How to secure a company’s Chinese development, part two

In the first part of this article series, I explained the basic and foundational assumptions and the associated risk potential for a company (we called it WorldSoft) that is planning to do a big part of its software development in China. Now we look into the various counter measures at the different levels of the organization.

Potential counter measures at the organizational level

At the organizational level (that is people and policies), we can do the following:

• Global multi-level policy structure that defines clear objectives and acceptable risk levels (incl. BCP), and provides for regional or local additions/changes. Standards & procedures, ITIL and similar change controls prevent errors (unintentional wrongdoing).
• Contracts with employees and 3rd parties that will specify clearly the duties to protect IP, copyrighted material, internal and confidential information handling, access and change of information, need to know and the other principles such as not lending passwords, physical access cards, smartcards etc. to others. The contracts should spell out clear fines and enforce those with pre-paid escrow accounts (for 3rd parties), or choose 3rd parties with compensating assets in other countries such as EU/US.
• Have NDAs/CAs signed by all employees, contractors, subcontractors, etc. as part of their employment relationship. Prefer contractors with (indirect) assets in EU/US where litigation is enforced and binding.
• Require a Certificate of No Criminal Conviction (“CNCC”) from the potential employee (especially for leadership positions), use these both before hire and during tenure. Observe and act upon changes in behavior — a disgruntled employee, for example, will often show warning signs.
• Regularly educate all employees, contractors, 3rd parties about their expected behavior, let them sign their agreement and participation of those trainings. Awareness programs that are positive and contain interesting and professionally made material will change behavior (IP and security in general). Top management must adhere to all measures to set the “tone at the top.” Incentivize positive behavior, (aggressive) profit sharing schemes and leverage local JVs to prevent their need for infringement.
• Use detectives/trusted parties (non-government) to identify misuse or illegal copies. Adhere and enforce the procedures in case of wrong-doing to deter others.
• Protect IP rights before enforcement is needed. To reduce trademark squatting, register early.
• Job rotations could also help find fraud and reduce collusion.
• Acquisition of other companies: do risk assessments of their environment (at the organization, process, and technology levels) before connection to infrastructure.

The next organizational level is the process level where things are defined how they shall work, and how a company runs its business. At this level, a lot of improvements should be made, this is part of the “secret sauce” of any organization, and those most sustainable will have highly efficient and effective processes. One could argue that this still is all organizational, but on the other hand we strive to structure the approach in the best way and that is why I present it this way.

Potential counter measures at the process level (end-to-end process)

• Design all security measures into the right chain link within the process (efficient, effective, easy).
• Document and automate processes to reduce error and unintentional wrong-doing.
• Ingrain security requirements in the SDLC (from the beginning to the end) and approve only those solutions where the security requirements are reached.
• Split code development such that no-one has access to the entire code / product base but only those snippets that are needed (see technology: source code vault, AC ).
• Separate development, testing, piloting, production and adhere to strict change control for transfers.
• Design and operate a development environment that doesn’t need local storage and installations (see VDI ).
• Digitally sign, fingerprint, and watermark code that has been verified and is secure. Integrate those used technologies.
• Verify customer licenses and proper code use when doing support for that customer.
• Classify all documents upon creation and adhere to the processes accordingly throughout their lifecycle.
• Define and optimize the entire Incident Response process.
• Provide employees who need to access secure areas a locker room to prevent mobile devices in those areas.
• Before entering into partnerships with 3rd parties (providers etc.), assess the potential risks and do security process verification.

Now I describe how to best support these above organizational and process security controls by leveraging technology solutions in its best potential ways. Important is again that not one technical solution will solve all problems, but instead the useful integration of the various products with a well-thought-through architecture will support the intended security level.

[5 ways to create a collaborative risk management program]

Potential counter measures at the technological level

• Physical controls such as fences/gates, cameras, AC, secure zones, no cell phones and flash drives etc., tracking of people within the DCs or other secure zones, assigned accompanying guards for 3rd party access to sensitive areas. Compartmentalization approach for important assets.
• Create different user profiles (classes) with access accordingly to their roles (sales not in developer area/network segment etc.).
• Leverage smartcards with biometry where possible and integrate physical and logical contexts.
• Use a VDI (virtual development infrastructure) in trusted locations with VPN and other encrypted connections.
• Use network segmentation (D/T/P), NGFW, VPNs, VLANs, NAC, DLP, SIEM, WAF, etc. with an integrated design architecture.
• Use static and dynamic code analysis tools, black-box and white-box scanners.
• Secure servers in DCs, anti-malware, AV, FW, strong authentication and AC, backup, DR (also against the natural threats)
• Secure storage networks (SAN/NAS etc./encryption/AC/separation [AV/AM]), including DR.
• Secure endpoints with antimalware, AV, PFW, PKI/Encryption/Signature/Hash, proper SW installs, backup-tools.
• Track local port usage, data flow, DLP, find code signatures, leverage RMS , SIEM etc. dashboard, use a strict code-tracing technique to monitor copying.

So far the potential solution options, as you can see, are manifold.

Differentiated but also integrated approach (Summary)

Based on the aforementioned options, it is best to prioritize the risks and compare the value at risk with the associated costs of mitigating controls. The combination of counter measures at the 3 different layers (people, process, technology) is best, therefore an integrated approach between risk & corporate security, legal, IT security, product security, cloud security, service and other units should be used.

What you don’t measure you can’t really manage, so a few KPI examples here:

• Percentage of employees that have their background verified (with a CNCC, prior employment, claimed education).
• Percentage of contracts with 3rd parties with NDA/CA signed that’s enforceable (s.a.).
• Number of performed and validated awareness educations and signed records / per month / quarter / year etc.
• Percentage of registered IP items (of all assets) in China vs. other locations or global average.
• Percentage of customers found with unregistered/counterfeited WorldSoft products or pieces in China.
• Percentage of unsecured ports/thumb drives seen in the environment.
• Percentage of solved incidents from IR and any further details on that.
• Etc… (A lot of detail work needed here, depending on the situation).

Finally, the business aligned security strategy should be adapted based on the success of the measures and seen change in measurements. Hint: To get the necessary active support from management and employees, incorporate security into the(ir) annual performance goals.

Michael S. Oberlaender, MS, CISSP, CISM, CISA, CRISC, ACSE, GSNA is a subject matter expert on IT and security, and other related subjects. He is the author of C(I)SO – And Now What (CSO Online published an excerpt in March of this year) and has held positions such as CSO and CISO for several large global companies. While he is currently seeking a new professional challenge, he has researched this concept study in preparation for an interview with one of the largest software companies in the world. The material was created under his own copyright and therefore he is sharing this here with you in the intent to educate his fellow practitioners and also improve the security pasture of this particular industry. You can reach the author at michael.oberlaender@gmail.com or via LinkedIn.