Security is a Product Feature


When customers pay for your cloud-based service, they expect it to be secure. It has to be secure enough to protect their data and their customers' data. At the same time, it has to be available whenever they need it. It's analogous to a utility: when you open your faucet, you expect water to come out immediately, and not just ordinary water, it has to be clean water.

Even if your service or app has the capability, do not expect customers to spend time configuring encryption, two-factor authentication and other added security features to make it more secure. Nowadays, customers expect these to be there already, pre-configured. Customers prefer a cloud-based service for this reason: they want to focus their time on their core business rather than on managing the technology that supports it. This is where Product Management at a Cloud Service Provider (CSP) can help build security in (BSI).

Product Managers gather customer business requirements. They work with developers to translate these business use cases into working product features. The business requirements are written as User Stories and presented to software developers, who in turn convert them into working lines of code. There will be a series of iterations until a shippable product is ready to be presented to paying customers.

So as a security professional, how do you influence product managers to insert security into this process?

The best approach is to help Product Management understand that security is a feature, just like any other feature in the product.

Quoting the authors of Writing Secure Code Second Edition from Microsoft Press:

"Security is a feature, just like any other feature in the product. Do not treat security as some nebulous aspect of product development. And don't treat security as a background task, only added when it's convenient to do so. Instead, you should design security into every aspect of your application. All product specifications should include a section outlining the security implications of each feature. To get some ideas of how to consider security implications, go to www.ietf.org and look at any RFC created in the last couple of years – they all include a Security Considerations section."

To keep it simple: when creating a new product or service, don't forget the Evil User Stories. :-)

So as a CSP, it would be ideal to offer security by default, which includes but is not limited to modern encryption and strong authentication. The burden of security rests more on the CSP than on the customer, even though the security model in cloud computing is a shared responsibility. Customers are also responsible for ensuring the security of their data in the cloud.


Tal Eliyahu

Cyber Security Lead at SC Ventures | ✅ SG Personalised Employment Pass (PEP)

7y

Great post. If you guys want to join our WhatsApp group to discuss more about designing and writing evil stories, misuse cases, abuse cases, use cases and everything about writing secure code, PM me with your international cell number to join.
