Security by Design
It’s all in the cloud with no hardware involved
We know by now that there is an abundance of
business advantages in the cloud — it’s agile
and cost-efficient, and, with little to no hardware
maintenance, it’s easier to update and perform
maintenance on than traditional on-site
servers. Cloud architecture is built to scale with processing and storage
needs, meaning organizations can scale up (or down) as needed,
and without the concern of outdated software or hardware.
But building a cloud-based service takes time and forward-thinking
innovation. After all, the security of the cloud has long been
called into question. As more and more customers demand cloud-based
services for their businesses—and discover the advantages they
provide—it is critical for end users and integrators to understand
how these solutions can, and must, be built with security in mind
every step of the way.
Architecture and design play a large role in determining how to
properly use and update security protocols. Many companies, including
Arcules, have adopted the concept of “security by design,”
whereby from day one, the security of the solution is considered and
kept at the forefront throughout the entire process. For a cloud-based
service, this method of oversight is critical as the data is typically
transmitted over the internet. There are a number of ways to establish
security by design within the product lifecycle.
At the beginning of the lifecycle process, there’s a significant amount
of time dedicated to completing risk assessments. Risk assessments
enable a manufacturer to eliminate possible failures and reduce the
impact of the ones that are likely to take place regardless of preparation.
As cloud services have matured, protection of privacy has become
a risk that cannot be ignored. Assessments can identify sensitive information
that is used and stored by the product. With this knowledge,
manufacturers can better prepare a product in development and
identify potential focus points when utilizing third-party pen testers.
Choosing the Right Provider
Another aspect that is crucial to building a secure cloud-based solution
is determining the characteristics required for a cloud provider.
Cloud-based security use cases generally include the transmission of
large amounts of data, so storage is a major factor to consider. The
amount of data being generated today is staggering: According to
IDC, 41.6 billion Internet of Things (IoT) devices will generate 79.4
zettabytes of data in 2025, most of it from video surveillance. As a
result, cloud providers must be able to provide adequate storage for
these applications that collect large amounts of data.
With so much data, data loss prevention (DLP) services are required
to help ensure data is not being moved without your knowledge.
Some providers are able to provide this for an additional fee.
Depending on the data stored, this may be worth the investment.
Many virtualization technologies exist and are scriptable, providing
immutable infrastructure that can help teams on multiple
levels, with disaster recovery and more, if an infrastructure issue is found.
Choosing the right cloud provider, such as Google Cloud Platform
(GCP), eliminates mundane infrastructure management tasks
such as security upgrades, leaving manufacturers to concentrate on
what’s most important: bolstering the platform’s security capabilities.
Finally, connectivity is always a concern, as users expect (and
require) the ability to access data instantaneously. From a security
perspective, a product must be able to mitigate different types of attacks
including distributed denial of service (DDoS). Some providers,
including Google, mitigate these issues within their networking
products, giving the manufacturer more time to focus on the product.
Testing, Testing, Testing
A regular part of the manufacturer’s process is the testing phase,
which helps strengthen systems. Penetration testing, which includes
efforts to circumvent the risk controls and security configuration of
the product, attempts to engage the product in a denial of service, to
access and authenticate on the product via unauthorized means, to
elevate privilege on the product, and to exploit vulnerabilities.
Once a cloud-based service has been designed, tested and introduced
to the market, the product testing shouldn’t stop, as new vulnerabilities
are found every day. As with every product that works
over a network—such as today’s IP cameras and networked access
control solutions—the data being collected and stored must be treated
with a multi-layered approach and protected through encryption
to and from its final destination.
How to Integrate Security by Design as an Integrator
So how does the design of a product affect the integrator’s relationship
with an end user? There are a number of ways.
First, integrators are increasingly tasked with acting as a liaison
between the security side of the business and the IT departments.
This means they are often responsible for ensuring networks and firewalls
are configured correctly to implement security solutions.
Integrators must also be adept at identifying where data privacy is
paramount and communicating what information is being collected
so that IT departments can protect said data from outside threats.
Finally, integrators are an essential part of training end users on the
proper use of cloud-based platforms and how to take the necessary
steps in effectively using these tools to protect a facility (or multiple
facilities across an organization).
It’s a Process
Throughout the years, the increasing popularity of cloud-based services
and products has given rise to companies developing solutions
that harness the exceptional power of the cloud. However, these companies
are also tasked with ensuring that their products are providing
adequate protection of the data being transmitted and stored.
Cloud security starts with design and doesn’t end when a product
enters the marketplace. End-user customers who choose to
transition to a cloud-based service must engage
in the stringent process of due diligence and
search for a manufacturer that has kept security
at the forefront of the design, development and
post-sale process in order to protect critical data
from outside threats.
This article originally appeared in the September 2019 issue of Security Today.