Defining Security by Design
According to TechTarget, security by design is a new methodology for IT implementations that puts security first—meaning that security controls are built into products and services, which eliminates the potential for a retrofitted security tool implementation, and significantly decreases the risk for vulnerabilities and subsequent attack by malicious actors. Here’s how we like to think of it in simple terms at Peak 10: the moment you begin planning to build out a new IT capability that you’re going to deliver, you need to be thinking about security implications. It’s a design consideration that must be planned from the outset.
It seems a bit obvious, but too often new solutions or capabilities are built and delivered, and then people think about how best to make it secure and compliant. And in that case, it’s exponentially more difficult to add security in at the end than it is if you bake it in from the very beginning of your design and development efforts.
Technology consumers have woken up to the fact that they need to care about how a manufacturer that they’re purchasing software or hardware from has gone about implementing security by design, because they’re powering business based on products and services that they’re consuming from a vendor or a partner. All in all, as goes the security capabilities in those products and services, so goes the security of the product or service the consumer is trying to provide their own customers.
Why Is a More Comprehensive Approach So Critical?
There are a lot of good reasons to use a more holistic, preemptive approach for security as a whole, but there are two major forces underpinning security by design.
Compliance—especially where other countries are concerned
All businesses have the obligation to understand regulatory and compliance requirements, especially when doing business internationally. For example, if a particular organization in the United States is doing business in Germany, and has electronic healthcare records of their users in Germany, that organization will have to understand the German laws with respect to how storing and handling that data is regulated—which may very well be different from the laws in the U.S.
Partnering with a service provider who makes security a priority from the beginning and understands government regulatory and compliance issues is a good way to alleviate the challenge.
The technology supply chain—hardware, equipment and software
If your IT team has taken on the project of putting together a new IT capability internally, buying equipment is going to be a major initiative; in particular, equipment at the most reasonable price. And most of the time, people aren’t thinking about the origin and path of travel; the goal is to find the best deal and begin building out a design efficiently.
Here’s the problem that is not often discussed: if something has been tampered with somewhere along the supply chain, installing a new technology into a network results in malicious actors gaining unauthorized access, and it’s a real problem. There are cybercriminals who will alter a product between the manufacturer and end customer, which makes buying equipment an even greater risk.
Doing business with a technology partner who has built their infrastructure through trusted, secure vendors removes this concern and allows a level of trust that would not necessarily be available in buying equipment to install in-house. (It would also eliminate the need to actually install the equipment).
Comparing the Security by Design Model with the Traditional Approach to Security
The old way of deploying a new IT solution and practicing security essentially involved building what needed to be built and figuring out how to secure it when it was finished.
Historically, there were a limited amount of tools available for security programs, and most IT functions didn’t include the right visibility needed to detect when bad things were occurring in the first place. In attempting to add a particular security tool, performance was often compromised because an ad-hoc security control was not designed in initially.
Think of building a new house: if you don’t pre-wire the doors and windows for a security system, and then later on you decide you want to install one, it’s considerably more difficult and expensive to do—and that’s just a simple example that relates to technology, whether it’s a product or a service. The point is, if security isn’t included from the beginning, adding in controls will be expensive, and in some cases, impossible.
Why This Model Needs to Change: Security Has Earned Its Place
We are all aware of the extent to which various emerging security threats have become a major concern among all businesses throughout all verticals, without question. Information security as a practice area is growing exponentially, and everyday more tools are available to help strengthen your security posture and prevent or remediate malicious activity.
So, now more than ever, using the security by design model is critical. Think of it as a sort of domino effect. If an online retail company chooses a managed services provider to host their infrastructure and provide managed services, the design and security used to build and deliver the services are a critical consideration. If there are flaws, the online retail company will get exposed to those security flaws, and so too will their customers, in turn—which will cause the business reputation to suffer.
As IT consumers, we all need to care about who is building underlying IT capabilities, and what processes and designs that went into the security components. Ultimately, business success and reputation is on the line when IT services are consumed.