Building hybrid clouds right with data encryption and security by design
It's time for IT managers to change their thinking about software design. Instead of having developers design and build an application and then test it for security weaknesses at the end of the process, managers need to turn things inside out: Encourage developers to build software more carefully so it requires fewer security patches and fixes in the first place—and then reward them for doing it right.
That is security by design, a mindset that minimizes vulnerability-producing coding errors, saves measurable development and maintenance dollars, and produces better and safer code. The result is software that can reduce your company’s risk of a destructive security breach.
Think security, early
Duh, seems obvious enough. But it’s not how IT security administrators and software development managers historically have looked at these things, says Simon Leech, chief technologist for Hewlett Packard Enterprise’s digital solutions and transformation team. If your company is moving to a hybrid cloud, you need to be concerned about more than cutting infrastructure costs and simplifying parts of your IT systems. Anyone leading the business into the cloud has to be sure to protect the business data of customers and users.
“A lot of problems crop up if you don’t think about security early on in your application lifecycle,” says Leech. “You’re creating applications by humans. They will always make errors that can lead to vulnerabilities.”
By applying a security-by-design approach to code creation, in combination with proper data encryption processes, companies can pump up their own IT security operations. And that is particularly important when an organization adopts cloud computing, wholeheartedly or in concert with a hybrid cloud strategy.
Of course, it’s not quite that simple. The problems can be quite daunting. But ultimately, the security issues can be managed.
Well-written software needs strong data encryption
You can outsource your applications to the cloud, but you can’t outsource your risk, so it’s important to do a risk analysis. “Be sure you can afford to have that data in the cloud, and that it is protected appropriately if it’s put in the cloud,” Leech advises.
That’s where data encryption comes into play. Regulated industries, such as banking, insurance, and healthcare, all have requirements to meet for securing data using encryption and other security tools. Look, for example, to the European Union's General Data Protection Regulation, coming into force in May 2018. “If they get breached and all of that data ends up on the street, it’s game over” for businesses in those industries, Leech adds.
To protect their private and public cloud infrastructure—on-prem, cloud, or a combination—IT leaders need multiple tools and business processes. Often, encryption is the critical last line of defense. Even if attackers get through firewalls, hardened hardware, or other defenses, they can’t read data they might access if it's encrypted.
The argument for strong data encryption is easy to make when you look at recent examples of data breaches. For example, in May 2016, LinkedIn announced a data breach that affected 167 million user accounts, dating back to 2012. The user account passwords had been saved in a “hash” password storage format without employing “salting” (which makes the hash of commonly used passwords unique for each individual user). Hashing is a mathematical function used to scramble information, but it requires other steps, such as salting, to ensure security.
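The difference salting makes, as an added example that is not from the original article: identical passwords share one unsalted digest, so a single precomputed value matches every account using that password, while a per-user random salt makes every stored record unique. The account names, passwords, the choice of SHA-256 and PBKDF2, and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware and policy

def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast digest, no salt, same output for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger scheme: random 16-byte salt per user plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def accounts_matching(stored: dict, known_digest: str) -> list:
    """Accounts exposed by a single known digest in an unsalted table."""
    return sorted(user for user, h in stored.items() if h == known_digest)

# Constructed sample accounts: two users picked the same common password.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "S3parate-pass"}

def demo():
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: salted_hash(p) for u, p in USERS.items()}
    # Unsalted: one digest of "letmein" matches both alice and bob.
    exposed = accounts_matching(weak, unsalted_hash("letmein"))
    # Salted: all stored digests differ, even for the shared password.
    distinct = len({digest for _, digest in strong.values()})
    return exposed, distinct, strong

if __name__ == "__main__":
    exposed, distinct, _ = demo()
    print("unsalted accounts matched by one digest:", exposed)
    print("distinct salted digests:", distinct, "of", len(USERS))
```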
Many companies have similar vulnerabilities in their IT systems and may not realize it, says Leech. Older homegrown applications, for example, might include a credit card processing application that was never intended to be used in the cloud. Originally, the application might have stored sensitive data in plain text, so obviously introducing encryption would be a good idea. Unexpected problems can occur, however, when companies try to encrypt a credit card number using a standard encryption algorithm, which then turns it into a much longer string that an older application expecting a fixed length of data may not understand or be able to process.
But if password protection, identity systems, and other vulnerable data are treated as if they were in a well-protected on-site data center, there are new opportunities for an organization to find its name splayed across news headlines. The software has to be re-examined—or designed the right way in the first place—to ensure that it’s updated for the cloud. In particular, think about the different approaches for encryption to maintain data compatibility across business applications.
For instance, to make the systems work together, format-preserving encryption (FPE) can protect the data while keeping it in the form of a 16-digit credit card number that hackers can’t read because it is encrypted, says Leech. “In a well-designed application, the application does not know your password. All it knows is the hash of your password. It comes in at the back end, most likely at the program level, when it stores the password.”
The problem is that often IT executives don’t even realize that this could be an issue because they are unfamiliar with the process, says Leech. The answer? Bring in the people who do. “Get the security people around the table when they design the application,” he says.
“Such issues all come back to the security by design method, so you can be sure data is well protected,” Leech adds. “It again points out the discussions you have to have about security.”
Better code saves lots of money
The cost of software code errors can be staggering, and the amount of work involved in making fixes and getting users to patch their applications later can be huge.
Depending on a bug’s severity, Leech says, “the organization has to write patches, test them, and then plan to release the patches to customers.” That assumes that users install the patch—which is less of a problem on cloud-hosted applications than on, say, server-based software, but still quite a lot of effort and work for IT organizations.
Tighter, less error-prone code costs 30 times less money to fix during development than after the fact in production environments, says Leech. That’s true for software defects beyond security, of course. But by reducing or eliminating security-related errors, companies can improve their IT security without adding additional tools. For corporate risk reasons, that means the company should prioritize security vulnerabilities for repairs, leaving mundane style and appearance fixes for another time.
“Some issues are so critical that you can’t afford to let that product go out the door,” says Leech, even if it means delaying the application’s release. That comes from carefully thinking about potential vulnerabilities as the code is being written. “They’re not security people. You need to change their mentality, their mindset, to get them to think about security.”
Leech adds that you can change the code by changing the mentality of developers. That means showing developers that the goal is not to just get the code out quickly, but to build and rethink code that is more secure from the start.
This security-by-design mindset isn’t yet found everywhere, but it is becoming more popular. However, no one should treat security by design as a silver bullet. While it can reduce coding errors, it won’t completely solve them, says Leech: “This is why when you design a hybrid cloud security system, you have to make sure it is layered with encryption and other security steps.”
Tying it together
Security by design is important for every element of application development, but particularly so for hybrid cloud environments. Encryption, too, provides protections as a last line of defense in case of breaches.
“As an executive, you need to understand the risks, the threats, the due diligence, what platforms you should use, and which protections you will put in place from a security perspective,” says Leech. “It’s about the liability and the risk of not using encryption. You can’t assume you know it all.”
Security by design: Lessons for leaders
- Carefully consider the type of encryption suitable for each cloud application.
- Build software right in the first place. It's cheaper than fixing it later.
- Part of the application design process is its security—and that needs to be done up front.