Information security is a growing concern, because in the digital age the danger to business and society keeps increasing. Protection comes from both the developers and the users of software solutions, through a range of measures.
Cybercrime is the dark side of digital transformation: breaking into a business virtually is becoming ever easier. Most criminals aim for financial gain, but the company's reputation suffers as well. The security framework of the EU General Data Protection Regulation (GDPR) makes clear that data protection has the highest priority in the digital age: companies must demonstrably protect sensitive data. Software vendors are also responsible and face fines if they violate the EU GDPR. The relevant criteria of the security framework include the amount and type of information to be processed, its retention period, and its accessibility.
The EU GDPR also states that hardware and software should be tested for vulnerabilities during development in order to minimize weaknesses. Following the “Security by Design” and “Privacy by Design” approaches, specific protection measures should be adhered to, in which the confidentiality, availability and integrity of information form the three core security principles. Both sensitive data and the information systems themselves must be protected against unauthorized access, manipulation and deletion.
The Layered Security Framework
To make attackers' work difficult, the Layered Security Framework by Alex Berson and Larry Dubov has proven itself in software development: a multi-layered model for the secure handling of information. Individual security measures apply to each layer of the software architecture (data, application) and of the technical infrastructure (platform, network, perimeter). From the inside outwards the layers build on each other: each outer layer compensates for weaknesses in the layer beneath it.
The software architecture
To secure data and applications as the layers of the software architecture, two-factor authentication and authorization are essential: who is entitled to what? Identity and access management controls this centrally and gives companies a framework in which they can work protected in a private or public cloud. Equally important is restricting data access through a data-visibility concept backed by corresponding security certificates. In addition, web solutions should be tested for vulnerabilities using the leading security policies of the Open Web Application Security Project (OWASP).
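The following is an added example, not code from the article: a minimal "who is entitled to what?" decision for the data and application layers. It layers three checks, the data-visibility label, the role-based permission and the second authentication factor, so that a gap in one (for example, a user who holds the right role) is still caught by another (missing clearance or missing second factor). All labels, roles, permissions, users and records are constructed sample data, and the class and function names are this example's own assumptions.

```python
"""Added example, not code from the article: a minimal "who is entitled to
what?" check for the data and application layers. Visibility labels, roles,
permissions, users and records are all constructed sample data; the
function and class names are this example's own assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Data-visibility labels, ordered from least to most sensitive (constructed).
CLEARANCE_ORDER = {"public": 0, "internal": 1, "confidential": 2}

# Role-to-permission mapping for the application layer (constructed policy).
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "admin": {"read", "update", "delete"},
}

# Actions that change data additionally require a completed second factor.
MFA_REQUIRED_ACTIONS = {"update", "delete"}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    clearance: str       # highest visibility label this user may see
    mfa_verified: bool   # second authentication factor completed this session


@dataclass(frozen=True)
class Record:
    record_id: str
    label: str           # visibility label of the data item


def authorize(user: User, action: str, record: Record) -> Tuple[bool, str]:
    """Decide whether `user` may perform `action` on `record`.

    Returns (allowed, reason). The checks are layered: every one must pass,
    and the first failing check names the reason. Unknown labels fail closed.
    """
    # Data layer: the visibility concept - may the user see this record at all?
    record_level: Optional[int] = CLEARANCE_ORDER.get(record.label)
    user_level: Optional[int] = CLEARANCE_ORDER.get(user.clearance)
    if record_level is None or user_level is None:
        return False, "unknown visibility label: access denied"
    if record_level > user_level:
        return False, f"label {record.label!r} exceeds clearance {user.clearance!r}"

    # Application layer: authorization via role-based permissions.
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if action not in granted:
        return False, f"roles {sorted(user.roles)} do not grant {action!r}"

    # Authentication strength: modifying actions need the second factor.
    if action in MFA_REQUIRED_ACTIONS and not user.mfa_verified:
        return False, f"{action!r} requires a verified second factor"

    return True, "allowed"


if __name__ == "__main__":
    alice = User("alice", frozenset({"editor"}), "internal", mfa_verified=True)
    print(authorize(alice, "update", Record("R1", "internal")))
```

The order of the checks matters for what the caller learns: visibility is evaluated first so that a user without clearance never receives a hint about which permissions a confidential record would require. An unknown label is treated as the most sensitive possible, so a misconfigured record is denied rather than exposed.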
The technical infrastructure
The technical infrastructure is divided into the internal layers, platform and network, and the overarching perimeter layer. The platform comprises operating systems, web and application servers, databases and file systems. Connections to them, whether by cable or WLAN, can be protected in several ways: encrypted data storage, correct port configuration, up-to-date patches, suppressed disclosure of system information, and strict authorization measures.
Further preventive measures within the local network are the encryption of data in transit using Transport Layer Security (TLS) and the secure integration of firewalls. The perimeter layer provides the connection between a closed and a public network and is protected, for example, by a Virtual Private Network (VPN) and VPN-capable firewalls. An access point, in turn, ensures a secure WLAN environment, and a security information and event management (SIEM) system recognizes when and where the handling of data deviates from applicable compliance rules.
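As an added example, not code from the article, here is a small rule set of the kind a SIEM applies to access logs to recognize when the handling of data deviates from agreed policy. It parses a constructed log, checks each event against four constructed rules (confidential data touched by an uncleared user, oversized exports, deletions by non-administrators, and access outside business hours) and returns the alerts in log order. The log format, user names, thresholds and business hours are all assumptions made for this example.

```python
"""Added example, not code from the article: a small rule set of the kind a
security information and event management (SIEM) system applies to access
logs to recognize when the handling of data deviates from agreed policy.
The log format, users, thresholds and business hours are constructed."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample access log: one event per line, timestamp then key=value fields.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=alice action=read label=internal count=1
2024-03-04T02:13:55 user=bob action=read label=confidential count=1
2024-03-04T11:40:12 user=alice action=export label=confidential count=1200
2024-03-04T14:05:33 user=carol action=delete label=internal count=3
2024-03-04T23:58:00 user=alice action=read label=internal count=2
"""

# Constructed policy parameters against which events are checked.
BUSINESS_HOURS = range(7, 19)              # 07:00 to 18:59
MAX_EXPORT_ROWS = 500                      # larger exports need a ticket
CONFIDENTIAL_USERS = {"alice", "carol"}    # cleared for confidential data
ADMIN_USERS = {"alice"}                    # the only users allowed to delete

Alert = Tuple[str, str, str]   # (timestamp, user, rule)


def parse_event(line: str) -> Dict[str, object]:
    """Turn one log line into a dict; the count field becomes an int (0 if absent)."""
    timestamp, *fields = line.split()
    event: Dict[str, object] = {"ts": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["count"] = int(str(event.get("count", "0")))
    return event


def evaluate(event: Dict[str, object]) -> List[str]:
    """Return the names of all rules the event violates (empty list if none)."""
    violated: List[str] = []
    user = str(event.get("user", ""))
    action = str(event.get("action", ""))
    label = str(event.get("label", ""))
    ts = event["ts"]
    assert isinstance(ts, datetime)
    # Rule 1: confidential data handled by someone outside the cleared group.
    if label == "confidential" and user not in CONFIDENTIAL_USERS:
        violated.append("unauthorized-confidential-access")
    # Rule 2: bulk export above the agreed threshold.
    if action == "export" and int(str(event["count"])) > MAX_EXPORT_ROWS:
        violated.append("bulk-export")
    # Rule 3: destructive action by a non-administrator.
    if action == "delete" and user not in ADMIN_USERS:
        violated.append("unauthorized-delete")
    # Rule 4: any access outside business hours.
    if ts.hour not in BUSINESS_HOURS:
        violated.append("off-hours-access")
    return violated


def detect(log_text: str) -> List[Alert]:
    """Run every rule over every line and collect alerts in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in evaluate(event):
            alerts.append((str(event["ts"]), str(event["user"]), rule))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

One event can trigger several rules at once (the constructed 02:13 access by "bob" is both unauthorized and off-hours), which is why `evaluate` returns a list rather than stopping at the first match: the analyst sees the whole deviation, not just the first symptom.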
Further security measures
For a holistic information security management system (ISMS), companies should also take organizational and procedural measures. An ISMS gives particular weight to privacy and to the three core security principles. Although not explicitly mentioned in the ISO standard, physical security also matters: access to server rooms, but also to network cables and the reach of the WLAN signal. For cloud-based work environments, cloud providers whose data centers are certified to ISO 27001 are the right security partners.
Information security is essential if companies want to protect themselves against unauthorized access to their data, and it is equally the responsibility of the software and cloud providers they work with. The focus is on the confidentiality, integrity and availability of information. Preventing financial and non-material damage by attackers takes time and money, an investment that pays off in view of the growing security awareness of customers, suppliers and partners.