Data security principles codified in regulations and standards like GDPR, CCPA, PCI DSS and others are raising protection standards. They also spell more work for software developers. Managers, meanwhile, must decide whether to prioritize security in an unstable economy.
With the recent shift to cloud-native architectures, we are seeing the responsibility of cybersecurity falling more and more on the shoulders of developers. The so-called “shift left” in the continuous integration / continuous delivery (CI/CD) pipeline, with software development (Dev) on the left and IT operations (Ops) on the right (downstream of development), has put pressure on developers to deliver secure code at an expedited pace.
This repositioning of security earlier in the development lifecycle highlights the importance of creating secure code as the foundation for any digital estate, with cybersecurity embraced within the very culture of the company before the first transaction takes place. Unfortunately, in the vast majority of cases, developers are measured on rapid delivery of business value through functioning value-added code, not necessarily on the security of their work. Time to market is paramount, and security is treated as an inconvenience and sometimes an outright obstacle to a speedy delivery of software.
Under regulatory frameworks like CCPA, GDPR and PCI DSS, basic compliance might be achievable with perimeter-focused controls, but the scope (and cost) of an audit can grow across an entire cloud-native ecosystem. Without data-centric security measures, data can be intercepted when it moves beyond perimeter environments into more diffuse cloud-based data ecosystems.
The very notion of data-centric security is rooted in the idea that the data itself is the focus of protection, whether through secure design, pseudonymization techniques such as tokenization, or even format-preserving encryption. Code that has been designed with security in mind should be the primary weapon in your arsenal – code that takes into account how the data the application handles can be processed and worked with securely. This means it is even more crucial to ensure that data is secured appropriately from the very beginning of the architectural and development processes.
Admittedly, the many data security regulations across one or more legal jurisdictions can often be confusing. At the end of the day, “security by design” often means that developers are left to deliver secure systems under extreme pressure and limited time instead of having the latitude and resources to weave security into the product throughout the development process.
This situation raises the question: why should application developers be held responsible for securing the data processed by their clients? After all, developers are hired to provide business value and customer experience optimization and should be treated (and measured) as such. While developers are expected to create secure application architectures, the buck does not — and should not — stop with them.
Cultivating a Culture of Data-Centric Security
We should acknowledge a significant cultural barrier to achieving cybersecurity from a developmental standpoint. Putting too much pressure on developers to deliver code rapidly means corners will be cut somewhere at some point. Therefore, business leaders must instill within their employees a passion for data-security-minded software development (and even incentivize it). They need to cultivate a culture of security by design and not compliance after the fact by ticking boxes on a feature-by-feature basis.
Data privacy regulations like CCPA and GDPR promote the notion of “secure by design” and “privacy by design” principles, while additional regulations such as the PCI DSS that apply to financial institutions encourage similar “north star” security principles. In the U.K., for example, GDPR requires organizations to put in place appropriate technical and organizational measures to implement data protection principles effectively and safeguard individual rights. This is “data protection by design and by default.” PCI DSS stipulates that enterprises processing cardholder information “must address common coding vulnerabilities in software development by training developers at least annually in up-to-date, secure coding techniques, including how to avoid common coding vulnerabilities and develop applications based on secure coding guidelines.”
No matter what an organization’s financial outlook happens to be, a single breach can bring it all tumbling down. All the transformational ideas, innovation and precise execution can be rendered pointless in the event of a widespread data breach, because critical intellectual property can be exposed. On top of that, loss of customer trust following a data breach means that consumers will hesitate to adopt product or service offerings moving forward, quickly turning to other solutions and negatively affecting your bottom line. A single event can turn a prospering company into a struggling one, literally overnight.
Data breaches have consequences far beyond loss of client trust. Any data security incident may prove to be catastrophic or even an existential crisis for the organization, exacting an especially heavy toll on the C-suite. Data security thus needs to be woven into the DevOps fabric and process, in the CI/CD pipeline – and by default, not as an exception, nor bolted on after it’s entirely too late. And this culture starts with the C-suite and executive management.
On one hand, the forthcoming generation of early-career software developers brings highly sought-after skills in cloud application development, either from experience in dynamic cloud-first startups or due to more sophisticated professional training. And they are native users of technology from their earliest years!
On the other hand, these developers often rely on cloud platforms for security without a deeper awareness of those platforms' limitations and resilience capabilities when under attack, which can lead to significant and damaging data breaches. Again, a culture of data security and data privacy has a positive effect on these professionals, reinforcing the moral and ethical reasons for that culture, not just the cynical business value of it all.
Developing an Alternative Solution
Over the last decade, seasoned developers and engineering managers, especially those who have lived through painful data breach incidents and bought into evolved OWASP principles and MITRE ATT&CK situational awareness, have begun weaving security and risk mitigation into software development life cycles and operational processes. Highly experienced enterprise security architects with responsibility to bring state-of-the-art solutions to market within new data engineering strategies must also be familiar with powerful data protection techniques such as tokenization, format-preserving encryption and zero trust architectures. These techniques complement each other within an overarching data-centric strategy. This means not simply securing the perimeter around the locations where any data resides, but securing the data itself in a way that renders personally identifiable information (PII) meaningless but still workable in its original format by the application under development. This approach allows information to be used for business-critical activities such as data analytics while still maintaining regulatory compliance guided by a culture of security and privacy.
Meanwhile, DevOps cannot simply add data security to an operational model when it comes to persistent data protection, particularly for data traversing microservices and containers and into entirely different data ecosystems and distributed enterprise data architectures. So far, most dev-centric security practices relate to classic coding practices, vulnerability scanning and perimeter-centric controls, user access control and container integrity. These are themselves critically important, but they are incomplete from a data exposure perspective, particularly in light of compliance and the risk of data incidents or breaches. The key ingredient missing from data privacy and security compliance and risk reduction in these environments is data-centric security built into data processing at its heart – the data itself.
As the IT security skills gap widens, finding developers with this deeper level of intrinsic knowledge and experience is becoming increasingly difficult. According to the recent ISC2 report, with COVID-19 and the resultant changes in hiring as well as the continued focus on digital transformation, the cybersecurity industry still needs a staggering 89 percent growth in skilled practitioners to address the current backlog of over 3 million skilled developers and IT professionals.
A dangerous lack of cybersecurity skills combined with an increasing complexity of digital infrastructures means organizations must adopt better security tooling and more effective governance processes in order to resolve risk and privacy issues. Additionally, these solutions must allow information to be immediately consumable without requiring hefty budgets to hire even more specialists. Unfortunately, 2021 will most likely amplify this problem, as more business leaders aim to prioritize operational efficiencies and profit over data protection by getting systems online before they are secure.
But for anyone still wondering for whom the data security bell tolls, the SEC and FINRA have made it clear: It tolls for thee.