation on how the information will be utilized by the company. This will include policies to cover acceptable uses and disclosures of the information, as well as the authentication requirements for access.
The idea behind SMAC is not new, but it takes market research to a whole new level. This rapid evolution has outrun the data privacy and security laws currently in place around the world. The data elements covered under current compliance legislation may not directly include the data elements being captured in a SMAC platform. It is still a gray area, since some of these elements are metadata, and metadata is not considered personal data as currently defined in legislation. There will also be differences in the type of data covered by compliance requirements based on the location of the service. Companies looking into SMAC platforms need to realize that they are forging a new compliance trail and must make decisions appropriate to their risk-tolerance level.
SMAC could be the next big innovation in IT. It could also be the next big security threat to companies that do not consider the potential risks. CISOs have an advantage in that the technologies used by SMAC platforms are not new and their risks are understood. CISOs will need to define new policies and procedures early in the implementation process and implement tight controls around access to the data. Compliance is still a gray area with SMAC platforms, and CISOs should walk a conservative line in accordance with their risk-tolerance level.
Related Q&A from Joseph Granneman