As more services are delivered online, outsourcing and other distributed business solutions will become more common. But will they be as reliable? EU-funded researchers are laying the foundations — models, architectures and controls — so that online business relationships can be made secure and trustworthy. For example, hospital IT systems can be made available to all stakeholders — nurses, doctors, pharmacies, patients and relatives — while keeping sensitive data and medical information secure.
As business increasingly moves online, we are being asked to embrace a multitude of new technologies and services to connect us with our contacts, clients, colleagues and suppliers, but also potentially every hacker on the planet!
‘Managing assurance, security and trust for services’ (Master) is an EU-funded project that has developed an IT platform for managing the security of whole business processes in different contexts, so that users can access cloud computing and software services with the relevant security and compliance requirements handled by the platform rather than left to best effort.
This is where ‘security governance’ and ‘compliance management’ come into play. These two practices have found their way into corporate structures all over the world, so that services work together according to the organisation’s policy and best practice.
The services that we once purchased over the phone or in person are now being delivered in new combinations. Today, we almost expect to be offered ‘recommendations’ after an online purchase, or to know where the nearest taxi is by using a GPS application on our smartphones. These composite arrangements, also sometimes called mash-ups, rely on ‘trust’ relationships between sellers, third-party providers and, ultimately, the customers who pay for the services.
And as these ‘service relationships’ become more plentiful and complex, government regulations and industry best practices have emerged to bring order to this chaos. But this means enterprises must devote more time and resources to ensuring that their services and systems comply with these regulations, especially when it comes to security and trustworthiness.
‘Compliance management is key to ensuring the security of business process operations, especially taking into consideration myriad dependencies among internal business processes and external service providers,’ says Pedro Soria-Rodriguez of Atos.
For example, different departments in a company may develop and deploy business processes in different ways to meet their respective clients’ needs, or they may integrate the work of several subcontractors into their systems, but the coherence of overall company operations must be ensured.
Security and flexibility are critical to future online business. Cloud computing, for instance – in simple terms, renting space in someone else’s computer for data and processing – depends on the provision of services that can comply with a company’s specific constraints.
‘Best-effort security will no longer be accepted and business entities will have to provide certified services to customers, and expect assured services from contractors, in order to manage the associated business and technology risk,’ notes Soria-Rodriguez.
His company is the coordinating partner in the Master project, which tackled a critical aspect of today’s hyper-vigilant business environment: security-related compliance management. A holistic, modular approach was needed because of the many actors involved. At the same time, the many parts of Master’s system had to be easy to assemble so that they could be fitted to each organisation’s purpose.
Master set out to solve the growing need in many organisations (large companies, SMEs and others) to comply with diverse regulations, internal policies, industry best practices and contractual obligations. ‘Compliance is a big problem because it means costly steps to meet all expectations, or face potentially costly fines, bad publicity, legal proceedings, and so on,’ stresses Soria-Rodriguez.
So, the researchers examined ways to secure whole business processes in different contexts: centralised, distributed (multi-domain) and outsourced. They developed a set of key assurance indicators, key security indicators, protection and regulatory models, and security model transformations, coupled with tools for analysing and assessing business processes.
Team members working on the three-year project also set up case studies to test the project’s approach: one in banking and insurance and one in e-health, where Europe already has a strong history.
Systems that care
The Italian hospital San Raffaele (HSR), part of the Master consortium, worked with the project partners on ensuring that the suite of tools could help hospital staff better manage out-patient care. They developed a tailored ‘information system’ which coordinates appointments, facilitates monitoring and generally ‘extends the territory’ of traditional healthcare by bringing all stakeholders into the system: nurses, doctors, pharmacies, patients and even parents of patients.
The San Raffaele test case showed that multiple parties from multiple locations could follow medical cases more efficiently. The system could deal with the sometimes complicated regulations for health and insurance, as well as the hospital policies regarding care, while keeping sensitive data and medical information secure.
‘Master was presented to a number of other healthcare institutions in Italy which share some of the same compliance management requirements as San Raffaele, so there is a common interest in the Master solution,’ notes Soria-Rodriguez. The San Raffaele pilot programme was therefore a valuable proof of concept which has been followed closely by hospitals in Sassari and Perugia.
The EU-funded Master project ended earlier this year, although the research continues. As coordinator, Atos is pleased with the output and is taking up some results from the project for its own RIGER compliance management platform, which is already used by some Atos customers in Spain. Other groups in the consortium, according to Soria-Rodriguez, are taking similar steps with their own products.
Master was a collaborative project funded under the EU’s Seventh Framework Programme for research (FP7). It was aligned to the strategic objective ‘Secure, dependable and trusted infrastructures’ defined in the ICT work programme for 2007-08.