Why are so many technology solutions not secure?
Many IT projects encounter serious issues when they run into delays too close to the implementation “go live” date because they are considered to be “not secure enough”. It seems incredible that the situation still occurs today, as we have been running technology projects with serious security components for decades – so trying to understand why this happens is key to avoiding similar situations in the future.
From my personal experience, there is a vicious circle in operation which, over the years, has been making the situation worse and not better. Over time, two distinct points of view often develop, which can be summarised as follows:
- Technologists (and business people) claim that Information Security specialists insist on unreasonable security measures which are too expensive and/or difficult to implement, and are poorly communicated or expressed too late in the day. Consequently, they are perceived as having a negative attitude that can only impact the project; they just say no to everything
- Information Security specialists claim that the business and technology are only interested in functionality, keeping the costs down and delivering as quickly as possible, and that they are not interested in security and just want to do the minimum in order to keep their (poorly designed or poorly run) projects on track
With these two diametrically opposed views, it is common for the two groups not to engage with each other until the last possible moment that they think they can get away with. Clearly, this is not a constructive approach and is bound to lead to significant difficulties for all concerned.
In a hyper-connected world where technology is an integral part of the business, it is important that all technology solutions are appropriately secure. Failing to achieve this is likely to endanger the business – just think about the effect of numerous recent data breaches which have resulted in loss of share value and reduced customer confidence.
Involve Information Security from the very beginning
The first step to ensure that we only implement secure solutions is to involve all the stakeholders, especially Information Security, from the very beginning. The very beginning means when the idea for a new product is first thought of – the initial involvement should be relatively light touch until the ideas start to take a more concrete shape.
Everyone in the process has the responsibility to constructively work together to design, build and implement a secure solution which is appropriate for the organisation and built around the needs of the business. This simple approach reduces the possibility of surprises later in the project/development lifecycle.
Taking a ‘Secure by Design’ approach
The foundation to taking a ‘Secure by Design’ approach is to clearly gather, understand and prioritise as many of the security requirements as you can, as early as possible. It is unlikely that all the requirements will be identified at the beginning, because they may change as the solution is developed or as your knowledge of the problem you are solving increases.
Usually, it is much easier and cheaper to implement requirements identified during the design phase and, as you proceed through build and into implementation, it becomes progressively harder. This is especially true for security requirements – and the potential impact is large so can cause significant additional costs and delays.
Security requirements should be determined by considering the threats to the assets which need to be protected within the solution. By understanding these particular threats, it is possible to better identify the necessary controls required to protect the solution’s assets against the threats (all in relation to existing and applicable security policies, standards and procedures).
Taking a threats and controls approach will assist in any necessary discussions around balancing functional requirements against security needs. All of the stakeholders will be able to visualise the potential consequences of not fully implementing specific security controls in favour of a particular business function. Ultimately, this should be a business decision, based on the balanced advice of technology, Information Security and any other relevant stakeholders.
In building the complete set of requirements, another pitfall is to not consider how the end solution will be operated on a day-to-day basis once it has gone ‘live’. Failing to develop operational security requirements can easily lead to a secure solution becoming insecure over time. Being “secure by design” means that the solution needs to be secure on day 1 and stays secure in operation.
With a clear and agreed set of requirements, the design of the solution can commence. Whilst the skills of the architects involved will vary depending on the type of technology solution being designed, it is key for all those involved in the design to ensure that the solution remains secure throughout this stage. This is often a cultural change for many teams and needs the full support of management, as it takes significant time and effort from all involved.
Additionally, there are key common security services required by most technology solutions, which it is much better to leverage across multiple platforms rather than build new versions of them every time. These common security services include:
- Identity management platforms
- Access controls framework
- Event logging, monitoring and alerting
If there is not a common solution for these security services, it is worthwhile considering designing and building one which can be reused by other solutions. The benefit in using common solutions is that they can speed up the delivery, lower the overall cost and tend to be more reliable because they have been tested more often (i.e. each time another solution uses them).
Ensure that the design is implemented and maintained
Having gone to significant efforts to ensure that you have designed a secure solution, this should not be the end of the architects’ involvement in the process. Those responsible for the design need to be involved throughout the build and implementation stages to ensure that the resulting solution is actually secure. Otherwise, the effort to create a secure design might have been wasted.
Of course, it is not possible to predict all eventualities – challenges can arise where the requirements change or the technologies being used do not perform as expected. In these situations, having the original designers modifying the solution’s design will ensure that original assumptions are better understood and taken into account. Given that this is not always possible for numerous reasons, it is good practice to at least ensure that all of the design principles and assumptions are properly documented in the design phase.
Just because a secure technology solution is delivered to the users does not ensure that it will remain secure throughout its lifecycle. Equal diligence is required when making changes to a ‘live’ system to ensure security flaws are not introduced. Additionally, it is necessary to periodically review the operation of ‘live’ systems to verify the associated processes and practices are secure.
Today’s technology environment is complex for many large organisations, with many variables and many external partners, so it is essential for all parties to work together to achieve the best protection levels for the organisation over the long term as well as in the short term.
Director
Corix Partners
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.