In April the Cybersecurity and Infrastructure Security Agency (CISA) unveiled its new secure-by-design, secure-by-default principles. The aim is to drive technology providers to make a stronger commitment to cybersecurity transparency and accountability, easing the burden of cybersecurity on their customers.
“Secure by design” means technology products should be built to reasonably protect against cyber attackers trying to gain malicious access to devices, systems, and data. “Secure by default” means those products should be resilient to common exploits while under continuing maintenance, reducing the need for customers to apply additional measures to secure them.
These principles represent laudable goals. The vendor community should embrace the vision CISA desires to achieve, working collaboratively with the government to provide an actionable and sustainable framework.
Regardless of the level of protection provided by the vendor community, government organizations will never be completely relieved of the need to manage their own cyber protections. To this end, agencies can focus on three areas to maximize the advantages of secure by design and secure by default: integration, automation and collaboration.
As technology providers make progress toward CISA’s recommendations, agencies will begin to benefit from more secure infrastructures. But secure by design and default won’t be a panacea, for two primary reasons.
First, cyber threats evolve as malicious actors find new ways to compromise systems and data. The industry will continue to experience a gap between new threats and their mitigations as well as the continual challenge of protecting legacy systems that might require unconventional methods of protection.
Second, not every technology provider possesses the maturity and resources to be as proactive with security by design and default as CISA would like. While larger, established vendors are better equipped to follow CISA’s recommendations, realistically, not every high-tech industry participant will hit the target every time.
With those realities in mind, agencies should take these steps to gain the greatest cybersecurity edge from secure-by-design, secure-by-default products:
Integrate for holistic cybersecurity.
Agency systems are complex, with a mix of interconnected technologies, vendors and solutions. Even if every product you deploy is reasonably protected, your infrastructure overall could still have weaknesses. The touchpoints between products can result in gaps that attackers can exploit. For instance, if two systems are connected and one has weaker access controls, an attacker could compromise the weaker system and use its elevated trust to access the other.
The solution is integration between your cyber protections, plus integration of your digital infrastructure with those cyber protections. Integration can give you greater control over your architecture while minimizing the impact of configuration errors on individual products. Where integration can’t be achieved, a solid understanding of the gaps between systems and how those systems interact will point to where you need overlapping, defense-in-depth protections.
Ultimately this issue points to the need for a zero trust architecture in which access is never granted by default and authentication and authorization are evaluated with each transaction. Aligned with secure by design, zero trust is core to communication among all entities within an IT environment, addressing cybersecurity concerns such as account compromise, lateral movement, and vulnerability management.
Automate for consistency and scale.
Cybersecurity, like the rest of your digital infrastructure, is never “set it and forget it.” To keep pace with emerging technologies and a constantly evolving threat landscape, you need to employ as much automation as possible.
As with integration, automation is foundational to zero trust. CISA’s Zero Trust Maturity Model organizes cybersecurity implementation in five pillars: identity, devices, networks, applications and data. Extending horizontally beneath those pillars is a foundation of automation and orchestration. In CISA’s words, “zero trust makes full use of automated tools and workflows that support security response functions across products and services.”
Implemented properly, automation should result in less complexity, not more. To that end, reduce or eliminate reliance on multiple automation tools that require different teams to be trained on different functionality. Instead, take an enterprise approach to automation for more consistent management and results. After all, many IT and cybersecurity teams are already overtaxed, and many organizations face a tech talent shortage. Automation can ease those burdens.
An end-to-end automation platform that enables infrastructure as code can help. Such a platform enables you to automate system configuration, software deployment and workflow orchestration at enterprise scale to strengthen your security posture. The platform should support mixed, heterogeneous environments, eliminating the need for bespoke tools for each operating system or infrastructure component.
Collaborate for continual improvement.
Secure by design and default points the way to an optimal cybersecurity future. But neither vendors nor agencies will get there on their own. Instead, vendors and agencies should collaborate to build continually stronger security.
That collaboration includes vendors being transparent about and accountable for the cyber protections they can and can’t reasonably provide. Agencies need to provide ongoing feedback to make technology products safer. Mature, responsible vendors will welcome that feedback and strive to build a collaborative relationship with their customers.
Collaboration is one of the strengths of an open development model. Open development brings together technology communities across the public and private sectors to collaborate toward more innovative, stable and secure solutions.
CISA’s new Secure-by-Design, Secure-by-Default principles offer a road map to guide technology providers to a more secure future. By addressing integration, automation and collaboration, agencies can improve the odds that our shared technology ecosystem reaches that destination.