The Black and White security principle is associated with the infrastructure security and adaptation of security for enterprise products. This principle explains the philosophy on which digital assets must be secured. The principle is divided into two parts: Black box and White box. The Black box represents Infrastructure (IT) security whereas the White box represents the enterprise products that contain digital assets.
The Black box perceives the White box as a transparent system containing data that needs to be secured irrespective of the security design considerations, principles, or patterns that it is built on. According to this theory, IT considers an enterprise product as a system without protection mechanisms. The White box perceives the Black box as the internet. According to this theory, the enterprise product is built on the philosophy that IT security does not exist and the system is exposed to the internet directly.
Therefore, the enterprise products must be developed using the protection mechanisms recommended in Black and White principle as illustrated in the following image:
Due to faster go-to market (GTM) strategies, companies tend to rely on IT security instead of focusing on improving the security of their enterprise products. More than 50 percentage of security flaws are injected into the product without writing a single line of code. This statistics stresses on the need to invest a considerable amount of time to enhance the security in products during the design phase of the Software Development Life Cycle. The implementation of security design principles, patterns, design considerations, threat modeling, etc. would result in a product that is more secure and reliable. If you are wondering if this is also applicable to IT system firmware/ software, the answer is Yes!
As a boon, a continuous innovation is observed in the field of security for IT landscapes. These innovations include next-gen firewalls, WAFs, SIEMs, malware detectors, SDNs, IDS, IPS, End point solutions and so on. These security systems are futuristic and expensive. It is not feasible for many organizations to afford extensive IT security systems considering the costs. However, with a little investment into security during product development, the security posture of an organization is likely to improve.
Also, monitoring and managing products regularly is equally important for early detection of security glitches. Enterprise products usually comprise of small segments of proprietary code and more of open source components. Most developers prefer using software that is free and time-tested than re-writing security algorithms from the start. Besides third party components, there are other security solutions that we must consider. For example, an invention such as, a Secure Container that helps with Design in Depth principle is amazing. In addition, companies should consider incorporating the right administrative and technical controls that are driven by processes. After all, organizations are more so run by processes than people. Implementing the required level of security in products can be achieved through regulating the right strategies. It is not too far away when information security becomes business and business depends on information security.
An important aspect that aids in improving the security stance of a company is its people. A futuristic strategist, an awesome security architect, and a star security analyst, along with the support from the senior management can make a huge difference in developing a highly secure and reliable product. Thus, enforcing the Black and White Security Principle helps in building security programs and products that are modern, innovative, economical, and efficient.
We must, therefore, “Innovate, not renovate!”