Traditionally, the term ‘secure by design’ is a computer programming concept. It means pretty much what it says on the tin. You intentionally design your computer program to be secure, right from the ground up. This is opposed to creating software that isn’t secure, and then potentially trying to tack on some security features afterwards.
But this post isn’t about computer programming.
We’ve taken the ethos of ‘secure by design’ and applied it to our entire business, IAM Cloud.
It’s a brilliantly simple concept, and it can provide some quite profound clarity around issues of security.
The secure-by-design mindset gives you the ability to build security into every decision you make.
I first started thinking about security by design when I was going through an ISO 27001 certification process at IAM Cloud. Pretty much step 1 of an ISO 27001 audit covers “scope”.
Let’s say you have some on-premises servers which store some of your important company data. And let’s say they exist in your own data center (which may in reality be a little cupboard in your office).
The existence of the data center creates the need for physical data center security. And the existence of those servers creates the need for server redundancy, server maintenance and patching, server security, anti-malware and so on.
What’s my point?
No data center; no need for data center security.
You can essentially design your organization in a way that eliminates the need for security in certain areas. You can reduce your surface area for risk and attack.
By reducing your surface area for risk and attack, you can focus more time, energy, and security resources on the essential areas you cannot do without.
That is in essence the overview of what I mean by ‘secure by design’.
What are the lessons you can learn from this approach?
- Keeping things simple makes you more secure.
  - It is harder to manage risk in complex environments.
- Being well organized makes you more secure.
  - Ditto above.
- Centralising your systems can make you more secure.
  - Centralised means simplified, and a smaller surface area means greater focus and ROI. Instead of buying multiple mediocre solutions to secure multiple systems, buy one top-of-the-range security solution to secure your one central system.
- Delegating your security to best-of-breed vendors can make you more secure.
  - Whose data center has more advanced security: yours or Microsoft’s?
- Moving your files to the cloud can make you more secure.
  - The cloud brings together simplicity, organization, centralization and the ability to leverage the security of world-class vendors.
These are simple lessons that don’t require a background in infosec to understand or apply. They are basic principles that you can refer to whenever you make any changes in your organization.
The list above is not exhaustive either. If you adopt the secure-by-design mindset properly, you can apply it to all kinds of scenarios.