Three Ways to Help Your Organization Adopt a Secure by Default Mindset

Originally published by Contino.

Written by Jim Curtis, Principal Consultant, Contino.

The Secure by Default approach is designed to make security a core feature of software development, rather than an afterthought. But security takes more than software, so how can you factor security awareness into every design authority meeting, change request, architectural decision, and even every conversation at the coffee machine?

Well, there are three key principles that will help, but before we dive into them, we suggest starting with an approach favoured by soccer manager José Mourinho—build from the back.

Build From the Back

When José “The Special One” Mourinho arrives at a new club, his first focus is always the goalkeeper and minimising the chances of goals being conceded. He’ll then analyse the defenders to ensure they’re rigid enough to prevent threats. Only when he’s satisfied with the team’s defences does he turn his attention to more proactive midfield and forward options.

So, when it comes to security, think like Mourinho: start with the threats, then build from there, ideally taking on board the following three principles:

• Choose the right cloud service provider
• Set up the right trust model
• Put governance before deployment

Here’s a quick snapshot of these principles, but to read more, head to our blog on Contino.io.

1. Choose the Right Cloud Service Provider

Top of the list for secure by default principles will always, by default, be the choice of cloud service provider—this is because of the shared responsibility model.

The choice of cloud service provider is the bedrock for nearly all security decisions and to effectively design architecture that is both secure and integrates into the customers strategic objectives, so you need to make sure it’s the right choice to suit the needs of your organisation.

The different providers have slightly different interpretations of the model but they can always be summarised down to the concept that you as the consumer are responsible for security in the cloud, and your provider is responsible for security of the cloud and its underlying components. Additionally, the core security controls the main providers have can be easily compared as they all have strong encryption methods, APIs, strong IAM capabilities and posture management toolsets to name a few.

2. Set Up the Right Trust Model

It’s vital when formulating a solution that the customer understands and follows the trust model. The customer could follow a strict zero-trust methodology for resource and user control, meaning every user request or packet of information is scrutinised for authenticity and relevance. Networks could be diligently segmented into a logical separation that allows applications to function with the required connectivity, and user connectivity could be intensely guarded on every login request. Or the customer might have a more robust attitude to network security, but a more open attitude to user device security by implementing a bring your own device (BYOD) model, for example.

3. Put Governance Before Deployment

Don’t go live with a solution before you’ve designed and implemented security policies and guardrails. Having appropriate policies around IAM, network control, management enforcement and code ownership to name a few examples is likely going to be included in any acceptance-into-service guidelines the customer has, and having them in place and tested prior to go-live on a solution makes a new deployment both more efficient and more security aligned from the outset.

The same concept can apply to the CI/CD pipeline through the use of DevSecOps methods such as static and dynamic code analysis or pre-execution threat modelling which all empower developers and security engineers to, by default, implement security factors into code deployments with minimal overhead.

To find out more about Secure by Default, read the full blog here.

About the Author

Jim Curtis is a Principal Consultant working in cloud architecture and security at Contino. He assists enterprise customers with security and cloud transformation projects with a focus on the Microsoft Cloud stack. This can range from Security Operation Centre (SOC) transformation, identity posture overhauls, Zero Trust architecture consultancy and cloud security assessments to align customers with industry recognised security frameworks such as NIST and CIS.