In this two-part series, we examine the threats and necessary counter-measures for a company that's planning to develop software in China.

Let's suppose you have a company, let's call it WorldSoft, that is planning to do a big part of its software development in China. A fairly new and growing economy, access to inexpensive but highly educated development resources from local universities, one of the most important future Asian markets and similar such motivations might be the reasons for that. Given the multiple and complex challenges, how would it be possible to secure that from a corporate perspective?

We are going first through a couple of basic assumptions, define the known facts, and picture the assumed risk profile before we'll dive into the plethora of counter measures that are both possible and (most likely) necessary at the various levels (organizational, process, technological) of the organization. The shown options are prioritized already (notwithstanding there are always reasons you could prioritize differently), and suggest that you start at the organizational level, go then into the process level, and finally support all this with the technology level (not vice versa, as far too many organizations do) in a combined fashion, as shown in the summary section of this concept study.

Basic assumptions

WorldSoft uses a globally distributed development environment using scrum and similar methods. IP laws are enacted based on WTO and World Intellectual Property Organization (WIPO) memberships, and China has also signed a Trade Related Intellectual Property Agreement (TRIP), but these are not enforced.

WorldSoft's products and solutions address a highly competitive market; major other players / competitors compete both for market share and for the most comprehensive product solution in WorldSoft's product space. WorldSoft has worldwide customers in all industries, governments, and security-relevant organizations such as military or critical infrastructure.
The global economy is in a weak phase where recession and rebound are alternating, the level of uncertainty is very high, and competitive advantage can make the difference for a company to succeed or fail entirely. Industrial espionage or unauthorized access to IP data is therefore critical. Furthermore, the trust built with the existing customer base about code quality, stability, integrity and integration is very important to defend the company's reputation.

Acquired companies or 3rd parties such as service or outsourcing partners must also be integrated into the security environment without changing the risk profile in an uncontrolled fashion. Currently software companies tend to allow administrative rights for developers, and often have no general blocking mechanism in place for mobile data storage such as thumb/USB drives, DVDs, and other such items.

Foundational assumptions / known facts

Security is complex and cannot always be solved with a "one-size fits all" approach, especially when business requirements must be considered / given preference. Concepts such as defense-in-depth, need-to-know, minimum privileges, standards where possible, risk-aligned controls, re-use of certified solutions, attack-surface reduction, increasing attack costs, security-by-design (not by obscurity) etc. should be applied throughout. Still, the weakest link most likely will get exploited; security is never 100%, and the realistic goal is instead an agreed-upon risk profile (magic triangle: costs vs. functionality vs. security).

To reach this aspired level of security, it must be addressed at all structural levels: organizational (people and policies), process (end-to-end), technological (automated vs. manual; physical and logical). Prioritization is always required to maximize benefit and minimize necessary spend, and also to focus on the most important assets / risks / issues first.
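Two of the weaknesses named above, local administrative rights for developers and no blocking of removable storage, can be audited per workstation before any policy is rolled out. The following PowerShell script is an added example and is not part of the original article or the author's concept study. It assumes a Windows 10/11 developer workstation with PowerShell 5.1 or later; it only reads registry values and group membership, and the two registry locations it checks are the USBSTOR driver start value and the "All Removable Storage classes: Deny all access" policy value.

```powershell
# Added audit example (not from the original article). Read-only: reports whether
# removable storage is blocked and which user accounts hold local admin rights.
# Assumes Windows 10/11 with PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).

function Get-RemovableStorageStatus {
    # Two common ways removable storage is blocked by policy:
    # 1. The USBSTOR driver is disabled (Start = 4).
    # 2. Group Policy "All Removable Storage classes: Deny all access" (Deny_All = 1).
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                                -Name Deny_All -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UsbStorDriverDisabled = ($null -ne $usbstor -and $usbstor.Start -eq 4)
        PolicyDeniesAll       = ($null -ne $policy  -and $policy.Deny_All -eq 1)
    }
}

function Get-LocalAdminUserAccounts {
    # User accounts (not nested groups) in the local Administrators group, so that
    # developer accounts holding admin rights can be identified and reviewed.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        Select-Object -ExpandProperty Name
}

$storage = Get-RemovableStorageStatus
if ($storage.UsbStorDriverDisabled -or $storage.PolicyDeniesAll) {
    Write-Output 'Removable storage: blocked.'
} else {
    Write-Warning 'Removable storage is NOT blocked on this workstation.'
}

# The built-in Administrator account is expected; anything else deserves a look.
$expected   = @("$env:COMPUTERNAME\Administrator")
$unexpected = Get-LocalAdminUserAccounts | Where-Object { $_ -notin $expected }
if ($unexpected) {
    Write-Warning ('Non-default local administrators: ' + ($unexpected -join ', '))
} else {
    Write-Output 'Local administrators: only the built-in account.'
}
```

Run it from an elevated or a standard PowerShell session on the workstation being reviewed; the warnings mark machines that still match the "admin rights plus unblocked USB storage" state the text describes, which is the starting point for the organizational and technical controls discussed in the second part.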
Potential solutions shall be created to minimize business impact and inconvenience for employees / 3rd parties etc. This will reduce the risk that they will object to / bypass security measures. Proactive solutions are way more efficient and effective than reactive ones, and are to be preferred; however, in some cases a reactive approach is cheaper, and also still necessary (Incident Response).

Risk potential

Loss of Integrity: trust / brand reputation if breached / hacked, corrupted data (code or configuration data), corrupted cloud services or business intelligence data -> could impact decision making. If WorldSoft locations / infrastructure were used in another (external) attack (e.g. against critical infrastructures): potential liability.

Loss of Confidentiality: Intellectual Property (IP), strategic business plans, designs, sensitive customer data, specific know-how, wiretapped communications. Industrial and state espionage. Potential liabilities (customers, 3rd parties, Joint Ventures, shareholders).

Loss of Availability: either at the network level (Great Firewall of China), or the data centers (non-reliable infrastructure, regional conflict, counter-attack on critical infrastructure such as energy/power plants). Potential liabilities (customers, shareholders).

External threat actors: people (competitors, nation state, hacktivists, former employees) or elementary (natural disasters), power outage etc.

Internal threat actors: people (non-intentional errors [employees or 3rd parties], disgruntled employees, infiltrated spies [competitors or state sponsored]).

Based on publicized research, the vast (!) majority of man-made attacks are happening via (automated) malware and hacking on both servers and clients/user devices (end points), followed by some physical attacks, some social engineering and finally misuse (by authorized people). Hacking by an APT is currently the highest potential man-made threat and risk.

After having shown the risk potential, we will look into the various counter measures at the different levels of any organization in the second part of this article.

Michael S. Oberlaender, MS, CISSP, CISM, CISA, CRISC, ACSE, GSNA is a subject matter expert on IT and security, and other related subjects. He is the author of C(I)SO – And Now What (CSO Online published an excerpt in March of this year) and has held positions such as CSO and CISO for several large global companies. While he is currently seeking a new professional challenge, he has researched this concept study in preparation for an interview with one of the largest software companies in the world. The material was created under his own copyright and therefore he is sharing this here with you with the intent to educate his fellow practitioners and also improve the security posture of this particular industry. You can reach the author via michael.oberlaender@gmail.com or via LinkedIn.