Building a security-vigilant organization

Better secure than sorry! Security is not an afterthought, and security-vigilant organizations take proactive measures to safeguard consumer data and enterprise assets. They anticipate internal and external threats and invest upfront in creating a security-first mindset in their employees. Though the product and engineering teams carry the larger share of the responsibility, the buck doesn't stop with them: employees in every department, whether a customer service agent or a salesperson, are expected to develop the same mindset. Since product and engineering take the bigger piece of the pie, I focus more on them here.

Start by building a security center of excellence (SCOE), responsible for establishing the enterprise strategy and vision for creating a security-first mindset. Engineering leadership and technology architects usually fill this role, but for the SCOE to be effective it also needs critical thinkers, mavericks, and diverse participants. Document the roles, responsibilities, and accountability of each SCOE member. Create clear and concise approval workflows for each SDLC phase, and let the SCOE act as the approval authority and gatekeeper for any major decision.

Create security guidelines and train the teams on them; they lay the foundation for building secure systems. These guidelines should cover concrete security aspects such as:

  • Service authentication/authorization
  • Data encryption in transit and at rest
  • Access controls and privileges
  • Data/access key rotations
  • API rate limiting
  • Usage of third-party libraries
  • Use of DAST/SAST tools
  • Log monitoring and scraping

Create comprehensive blueprints for repeated engineering tasks. They increase team efficiency and help the SCOE and reviewers quickly spot deviations from approved practices. Note: blueprints are standard reusable documents, templates, and libraries created for ready use by the engineering teams. Some examples include:

  • Templates for design docs HLD/LLD, deployment architectures, threat models, and data access patterns.
  • A Docker image for a containerized microservice with a predefined tech stack, e.g., Tomcat, Java, Spring, and approved third-party libraries, ready to deploy on EC2/ECS.
  • A reusable encryption/decryption library.
  • A CI/CD job template script.

Automate security processes and reduce manual intervention as much as you can. For example, automate credential/key rotations: done manually they are painful and error-prone, and they leave a great deal of sensitive information in the hands of the SREs.

Consumer data is gold, and safeguarding it is paramount. Define comprehensible policies for consumer data management (storage, access, and retention). Ensure the systems managing consumer data comply with the applicable regulations and standards (e.g., PII/PCI, FCRA, GDPR, and CPRA) by engaging your Risk & Compliance teams upfront. Not every application or service needs consumer data, and restricting data access is essential. A headless backend service, a frontend application such as a web/mobile app or CRM tool, and an analytics/reporting system all have different data access requirements. Use these requirements to group applications into cohorts and create data access policies per cohort.

Here are some more best practices to consider in system and database design:

  • Treat security as a cross-cutting concern that is enforced in every phase of the SDLC.
  • Emphasize the zero trust model as a fundamental strategy in all your system designs.
  • Design your systems for operational excellence. Your ops and production support teams must not have to find workarounds or abuse the systems to fix customer issues; such workarounds cause data quality and integrity problems and can become the seed of insider attacks.
  • Design applications/services that restrict blanket database searches on consumer data returning multiple consumers' information.
  • Design your systems to leave an audit trail for every DML (CRUD) operation.
  • One centralized repository/database of critical consumer data like PII/PCI at the enterprise level gives better control, as it eliminates the need to replicate your security controls. This may not be practical when you have different product lines or verticals, but it is worth keeping in mind.
  • Never allow direct database updates. Provide automated processes for your operations and production support teams for bulk updates such as data patches and reconciliation.
  • Create dashboards for your applications/services, define thresholds for your critical health indicators, and set up alerts.
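As an added illustration of three points in the list above (an audit trail for every DML operation, no blanket consumer searches, and no direct database updates), here is example code that is not part of the article: the schema, table and function names are constructed for this example, and SQLite triggers stand in for whatever audit mechanism a production database offers.

```python
import sqlite3

# Constructed schema for this example: a consumer table holding PII and an
# audit_log fed by triggers, so every INSERT/UPDATE/DELETE is recorded
# regardless of which code path (or person) issued it.
SCHEMA = """
CREATE TABLE consumer (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT, op TEXT NOT NULL,
    consumer_id INTEGER NOT NULL, old_email TEXT, new_email TEXT,
    at TEXT NOT NULL DEFAULT (datetime('now')));
CREATE TRIGGER consumer_ai AFTER INSERT ON consumer BEGIN
    INSERT INTO audit_log (op, consumer_id, new_email)
    VALUES ('INSERT', NEW.id, NEW.email); END;
CREATE TRIGGER consumer_au AFTER UPDATE ON consumer BEGIN
    INSERT INTO audit_log (op, consumer_id, old_email, new_email)
    VALUES ('UPDATE', NEW.id, OLD.email, NEW.email); END;
CREATE TRIGGER consumer_ad AFTER DELETE ON consumer BEGIN
    INSERT INTO audit_log (op, consumer_id, old_email)
    VALUES ('DELETE', OLD.id, OLD.email); END;
"""

def open_db():
    """Return an in-memory database with the schema and audit triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_consumer(conn, consumer_id):
    """Point lookup by id only: the service exposes no filter that can return
    many consumers' records at once (the blanket search the list warns about)."""
    if type(consumer_id) is not int:
        raise ValueError("consumer_id must be a single integer id")
    return conn.execute("SELECT id, email FROM consumer WHERE id = ?",
                        (consumer_id,)).fetchone()

def patch_email(conn, consumer_id, new_email):
    """The sanctioned write path for ops data patches; the trigger records it."""
    cur = conn.execute("UPDATE consumer SET email = ? WHERE id = ?",
                       (new_email, consumer_id))
    conn.commit()
    return cur.rowcount

def audit_entries(conn, consumer_id):
    """Audit trail for one consumer, oldest first, as (op, old_email, new_email)."""
    return conn.execute("SELECT op, old_email, new_email FROM audit_log "
                        "WHERE consumer_id = ? ORDER BY id", (consumer_id,)).fetchall()
```

Because the triggers live in the database, a change made by bypassing patch_email still lands in audit_log, which is what makes the trail useful when reviewing an incident.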

Conclusion: Creating a security-first mindset and laying a strong foundation takes a great deal of commitment, patience, and investment at the beginning. Bringing in any change is not easy; leaders must develop a strong will to face resistance and criticism. You may receive questions like: Why do we need a pessimistic security model? Isn't it over-architected? Why do you make it so challenging to access consumer data? Why not invest more in innovation and new product ideas that generate revenue instead? How can we meet the performance SLAs with these overarching security aspects? Be prepared to answer them, and make sure people understand that security is critical to running the business. Conduct roadshows to educate and train your employees on cyber safety. Educate them on existing and emerging cyber threats, and show examples of companies impacted by security breaches.

There is much more happening at the ground level than the thoughts I shared. I would like to hear from you and learn about all the good things you do in your organization to protect your systems and data.

#securityvigilant #security #technology #NortonLifelock #WhartonCTO #Wharton

Vara Prasad Rayabaram

Senior Engineer (Enterprise Cloud) at American Express

1 yr

Very well written post

Pretty neatly written. I completely agree on templating the practices, which would lead to automating them; this reduces errors, reduces dependencies, and increases velocity. This would also prevent security aspects from being an afterthought in one's development cycle.

Magesh Varadharajan

Technologist, Mentor, Leader, Founding Angel

2 yr

Excellent Chaitanya

Tony Wu

VP of Engineering at Gen

2 yr

Excellent advice Chaitanya on making security a first class citizen in the SDLC! Great callouts on adhering to a zero-trust model, templating for consistency/reducing human error, database best practices, and automation/tooling. Automating security is key to successful shift-left of security at scale, as well as empowering engineers to do their own scans and be responsible for the results. With the plethora of open source tools available, security is approachable for all businesses small and large. It just takes the right amount of drive and a bit of time.