Secure Digital Transformation: Principles for Enterprise Defense
Enterprise leaders recognize security as an enabler of digital services crucial to business growth. However, given the complexity of security architectures, they often struggle to understand what they need to do to enable their secure digital transformation. This white paper provides a set of succinct and simplified high-level architectural principles designed for executive consumption. Applying these principles will allow executives to build digital resilience into the fabric of their enterprise, ensuring they can gain all of the advantages of the digital age while minimizing associated risks.
Critical to aligning security strategies with the business is a security architecture, a framework of strategies, tactics and capabilities that provides a common language, a consistent approach and a long-term vision. It incorporates the key objectives of the organization, defines the security requirements and maps out the best approach for deploying targeted security capabilities to support the plan. However, a detailed Cyber Reference Architecture (CRA) can be overwhelming for executives.
To address this challenge, a security architecture should include a set of high-level architectural principles that can be understood by executives and specialists alike. As a foundation, business leaders must understand the challenges facing security organizations. They should recognize that security must be built into application development and testing processes, and understand how critical it is to have a steady supply of skilled security resources.
Moving to DevSecOps
A fundamental shift underway is the movement from “bolted on” security to “baked in” security, from adding security after production to building in security from the earliest point of development.
That typically involves transitioning from waterfall development practices (finish all development before launching into production), to DevOps (iterative development taking into account what is involved in operating the software, with constant improvements pushed into production as necessary), enabling much more rapid application development, especially for the cloud. Now we’re seeing movement to DevSecOps, which ensures that security is considered from project inception.
It is a progression already witnessed in other industries. For instance, drivers once used aftermarket locking bars to connect their steering wheel to their brake pedal, preventing the use of either. Today, baked-in security measures in cars abound, with modern vehicles boasting an array of digital-enabled capabilities including GPS trackers, ignition token proximity sensors, and even tilt sensors to prevent unauthorized attempts to tow vehicles away.
Besides helping address time-to-market requirements, bringing the disciplines together in DevSecOps also helps solve another problem: the security talent gap. Recent research from the International Information System Security Certification Consortium, or (ISC)², puts the global skills shortfall at just under 3 million. But with DevSecOps, security is becoming a secondary competency for all developers.
The IT industry has recognized that close-knit, multiskilled teams are the most efficient way to develop new products, rather than relying on monolithic siloed teams such as separate applications and security development departments.
Expediency is vital in the digital era, which means that rather than passing applications and products to a separate team for a lengthy security treatment, the development team itself must validate an application’s security — only using the central security team where absolutely necessary. This allows a faster deployment of new capabilities aligned to market demand.
The transition of security responsibility for individual products to the DevSecOps team means that the risk ownership model across the business will look very different in the near future. A central security team will own risk for enterprise-wide issues such as strategy, compliance and threat hunting, while the DevSecOps teams and associated business units will own risk for their products and applications.
The central security team also will be responsible for enabling a secure environment for DevSecOps teams. This includes providing a secure continuous integration/continuous delivery (CI/CD) pipeline, deploying automated security evaluation tooling, and providing mentorship and support for DevSecOps teams as required.
Secure digital transformation imperatives
Trying to make enterprise security easier to understand is an exercise fraught with hazards. Oversimplifying risks ignores the many nuances the risks hold, while an overly expansive approach leads back to complexity.
At the highest level, executives must recognize the need to address three key imperatives:
1. Encrypt everything
2. Verify everything
3. Monitor everything
These imperatives align with DXC’s “9 Principles for Enterprise Defense” (Figure 1). The principles offered should be discussed with experts who are able to translate technical intricacies into business language.
Business drivers and benefits
Each of the architectural Principles for Enterprise Defense offers a set of business drivers and benefits for the enterprise:
1. Information as the key business asset
Data mastery is the most valuable skill in the digital age.
2. Devolve cyber risk
Move risk ownership to lines of business while preserving central oversight.
3. Develop an enterprise-wide resilient workforce
Ensure that security is built in as a property of all business functions and provide targeted training for high-risk groups.
4. Cyber resilience
Design cyber resilient systems, supporting continuous operations during incidents. Assume compromise.
5. Implement continuous compliance
Design systems for introspection, compliance and policy changes.
6. Security as code
Deploy security policies in machine-readable format.
7. Cloud-to-edge awareness and response
Design systems for actionable use of security event capabilities and APIs that enable full-stack response.
8. Security and privacy by design
Adopt a shift-left approach by considering security and privacy in early design stages.
9. Identity as the core of trust
Make identity management key to digital trust, verify everything and adopt a zero-trust approach.
Cyber Reference Architecture
To connect these principles to the next level of architectural detail, DXC has created a map between the principles and our Cyber Reference Architecture in Figure 2. DXC Technology has spent the last 5 years pioneering this architectural framework.
The principles in action
Using the principles, and an architectural framework such as DXC’s CRA, allows enterprises to ensure a rigorous approach from the strategic to tactical level. There should be a continuing cycle, as shown in Figure 3, to ensure that security performance is always enabling business objectives.
Looking to the future
The world is changing at an ever-faster rate, and the days of technology being perceived as a necessary evil for enterprises have long since passed. Technology experts now belong in the boardroom as much as they once belonged in the basement. Security leaders and subject matter experts must move the conversation forward by providing and explaining in simple terms the security architectural principles that underwrite modern technology practices and enable businesses to thrive in the digital age.