A lean methodology to balance security and change

Modern corporations must evolve at an increasing pace to offer advanced and innovative services. They must do it securely, fending off old and emerging threats from cyber-criminals. Further, they must comply with a slate of regulations at different levels of abstraction, and all of the above must be achieved with a lean and cost-effective budget.

For Poste Italiane – the largest Italian employer, offering integrated services in finance, logistics, and mobile communication (with a turnover of around 24 billion Euro) – balancing security and change means identifying security requirements for over 150 change requests per month and over 2000 per year.

A simple solution would be to mandate the most stringent security requirements across the board. Yet very high security often brings severe performance or usability penalties. For example, strong authentication (e.g. by biometrics or a hardware token) is used for the financial transactions that warrant it, but could be mandated for all services as well. This would yield a significant drop in performance and huge deployment costs, and would be rightly perceived by many users as a ridiculous burden if they just need to check whether grandma’s birthday parcel has arrived.

The alternative of sloppy-security-for-all is not an option either. Individual changes to one application may have domino effects on other services. Many intermediate IT components are shared by different top-level services and are subject to different compliance requirements. Touching one application without careful analysis of its implications may lead to severe fines or even criminal prosecution.

Company management wants every change request to go through a security gate, and the simple solution is to just follow the books: many security risk assessment standards and methodologies can be used (e.g. ISO 27005, USA’s NIST 800-30, CoBIT, Germany’s BSI, France’s EBIOS, Spain’s Magerit, UK’s IAS, etc.). At lower abstraction levels one can also follow company-based methodologies such as Cigital’s BSIMM or Microsoft’s STRIDE. Academic methods are also available, like SI*, CORAS, SQUARE, and SREP. But what is the actual effort needed to perform a security analysis “by the book” in an industrial setting?

The report “Security Triage: An Industrial Case Study on the Effectiveness of a Lean Methodology to Identify Security Requirements”*, a work from DISI, University of Trento, presents a lean, innovative methodology for the identification of security requirements, stemming from a year-long project conducted with Poste Italiane.

The process is based on a global mapping analysis of the overall ICT landscape (Security Survey), followed by a lean, dynamic process (Security Triage) to quickly determine how relevant an individual change request is for security assessment and which security requirements apply to it. The approach significantly reduces the time needed to identify security requirements, keeping up with the pace of change.

The Security Survey and Triage process should be embedded in a company’s production cycle as a mandatory step for managing change requests, so that security initiatives are prioritized based on the relevance of the assets and of the business objectives of the company.

(* Giacalone, Matteo, et al. “Security triage: an industrial case study on the effectiveness of a lean methodology to identify security requirements.” Proc. of the 8th ACM/IEEE Int. Symp. on Empirical Software Engineering and Measurement. ACM, 2014. http://dx.doi.org/10.1145/2652524.2652585)