Former CIO, U.S. Department of Education CEO, BINARC
Senior Strategic Advisor, BINARC Senior Solutions Architect
“Baking security in” has become a popular phrase used by Systems Integrators and clients alike. The phrase clearly emphasizes how important it is to ensure that security is considered not only for modernization efforts but also for mission critical legacy systems. What does the term really mean though? And, more importantly, how should you go about baking security in?
One misunderstanding is that security can only be baked into systems during the upgrade, refresh or modernization phase. Given most if not all systems move from an initial go-live state to an O&M (Operations and Maintenance) state, there are always opportunities to assess the hardness of a functioning system. The objective is to be proactive and not wait for audits to uncover vulnerabilities in your ecosystem. A comprehensive security assessment can solve this problem and establish a baseline for improvement.
Another short-sighted belief is that baking security in only involves your ecosystem’s hardware and software. Given a business system’s true ecosystem includes hardware, software, data, policies, processes, facilities and people, all must be considered when attempting to bake-in security. The reality is that any of these nodes in the system could represent a security vulnerability. Baking security in then must assess the robustness of all of the elements.
Now that we have a clearer picture of what “baking security in” means, how do we go about doing that? And, what tools are available to support this task.
Methodology for baking security in –
Step 1 - Take an inventory of the nodes we’ve discussed, which include:
- Documented policies
- Documented Procedures
- Hardware
- Software
- Staffing and Roles
- Data
- Facilities
Step 2 - Upon gathering this data, consider the following questions:
- Are your policies up to date and reflect proper governance?
- Are your procedures up to date and reflect how you really wish to operate?
- What is the status of your hardware, in terms of its life? In other words, do you have equipment that is beyond its end-of-life? Do you have equipment that is in need of firmware upgrades or patches?
- Do you have Software that has not been patched or is no longer supported by the vendor?
- In terms of staffing, do employees have the latest training required to properly maintain their environment?
- Do you have proper separation of duties across your production environment?
- What is the integrity of your data?
- Who has access to critical data?
- Has critical data been properly backed up?
- Does your facility have the proper physical and logical security in place?
Step 3 – Use the data gathered from the first two steps to harden the entire ecosystem
- Update outdated policies
- Apply BPR to procedures to make sure they are lean and accurate
- Retire old equipment
- Retire unsupported software
- Ensure all hardware and software are sufficiently patched
- Assess staffing anomalies and make corrections
- Assess the integrity of your data and clean where necessary
- Harden all vulnerabilities found in and around your facilities
Utilizing this methodology will ensure you’ve left no stone unturned as you look to modernize mission critical systems. The fact that the line of business was in need of modernization suggests that most of the nodes supporting the legacy system were also in need of review.
Tools for baking security in -
Enable Zero Trust with Microsoft security solutions:
- Azure Active Directory – Protect access to resources and data using strong authentication and risk-based adaptive access policies without compromising user experience.
- Azure Sentinel - Get a bird’s-eye view across the enterprise with the cloud-native security information and event management (SIEM) tool from Microsoft. Aggregate security data from virtually any source and apply AI to separate noise from legitimate events, correlate alerts across complex attack chains, and speed up threat response with built-in orchestration and automation. Eliminate security infrastructure setup and maintenance, elastically scale to meet your security needs, and reduce costs with the flexibility of the cloud.
- Azure Security Center - Get a comprehensive view of your security posture and compliance state. Monitor and help protect multi-cloud resources and receive best-practice recommendations.
- Azure Defender - Use deep-threat intelligence to detect and block malware and threats across servers, data, cloud-native services, and IoT with our cloud workload protection platform.
- Microsoft Cloud App Security - Get end-to-end protection for your cloud apps with our leading cloud access security broker (CASB). Microsoft Cloud App Security is built on native integrations and is highly customizable and optimized for a global workforce.
- Information protection and governance - Manage information lifecycle and records intelligently with in-place management, automated policies, defensible disposal, and pre-built data connectors.
Conclusion
While “baking security in” is a powerful phrase, the reality is that few projects perform the task. The proof lies in the number of projects that are denied an ATO (Authority to Operate) due to security weaknesses. If security were truly baked in, the ATO process would be a mere formality. Another piece of evidence is the number of findings that show up during most annual FISMA audits. While not easy, there are solid methods and tools that can be used to ensure projects.
BINARC is adept at supporting organizations in implementing both methods and technology to help bake security into all mission-critical modernization and legacy projects. For more information on how to engage us, contact us by phone at 202-681-7787 or online. You may also schedule a free 30-minute IT architecture strategy session via our online booking tool.