Dec. 11, 2019
Over the past few years, regardless of the type of industry, digital transformation (DX) has become a critical business issue for Japanese companies. However, we failed to address this as a real issue for a long time. As per a survey on security measures for digitalization conducted by NRI Secure Technologies in the U.S., Singapore, and Japan, nearly 86% of companies in the U.S. and Singapore acknowledged taking countermeasures for security, while this is only about 31% for Japanese companies.
What's more concerning here is the recent data and personal information leaks in core business and services, leading to financial losses for some of Japan's leading user companies dealing with digitalization. Plenty of DX managers have also realized the significance and pressing need for security. In this article, we will discuss two particularly important security strategies for DX.
Provision for appropriate security measures for DX at the design stage
In conventional system development, the processes were clearly defined as requirements definition, system design, basic design, and so on. It was quite common to build a high quality, linear, and sequential system on a large scale by clearing the quality standards for each process (waterfall business model). This approach, however, does not keep pace with rapidly changing client needs or advances in IT, and a different approach using "Agile development" or "DevOps" is required to realize DX. Agile Development is based on the concept of constant development where self-organizing cross-functional teams (developers and operators of a user company) collaborate and form a relatively small team (around a number that can share two pizzas among them) to develop and release priority features in a matter of few weeks.
In the waterfall system development, a vulnerability assessment for security that examines system flaws from an attacker's viewpoint was often performed at the final step of the development process (comprehensive testing and user acceptance testing). However, it would be difficult to follow this approach in the agile development and DevOps system, as a vulnerability assessment requires at least a week from the implementation of the audit to the preparation of the report.
If we include the time to implement a patch, this delay is fatal in agile development which is a cyclical process performed in a matter of a few weeks, including the concept, inception, construction, release, production, and retirement stages. Therefore, we support DevSecOps, which has automatic security inspection functions within the agile method, which can recognize security defects as well as bugs, and prompts developers to rectify them.
On the other hand, we will proceed with the waterfall system for software development of financial systems requiring extremely high quality, and software embedded in electronic control units (ECU) of automobiles.
Vulnerability assessments are essentially "black box tests" and although there is some degree of resilience to known attack scenarios, we cannot guarantee that system specifications are inherently secure. As requirements to interact with external systems are increasing, keeping security in mind during design and development is becoming extremely important in upstream processes such as requirements definition and system design. The security checks for the products, including the design documents and source code, are performed by using white box testing. Since there is a need for sophisticated knowledge and experience in system design and development, the pool of specialists qualified to perform security checks is quite small. However, security in the upstream processes, including DevSecOps, is the first security strategy in DX.
Managers need to view security as their job
We have no option but to actively utilize cloud services such as AWS and Azure, and mobile devices like smartphones. Conventionally, perimeter defense (where security devices such as firewalls protect the boundary between trusted in-house and unreliable outside sources) acted as a basic model for security. But in this age of cloud and mobile services, that perimeter has disappeared. This is where the concept of Zero-Trust security comes into view.
The zero-trust strategy comes down to the idea of not trusting anyone and cutting off all access until the network recognizes the communication partner trying to connect. Access is given after authenticating the communication partner on the basis of system and partner requirements (For example: When an online banking user logs in from a different location or device than usual, they are asked to enter an additional one-time password, or they are not allowed to transfer funds to a bank account other than the registered ones). User ID and password authentication alone will not suffice. Rather, we need a multi-factor continuous authentication combined with biometrics and possession authentication, which uses devices such as IC cards and USB keys that contain specific personal information to authenticate. Therefore, the second security strategy of DX is to thoroughly authenticate and authorize at the design stage based on the zero-trust model.
Besides this, an organization's on-premises security, multi-cloud security (utilizing more than one cloud provider for operations), and blockchain service security, for which business utilization examples have emerged, are a few more issues that we cannot neglect in realizing DX. Managers don't have to be security experts, but it is necessary for them to take a proactive stance and look at it as a part of their job.