Information is fast becoming more ubiquitous and more tightly interconnected across the vast networks of cables and hosts distributed worldwide. This translates into an urgent requirement for more secure transactions and exchanges between international government bodies, in order to foster stronger B2B and B2C commerce.
And as the technology used to host and deliver the information evolves, new avenues of data access are providing a richer tapestry with which to build interfaces for more secure access to highly sensitive information.
While this infrastructure presents new prospects for today’s business and consumers, it also presents opportunities for “hackers” to realize their motives – ranging from notoriety to downright criminal. The new breed of computer criminal is most likely a member of an international crime syndicate, employed alongside other skilled people who specialize in illegal cyber activities such as software virus development, phishing, creating and distributing malware and spyware, and, now, digital identity theft.
In addition to cyber criminals becoming more organized, there are two major trends impacting information security.
First, given the huge variety of interfaces exposed by today’s rich applications, the majority of attacks on government and corporate IT installations now target the application layer rather than the infrastructure. Second, everyday Internet users are now being targeted by hackers directly.
Taking stock of security
The security priorities of many Canadian organizations have changed considerably from years ago when technical infrastructure was seen as the major focus of defence against cyber crime. Today, most attacks are either aimed at the application layer of an organization’s software or at specific individuals through targeted social engineering tactics such as phishing.
As a result, organizations are now looking at different ways to strengthen their application layer by developing in-house applications that meet their unique needs. What is needed is a holistic, integrated solution to address security in the application lifecycle that encompasses people, process and technology.
The very first thing that needs to be evaluated is the existing processes around application development as well as the need for new processes. Security must be considered an integral part of the entire application lifecycle starting from the envisioning or rationalizing phase down to support and retirement of the application. It is critical to view security as just another attribute of an application like performance, scalability, usability, accessibility, etc.
The key is to evaluate the importance of the security attribute in line with the business requirements of a given application and to develop a strategy that builds and maintains an acceptable security posture. There are never enough security resources to go around, so it is absolutely imperative to understand both the business requirements and the technical composition of each application. Only then can the security resources of your organization be distributed appropriately across the entire enterprise application portfolio, so that an acceptable security posture for the whole portfolio can be developed and maintained.
During the envisioning or rationalizing phase of an application, for example, it’s critical to evaluate the cost of maintaining an acceptable assurance level for the application through the introduction of security controls. This exercise helps tease out cases where the cost of maintaining an acceptable assurance level is actually greater than the value the application brings to the organization. In cases like this, the application proposal fails rationalization and should not be developed.
When designing IT applications, it’s also important to determine the kind of processes that are in place to help articulate the security requirements of the application and align these requirements with security controls that need to be introduced to maintain an acceptable assurance level of the application.
A process needs to be established during the testing phase to help evaluate the security posture of the application from an objective perspective. This can include an independent security assessment or vulnerability scanning tools that are run against the application code. The assessment process also needs to take into account remediation as well as exceptions, so that the results of the security assessment are managed end to end.
It is not enough to simply enforce patch management of the underlying infrastructure; the application itself needs to be managed to ensure its security posture is maintained even through change requests. After the application is deployed in production, processes need to be followed to ensure the application maintains the acceptable assurance level even as new attack vectors or exploits are discovered.
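The two paragraphs above call for assessment results to be managed end to end, with remediation and documented exceptions, and for that posture to be re-checked after each change. The following Python script is an added illustration of the minimum record-keeping such a process needs; it is not code from the article or from Microsoft. The severity scale, the finding statuses and the sample findings are assumptions constructed for the example. Its release gate passes only when every finding at or above the gating severity is either remediated or covered by an exception that is still current and approved, so that a silently expired exception is treated as an open finding rather than forgotten.

```python
"""Tracker for the results of an application security assessment.

Each finding carries a status: "open", "remediated" or "accepted". A
finding may only count as accepted while a documented exception with an
approver and an expiry date is still current. Severity names, statuses
and sample data below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed severity scale; higher rank means more serious.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class RiskException:
    """A documented, time-limited decision to accept a finding."""
    approver: str
    expires: date
    reason: str

    def is_current(self, today: date) -> bool:
        return today <= self.expires


@dataclass
class Finding:
    fid: str
    severity: str
    status: str                          # "open" | "remediated" | "accepted"
    exception: Optional[RiskException] = None


def unresolved_findings(findings: List[Finding], gating_severity: str,
                        today: date) -> List[Finding]:
    """Return the findings that block release under the gating policy.

    A finding blocks release when its severity is at or above the gating
    threshold and it is neither remediated nor covered by a current
    exception. An "accepted" finding with no exception, or with an expired
    one, is treated as still open: acceptance must be explicit and dated.
    """
    threshold = SEVERITY_RANK[gating_severity]
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue                      # below the gate; tracked but not blocking
        if f.status == "remediated":
            continue
        if (f.status == "accepted" and f.exception is not None
                and f.exception.is_current(today)):
            continue
        blocking.append(f)
    return blocking


def release_gate(findings: List[Finding], gating_severity: str = "high",
                 today: Optional[date] = None) -> bool:
    """True when nothing at or above gating_severity remains unresolved."""
    today = today or date.today()
    return len(unresolved_findings(findings, gating_severity, today)) == 0


# Constructed sample assessment results; not output of any real tool.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", "remediated"),
    Finding("F-2", "high", "accepted",
            RiskException("app-owner", date(2030, 1, 1),
                          "compensating control in place")),
    Finding("F-3", "high", "accepted",
            RiskException("app-owner", date(2020, 1, 1),
                          "exception was never renewed")),
    Finding("F-4", "medium", "open"),
]

if __name__ == "__main__":
    for f in unresolved_findings(SAMPLE_FINDINGS, "high", SAMPLE_TODAY):
        print(f"blocking: {f.fid} ({f.severity}) status={f.status}")
    verdict = "PASS" if release_gate(SAMPLE_FINDINGS, "high", SAMPLE_TODAY) else "FAIL"
    print("release gate:", verdict)
```

Run the same check again after every change request and at a fixed interval in production: a re-run with today’s date is what turns an expired exception back into a blocking finding, which is the re-evaluation the text asks for once an application is live.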
Secure technology, secure processes
After processes have been established, technology should be evaluated in support of them. It is not effective to simply apply technologies to security problems without an underlying process to govern them. It is important to understand the limitations and benefits of each technology in the context of the processes established to assess the security posture of an application.
At the same time, training and knowledge must be provided to staff so they are empowered to make security part of their job. The goal is to establish an independent governance and enforcement body in the organization that manages security policies and drives compliance in an effective and proactive manner.
In the end, the security of your organization is only as good as your weakest link. As such, it’s critical to maintain an overall holistic view of security and incorporate security into every aspect of your application lifecycle. At the same time, it’s important not to get overwhelmed by the scope.
Security approaches can be adopted in piecemeal fashion, starting, for example, with tweaks to existing development processes. From there, government organizations should start evaluating how technology can be introduced into different aspects of the development lifecycle to bring about efficiencies.
Todd Kutzke is the senior director of Information Security for Microsoft Corporation.