1. Understand your service and the data you will need to operate it.
Firstly, you need a clear understanding of your service’s purpose. You need to know what data you require to deliver the service and what you need to protect.
Find out: What losses would be unacceptable? What would be the impact of private data becoming public? What would be the impact if an adversary were to modify or destroy the data?
Explore examples from other services where things have gone wrong, and play out what this would mean in your context.
2. Understand the role your suppliers play in securing your service.
The suppliers you use to help build and operate your service play a vital role in helping to keep it secure.
Being clear about your intentions and requirements for security in your contracts with suppliers is important, but being over-prescriptive can lead to adversarial behaviour. It’s better to build a shared risk proposition with suppliers so they are invested in doing the right thing, rather than just fulfilling a contractual obligation.
3. Have a clear, end-to-end understanding of your service and how it is accessed.
You should understand how user interactions with your service translate to messages or interactions within it. Take account of every possible point at which data could be stored, processed and rendered.
The following areas are often overlooked:
a) Devices used by end users to access data
- If data is to be rendered on any device it should be assumed that the data is present on that device. Certainly any data accessed would be available to malware capable of stealing sessions on the end user’s device.
b) Third-party services
- Third-parties, such as hosting services or the management environments of systems integrators, are another common blind spot. Data would be accessible to an attacker who gained control at either point.
c) Network-security devices
- Web-browsing proxies and other network-monitoring devices typically used in corporate environments may decrypt traffic between your system and its users. These devices may have access to large volumes of sensitive data.
d) Copies of your data
- Consider copies of data stored in audit logs and monitoring tools, or exports taken to support business intelligence or management information. A number of the principles below include techniques such as tokenisation or redaction that can be used to reduce risk associated with copies.
4. Ensure the governance arrangements for your system are clear.
Good governance implies effective control over the security of the service and of the data held, not blind adherence pre-determined processes.
Where trades need to be made between security, usability and cost, it’s important to talk about those trades in terms of business impact rather than in technical language. Consider the cost of not doing something just as much as the cost of doing it.
5. Make it easy for everyone involved in designing and operating the service to know what their role is, and what constitutes acceptable behaviour.
There should be no ambiguity about responsibilities. Ensure that the right people are empowered to protect the service and accept that this could mean giving relatively junior people the ability to affect a service. This could extend to degrading functions or turning off a service in response to external events - without reference to senior management.