IT security through the back door: security-by-default when selecting software
Security-by-default (SBD) plays an increasingly important role in protecting our data. Specific requirements for privacy-friendly default settings can be found not only in Article 25 of the GDPR but also in the coalition agreement of the German federal government. Those who select and operate software should therefore know the most important functions and principles of security-by-default solutions and check for them.
With security-by-default, IT managers have a powerful tool in their hands that both reduces their own workload and makes the secure use of software easier for users.
(Picture: Nicolnino – stock.adobe.com )
If programs and applications are to be successful with users, that is, used regularly and as intended, they must be easy to use. That alone is a considerable challenge in most cases, as any UI or UX designer can attest. For IT managers who have to select, roll out and explain suitable programs for companies and public authorities, a framework of legal regulations is added on top, especially within the EU, wherever large volumes of data are processed and must be secured and protected. Specifically, Article 25 of the GDPR [Art. 25 – EU-DSGVO – Datenschutz durch Technikgestaltung und durch datenschutzfreundliche Voreinstellungen – EU-Datenschutz-Grundverordnung (EU-DSGVO); in English: data protection by design and by default] obliges controllers to implement "privacy-friendly default settings".
It quickly becomes clear that what is needed is a jack of all trades: an easy-to-use application in which users practically cannot go wrong when it comes to security. Although there is probably no perfect application for every task, there are a number of levers that make secure use easier without users even noticing. These are security-by-default settings, which, however, are far from standard in all programs. The German government has also recognised the benefits of security-by-default and has therefore included the topic in the coalition agreement.
Block lists, sending rules and app stores are well-known forms of SBD
Among the better-known security-by-default functions that end users encounter are block lists for web browsers that block certain websites on the corporate network, and administrator approval requirements for software downloads or for the execution of .exe files. Instead of installing software themselves, users pick from a selection of approved programs in the company's own enterprise app store.
In the area of secure data transfer, for example via solutions integrated into the e-mail client, sending rules based on subject, file formats, recipient domains and other parameters offer numerous control options. Low-code and no-code applications point in the same direction: they give users a set of building blocks with which they can automate certain data-exchange processes or the interaction of apps without having direct access to databases or similar systems.
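To make the sending rules described above concrete, here is an added example that is not part of the article and not FTAPI's or any vendor's code: a small outbound-mail rule engine whose rules (blocked file formats, a recipient-domain allowlist, and an encryption requirement for sensitive content leaving the organisation) are active in a safe state before an administrator configures anything. The corporate domain `example.org`, the rule names, the sample messages and the German/English subject markers are all constructed assumptions for the illustration.

```python
"""Outbound-mail sending rules with secure defaults (added illustration).

Not FTAPI's or any product's code. The rule set, field names, corporate
domain and sample messages are constructed for this example; a real mail
gateway would read them from its configuration.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "example.org"  # assumed corporate domain

# Defaults that are in force before an administrator changes anything.
DEFAULT_BLOCKED_EXTENSIONS = frozenset({".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1"})
DEFAULT_SENSITIVE_MARKERS = ("confidential", "vertraulich", "internal only")


@dataclass
class Policy:
    """Sending rules. Every field has a secure default; admins may tighten or relax it."""
    blocked_extensions: frozenset = DEFAULT_BLOCKED_EXTENSIONS
    sensitive_markers: tuple = DEFAULT_SENSITIVE_MARKERS
    # An empty set means "no allowlist configured": external domains are not
    # restricted, but the encryption rule still applies, so the default stays
    # usable without becoming unsafe.
    allowed_external_domains: frozenset = frozenset()
    require_encryption_external: bool = True


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    attachments: List[str] = field(default_factory=list)
    encrypted: bool = False


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def attachment_extension(filename: str) -> str:
    # PurePosixPath("invoice.pdf.EXE").suffix -> ".EXE"; the last suffix decides,
    # so double extensions and upper-case variants do not slip through.
    return PurePosixPath(filename).suffix.lower()


def evaluate(msg: Message, policy: Optional[Policy] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any violated rule blocks the transfer (fail closed)."""
    policy = policy or Policy()
    reasons: List[str] = []

    # Rule 1: file formats, applied to every message regardless of recipient.
    for name in msg.attachments:
        if attachment_extension(name) in policy.blocked_extensions:
            reasons.append(f"blocked attachment type: {name}")

    external = [r for r in msg.recipients if domain_of(r) != INTERNAL_DOMAIN]
    if external:
        # Rule 2: recipient domains, enforced only once an allowlist exists.
        if policy.allowed_external_domains:
            for r in external:
                if domain_of(r) not in policy.allowed_external_domains:
                    reasons.append(f"recipient domain not on allowlist: {r}")
        # Rule 3: marked subjects or any attachment leaving the organisation
        # must be encrypted.
        subject = msg.subject.lower()
        sensitive = any(m in subject for m in policy.sensitive_markers) or bool(msg.attachments)
        if policy.require_encryption_external and sensitive and not msg.encrypted:
            reasons.append("sensitive content to external recipients requires encryption")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample traffic: default policy, nothing configured yet.
    samples = [
        Message("alice@example.org", ["bob@example.org"], "Report", ["report.pdf.EXE"]),
        Message("alice@example.org", ["carol@partner.example"], "Vertraulich: Angebot"),
        Message("alice@example.org", ["carol@partner.example"], "Contract", ["contract.pdf"], encrypted=True),
        Message("alice@example.org", ["dave@other.example"], "Lunch?"),
    ]
    for m in samples:
        allowed, why = evaluate(m)
        print(f"{m.subject!r:28} -> {'ALLOW' if allowed else 'BLOCK'} {why}")
```

The design point is the one the article makes: with `Policy()` left untouched, executables are blocked and anything sensitive bound for an external domain must be encrypted, while an ordinary unencrypted note to an outside contact still goes out, so the default is both secure and usable. Adding a domain allowlist tightens the rules further without changing the defaults.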
When looking for a software solution with which users will access or edit critical and sensitive data, it is therefore advisable to take a close look at SBD aspects as part of the IT security strategy, in order to relieve both the IT department and the users. The "secure by default" principles published by the British National Cyber Security Centre can serve as a point of orientation here. The authority itself points out that they are not a definitive classification, let alone a seal of approval for a piece of software. A short checklist can nevertheless be derived from them:
1. Were security aspects taken into account during development rather than treated as an afterthought?
Security should be part of a software application's development from the outset and not be seen as an optional extra. The more deeply security is anchored in development, the higher the probability that the solution will deliver a high level of security. If an application is first programmed for usability and only afterwards checked for how security functions can be bolted on, that hardly speaks for serious security awareness.
2. Does security limit the usability of the software?
The most secure software in the world is useless if users do not use it, or use it incorrectly. How a solution handles the tension between security and usability is one of the most decisive test criteria.
3. Do the security functions work immediately after a product is deployed, without extensive configuration?
The most important security functions should be ready for use at rollout, before the first user touches the software. This does not preclude adjustments to fit your own IT environment afterwards, but security must not depend on them.
4. Are the security functions developed further on an ongoing basis?
The threat situation for IT systems and programs changes constantly and there is no final state. A suitable solution should therefore always be up to date and be developed further through continuous updates.
5. Can users use the security functions without special technical knowledge?
This is probably one of the two decisive questions from the end user's point of view. Secure operation should not be hidden behind countless windows, sign-ups and forms; it should be as easy as possible.
6. Does security hold when users use the software in the expected way?
This is the second decisive question, and it focuses on user behaviour: how likely is unsafe use, unintentional or intentional, despite compliance with the SBD principles?
With SBD functions in software solutions, IT managers have powerful tools in their hands that both reduce their own workload and make secure use easier for users. It is therefore advisable to pay special attention to them when searching for and purchasing new software. They form an important part of an IT security strategy that builds security into the structure itself.
The further requirements set out in this regard in the coalition agreement of the new German federal government can be quite useful, especially for raising the security standard of software across the EU. What will be particularly interesting to watch is how IT security managers master the balancing act between simple and secure work.
About the author: Ari Albertini is Revenue Flow Manager and a member of the management board of the data transfer specialist FTAPI Software GmbH. After working in research and project consulting, he joined FTAPI in 2015, where he deals with topics such as agile working and innovation. He is also regularly active as an author of technical articles and as a speaker at industry events.