Security by Design
Architects of buildings have a set of rules and requirements to make sure their result is structurally safe and secure. It’s no different in the world of cyber security, with a set of criteria that need to be met and tasks that need to be done to be cyber safe. We call this security by design.
In a bit more detail:
Security by design ensures the system architecture of your business is secure. It means the hardware, software and data management your business depends on are designed to be as secure as possible, enforcing authentication, authorisation, confidentiality, data integrity, privacy, accountability, availability, safety and non-repudiation requirements, even when the system is under attack. Based on design and theory, it works in combination with environmental security (the practical application), using best-practice principles and tactics to minimise potential exposure and so reduce risk.
Here are 4 quick wins to start you on your cyber-health journey and improve your security by design; each is covered in more detail below:
Understand how and where your data is used
Before you can meaningfully design a secure system, you need to understand how and where your business uses data. Factors such as what the data is used for, how often it is used, how it is shared and where it is stored all form part of the overall picture of how best to protect your company’s data.
Some simple steps you can take to understand your data are:
- Categorise your data and its importance to the business if it were lost, altered or publicly exposed (this information can be taken from your asset register)
- Map out where data is stored and how it is shared. For example, it may be stored on a cloud service and shared with customers using a web service, or it may just be stored on a laptop
- Work out where the data is most at risk, for instance a laptop with sensitive information could be stolen or data sent across unencrypted channels could be easily read
Define your security controls and apply them to projects, new systems, etc
Now that you know how and where your data is used, you can start to design the security controls to keep it safe. In some instances, especially with cloud services, a lot of security may already be applied; knowing which data is important and how it will be used tells you which additional controls may be needed. You can use our handy XaaS Security by Design checklist to help you if you don’t know where to start.
Some simple steps you can take to define your security controls are:
- Where data is accessed, think about how people are authenticated (prove they are who they are) and authorised (gain access to only what they are allowed)
- When data is stored or transmitted, how and where can encryption be applied to ensure it cannot be accessed or altered?
- Create a set of rules that can be consistently applied to every new system
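One way to turn the categorise, map and define-controls steps above into a rule set that is applied consistently to every system, as an added Python example that is not part of the original page (the asset fields, the rules and the sample register are assumptions for illustration):

```python
from dataclasses import dataclass

IMPACT = {"public": 0, "internal": 1, "confidential": 3}   # impact if lost, altered or exposed
PORTABLE = {"laptop", "phone", "usb"}                        # easily lost or stolen
ENCRYPTED_TRANSPORT = {"https", "sftp", "tls", "none"}       # "none": never transmitted

@dataclass
class Asset:
    name: str
    classification: str        # key of IMPACT, taken from the asset register
    location: str              # where the data is stored
    transport: str             # how it is shared, e.g. "https" or "smtp"
    encrypted_at_rest: bool
    auth: str                  # "mfa", "password" or "none"
    shared_externally: bool = False

def evaluate(asset):
    """Apply the same rule set to every asset; return the rules it breaks."""
    findings = []
    if IMPACT[asset.classification] == 0:
        return findings                         # public data: no controls required
    if asset.location in PORTABLE and not asset.encrypted_at_rest:
        findings.append("sensitive data on an unencrypted portable device")
    if asset.transport not in ENCRYPTED_TRANSPORT:
        findings.append(f"sensitive data transmitted over {asset.transport}")
    if asset.auth == "none":
        findings.append("sensitive data accessible without authentication")
    elif asset.shared_externally and asset.auth != "mfa":
        findings.append("sensitive data shared externally without MFA")
    return findings

def rank_by_risk(assets):
    """Order assets by impact x number of broken rules, riskiest first."""
    scored = [(IMPACT[a.classification] * len(evaluate(a)), a.name) for a in assets]
    return [name for score, name in sorted(scored, key=lambda s: (-s[0], s[1])) if score > 0]

# Constructed sample register for illustration (not real data)
REGISTER = [
    Asset("customer-db", "confidential", "cloud", "https", True, "mfa", True),
    Asset("sales-laptop", "confidential", "laptop", "smtp", False, "password"),
    Asset("brochures", "public", "usb", "http", False, "none"),
    Asset("hr-share", "internal", "server", "none", True, "password", True),
]

if __name__ == "__main__":
    for a in REGISTER:
        print(a.name, evaluate(a))
    print("priority order:", rank_by_risk(REGISTER))
```

Adding a new system is then a matter of adding one record and re-running the rules, so every project is measured against the same controls.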
Ensure assets such as laptops, servers and mobile phones are encrypted
One of the most common ways that a business’s data is exposed is through the loss of laptops, mobile phones or removable media (USB sticks). We have all heard about government officials leaving laptops or important papers on trains, or thieves walking out of premises with computers and servers.
Some simple steps you can take to protect data held on portable devices are:
- Make sure your computers and servers have their hard drives encrypted. All modern operating systems provide this option, such as Microsoft BitLocker or Apple’s FileVault
- Ensure your mobile devices such as phones and tablets are password protected and encrypted
- Encrypt any removable media (such as USB sticks) that contain sensitive information, either using file-level encryption (i.e., an encrypted Zip archive) or the software or hardware encryption provided by the device
Ensure important systems have appropriate redundancies
Keeping access to the systems and data that allow your business to work means you should think about building redundancy into your system design.
This can range from physical redundancy (making sure that important systems have backup power or dual power / network connectivity) to fully redundant systems that automatically fail-over.
For a small office this can be as simple as having a backup 4G router to provide redundant internet access if broadband is lost. For larger enterprises, this is more likely to be making sure you have designed systems that replicate, so that the data you need is always available.
Most cloud services provide redundancy as part of their service, but it is important to check that this is the case.
Some simple steps you can take to build in redundancy are:
- Work out which systems your business needs and how long you can work without them
- Have spare hardware available for your critical devices (such as internet routers / laptops etc)
- For critical in-house systems, can information be made available on another system or in the cloud?