Security by Design

21 August 2016

Friday afternoon I participated in a really interesting meeting. Some application managers got a request from researchers to implement a new application to support pharmacological studies. The new application collects information from some business-critical applications. The researchers combine and enrich the information, evaluate the new information with numerical models and, if the results are promising, the enriched information is transferred back to the source systems.

With this, it is very likely that the new application will create and store business-critical information, even if the information collected from the source systems is not critical in itself.

The application managers were particularly concerned about the impact of the security requirements on the usability and on the development and operation costs of the application. Thus they decided to start the security discussion as early as the development of the project proposal.

Great! That is the best phase to start with application security, indeed. Security by Design is the key to sustainable and cost-effective security. We had a very fruitful discussion about role concepts, clearance of users and encryption.

The application managers were actually surprised when I began talking about the solution life cycle. Talking about the solution life cycle while the project proposal is still being written sounds really strange, but the architecture of a solution has a major impact on both its security and its operation costs.

In R&D we talk about application lifetimes of 10 or more years. Over such a lifetime we have to change applications simply because application components are discontinued by their suppliers and need to be replaced, either by newer versions of the same component or, in the worst case, by components from other suppliers. In addition, we have to apply an endless stream of security patches to all components, which leads to high effort in application operations.

If the application architecture does not support easy replacement or patching of components, we have to apply additional technical measures to secure the application, which increases operation costs and complexity. Thus it makes sense to start talking about the solution life cycle as early as possible.
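One concrete way to bring the life-cycle question into the proposal phase is to check each planned component's published end-of-support date against the intended application lifetime, so that forced replacements are known before the architecture is fixed. The script below is an added example, not part of the original post or of any project mentioned in it; the component names, suppliers and dates in the inventory are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    """One third-party building block of the planned application."""
    name: str
    version: str
    supplier: str
    end_of_support: date | None  # None: the supplier has published no date


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def replacement_plan(components, go_live: date, lifetime_years: int) -> dict[str, str]:
    """Classify each component against the planned application lifetime.

    replace-before-go-live : support already ends before the application starts
    replace-during-lifetime: support ends before the planned retirement date
    unknown-eol            : no published date, which is itself a life-cycle risk
    covered                : supported for the whole planned lifetime
    """
    retirement = add_years(go_live, lifetime_years)
    plan: dict[str, str] = {}
    for c in components:
        if c.end_of_support is None:
            plan[c.name] = "unknown-eol"
        elif c.end_of_support < go_live:
            plan[c.name] = "replace-before-go-live"
        elif c.end_of_support < retirement:
            plan[c.name] = "replace-during-lifetime"
        else:
            plan[c.name] = "covered"
    return plan


def replacement_count(plan: dict[str, str]) -> int:
    """Number of forced component swaps the architecture must absorb."""
    return sum(1 for status in plan.values() if status.startswith("replace"))


# Constructed sample inventory: hypothetical names, suppliers and dates.
INVENTORY = [
    Component("framework", "1.0", "vendor-a", date(2016, 3, 31)),
    Component("numerics-lib", "2.1", "vendor-b", date(2019, 12, 31)),
    Component("app-server", "9", "vendor-a", date(2024, 6, 30)),
    Component("db-driver", "4", "vendor-c", None),
    Component("tls-lib", "1.3", "vendor-d", date(2030, 12, 31)),
]
GO_LIVE = date(2017, 1, 1)   # assumed go-live date of the new application
LIFETIME_YEARS = 10          # the 10-year R&D lifetime the post mentions

if __name__ == "__main__":
    plan = replacement_plan(INVENTORY, GO_LIVE, LIFETIME_YEARS)
    for name, status in sorted(plan.items()):
        print(f"{name:14} {status}")
    print("forced replacements:", replacement_count(plan))
```

Each "replace-during-lifetime" entry is a component swap the architecture will have to absorb while the application is in production, and every "unknown-eol" entry is a supplier to ask before the proposal is signed off; both are cheaper to design for now than to retrofit later.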

That reminds me of Dan Lohrmann’s post “Idea to retire: Cybersecurity kills innovation”, which was published in the Brookings TECHTANK blog some months ago:

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Now we have to convince the research department to spend some additional effort and time during the development of the project proposal to build a really innovative application.

Have a good weekend.