Three principles for security-first architecture

As companies accelerated digital operations due to the pandemic, security has taken a backseat. Here's how to keep security in mind from the start.
The COVID pandemic has pushed many companies to quickly digitize operations in order to support decentralized teams. Unfortunately, in the rush to provide these systems, many soon discovered that ease of use, compatibility, and efficiency can come at a heavy cybersecurity cost.

While certain systems have always carried some security risk, the incredibly high numbers of remote workers and the ever-rising US$6 trillion+ threat of cybercrime have caused these vulnerabilities to be exploited en masse. In fact, large-scale breaches are reported to have increased by 273% in the first quarter of this year. Now, businesses are worried about updating their IT infrastructure and instituting safe digital work processes.

This article will focus on the business need for solutions that properly safeguard corporate data and some of the key elements architects should consider when building security-first platforms. While there are multiple applications these principles can (and should) apply to, most of the examples used below will focus on how they can be implemented in collaboration tool development.

Start from zero

Zero Trust is not a new approach to IT security. It was a concept that was popularized nearly ten years ago yet is still making its way into actual implementation. For those that are unfamiliar, Zero Trust is a security strategy that assumes that everything (data, devices, apps, and users) inside or outside of the corporate network is a security risk and needs to be regularly and granularly authenticated and verified.

Zero Trust is a critical element to maintaining security and privacy (in many products, including collaboration tools) because of its dynamic and thorough nature. It is especially important for architects to embrace Zero Trust because it needs to be built into the core design of a product in order to be truly effective.

Planning

Architects looking to utilize the Zero Trust methodology first need to think about how their product/solution will fit into the overall IT environment and user experience to address any potential technology and regulatory challenges. It’s also important to evaluate the user experience. Who are the key users? What apps and systems do they use, and what kinds of access will they need? From there, it will be easier to develop goals and roadmaps around protecting and controlling mission-critical data in a compliant manner.

Systems and protocols

Zero Trust is a good proactive defense against cyberthreats because it is dynamic and hyper-vigilant. With this type of framework, there are no default configurations. Architects must build systems that continuously monitor all network communications, constantly monitor all users, and utilize comprehensive system permissions and safeguards. This principle of constant monitoring and verification typically translates into stringent protocols such as multi-factor authentication, identity access management, end-to-end encryption, orchestration, analytics, and other comprehensive system permissions.
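As an added illustration (not code from the original article), the sketch below shows a per-request, default-deny access decision for a collaboration tool: each request is re-verified for authentication freshness, MFA, device posture, and an explicit grant, and the network location is logged but never trusted. The `GRANTS` table, the 15-minute re-authentication window, and all field names are hypothetical assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

MAX_AUTH_AGE_S = 900  # assumed policy: re-authenticate at least every 15 minutes

# Explicit grants only (constructed sample data); anything not listed is denied.
GRANTS = {
    ("alice", "read", "channel:finance"),
    ("alice", "post", "channel:finance"),
    ("bob", "read", "channel:general"),
}

@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str
    source_ip: str          # kept for the audit trail, never used to grant trust
    mfa_verified: bool
    device_compliant: bool
    auth_time: float        # epoch seconds of the last successful authentication
    now: float              # epoch seconds when the request is evaluated

def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate a single request; every check must pass, otherwise deny."""
    age = req.now - req.auth_time
    if age < 0 or age > MAX_AUTH_AGE_S:
        return False, "stale_authentication"
    if not req.mfa_verified:
        return False, "mfa_required"
    if not req.device_compliant:
        return False, "device_not_compliant"
    if (req.user, req.action, req.resource) not in GRANTS:
        return False, "no_explicit_grant"
    return True, "allowed"

def evaluate(requests: List[Request]) -> List[dict]:
    """Decide each request independently and return one audit record per request."""
    log = []
    for req in requests:
        allowed, reason = decide(req)
        log.append({"user": req.user, "resource": req.resource,
                    "source_ip": req.source_ip, "allowed": allowed, "reason": reason})
    return log
```

Because `decide` never reads `source_ip`, a request from inside the corporate network gets no advantage over one from outside, and the audit records give the monitoring side a reason code for every denial.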

Many companies currently rely heavily on messengers for employee collaboration—this is a trend that will only increase as the workforce continues to become more mobile. Unfortunately, many of the messengers that have become ubiquitous do not protect consumer data with essential Zero Trust technologies like end-to-end encryption. However, several open source alternatives offer greater security out of the box.

Embrace hyper-transparency

There have been many cases where platform providers have not been entirely forthright about how their tech is built, what security measures are put in place, and how user data is being routed or used. Privacy takes a great deal of intention to protect, as the advocacy group Electronic Frontier Foundation (EFF) outlines in their privacy guide.

Architects that are truly interested in building platforms that prioritize security need to accept that security, privacy, and transparency go hand-in-hand. There is no true security if there is a violation of privacy, and the best way to prove true privacy is by offering hyper-transparency into how a product is built.

One approach to implementing transparency is through open source software where the source code is released and accessible to the public. This allows external parties to verify all security claims and identify any hidden backdoors or data collection operations. Architects can also leverage the wider developer community to find bugs or vulnerabilities and patch them before they can be exploited.

Institute checks and balances

In some ways, you can never be truly done with building a security-first platform. Truly secure platforms require constant checking, digging, and improvement.

That being said, it can be hard for architects and their teams to spot gaps in their own technology because they are so immersed in it. The best way around this (and to ensure all bases are covered) is to get regular security audits from a third party. Third-party experts like security researchers, universities, and other organizations can help provide an in-depth and credible assessment that may help win the trust of prospective customers. But more importantly, having independent audits from other experts can offer architects an unbiased and fresh perspective on their own system’s design and flaws.

Conclusion

There is mounting pressure to figure out the problem of security from all sides. Advocacy groups have started demanding that vendors put out transparency reports, governments are enforcing regulations with high culpability like CCPA and GDPR, and businesses are zeroing in on security, privacy, and trust as deciding factors for their tech investments. In order to meet this challenge, architects need to do more than reactively patch flaws or retroactively refurbish systems to have better security protocols. Architects that want to create systems for the future need to design with security-first architecture that embraces the mindset that everything should be scrutinized and authenticated, implements cutting-edge cybersecurity protocols, and operates on a philosophy of transparency.

Alan Duric

Alan Duric is the co-founder and CTO/COO of Wire, a secure collaboration platform. He is an experienced entrepreneur with a strong background in real-time communications.