If you want to make sure visitors to a building are properly checked in at the front door, the best time by far to arrange for this security precaution is at the initial design stage. This is when the front entry can be designed to be secure, practical and inviting, and other entrances can either be eliminated or appropriately secured.
Unsurprisingly, the same principle applies to cyber security, privacy protection and all-around system quality. The time to get these things right is when a system is initially designed because security, privacy and quality can then be built right into the system’s architecture. Trying to retrofit them later on is not impossible, but it is guaranteed to be more difficult and open up more opportunities for error.
Legacies Happen, but the Future of Cyber Security Begins Today
Truthfully, in the real world, we do not always get to start with a clean slate. In the same way companies must use existing buildings, they must often use existing legacy systems — and they often pay a heavy price for it. As Amanda Vicinanzo reports at Homeland Security Today, both private and public organizations continue to be stung by security breaches. All too often, they learn the hard way that they need security guidelines for implementing updates or even a security reporting plan.
Legacy systems cannot be done over from scratch, but they can be updated and upgraded. Each of these changes can serve as a starting point for security, privacy and quality. This is one of the crucial points made by Erik van Ommeren, Martin Borrett and Marinus Kuivenhoven in their new e-book, “Staying Ahead in the Cyber Security Game.”
As the authors note, “Whenever you plan a new release for this older system, you have to apply a new security pattern.”
‘It’s Not a Feature, It’s a Bug’
According to the e-book, security by design begins with the recognition that “there are circumstances when bad things happen to seemingly good software.” Or, as Tim Holman recently wrote at Computer Weekly, businesses should “start with the assumption that a cyber attack will be successful.” The only way to prevent failure is to plan for it.
The authors of “Staying Ahead” call this designing for anti-patterns, or negative use cases. Suppose, for example, that authenticated users can check their past five transactions in a mobile banking app. To build in security, designers must also consider the unwanted outcomes, such as unauthenticated users being able to check recent transactions or authenticated users being able to check someone else’s recent transactions, and design the checks that rule them out.
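The banking scenario above, carried into code as an added example (not from the e-book or this article): each negative use case becomes an explicit, testable check in the handler rather than an afterthought. The ledger, session store and ownership map are constructed sample data, and the function names are assumptions for illustration; the insecure variant is included only to show what the feature looks like when just the positive use case was designed.

```python
"""Added example: the 'past five transactions' feature modelled with its
negative use cases as explicit checks. All data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transaction:
    account_id: str
    seq: int        # monotonically increasing per account; higher = more recent
    amount: float
    memo: str


# Constructed sample ledger: eight transactions for alice, three for bob.
LEDGER: List[Transaction] = (
    [Transaction("acct-alice", i, 10.0 * i, f"alice #{i}") for i in range(1, 9)]
    + [Transaction("acct-bob", i, 5.0 * i, f"bob #{i}") for i in range(1, 4)]
)

# Constructed session store (token -> authenticated user) and ownership map.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNT_OWNER = {"acct-alice": "alice", "acct-bob": "bob"}

MAX_RECENT = 5  # the product contract: "past five transactions"


class NotAuthenticated(Exception):
    pass


class NotAuthorized(Exception):
    pass


def _history(account_id: str, limit: int) -> List[Transaction]:
    rows = [t for t in LEDGER if t.account_id == account_id]
    return sorted(rows, key=lambda t: t.seq, reverse=True)[:limit]


def recent_transactions_insecure(account_id: str, limit: int = MAX_RECENT) -> List[Transaction]:
    """Positive use case only: whoever supplies an account id gets its history.
    Both unwanted outcomes from the text are possible here."""
    return _history(account_id, limit)


def recent_transactions(session_token: Optional[str], account_id: str,
                        limit: int = MAX_RECENT) -> List[Transaction]:
    """Hardened handler: every negative use case is a named, failing path."""
    # Negative case 1: caller is not authenticated (missing or unknown token).
    user = SESSIONS.get(session_token) if session_token else None
    if user is None:
        raise NotAuthenticated("no valid session")
    # Negative case 2: authenticated caller asks for an account they do not own.
    if ACCOUNT_OWNER.get(account_id) != user:
        raise NotAuthorized("account is not owned by the authenticated user")
    # Clamp the limit so a client cannot widen the 'past five' contract.
    limit = max(1, min(limit, MAX_RECENT))
    return _history(account_id, limit)


def negative_use_cases_hold() -> dict:
    """Exercise the anti-pattern scenarios; True means the unwanted outcome is blocked."""
    results = {}
    try:
        recent_transactions(None, "acct-alice")
        results["unauth_blocked"] = False
    except NotAuthenticated:
        results["unauth_blocked"] = True
    try:
        recent_transactions("tok-bob", "acct-alice")
        results["cross_account_blocked"] = False
    except NotAuthorized:
        results["cross_account_blocked"] = True
    # The insecure variant hands alice's history to an anonymous caller.
    results["insecure_leaks"] = len(recent_transactions_insecure("acct-alice")) == MAX_RECENT
    return results


if __name__ == "__main__":
    print(negative_use_cases_hold())
    print([t.seq for t in recent_transactions("tok-alice", "acct-alice")])
```

The point of `negative_use_cases_hold` is that the anti-patterns are kept as a regression suite: a later release that drops the ownership check fails the test instead of quietly reopening the hole, which is exactly the kind of check that should travel with the architecture rather than be retrofitted.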
Implementing security by design is a process that operates along two parallel tracks. One is technical — making sure that the code actually does what it is supposed to do. But the other track, while equally critical, is “the project management or process path, where the decisions about resolution of these requirements are tracked to satisfactory resolution.”
Only management-level initiative and follow-through can ensure this happens. When it is done properly, it will also ensure that the technical path is correctly followed. The end result will be neither perfect security nor perfect privacy protection, because in the real world these things are unattainable. However, the result will be robust protection that is integral to the system and builds the foundation for continued cyber security improvements.