Security by Design and by Default
Keywords
Security by Design (SbD) ; Security by Default (SbD) ; Systems Development Lifecycle (SDLC) ; Privacy by Design (PbD) ; Privacy by Default (PbD) ; Data Protection by design (DPbD) ; General Data Protection Regulation (GDPR) ; Cybersecurity ; Security ; Privacy ; Privacy Enhancing Technology (PET) ; Information Technologies (IT)
Abstract
Most organisations adopt a Systems Development Lifecycle (SDLC) methodology for the development and implementation of computer systems. SDLC is a multi-step lifecycle process for delivering good-quality computer systems that meet specifications within time and cost estimates.
While most organisations acknowledge that security is an important consideration in developing computer systems, costs and business performance often take precedence over security. Even though awareness of security issues has been raised, most organisations focus on applying security only at the commissioning stage of system development and try to force-fit security into the final design, resulting in ineffective application of security.
An effective way to protect computer systems against cyber threats is to integrate security into every step of the SDLC, from initiation, to development, to deployment and eventual disposal of the system. This is the Security-by-Design (SbD) approach, which is discussed in this research.
Security-by-Design is an approach to software and hardware development that seeks to minimise systems vulnerabilities and reduce the attack surface through designing and building security in every phase of the SDLC. This includes incorporating security specifications in the design, continuous security evaluation at each phase and adherence to best practices. The values of integrating security into SDLC include:
Early identification and mitigation of security vulnerabilities and misconfigurations of systems.
Identification of shared security services and tools to reduce cost, while improving security posture through proven methods and techniques.
Facilitation of informed key stakeholder decisions through comprehensive risk management in a timely manner.
Documentation of important security decisions throughout the lifecycle of the system, ensuring that security was fully considered during all phases.
Improved systems operability that would otherwise be hampered by isolated security of systems.
Specific to cybersecurity, Security-by-Design addresses the cyber protection considerations throughout a system’s lifecycle. This includes security design specifically for the identification, protection, detection, response and recovery capabilities to strengthen the cyber resiliency of the system.
A lesser-known term, Security by Default, applies the same principle to securing data at the source. It refers to securing information. Secure by Default data makes the case that all data should have embedded security, and the systems that consume, process and store this data must adhere to the security policies embedded therein. This approach is not as well known because it’s simply not widely employed, if at all. To date, we have failed to embed security into each piece of data as it is created, creating a serious problem, particularly for government agencies.
Before a new product is made, many questions go through a software developer’s head: what should the new input screens look like? How efficient should the new software be? Yet there is one important aspect that is still neglected too often: security. And this at a time when the number of cyber-attacks is increasing rapidly, as is revealed in the status report by the German Federal Office for Information Security (BSI). According to this, experts discover around 380,000 new malware versions every day, for example.
It is said that “the problem is that 95 percent of successful attacks are due to poorly programmed, poorly maintained or poorly configured software,” as admitted by the Head of Internal Security & Cyber Defense at Deutsche Telekom. Yet this problem could be solved by taking security into consideration directly from the outset – “instead of sticking a plaster over the product only once it already has been assembled”.
This research examines in depth what Security by Design and Security by Default are, what benefits their implementation brings and how that is achieved. It also analyzes the basic design principles that ensure security at each stage of the development of a system. We further analyze how to ensure the privacy of information, what philosophy has developed in this field, and how we can achieve a smooth incorporation of protection into every aspect of the design and development of a product or service. In addition, we look at the role of Security by Design and its correlation with the General Data Protection Regulation (GDPR).
A gap analysis of the adoption of privacy by industry is provided. On the basis of these data, we analyze more closely the gaps in the current regulation (such as imprecise wording, weaknesses in penalties, retention obligations or personal data coverage). Emphasis is placed on the General Data Protection Regulation (GDPR), on the limitations of existing technologies and design methods, and on the incentives to adopt and comply with the regulation. Finally, a set of guidelines has been developed to help industry understand how to comply with the requirement for protection by design and by default in accordance with Article 25 of the General Regulation, and what the benefits of compliance are.