Cybersecure by design: The role of security architecture

We are living in a time of ubiquitous digital technology. Not only are we constantly surrounded by digital gadgets, but as the cities and communities we live in become “smarter”, we become more reliant on technology for day-to-day services. With rapid digitisation comes an incessant demand for data. More often than not, it is our personal data that we directly disclose to various businesses and government agencies, or indirectly exchanged between third parties that enable these digital services.

Alarmingly, incidents of data breaches are becoming a common occurrence, with service providers failing to adequately protect the data that they have collected. Globally, governments are enacting increasingly onerous data protection regulations to protect individuals. In Singapore, the Personal Data Protection Commission (PDPC) has actively investigated data breaches and penalised companies found to have breached local privacy laws. Yet, data leaks still continue.

As a cybersecurity consultant, I am often asked, “If data always leaks then how can we trust cybersecurity?” I believe that cyber safety should be treated as no less important than our physical safety. To accept cybersecurity as a lost battle could usher in a future of chaos and catastrophe, where trust is completely eroded and our critical infrastructure services could be at risk of attacks. Rather than add to the doomsday messages, my intention is to look for practical solutions. As consumers of digital services, we should demand better accountability from service providers, and this will pressure them to improve their cybersecurity performance.

Nobody likes to lose their data or have their private information compromised. This is worsened when organisations we trust, such as the government, healthcare service providers, or educational institutions compromise such sensitive information. We should value our data more highly and complain to the authorities when we experience data breaches. As for businesses that collect our data, we must be more discerning in sharing data and, when possible, vote with our feet by abandoning service providers that fail to protect our data.

Industries for which the highest level of cybersecurity has a commercial imperative such as financial services, have managed cybersecurity quite well. Whilst there are stories about unauthorised access by hackers of individual bank accounts through trickery or inadvertent transfer of funds to fraudsters, significant data breaches within banking institutions are rare. On the other hand, industries new to digitisation, such as health, education, retail, manufacturing and some transport services, often do not have direct accountability to consumers. Hence these industries have not reached a level of maturity to reliably protect their customers’ data. These sectors need to adopt a more robust methodology for cybersecurity, and it must start with the concept of ‘secure by design’.

Organisations with significant cybersecurity maturity did not get there by accident or good luck; it took years of investment and fine-tuning. They understand that cybersecurity investment is a cost of doing business and “bake it in” at the onset of projects. But what does it mean and how can we achieve it?

Cybersecurity is a multi-domain framework, and there are several technical and non-technical issues that require careful consideration. A methodical approach is required, starting with senior management’s buy-in on cybersecurity as a business risk. The next critical element is security architecture. However, security architecture is highly misunderstood and therefore, undervalued and underutilised domains of cybersecurity.

So, let us demystify security architecture. In the context of IT, architecture is defined as a fundamental underlying design of computer hardware, software, or both. Therefore, in the case of cybersecurity architecture, this means a fundamental underlying design of hardware and software that leads to securing digital assets. In other words, security by careful design, as opposed to patching security holes as an afterthought or ad-hoc exercise.

After defining security architecture, the next question is, “Why do we need it?” Firstly, security architecture provides a clearer understanding of the security challenges to be solved and managed. Secondly, the purpose of security architecture is to make information systems secure by design, allowing for better access control, monitoring, visibility, logging and auditing. Thirdly, good security architecture can protect against many known and even unknown security threats and vulnerabilities.

A well-known pitfall of cybersecurity is the concept of the “zero-day-attack”, which refers to an attack or threat that has not previously been seen. When such zero-day-attacks are revealed, it often becomes a race against time to find remedies. Having good security architecture from the outset can either prevent, or at the very least contain, damage from zero-day attacks.

On 15 February 2019, digital defence was launched as the sixth pillar of total defence. Whilst big investments are being made to bolster cybersecurity at the national level, more cybersecurity programs, specifically designed for struggling SMEs, would be appreciated. As seen with the Productivity and Innovation Credit (PIC) scheme, funding digital equipment for the sole purpose of digitisation does not solve the problem of cybersecurity and can actually make it worse. Hence it might be time to go beyond the symbolism of the sixth pillar and make architecture design funding available to small businesses, so that all Singaporeans can face the digital future with confidence.

Mamoon Reza | Cybersecurity Consultant | Certigo

Mamoon has over 23 years of experience working in the information technology and information security industry. Prior to moving to Singapore in early 2017, he worked in IT operations, design and architecture roles for the financial sector in Australia. In his various roles, he has managed multiple projects where he demonstrated strong technical skills, as well as business process and project delivery skills. He holds a Master’s degree in Information System Security