Security vs Flexibility vs Automation vs Compliance (Part – 2)

In continuation from my previous post, let me share few stories about Security vs Compliance vs Flexibility....

Story 2: Compliance vs Flexibility vs Cost

Around a couple of months back I was briefly involved in a small application for automobile manufacturer, a project from its QA department. This application, to be used by various QA staff members at various stages of shop floor progression, required some data from the ERP system as inputs. It is used entirely in an intranet environment. When it came to fetching data from ERP, we wanted to get it via web services. However what we finally ended up doing is that a routine was set up by IT department to periodically export the data needed from ERP and dump a CSV file that our application parses to import the data. The reason for this solution is no other software application can get direct access to ERP system as IT Compliance demands complete isolation of the ERP system to ensure security. Another reason cited was hefty cost that ERP provider would levy in order to provide the web service.

This is a fairly workable solution in this case, specially since the data need not be available to our application in real time. However, the premise of compliance for security reasons is difficult to digest in today's technology world. Specially since the application in question is not accessed outside the network and has no external users. I wonder if similar IT compliance norms are forcing organizations across the world to invest more in integration, maintenance and manual processes than is actually necessary if modern technology is used without restrictions.

Story 3: Security vs Flexibility

A United Nations body, wanting to make its product brochures publicly available, creates an altogether different database that synchronizes products data from ERP system for security reasons.

Story 4: Security vs Automation

Manufacturer of automobile filters wanting to give access of orders to its suppliers so that status of orders can be updated and tracked in real time, creates a separate database just for this purpose. Its IT Department is not convinced web services can be made secure! Orders created automatically based on stock levels by a system outside the ERP is fed manually to the ERP - reasons being security and cost of provisioning equivalent ERP service.

Moral of the Story:

1. IT Departments should review their IT Policies constantly and bring more pragmatism in context of contemporary technology capabilities; outdated policy is worse than outdated technology!
2. Don't let existing policies create pre-conceived notions about technologies; IT departments as well as IT providers need to conciously challenge these notions and compliances
3. IT companies need to understand compliance and security needs of organizations and demonstrate how their product or solution can deliver flexible and automated solutions without compromising on security
4. Suppliers of ERP Products may be thriving on implementation services, however they need to realize they are losing business because organizations are not using their technology due to prohibitive costs
5. IT providers need to educate customers about possibilities that their solution provides; many a times customers don't even know automation or easy integration is possible while commiting to round about solutions
6. IT Departments need to realize compliances for security might be leading them to a data nightmare, which will make their business intelligence strategy much more costlier because organizational data is highly fragmented.