The Application Infrastructure Dilemma: How to Assess Risk When You Don’t Know the App

December 13, 2007 at 12:56 pm | Posted in collaboration, communication, Content Management | Leave a comment

Yesterday I posted about the importance of recognizing how a lot of the communication, collaboration, and content technology that is implicitly seen as an application is really infrastructure (Everything’s Now Infrastructure! Where’s My App?).  Like a wolf in sheep’s clothing, it is infrastructure in application clothing – which can be just as dangerous.

The implications of the special nature of application infrastructure (as opposed to pure infrastructure or pure applications) became even more clear when a client asked about doing a risk assessment on Microsoft Office.  Remember that Office is more than Word, PowerPoint, and Excel.  It also includes InfoPath, Access, SharePoint, and many other products.  There’s a lot more variability to what end-user facing collaboration and content creation/management tools can be used for than there is for back end infrastructure such as a router.  Or even pure applications like an accounting system where the application is known.  There’s a level of indirection introduced by application infrastructure in that you first have to determine what the user will create with it, then the risk of that.  Think of the enormous span of artifacts that can be created by these systems:

  • End user databases and end user db applications with Microsoft Access
  • Portals and all kinds of extranet and Internet websites
  • All types documents that may contain sensitive data or macros
  • Workflow that can kick off automated transactions (such as approving invoices or links to payment systems

Then consider that the scope of users who can create applications, websites, and content with these systems is pretty much all encompassing (all information workers have access to Office in most organizations), and the idea of assessing the risks is daunting to say the least!

I have no answer or even framework for addressing the problem at this point.  I’ll be involved in some ongoing research into this topic and will post a summary of findings when ready.  Until then, if any readers have encountered this issue – particularly in regards to a risk assessment – please drop me a line.

Leave a Comment »

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at
Entries and comments feeds.

%d bloggers like this: