Principle 2: Security is part of the development life cycle

The football coach prepares the team by reviewing the schedule, identifying the strengths and weaknesses of the opponents, and helping the team use its strengths to exploit those weaknesses, both on offense and defense. But if the coach focuses only on offense and ignores defense, the team will probably lose.

In technology, we often concentrate on developing a good automated solution for many types of business problems. We identify the end-users’ needs, document system requirements, and develop the system. But if security is ignored, the defense of the system can be easily compromised. It is important to consider information security as part of the life cycle of any business system.

The development life cycle includes steps to identify, develop, implement and maintain security processes and controls to ensure:

  • There is no single point of failure.
  • Information remains private.
  • Information is available and accurate for those with a business need.
  • The system's controls and procedures are usable.

Concepts associated with the development life cycle are Information Privacy, Information Assurance, Usability and Defense in Depth. Considering these concepts during the development life cycle will help protect the information while assuring that the information is available to users.

Information privacy

Do you post a notice on the Internet that you hide your house key under the front doormat? Do you tell your credit card number to your mail carrier? Not if you want to ensure your privacy and protect your assets.

The Family Educational Rights and Privacy Act (FERPA) is an example of a regulatory requirement intended to ensure information privacy. FERPA legally and ethically obligates the University to protect the confidentiality of students' education records.

Managers of information should respect the privacy of co-workers, business partners and system users by withholding their information from anyone who could misuse it. They maintain the privacy of this information by implementing controls and processes that protect it throughout the business transaction:

  • Encryption can protect the information at rest and in transit over the network.
  • Access controls limit who can view or modify the information, and to which parts of it.
  • Deleting information the application no longer needs reduces the amount of information that could be lost or exposed.

These controls and processes are identified during the system’s development life cycle.

Information assurance

Bank processes ensure the accuracy of your accounts. You have the ability to verify that the bank has correctly recorded your transactions. The combination of the bank’s actions and your actions ensures that you have the correct amount of funds available.

Information assurance is about the accuracy of information and the availability of the information to those who have a need to view or change it. Network controls, access controls and auditing controls help ensure the integrity and availability of the information needed for our business systems.

Some other processes to provide Information assurance are:

  • Validate and test the connections to the system. Test user access to confirm that each user can reach only what their business need requires.
  • Identify the individuals who can approve security changes.
  • Maintain a current record of who can change security settings in the system.
  • Log security change requests and the changes made in response to them.
  • Create a process to audit security changes against those requests.
  • Log access to the system, including denied attempts.
  • Work with the infrastructure team to ensure the system is kept up to date on security patches.
  • Report inappropriate use immediately.
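The privacy controls above (access control, withholding fields the requester has no business need for, deleting unneeded data) and the assurance processes in this list (identified approvers, a log of security changes and access that can be audited) are shown together in the following added example. It is illustration written for this page, not University code; the student records, the roles `advisor` and `registrar`, and the service and log classes are all constructed for the demonstration, and the audit log uses an HMAC chain so that an entry edited or removed after the fact is detected.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample data: two student records with fields of differing
# sensitivity. The SSN is stored but no role below is allowed to view it.
RECORDS = {
    "s100": {"name": "A. Badger", "major": "CS", "gpa": 3.7,
             "ssn": "000-00-0001", "last_enrolled": "2024-09-01"},
    "s200": {"name": "B. Badger", "major": "History", "gpa": 3.1,
             "ssn": "000-00-0002", "last_enrolled": "2016-09-01"},
}

# Least privilege: each (hypothetical) role sees only the fields it has a
# business need for, and may modify an even smaller set.
VIEW_FIELDS = {
    "advisor": {"name", "major", "gpa", "last_enrolled"},
    "registrar": {"name", "major", "last_enrolled"},
}
MODIFY_FIELDS = {"registrar": {"major", "last_enrolled"}}


class AccessDenied(PermissionError):
    pass


class AuditLog:
    """Append-only log of security events. Each entry carries an HMAC over
    its own contents and the previous entry's tag, so an entry that is
    edited, deleted or reordered after the fact breaks verification."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, prev_tag, payload):
        msg = prev_tag.encode() + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, actor, action, target):
        prev = self.entries[-1]["tag"] if self.entries else "genesis"
        payload = {"seq": len(self.entries), "actor": actor,
                   "action": action, "target": target}
        self.entries.append({**payload, "tag": self._tag(prev, payload)})

    def verify(self):
        """Recompute the chain from the start; True only if nothing changed."""
        prev = "genesis"
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k != "tag"}
            if payload["seq"] != i or not hmac.compare_digest(
                    entry["tag"], self._tag(prev, payload)):
                return False
            prev = entry["tag"]
        return True


class RecordService:
    def __init__(self, records, log):
        self.records = records
        self.log = log
        self.roles = {}  # user -> role; editing this map is a security change

    def grant_role(self, approver, user, role):
        # Security changes are made by an identified approver and always logged.
        self.roles[user] = role
        self.log.append(approver, f"grant:{role}", user)

    def view(self, user, student_id):
        allowed = VIEW_FIELDS.get(self.roles.get(user))
        if allowed is None:
            self.log.append(user, "view:denied", student_id)  # inappropriate use
            raise AccessDenied(user)
        self.log.append(user, "view", student_id)
        # Withhold every field the caller's role has no business need for.
        return {k: v for k, v in self.records[student_id].items() if k in allowed}

    def modify(self, user, student_id, field, value):
        if field not in MODIFY_FIELDS.get(self.roles.get(user), set()):
            self.log.append(user, f"modify:denied:{field}", student_id)
            raise AccessDenied(user)
        self.records[student_id][field] = value
        self.log.append(user, f"modify:{field}", student_id)

    def purge_inactive(self, actor, today_iso, max_age_days):
        """Delete records of students not enrolled within the retention
        period: data that is no longer held cannot be lost."""
        cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
        stale = sorted(sid for sid, rec in self.records.items()
                       if date.fromisoformat(rec["last_enrolled"]) < cutoff)
        for sid in stale:
            del self.records[sid]
            self.log.append(actor, "purge", sid)
        return stale


if __name__ == "__main__":
    log = AuditLog(b"constructed demo key; use a random secret in practice")
    svc = RecordService({k: dict(v) for k, v in RECORDS.items()}, log)
    svc.grant_role("security-admin", "alice", "advisor")
    print(svc.view("alice", "s100"))       # the ssn field is never returned
    print(log.verify())                    # True
    log.entries[0]["actor"] = "mallory"    # tamper with the approval entry
    print(log.verify())                    # False
```

The point to take from the example is that none of the three privacy controls works without the assurance processes around it: the role table only protects records if grants go through an identified approver and are logged, and the log is only useful in an audit if the auditor can tell whether it has been altered.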

Usability

Would you drive a car if you had to use a hand crank to start the engine? If the car ran out of gas after 20 miles? If it carried only one passenger? This illustrates the concept of usability. If something is too difficult to use, we are unlikely to use it and will find an alternative.

In information technology and business applications, security must be usable. If you had to remember a 12-character password to authenticate to My UW–Madison, you probably wouldn't use the portal. Some other examples are:

  • If it takes too long to authorize a new employee to view information, people will start sharing logins.
  • If it is too cumbersome to unlock a door in a high-traffic area, someone will tape the lock open.
  • If it is too hard to understand an audit report, people will start signing it without checking it.

In contrast, usable security does get used. Examples of usable security controls are:

  • A single user name and password that lets a user authenticate to many different applications. With your NetID, for example, you can authenticate to My UW–Madison, WiscMail, WiscCal and MyWebSpace.
  • Keycards and proximity tokens allow authorized people to pass through locked doors without difficulty, so they’re not tempted to prop them open “just for a minute.”
  • Succinct reports that communicate what is important.

Defense in depth

Bank tellers never handle large amounts of money. The big money in a bank is in the vault, and you must pass through multiple layers of defense to enter it. A bank’s defensive layers might include:

  • Time-release doors. You enter the vault through a bulletproof glass capsule. The first door closes, and the second door opens a few seconds later. A thief can’t rush in and out.
  • Guards are posted inside the bank.
  • Cameras monitor the bank vault.
  • The vault also has multiple layers of defense, such as:
    • It opens only at certain controlled times
    • It’s made of very thick metal.
    • Inside the vault are more metal boxes with their own locks.
    • Multiple keys are assigned to separate people.

These multiple layers provide defense in depth to protect the bank.

Defense in depth represents the use of multiple, complementary security techniques to help mitigate the risk of the defense being compromised or circumvented. It requires balanced focus on people, technology and operations. It requires both prevention and detection techniques.

Anti-virus software should be installed on an individual’s workstation, for example, even when virus protection is already installed on servers within the same environment.