There was an interesting twist to the recent distributed denial-of-service (DDoS) attack against domain name provider Dyn that plunged huge areas of North America and Europe into internet darkness: The perpetrators didn’t directly attack the servers of their ultimate target. Instead, they compromised 100,000 small, interconnected devices with weak default passwords, building an enormous botnet that then battered the real target. In doing so, these attackers make the case for secure by design.
These incidents serve as evidence that the future of cyberattacks and threat vectors is largely unknowable. However, we do know that the threat environment is highly dynamic and unpredictable. Enterprises must prepare for the inevitable attacks by building security deeply into the requirements of applications and the platforms, as well as architectures that support them.
That’s secure by design. The principle requires IT teams to presume attacks will happen and take great care a priori to minimize the impact when a breach is discovered.
Creating Trusted Partnerships
Taking a secure-by-design approach requires organizations and their vendors to work together as trusted partners. When this happens, issues are uncovered early and costly consequences can be avoided. For example, we recently consulted with a very large financial services organization that was launching a next-generation platform, essentially supporting its entire business and its new, fully digital strategy. What we found, fortunately well ahead of the launch, was that security was not a priority in the design phase of that platform. We avoided potential major downstream issues by working with the organization to build security into the platform from the design point.
This is not a new position for IBM. We’ve been pushing secure by design for many years now. We recognize that in the era of the lean development process, security is a potentially disruptive area that affects not only the development itself, but also the entire environment and architecture where the development resides.
Many organizations are exposed from a security perspective, predominantly in their legacy environments but also in new development rollouts. Banks, for example, frequently carry large legacy architectures. These banks must assess the costs of either fully securing their architectures or proposing alternative delivery models. Often these costs outweigh the benefits. These legacy systems typically have sparse documentation, and experts have often either retired or moved on. Just how quickly can organizations move away from the vulnerabilities of legacy architectures, and toward emerging consumption models such as cloud and as-a-service models?
Cloud Security Considerations
Moving to the cloud doesn’t change the principles of secure by design. An enterprise cannot transfer the responsibility for the security of its data and applications to cloud service providers. It remains your responsibility to build security deeply into the applications you deliver.
In fact, the whole question of security in the cloud is generally a tricky one for enterprises to resolve. We recognize that, as workloads inevitably transition to the cloud, there will be an increased call for transparent cyber resiliency. Seen this way, cloud does not change the principles of secure by design.
Cloud can inject more agility into development processes, so perhaps an enterprise can more quickly leverage different security technologies in the market place. We’re seeing more reusable code around securing application program interfaces (APIs), which may drive quicker time-to-realization of security requirements in the cloud.
Make Your IT Environment Secure by Design
In any case, it’s important use secure by design early in applications and architecture development to provide the right level of security downstream in a highly dynamic threat environment. The enterprise is still responsible for the applications it writes.
IBM recently demonstrated its massive commitment to cybersecurity when it launched the X-Force Command Centers. There, IT and C-suite executives can experience simulated cyberattacks to practice responding to real-life incidents.