OPINION

SECURING SOFTWARE-BASED IP

If not secured and regulated, software-based intellectual property can pose a substantial risk. Sven Erik Knop of Perforce Software considers what can be done.
The task of internally securing software-based intellectual property (IP) and confidential product data against the insider threat is a major challenge for today's organisations. Whether deliberate or accidental, data breaches can cause catastrophic damage: the IP Commission Report puts annual losses from IP theft in the United States alone at more than $300 billion, and insiders are among the channels through which that IP leaves. There is also a growing need to protect software IP as part of compliance requirements.

There are many aspects to managing internal data breaches, and one that deserves a bigger place in the spotlight is securing the data source, namely the software development process, which is inherently exposed. Product teams tasked with creating software IP are often globally dispersed, with contractors and external business partners collaborating on multiple assets: source code, binary files, firmware, hardware designs, images, art and video files. Often this data is stored in unsecured repositories with few restrictions, leaving valuable IP open to error or unwanted access. Here are four measures that can improve the protection of software-based assets and IP.
CREATE A SINGLE SOURCE OF TRUTH

Having all participants check software assets in and out of the same repository, with clear visibility of everyone's actions, lays the foundation for a transparent, collaborative and auditable environment. A version control system is typically used to create this single source of truth, but there are a few things to consider. Projects are increasingly dependent on a wide range of assets and not just code, so make sure that the system can support the necessary file types (large binaries included). The version control system must also be easily accessible, viewable and understandable by users outside the core software development team, including external auditors and compliance professionals. Ideally it should integrate with third-party security tools to give even more comprehensive visibility of the enterprise's security landscape. Bear in mind that concentrating all assets in one place also concentrates risk: the repository itself then needs the same hardening, patching and monitoring as any other crown-jewel system.
GREATER TRACEABILITY

This single source of truth should also provide high-resolution visibility into who is accessing critical IP, when and how. Administrators should be able to track every asset in the system: which user accessed which file, how, when, from where and even why. Make sure to use version control that keeps an immutable record, so that users cannot amend or delete the history of changes. "Immutable" should mean tamper-evident at the very least: an audit trail that an administrator can quietly rewrite after the fact is of little value to an investigator or an auditor.
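As an added illustration of what "cannot amend or delete" has to mean in practice (this is example code written for this page, not Perforce's implementation or any product's audit format), the following hash-chains access records so that editing, re-ordering or deleting an entry is detectable, and shows the one case a bare chain misses, truncation of the tail, which is why the latest head hash must be anchored somewhere the log's own administrators cannot rewrite. The user names, depot paths, addresses and timestamps are constructed sample data.

```python
"""Tamper-evident access trail (added example, not code from the article).

Each record's hash covers its own fields plus the previous record's hash, so
any later edit, re-ordering or deletion breaks the chain.  Truncating the tail
does not break the chain on its own, which is why the latest head hash has to
be anchored out-of-band (WORM storage, or signed by a key the log admins lack).
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # previous-hash value for the first record


@dataclass(frozen=True)
class AuditRecord:
    seq: int          # position in the chain, starting at 0
    user: str
    action: str       # e.g. "sync", "edit", "read"
    path: str         # repository path that was touched
    host: str         # client address the request came from
    ts: str           # ISO-8601 timestamp supplied by the caller
    prev_hash: str    # hash of the preceding record (GENESIS for the first)
    hash: str = ""    # SHA-256 over every other field, hex-encoded


def _digest(fields: dict) -> str:
    """Canonical JSON (sorted keys, fixed separators) so the hash is reproducible."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    def append(self, user: str, action: str, path: str, host: str, ts: str) -> AuditRecord:
        prev = self.records[-1].hash if self.records else GENESIS
        fields = dict(seq=len(self.records), user=user, action=action,
                      path=path, host=host, ts=ts, prev_hash=prev)
        rec = AuditRecord(**fields, hash=_digest(fields))
        self.records.append(rec)
        return rec

    @property
    def head(self) -> str:
        return self.records[-1].hash if self.records else GENESIS


def verify(records: list[AuditRecord]) -> tuple[bool, int]:
    """Walk the chain; return (True, len) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        fields = asdict(rec)
        fields.pop("hash")
        if rec.seq != i or rec.prev_hash != prev or _digest(fields) != rec.hash:
            return False, i
        prev = rec.hash
    return True, len(records)


def verify_with_head(records: list[AuditRecord], anchored_head: str) -> bool:
    """Chain must be intact AND end at the head hash that was anchored out-of-band."""
    ok, _ = verify(records)
    head = records[-1].hash if records else GENESIS
    return ok and head == anchored_head


def demo() -> dict:
    """Build a three-event trail (constructed sample data) and try three tamper attempts."""
    chain = AuditChain()
    chain.append("alice", "sync", "//depot/fw/bootloader.c", "10.0.0.12", "2017-03-01T09:00:00Z")
    chain.append("bob", "edit", "//depot/fw/bootloader.c", "10.0.0.40", "2017-03-01T09:05:00Z")
    chain.append("carol", "read", "//depot/art/logo.psd", "10.0.0.77", "2017-03-01T09:10:00Z")
    anchored = chain.head  # stand-in for a head hash published outside the log admins' reach

    # 1. rewrite who made the edit: the stored hash no longer matches the fields
    edited = list(chain.records)
    edited[1] = replace(edited[1], user="mallory")
    # 2. delete the middle record: seq and prev_hash of the following record both mismatch
    deleted = [r for r in chain.records if r.seq != 1]
    # 3. drop the last record: the chain alone still verifies; only the anchored head catches it
    truncated = chain.records[:-1]

    return {
        "intact": verify(chain.records),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_chain_only": verify(truncated)[0],
        "truncated_with_anchor": verify_with_head(truncated, anchored),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

The third case is the one most audit-log products gloss over: a chain proves nothing about events that were removed from its end, so the current head hash (or a signed checkpoint of it) has to be written regularly to a store the repository administrators cannot modify.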
IMPLEMENT FINE-GRAINED ACCESS CONTROL

The type of access that users require varies hugely according to their individual roles, and granting users unnecessary levels of access increases the chance of a leak or of a security weakness being introduced. Protect critical IP with fine-grained access control based on IP address, user and group, enforceable at the repository, branch, directory or individual file level, both locally and across geographic regions and authorised locations. Treat network address as one factor among several rather than as identity: a rule keyed on an office range says where a request came from, not who sent it, so it belongs alongside strong authentication rather than in place of it. As well as safeguarding valuable IP, this rigorous approach to data access will also help to address regulatory, audit and compliance requirements.
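To make the "user and group, by network, down to the individual file" idea concrete, here is an added example (written for this page, not Perforce's own protections engine or syntax) of a small policy evaluator: rules name an access level, a user or group, a client network and a path pattern, are evaluated top to bottom with the last match winning, and default to no access when nothing matches. The groups, addresses, depot paths and policy lines are constructed for illustration; the ordering semantics and the level names are simplified assumptions of this example.

```python
"""Fine-grained repository access policy: (user|group) x client network x path.

Added example, not the article's or any product's code.  Modelled loosely on
the protections tables of commercial version control systems but simplified:
rules are evaluated top to bottom and the LAST matching rule wins, so broad
grants go first and narrow exceptions (including explicit 'none') go last.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass

# Ordered access levels; a higher level implies every lower one.
LEVELS = {"none": 0, "list": 1, "read": 2, "write": 3, "admin": 4}

# Constructed group membership; in practice this comes from the directory.
GROUPS = {
    "firmware": {"alice", "bob"},
    "contractors": {"carol"},
    "auditors": {"dave"},
}


@dataclass(frozen=True)
class Rule:
    level: str     # key of LEVELS
    subject: str   # "user:<name>" (name may be "*") or "group:<name>"
    host: str      # CIDR network the client must come from, or "*" for any
    path: str      # glob over the repository path; '*' here also crosses '/'


def _subject_matches(rule: Rule, user: str) -> bool:
    kind, _, name = rule.subject.partition(":")
    if kind == "user":
        return name == "*" or name == user
    if kind == "group":
        return user in GROUPS.get(name, set())
    return False


def _host_matches(rule: Rule, host: str) -> bool:
    if rule.host == "*":
        return True
    return ipaddress.ip_address(host) in ipaddress.ip_network(rule.host, strict=False)


def effective_level(rules: list[Rule], user: str, host: str, path: str) -> str:
    """Default-deny: with no matching rule the caller gets 'none'."""
    level = "none"
    for r in rules:
        if (_subject_matches(r, user) and _host_matches(r, host)
                and fnmatch.fnmatchcase(path, r.path)):
            level = r.level          # last match wins
    return level


def is_allowed(rules: list[Rule], user: str, host: str, path: str, required: str) -> bool:
    """Enforcement point: does the effective level cover what the request needs?"""
    return LEVELS[effective_level(rules, user, host, path)] >= LEVELS[required]


# Constructed policy. Order matters: broad grants first, exceptions last.
POLICY = [
    Rule("read",  "group:auditors",    "*",              "//depot/*"),          # auditors can read everything...
    Rule("list",  "group:contractors", "*",              "//depot/*"),          # contractors see file names only...
    Rule("read",  "group:contractors", "203.0.113.0/24", "//depot/art/*"),      # ...and read art from the partner's network
    Rule("read",  "group:firmware",    "*",              "//depot/fw/*"),       # firmware team: read from anywhere...
    Rule("write", "group:firmware",    "10.0.0.0/24",    "//depot/fw/*"),       # ...write only from the office LAN
    Rule("none",  "user:*",            "*",              "//depot/fw/keys/*"),  # signing keys: nobody, overrides all above
    Rule("read",  "user:alice",        "10.0.0.0/24",    "//depot/fw/keys/*"),  # ...except the release owner, on-site
]


if __name__ == "__main__":
    checks = [
        ("bob",   "10.0.0.40",    "//depot/fw/bootloader.c",     "write"),
        ("bob",   "198.51.100.9", "//depot/fw/bootloader.c",     "write"),
        ("carol", "203.0.113.5",  "//depot/art/logo.psd",        "read"),
        ("carol", "203.0.113.5",  "//depot/fw/bootloader.c",     "read"),
        ("dave",  "192.0.2.8",    "//depot/fw/keys/release.pem", "read"),
        ("alice", "10.0.0.12",    "//depot/fw/keys/release.pem", "read"),
        ("alice", "198.51.100.9", "//depot/fw/keys/release.pem", "read"),
    ]
    for user, host, path, want in checks:
        have = effective_level(POLICY, user, host, path)
        verdict = "ALLOW" if is_allowed(POLICY, user, host, path, want) else "DENY"
        print(f"{user:6} {host:14} {path:30} want={want:5} have={have:5} {verdict}")
```

Two points worth noticing in the policy: the signing-key revocation sits below the firmware team's broad grant so that it wins, and even an auditor with read access to the whole depot is cut off from the keys by it; and the same engineer gets write access on-site but only read access off-site, which is the "locally and across geographic regions" distinction the text draws. Because the host check is keyed on source address, anyone on the office LAN or behind its VPN inherits the on-site grant, which is why it should never be the only control.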
A MORE COLLABORATIVE APPROACH

Some current trends in software processes, notably DevOps, can also help to protect IP by creating a greater level of transparency and interaction, making it harder for security issues to be buried. This brings us full circle to the single source of truth, which is increasingly viewed as integral to a successful DevOps implementation because it supports a more collaborative and accountable way of working.
Steps such as these are within the reach of any organisation and can make a major contribution toward securing the software on which most enterprises increasingly depend. Of course, addressing IP protection, the insider threat and other security risks is a multi-layered endeavour that applies to every stage of each asset's lifetime. However, implementing more control around the genesis of those assets is surely a logical starting point.
Network Computing, March/April 2017, p. 30. @NCMagAndAwards, www.networkcomputing.co.uk