Process-based Security Certifications Are the Right Fit for The Digital Economy

By Tim McKnight, Chief Security Officer, SAP SE

Meet a new certification model that complements existing security practices while increasing confidence and breaking rigid borders in digital environments.

Across the digital economy, the potent mixture of speed, openness, and connectivity is stressing standard security practices.

Companies are connecting to customers, suppliers, partners, employees, and assets, and the attack surface grows with every connection.

Bit by bit, organizations become easy prey for malicious actors looking to compromise systems, steal data, and hold them to ransom.

Nation-state threats are no longer philosophical discussions; they are a real concern.

The scale and cross-border nature of cyberthreats call for a stronger and more structured dialogue and a harmonized approach among standards bodies, governments, businesses, security technology providers, users, and in particular companies offering secure products and services.

Ultimately, these parties must work collaboratively to remove digital barriers that slow economic growth and market development.

A united effort is the best prospect for successfully identifying digital processes that suit the digital economy and secure global connectivity.

There’s a real and obvious need for consolidation of national certification schemes and the development of new ones to address challenges triggered by emerging technologies and new business models.

Within a new security framework, we can build greater transparency and trust in our digital-centric world.

Borderless cyber threats need a global solution

For decades governments and security bodies have crafted security regulations and individual product or system certifications to protect our critical infrastructures in energy, banking, healthcare, and transport.

Cyberattacks are a significant cause for worry in these high-profile industries, and operators have worked diligently to ensure that appropriate network and information security measures are in place.

The general benchmark of “zero trust and validate all” has led to the current product and system-centric certifications, which have served nations well and protected our infrastructures.

In these environments, where components have a long lifetime, the existing certifications are a much-needed requirement, but digital environments follow a completely different playbook.

Digital environments have unique, diverse landscapes. Let’s look at the characteristics of these environments and their impact on the certification process.

Global in scope. Globalization is a major factor in today’s market. Rarely do industries remain within a single border.

Because cybersecurity is a global challenge, a certification strategy for international markets requires a global effort.

Our world’s hyperconnectivity crosses borders and security must be defined on an international level.

Agile in response to changes. While agile may be an overused term, it is undeniably a hallmark of current software development.

Under agile software development practices, updates are constantly refining the software and user experiences.

These rapid development cycles are fueled by speed and flexibility and can lead to daily updates and new releases of mobile and enterprise apps. New security regulations must accommodate the fast pace of these updates. Product- and system-centric certificates, which evaluate a fixed version, cannot keep up with release cycles measured in days.

Scalable for large and complex systems. Considering the scope and complexity of digital projects, a scalable security process is a necessity for successful go-to-market deployments.

In a typical industrial IoT system, such as a connected car, a real-time supply chain, or a predictive maintenance application for industrial machinery, the scope is sizeable.

These systems are composed of devices, edge components, communication links, platforms, and applications and services providing the actual business functionality, which can run on edge devices, platforms, or stand-alone.

The components are provided, owned, and operated by multiple entities and can be exchanged on the fly.

A security model must accommodate the diverse and interchangeable nature of the environment.

Adaptable for heterogeneous technologies. Connected cars, manufacturing on demand, and automated remote asset monitoring are early examples of complex digital environments that have heterogeneous technologies.

These environments thrive on openness and easy accessibility, which demands a delicate balance: security controls that protect the system without obstructing legitimate access.

Cloud-based services, for example, are standard within digital businesses in public, private, or hybrid architectures, and their technologies typically come from a heterogeneous set of third-party providers.

End-to-end platforms and systems from a single vendor are not the norm, so a security framework must work within this multi-player, multi-component, open environment.

Economically viable. The certification process must be of global scale, spanning nations, verticals, and organizations.

Nations and organizations should enter into mutual recognition agreements. At all costs, they should avoid requiring the same assessment to be certified again for each additional nation or body.

The additional expense of multiple certificates for the same assessment places too much stress on global operators.

Under the same argument, the certificates should cover product portfolios rather than individual products.

Collectively, these attributes of a digital landscape point to a need for a security framework that is unlike the current ones.

Rather than replace current frameworks, an up-to-date process-based certification should complement present-day certifications.

The core concepts for a digital-friendly framework are: process oriented, risk based, and harmonized across all regions and verticals.

The certification would be based on international standards and address the effectiveness of the processes applied to the development, deployment, and operation of the software.

Under process certification, solution and software providers would document the security best practices applied to their development activities and acknowledge the protection needs and risk exposures of each release.

The process would extend to all lifecycle phases, including deployment and operation.

Security under the European Cybersecurity Act

With its move towards the establishment of a European cybersecurity certification framework, the European Commission would be in an ideal position to promote process certification as an alternative for providing transparency of security assurance in an agile, digital environment.

The final Cybersecurity Act includes process certification alongside product and service certification.

Therefore, the European Union Agency for Network and Information Security (ENISA, renamed the European Union Agency for Cybersecurity by the Act) should treat process-based certification as a priority under the extended mandate the Cybersecurity Act gives it.

The entire industry would realize significant progress by elaborating a similar certification for mainstream commercial software systems and cloud services, working together with industry stakeholders and security labs.

Moving forward, greater collaboration between EU Member States to harmonize security measures and reporting requirements is crucial to continued growth in the digital economy.

What’s needed now is a risk-based, harmonized, and international approach that gives the private sector the flexibility to adapt to rapid change. In these environments, process-based certifications are a much-needed solution.

Securing global efforts together with process-based certificates

Process certification is a promising alternative since it can assure that best practices have been employed for the design, development, and operation of a complex system.

With process certification, the certified security best practices would be applied in the development activities of every product the process covers.

As the technology evolves, process-oriented schemes would not require re-evaluation of each new product version, provided that version is produced under the certified best-practice process. Innovation can continue.

As global cybersecurity threats loom larger, our hope is that European institutions cooperate more closely with trade associations, international forums, and industry experts.

Security is a joint effort, and we look forward to working more closely with everyone in the ecosystem to build global secure digital environments.