Secure by Design in practice //07.10.21

Organisations need to implement threat monitoring so they can detect and respond to attacks. The ability to recover from an attack can mean the difference between business continuity and obsolescence.

And training staff on the basics of cyber hygiene can minimise risk. But enterprises are also taking a more proactive and preventative approach. They’re not automatically trusting activity within their perimeter, for starters. And they’re investing in security at the code level.

In the UK, the National Cyber Security Centre has released guidance for developers on how they can take a Secure by Design approach, and there are calls for the tech sector to embrace this guidance. In the US, the White House released an Executive Order that includes policy relating to the software supply chain. In the future, software vendors selling to the US federal government need to disclose the composition of their software and put it through testing.

But opinions vary about what Secure by Design actually means – and there is even some scepticism about how achievable it is as a goal.

Bartley Richardson, senior AI infrastructure manager at LORCA partner NVIDIA, shares his thoughts about the company’s approach to the Secure by Design principle. 

By Bartley Richardson

When you look at the development stage of technology, almost all software stacks rely on some open-source dependencies. Open source is great for the developer community, but it means that most organisations can’t say with conviction that they understand where all the dependencies and vulnerabilities are. You can take a Zero Trust, Secure by Design stance, but it only takes one mistake or malicious update to a piece of software to break your entire architecture. It’s a trade-off.

If an organisation wants to embrace Secure by Design, investing in writing all the code in-house or sticking to one version and not releasing frequent updates are not appealing options. Doing so can stifle innovation.

Instead, it’s important to take a layered approach. Secure by Design, at least from NVIDIA’s point of view, doesn’t just happen at rest. It’s not just about software. It’s about how you’re moving data about, and where you’re moving it to.

Developers don’t fail to code everything in-house or embed security because they’re lazy – they’re just under pressure, and they don’t want to be reinventing the wheel. In a way, security is diametrically opposed to the lightning-speed pace of engineering. We need better training for developers in security, while layering on other protection as well. Too much of the Secure by Design narrative places responsibility at the doors of developers.

Large organisations and systems integrators can play a role on the ecosystem level. NVIDIA is not a cybersecurity company, but we build frameworks and software development kits (SDKs) that the ecosystem can use. This helps take some of the burden off developers, who work within tight resource constraints.

This allows them to build cybersecurity into their products without having to understand all the design principles that go into it. For example, our Morpheus solution is based on the expectation that bad actors will be in your network and includes models that look at privilege escalation and account takeovers. It provides a highly optimised AI pipeline and pre-trained AI capabilities to enable the instant inspection of all IP traffic across the data centre.

“We’re trying to reframe cybersecurity as a data problem”

We build cyber principles into our core architecture and become Secure by Design through collaboration. Our engineers and data scientists work closely with product security and security operations teams during the product development lifecycle. It’s easy to build kingdoms – a security kingdom and an engineering kingdom – but I’m not here to build kingdoms. I’m here to get people working together.

As these teams work together, their goal goes beyond hardening software against attacks. They’re also respectful of the laws governing data before code gets out in the world. This foundation is how we define Secure by Design, though other organisations may have their own definitions.

We’re trying to reframe cybersecurity as a data problem. In the past 20 years, the industry has not addressed the root problem of cybersecurity – the data issue, whether it’s the availability of data or encryption. Instead, it’s created plasters. Addressing cyber as a data science problem is harder, of course. It means pushing capabilities towards the edge, towards the sensors, so the entire ecosystem can be built on that capability. But that should be the goal.

NVIDIA is enabling zero-trust cybersecurity architectures that are Secure by Design by accelerating extreme performance for AI that is orders of magnitude faster than CPU-only servers. We also enable complex deep neural networks to be deployed throughout the fabric of a security environment, all while minimising data movement, eliminating unnecessary data converts and tightly integrating with the existing security ecosystem.