Our technology systems must be designed from the start to be cyber secure

In August this year, Home Affairs launched the 2020 Australian Cyber Security Strategy. An important input into this strategy was the July 2020 Industry Advisory Panel Report. The report highlighted the often forgotten, age-old concept of “secure by design” – or building the native resilience and redundancy into systems from the outset.

Key recommendations include encouraging major vendors to sign up to a voluntary “secure by design” charter that draws on international best practice, with the aim of building industry consensus and accelerating the adoption of new standards.

So, where have we gone awry with native security protection, and how can we get back on track with first principles?


Technology solutions are ubiquitous, from online retailers like eBay and Alibaba to your local high-street store. Household products are increasingly internet enabled: microwaves, fridges, ovens, home automation control systems, cameras, cars, music systems and even door entry and high security systems. The result is dozens or even hundreds of devices connected to the home router, compared to the historical handful of laptops and beige desktop computers.

In the business environment, resilience and security engineering are trumped by functionality and the drive for a minimally viable product, by meeting regulatory compliance requirements, and by ergonomic and stylistic aesthetics. Systems built in the early days of digital communications, in the mid to late 20th century, were simply not designed to protect or defend against attacker tools that had not yet been imagined. To this day, embedded security remains relatively low on the priority list for system designers. Of course, some products are built for security, but most are not designed for high levels of assurance, and few are designed so that their security can be strengthened to keep pace with evolving threats. If one supplier were to invest in high security for their product, the resulting price increase is unlikely to attract would-be buyers; more likely, it would drive the purchase of alternative, cheaper products.

Without regulation, security rarely receives the investment required to be an integral part of the design and build budget.

When we look at the capability of Internet Service Providers’ (ISPs’) standard home modems, these devices fail to provide protection profiles, family protection services, get-me-home VPN services (to apply home policies to kids’ devices on the move), advanced firewall services for protection against malicious web traffic and content, or the DNS filtering that blocks lookups of known-malicious domains, a common delivery and command-and-control path for ransomware. ISPs throughout the world have traded advanced security for cheap services. Of course, some readers may have purchased a home router with these features, but that is far from the norm.

Encapsulating Wisdom – Patterns

Security has three dimensions, referred to as the CIA triad: Confidentiality, Integrity and Availability. Security patterns exist for each of them: the protection of data (confidentiality), guaranteed delivery without tampering (integrity), and uptime (availability). These security patterns help us by encapsulating wisdom. At their heart they provide reusable solutions to a commonly occurring problem. Patterns, whilst considered fundamental to the design of large, complex enterprise systems, rarely feature in the normal security practitioner’s lexicon.

Some organisations have gone a long way in creating Enterprise Security Architectures that include top-level patterns for Network Security, Data Security, Application Security, Endpoint Security, Training, and Incident Management. However, others only apply security ‘in-project’ (during a project lifecycle) or, worse, bolt it on at the end as an afterthought.

Fundamental concepts such as data classification, failover and end-to-end encryption are reasonably widely understood and implemented. More abstract, or harder to enable, concepts often struggle to get traction in enterprises: network segmentation, security separation, data protection at row and/or cell level, tagging and labelling, ABAC versus RBAC patterns in enterprise systems, Data Loss Prevention patterns, Rights Management and, strangely at times, availability and performance patterns.
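To make the ABAC-versus-RBAC and row-level labelling patterns concrete, here is an added example (not code from the article or from any framework it cites). It contrasts a coarse role-based check, which exposes a whole table once a role is granted, with an attribute-based check that filters row by row on a classification label and a need-to-know attribute. The classification ordering, roles, units, records and policy rules are all constructed for illustration.

```python
"""RBAC vs ABAC with row-level classification labels.

Added example. The label ordering, roles, units, records and policy rules
below are constructed for illustration and are not taken from any real
system or standard.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

# Assumed ordering of classification labels, lowest to highest.
CLASSIFICATIONS = ["OFFICIAL", "PROTECTED", "SECRET"]


@dataclass(frozen=True)
class Record:
    row_id: int
    owner_unit: str       # business unit that owns the row
    classification: str   # row-level label
    payload: str


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    clearance: str        # highest label the user may read
    unit: str             # business unit the user belongs to


# --- RBAC: a role maps to permitted actions on the whole resource type.
# Once a role grants "records:read", every row in the table is visible.
RBAC_POLICY = {
    "analyst": {"records:read"},
    "admin": {"records:read", "records:write"},
}


def rbac_allows(user: User, action: str) -> bool:
    """Coarse-grained decision: does any of the user's roles permit the action?"""
    return any(action in RBAC_POLICY.get(role, set()) for role in user.roles)


# --- ABAC: the decision is computed from subject, resource and action
# attributes. Each rule returns True to permit; all rules must agree.
Rule = Callable[[User, Record, str], bool]


def role_permits(user: User, rec: Record, action: str) -> bool:
    """The role check is kept as one attribute rule among several."""
    return rbac_allows(user, action)


def clearance_dominates(user: User, rec: Record, action: str) -> bool:
    """The user's clearance must be at or above the row's label."""
    return CLASSIFICATIONS.index(user.clearance) >= CLASSIFICATIONS.index(rec.classification)


def need_to_know(user: User, rec: Record, action: str) -> bool:
    """Writes are confined to the user's own unit; reads may cross units if cleared."""
    return action == "records:read" or rec.owner_unit == user.unit


ABAC_RULES: List[Rule] = [role_permits, clearance_dominates, need_to_know]


def abac_allows(user: User, rec: Record, action: str) -> bool:
    """Fine-grained, per-row decision: every rule must permit."""
    return all(rule(user, rec, action) for rule in ABAC_RULES)


def visible_rows(user: User, records: List[Record], action: str = "records:read",
                 mode: str = "rbac") -> List[Record]:
    """Row-level filter. RBAC is all-or-nothing; ABAC evaluates each row."""
    if mode == "rbac":
        return list(records) if rbac_allows(user, action) else []
    if mode == "abac":
        return [r for r in records if abac_allows(user, r, action)]
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample data.
RECORDS = [
    Record(1, "finance", "OFFICIAL", "quarterly totals"),
    Record(2, "finance", "PROTECTED", "supplier contract terms"),
    Record(3, "ops", "SECRET", "incident playbook"),
]
ALICE = User("alice", frozenset({"analyst"}), "PROTECTED", "finance")
BOB = User("bob", frozenset({"admin"}), "SECRET", "ops")
CAROL = User("carol", frozenset(), "SECRET", "ops")   # cleared but holds no role


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for mode in ("rbac", "abac"):
            ids = [r.row_id for r in visible_rows(user, RECORDS, mode=mode)]
            print(f"{user.name:6} {mode}: rows {ids}")
    print("bob may write row 1 (finance):", abac_allows(BOB, RECORDS[0], "records:write"))
```

The point the output makes is the one the text is driving at: under RBAC alone, alice's analyst role exposes the SECRET ops row to a PROTECTED-cleared user, whereas the ABAC filter returns only the rows her clearance dominates; and bob, despite an admin role and SECRET clearance, is stopped from writing a finance row because the need-to-know attribute does not match.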

The latter is sometimes a result of security controls libraries being aligned to “confidentiality” alone. If system architectures featuring security patterns are not tackled at the enterprise level, for all projects to adhere to or contribute to, the sum of the parts generated by individual projects never adds up to a coherent and strategic security outcome. Perhaps the practice of funding projects rather than engine rooms (core security) causes this; or perhaps investment in architectures and patterns is seen as too abstract, so tactical engineering overrides strategic thought and execution.

The Industry Advisory Panel suggested that secure by design principles should be adopted by leveraging international best practice. Internationally, NIST and OWASP are two exemplars that can inform patterns within system architecture to enable secure by design, but wisdom can also be sought within Australia from the ISM, PSPF, DSPF and other manuals and frameworks.

The bottom line is that we need to protect data and systems from adversaries. To improve our individual, small business and enterprise approaches to security, best practice needs to be documented and shared, and those with the ability to provide more secure services should do so. Regulation should weed out ineffective system design to ensure we all move to a more cybersafe world.
