How to Bake Security Into IT From the StartNIST's Ron Ross on Adapting an Engineering Approach to Securing Systems
Baking security into information systems from the get-go has been an unrealized goal at most enterprises. That's because organizations, in piecing together their systems, rely on hardware and software from vendors who don't always consider security a high priority.
But new guidance - based on engineering principles - from the National Institute of Standards and Technology is aimed at helping technology vendors build secure components their customers can use to build trustworthy information systems. After all, "consumers can't design or modify source code, or do the other tasks necessary for full-spectrum security," Ron Ross, NIST Fellow and guidance lead author, points out in an interview with Information Security Media Group (click on player below photo to listen).
View DC Keynote Presentation from Ron Ross: Fraud & Breach Prevention Summit: Washington DC
The guidance, Special Publication 800-160: "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," also includes chapters designed to help security professionals and other executives assess products that could be used to build trustworthy systems.
Systems Security Engineering
"We're all relying on the same commercial products today," Ross says. "This is going to give us an opportunity to take a step back to see how we can build security in from the start. We have talked about that forever, but now we do have an approach that can work to help us do the things that been saying for years."
NIST this past week issued the second draft of SP 800-160, a result of nearly five years of work by Ross and his colleagues. It's soliciting comments on the current draft at email@example.com through July 1. NIST expects to publish the final version of the guidance by year's end.
In the interview, Ross discusses:
- Ways the new guidance encompasses a disciplined, engineering approach to building security into hardware, software and firmware;
- How the guidance could help CISOs and others get buy-in from senior executives for building trustworthy and resilient systems; and
- The holistic enterprise view of IT security the guidance promotes and how it could help security practitioners and others to identify the often invisible dangers lurking within IT systems.
Systems Security Engineering Framework
Ross says the guidance encourages enterprise managers to assess the value of their information assets. Then, he says, they should use security design principles and systems engineering processes to develop appropriate security requirements, architecture and design. The objective is to implement a security capability that can adequately protect information systems and reduce a system's susceptibility to adverse consequences from threats and other hazards, all in the context of an organization's tolerance for risk.
"The systems security engineering considerations give organizations the capability to strengthen their systems against cyberattacks, limit the damage from those attacks if they occur, and make their systems survivable," Ross says.
Security consultant Robert Bigman, former CISO at the Central Intelligence Agency, sees SP 800-160 as becoming the "de facto standard for integrating 'trustability' into the design, development, deployment and operation of systems used both within government and commercial critical infrastructure industries."
Hear Ross, Bigman Speak at ISMG Summit
Bigman and Ross will be featured presenters at the ISMG Fraud and Breach Prevention Summit in the Washington, D.C., area on May 18. Bigman will lead a session titled "Creating 'Trustability' to Strengthen Breach Defenses." Ross will deliver a keynote address on "Securing New Generation of IT: The Promise Engineering-Based Approach." Registration is now available online.
Ross was also lead author of NIST SP 800-30 and SP 800-37, guidance on risk assessment and risk management. He specializes in security requirements definition, security testing and evaluation and information assurance. Ross leads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure.