
CxOs need to embrace a security-first digital workplace. Here’s why.

23 April 2020 | Lee Cocking

As organisations begin to look beyond the COVID-19 pandemic and embrace a new normal that could consist of multiple work-from-home waves, there is mounting pressure to leverage digital solutions and applications that ensure greater security and privacy. To do so, CxOs need to understand the nuances regarding the apps available and the associated risks they pose.

If we take a step back, it’s easy to see how we got here. Technology has, for decades, been slowly changing how we work. In truth, it’s dramatically changing how we live, and by extension, our relationship with the work we do. The days of filling your briefcase with paperwork and trudging to work are long over, with millions of employees and business leaders worldwide working digitally or remotely with a broad set of applications from many vendors.

This evolution has brought unprecedented flexibility, productivity, and the ability for both large and small organisations to adapt and respond to rapidly changing market dynamics. Unfortunately, it has also brought a high degree of complexity due to an expanding set of solutions for enabling digital work, and with it, new levels of security and privacy risk. These new risks have organisations now questioning the very approaches vendors use to design, build and deploy the underlying software solutions that comprise the new digital workplace.

In our previous article, discussing why consumer messaging and conference apps can’t be trusted, we touch on the notion of consumer-first versus security-first design. The central premise here is that many applications and solutions that have become staples of business environments were either initially focused on consumer needs and viral growth, or have tilted in that direction over time. A great example is Microsoft announcing that they’re launching their Microsoft Teams collaboration product for consumers so that it can be the single tool consumers use in both their personal and professional lives. On the surface, this might sound like a great idea, and it may indeed bring great flexibility. Still, it will put pressure on interoperability between consumer and enterprise systems which are often at odds with secure by design approaches.

In actuality, it’s a compounding problem. To drive greater efficiencies, organisations have taken more and more steps towards cloud-based services, giving them less control over their data and over who has access to it. For example, recent articles on Zoom have highlighted that what the company had been describing as end-to-end encryption was not end-to-end at all. The subtlety here is the difference between transport-layer security, which protects each hop between a client and the provider’s servers, and session- or application-layer security, which protects the content all the way from sender to recipient. Let’s briefly illustrate the point.

For the non-security experts, I’ll use the analogy of that old telephone game we used to play as children. Somebody would whisper a message in your ear, and you tried to faithfully pass that message along to the child sitting next to you. Transport-layer security is like writing that message down, sealing it in an envelope addressed only to the next child, and passing it along. Each child opens the envelope, reads the message, and seals it in a fresh envelope for the child after them. Someone watching from outside the circle sees only sealed envelopes, but any nosy child in the chain (and in the real world, the service provider’s servers are one of those children) can read the message, or replace it, before passing it along. You can certainly hope that the message will make it to the last child, and that nobody has read it (maintaining confidentiality) or altered it (maintaining integrity), but there is no guarantee of that.

Take application-layer security on the other hand. Using the same analogy, it would be akin to putting that message in a lockbox, where you know the last child holds the only key in the circle. As the lockbox passes from child to child, they can’t read the message, or alter it in any way, because they can’t open the box. The most a nosy child can do is damage the box, and the last child will notice. You don’t need to hope the right message gets to the last child. You know it will. The analogy also shows where the hard part lies: you must be certain the key really belongs to the last child, which is why end-to-end encryption depends on strong identity. While this is only an analogy, it offers a simple way to think about end-to-end security, and what it really means.
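The following is an added example, not code from the original article or from Digital14, that models the two analogies above with a Python script so the difference can be seen on real bytes. Alice sends a message to Bob through a relay server. In the transport-only path, each leg is encrypted with a key the server holds, so the server decrypts to plaintext and can silently rewrite it. In the end-to-end path, the same transport legs are used, but the message is first sealed with a key only Alice and Bob share, so the server sees only ciphertext and any tampering is detected by Bob. The cipher is a deliberately simple encrypt-then-MAC construction over an HMAC-SHA256 keystream, chosen so the script runs on the standard library alone; the keys, the message, and the names `seal`, `unseal`, `transport_only` and `end_to_end` are constructed for this example. A production system would use an AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative only; real systems should use a vetted AEAD instead of this."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise ValueError on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# Constructed keys for the example. The two hop keys are shared with the relay
# server (as TLS session keys would be); the end-to-end key is shared only by
# Alice and Bob, like the lockbox key held by the last child.
K_ALICE_SERVER = os.urandom(32)
K_SERVER_BOB = os.urandom(32)
K_ALICE_BOB = os.urandom(32)


def transport_only(message: bytes, malicious_server: bool = False) -> dict:
    """Hop-by-hop (transport-layer) protection only: the server terminates each
    encrypted leg, so it sees the plaintext and can rewrite it unnoticed."""
    leg1 = seal(K_ALICE_SERVER, message)        # Alice -> server
    server_view = unseal(K_ALICE_SERVER, leg1)  # server decrypts to plaintext
    forwarded = b"pay 999 to mallory" if malicious_server else server_view
    leg2 = seal(K_SERVER_BOB, forwarded)        # server re-encrypts for Bob
    bob_view = unseal(K_SERVER_BOB, leg2)       # Bob cannot tell it was altered
    return {"server_saw": server_view, "bob_got": bob_view, "tamper_detected": False}


def end_to_end(message: bytes, malicious_server: bool = False) -> dict:
    """End-to-end protection layered inside the same transport legs: the server
    still terminates each leg but only ever handles the inner ciphertext."""
    inner = seal(K_ALICE_BOB, message)          # only Bob's key opens this
    leg1 = seal(K_ALICE_SERVER, inner)
    server_view = unseal(K_ALICE_SERVER, leg1)  # this is the inner ciphertext, not plaintext
    forwarded = server_view
    if malicious_server:
        # The server cannot read or forge the inner message; the best it can do
        # is corrupt it. Flip one bit of the first ciphertext byte after the nonce.
        i = NONCE_LEN
        forwarded = forwarded[:i] + bytes([forwarded[i] ^ 0x01]) + forwarded[i + 1:]
    leg2 = seal(K_SERVER_BOB, forwarded)
    bob_inner = unseal(K_SERVER_BOB, leg2)      # transport leg verifies fine either way
    try:
        bob_view = unseal(K_ALICE_BOB, bob_inner)  # end-to-end tag catches the corruption
        detected = False
    except ValueError:
        bob_view, detected = None, True
    return {"server_saw": server_view, "bob_got": bob_view, "tamper_detected": detected}


if __name__ == "__main__":
    msg = b"pay 100 to bob"
    print("transport only, honest server:   ", transport_only(msg))
    print("transport only, malicious server:", transport_only(msg, malicious_server=True))
    print("end to end, honest server:       ", end_to_end(msg))
    print("end to end, malicious server:    ", end_to_end(msg, malicious_server=True))
```

Two details are worth noting. The integrity check in `unseal` uses `hmac.compare_digest` so that the tag comparison does not leak timing, and it runs before any decryption, which is the correct order for an encrypt-then-MAC design. And the end-to-end path still uses the transport legs: end-to-end encryption is not a replacement for transport security but an extra layer inside it, which is exactly the distinction the Zoom reporting turned on.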

There are many aspects of security like this that we could talk about. Still, the main point is that the continuing pressures to digitise, support work-from-home, and drive productivity via technology are both pushing organisations to adopt more consumer-oriented solutions, and driving software vendors to support more consumer-first or consumer-friendly approaches. This puts organisations overall into a significantly heightened risk posture and should be triggering a hard look at the vendor solutions being implemented to enable digital workplaces.

At Digital14 our position is that there is a risk-balanced way to digitise your workplace and securely enable communications and collaboration, but that it must be rooted in software and solutions that have been painstakingly architected with a secure by design philosophy. Secure by design means that the solution has been designed from the foundation to be secure and that the architecture itself enforces the security, rather than relying on configuration or user behaviour. Additionally, it’s not only essential to design a robust security architecture, but also to preserve that architecture as the software is developed and evolves, through a strong secure software development lifecycle (SSDLC) and security validation testing.

With this in mind, we encourage you to take a deep look at both the existing solutions in your digital workplace and the new solutions you’re evaluating, and start asking the hard questions. We suggest placing your focus on ensuring the following:

  1. A strong identity that guarantees user authentication and prevents impersonation (ideally based on some type of PKI)
  2. True end-to-end application-level encryption to ensure confidentiality and integrity (not just transport-layer encryption)
  3. Strong cryptography to guarantee confidentiality and protect against persistent threats (ideally multi-layer, and resistant to quantum attacks)
  4. Full auditing capability (that can function even when full end-to-end application-level encryption is in place)
  5. Independent testing and validation to prove that the software and solutions meet the security requirements of the design, and that no gaps or vulnerabilities can be identified

Everything we do at Digital14 is rooted in the above philosophy, which internally we call a “no holes, no gaps” secure by design approach. Whether your organisation is public or private, government or commercial, we want you to have the confidence to digitise your workplace to drive productivity without risk. To learn more, visit today.
