Building Trust through Product Security

Software powers everything – end-user devices, applications, networks, storage, data centers and clouds – and is therefore taking us into a software-defined world. Can we trust software that powers IT? We must, as we strive both for resiliency against outages and advanced threats and for regulatory compliance.

How?

Software-defined Trusted IT will come in no small part from product security: the art and science of building threat resiliency and compliance in from the start.

Product security: Building threat resilient products

Trusted IT means securely developed products.

Defending against advanced threats is an endless arms race with a battlefield that has to balance prevention controls with sophisticated detection. We also cannot rely solely on the effectiveness of one or two solutions. We need depth to our defenses, which includes security within each product itself. Software powering our environment is a critical line of defense against threats; it must be developed securely.

In 2012, more than 5000 software vulnerabilities were registered on commercial products and open source software. Most recent high-profile attacks have involved the exploitation of software vulnerabilities. Each software vulnerability in a product represents a new opportunity for attackers to compromise entire environments. There never will be “vulnerability-free” software, but there are well-known steps vendors can take to minimize the occurrence and severity of security flaws:

  1. Implement a secure product engineering process that encompasses training, security activities that engineers perform as part of the software development lifecycle, and control over the product's suppliers. See EMC’s approach to secure product development.
  2. Implement an efficient process for rapid response and remediation of vulnerabilities impacting the product. See EMC’s approach to vulnerability response.

Product security: Building products that adapt to security policies of customers

Trusted IT means security-aware products.

Most security policies are driven by some combination of external and internal pressures – regulatory compliance and risk appetite. Security policies are the foundation on which products are used and architectures are built. We need policies to tell us how to grant and remove user access, what type of access is authorized, which activities need to be logged, which data needs to be encrypted, and so forth.

Too often customers are forced to change their preferences and adopt security practices that fit the limitations of the products they deploy. It should be the other way around. IT products must be deployed in a way that integrates with existing security architectures and processes. The switch requires only three simple things:

  1. Clear documentation from vendors of the product security settings available to adapt product capabilities to the organization's policy. See this blog post for a reference to EMC Security Configuration Guides.
  2. The support of security standards that enable the integration of the products with existing authentication, key management, log management or GRC infrastructures. See how VCE Vblock systems integrate with Governance, Risk and Compliance (GRC) solutions.
  3. A set of basic internal product capabilities around access control, encryption and activity logging without which customers would not be able to comply with their policies.

Product security: Building products that enable advanced security and compliance

Trusted IT means security and compliance intelligence built-in.

Advanced, intelligence-driven security and active governance are essential ingredients of Trusted IT. They demand deep access to business intelligence to detect advanced threats or to measure compliance. However, this access too often is one-way: security and compliance solutions extrapolate information from IT products without the product’s awareness of what is required for compliance or advanced security. The product managing a critical IT function is in an excellent position to detect risk and anomalies or to optimize a function for compliance.

IT products must become active participants in advanced security and the governance ecosystem in two ways:

  1. Track, via intelligent logs, critical business functions and anomalies that feed advanced security and compliance solutions.
  2. Enforce critical security controls required to make the IT infrastructure compliant with policies and regulations. We can show you an example in the healthcare industry related to patient data encryption.

Product security: The foundation of IT trust

Product security is about building threat resilient products capable of adapting to customers’ security policies while providing intelligence for detecting advanced threats and enabling active governance. It is a foundational component of trust for any product participating in the IT infrastructure.

Product security is a process. It is a way of building products that trusted technology providers must adopt as part of their product management lifecycle. Trusted technology providers typically make their product security practices public through a dedicated page of their website; that’s why ours are at www.EMC.com/security.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize