Security by Design and Secure by Default

10-04-2017
Security by Design


The security threat landscape is constantly evolving in this digital age, and meeting the challenges of these threats requires the right expertise. One of the major challenges of IT security is the fact that security has not traditionally been considered in product design for networking appliances and objects that have not traditionally been networked. Stringent prudential, security, and privacy protection regulations are an inherent part of the regulatory framework in which organisations have to operate and which has been reinforced in recent years.

What is Security by Design?

Security must be on everyone’s mind throughout every phase of the software lifecycle. A misstep in any phase can have severe consequences. However, finding a solution is not easy. The problems associated with application security are getting worse with time. Legacy software, which was never developed to be secure, is the foundation on which modern, highly connected and business-critical software is operating. The difficulty of patching these older systems and integrating newer applications has served to make the problem worse. Building security in at the design phase reduces potential disruptions and avoids the much more difficult and expensive effort of attempting to add security to products after they have been developed and deployed.

Security by Design is a security assurance approach that enables customers to formalise security design, automate security controls and streamline auditing. It is a systematic approach to ensuring security, instead of relying on auditing security retrospectively. Security by Design gives developers the ability to build security controls in throughout the development process. It begins with taking a more proactive approach to infrastructure security: one that does not rely on the typical protective or reactive third-party security tools but builds security into your infrastructure from the ground up.

It is crucial that each phase of the software development process include the appropriate security analysis, defences and countermeasures that will result in more secure released code. From requirements through design and implementation to testing and deployment, security must be integrated throughout the Software Development Lifecycle (SDLC) in order to provide the user community with the best, most secure software-based solutions.

What is Secure by Default?

A lesser-known term, Secure by Default, applies the same principle to securing data at the source. It refers to securing information. Secure by Default data makes the case that all data should have embedded security, and the systems that consume, process and store this data must adhere to the security policies embedded therein. This approach is not as well known because it’s simply not widely employed, if at all. To date, we have failed to embed security into each piece of data as it is created, creating a serious problem, particularly for government agencies.

Security by Design and Secure by Default are related, but securing our systems without securing the information in them is a lost opportunity that leaves us vulnerable. Even if systems are protected, the data inside them may still be compromised. We’ve seen this with many recent high-profile breaches.
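The idea of data that carries its own policy, which every consuming system must honour, can be sketched as follows. This is an added example, not code from the original article or from AET Europe; the function names, the policy fields (roles, not_after) and the shared HMAC key are assumptions, and the sketch binds the policy to the data for integrity only, without encrypting the payload.

```python
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"  # assumption: held only by policy-enforcing systems


def _tag(body: dict) -> str:
    # Canonical JSON so producer and consumer MAC exactly the same bytes.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, raw, hashlib.sha256).hexdigest()


def seal(payload: str, roles=(), not_after=0.0) -> dict:
    """Embed the policy at creation; defaults deny (no roles, already expired)."""
    body = {"payload": payload,
            "policy": {"roles": sorted(roles), "not_after": not_after}}
    return {"body": body, "tag": _tag(body)}


def open_envelope(env: dict, role: str, now=None) -> str:
    """Consumer side: verify the binding, then enforce the embedded policy."""
    body, tag = env.get("body"), str(env.get("tag", ""))
    if not isinstance(body, dict) or not hmac.compare_digest(
            _tag(body).encode(), tag.encode()):
        raise PermissionError("policy or payload was altered")
    policy = body["policy"]
    now = time.time() if now is None else now
    if now > policy["not_after"]:
        raise PermissionError("data has expired")
    if role not in policy["roles"]:
        raise PermissionError("role not permitted by embedded policy")
    return body["payload"]


def try_open(env: dict, role: str, now: float) -> str:
    """Return the payload, or the denial reason, for demonstration."""
    try:
        return open_envelope(env, role, now)
    except PermissionError as exc:
        return f"DENIED: {exc}"


if __name__ == "__main__":
    record = seal("case file 17 (constructed)", roles=["auditor"], not_after=2_000.0)
    print(try_open(record, "auditor", now=1_000.0))
    print(try_open(record, "intern", now=1_000.0))
```

Because the tag covers both payload and policy, a system that receives the record cannot widen the role list or extend the expiry without the check failing.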

Secure by Default

Why do we need it?

It seems a bit obvious, but too often new solutions or capabilities are built and delivered, and only then do people think about how best to make them secure and compliant. In that case, it’s exponentially more difficult to add security in at the end than to add it in from the very beginning of the project and development efforts. Risk assessments addressing potential threats and attack targets should be dealt with during the design process.

Architects and solution providers need guidance to produce secure applications by design, and they can do this by not only implementing the basic controls documented in the main text but also referring back to the underlying “why?” in these principles. Security principles such as confidentiality, integrity, and availability are important for all applications and devices.

Domino effects of insecurity

Now more than ever, using the Security by Design and Secure by Default model is critical. Think of it as a sort of domino effect. If an online retail company chooses a managed services provider to host its infrastructure and provide managed services, the design and security used to build and deliver the services are a critical consideration. If those services have security flaws, the online retail company will be exposed to them, and so too will its customers in turn, which will cause the business’s reputation to suffer.

Cyber security expert Bruce Schneier has called for government regulation of the IoT, concluding that both IoT manufacturers and their customers don’t care about the security of the 8.4 billion internet-connected devices in current use.

Forrester Research discusses the outlook for the 13 most relevant and important IoT security technologies, warning that “there is no single, magic security bullet that can easily fix all IoT security issues”. Forrester lists the following challenges to achieving a secure IoT: many IoT devices lack basic security requirements; there is a plethora of IoT standards and protocols, which creates security blind spots; the scale and scope of IoT deployments hinder visibility into security incidents; and there is a lack of clarity of responsibility regarding privacy and security.

Delivering a secure environment

In this digital world, security, privacy, and integrity are essential. Security is not something that is addressed at the end of a product cycle, nor is it a specific milestone that occurs during project execution. As a part of AET Europe’s commitment to delivering a secure environment for our customers, we offer Security by Design and Secure by Default.

We believe that security is not achieved by a single treaty or piece of legislation, nor can it be solved by a single technical fix. To create security and digital trust, the world needs different players to take action, closest to where the issues are occurring. It is time to make security and privacy the default by design.

Sources:
Security by Design, Security Intelligence, Chris Woolsey on Security Design, Peak10, Security Innovation, Department of Homeland Security GCN, Schneier 1, Schneier 2, Gartner, Forrester