Security by design is one of those concepts that happily goes hand in hand with resilience. Candidly, they were made for each other. The security by design methodology helps minimize some of the inherent risk we cannot do anything about.

Building on a Tectonic Plate

Consider for a moment you absolutely had to construct something — say, a building — on a foundation that is inherently vulnerable. There are no other areas to build on (at least not yet). How would you go about that?

Chances are you would take a more cautious approach, build incrementally and test along the way. You would likely add in some redundancies, just to be safe, correct? You would also think about the entire life cycle of the building. You’d try to determine how many good years you could get out of it knowing it is on shaky ground. You’d want to know what type of maintenance would be required.

Quite reasonably, you would examine your technical processes to make sure you have good project management in place, a risk matrix and decision-making process and a way to keep track of quality all before you started to build. And knowing that you are building on something inherently vulnerable, you would also have a plan for how to bring down the building safely and dispose of all materials just in case it becomes too risky to keep up.

Finally, you wouldn’t want people to enter that building unless a bunch of safety checks were performed.

Seems like a quite reasonable approach.

So why are we developing our software and infrastructure in the exact opposite way?

The Inherent Vulnerability of the Internet

The backbone of what we rely on — the internet — is inherently vulnerable.  Accept that and you are ahead of most, especially as there is little we can do about it right now. If you are asking why, it’s because of decisions made decades ago. At the same time, we’re stuck with what we have because of the lack of capital resources to build a ‘new internet’. Because ‘it is what it is,’ there is pressure on business continuity and disaster recovery planners. Therefore, if you are feeling that it is one cybersecurity crisis after another, just remember this: the people who built the internet made it to share information, not necessarily be secure. Security just wasn’t top of mind.

Welcome to 2021. Information security is so top of mind for everybody, the issue is ready to pop out of our heads!

Here’s the key: the internet is your unstable tectonic plate. And just like we have learned to design and construct buildings to be stronger and more resilient in earthquake zones, we need to do something similar for our information technology infrastructure and software. That is where security by design comes in. It is the mitigating methodology to reduce risk.

A Multidisciplinary Approach to Design For Systems Security

If you are looking for a one-stop-shop on security by design principles, there is no better place than NIST SP 800-160 Volume 1, Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Building on standards from the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the Institute of Electrical and Electronics Engineers (IEEE), NIST SP 800-160 mixes in systems security engineering techniques, methods and practices to improve the robustness, security and resilience of systems and software.

It is difficult to summarize any better the purpose of the special publication from what is already in there, so let’s just cite directly from it:

The ultimate objective is to address security issues from stakeholder requirements and protection needs perspective and to use established engineering processes to ensure that such requirements and needs are addressed with the appropriate fidelity and rigor across the entire life cycle of the system.

And the keyword is ‘system’ because that is what ties it all to resilience.

Think about it like this. A single business process becoming unavailable or an asset failing, in isolation, does not impact anything else. Sure, that individual item may buckle, but you contain the blast zone. It’s an isolated resilience failure.

But if those processes or assets have upstream and downstream dependencies, well, then the calculus changes. Knock off one or more of those critical ones and your entire system can come crashing down. That’s why security by design is such an incredible methodology: it’s fixing every piece (a smaller system) in isolation before it gets plugged into the larger system. In other words, if it is safe in isolation, the likelihood of it being unsafe in the larger system decreases. Translation: a more resilient system.

The Price of a Secure System

There are two harsh truths that come with security by design. It’s potentially costly and may come in opposition to business needs. Candidly, good code isn’t cheap. And business drivers, along with market demands and behaviors, do not necessarily have the time or patience to wait for good code.

And therein is your resilience paradox. Security sustains and helps build a strong economy. But, you need a strong economy to invest in security.

See the conundrum? Limited resources and time bind us, leaving us to invoke the old favorite: it’s all about risk management. At some point, somebody has to make the decision and say, “All right, I know I’m going to suffer a disruption, and I know that I need to find a way to operate through that disruption; how much risk can I take on and survive?”

Really, that is all that it comes down to. With 5G investments happening, Internet of Things use still exploding and sensitive data handling requirements continuing to grow, such as personal health information, we are reaching a tipping point where the risk may be too high. Specifically, we are reaching that level where an organization may not be able to operate through a disruption. Instead, it may go bust.

That’s why security by design is such a good idea. It may cost upfront, and it may take a bit longer to implement, but the approach will help you weather most storms.

Next in our journey and very appropriate after this piece: the supply chain and third parties.

more from Incident Response