Security by Design
Security by Design is an engineering process that addresses data access policy (protecting confidentiality), protection of the data model (integrity), and system fault tolerance and attack surface (availability). As a practice, Security by Design must be followed during all phases of the development process, but especially so in the early design phase of a new system. Failure to implement Security by Design at the beginning of development forever precludes a system from being considered “secure by design”. It may be made secure over time through testing and bug fixing, but it can never be “secure by design” until the major systems are discarded and redeveloped with Security by Design practices followed from the start.

To be blunt, almost no startup invests in Security by Design. On the other hand, almost no major enterprise can afford not to. Large enterprises connected to customers and supply chains through networked information systems must undergo regular compliance audits, are subject to regulatory oversight, and must make legal disclosures and representations and obtain third-party “certifications” in order to function as a business in the modern world. These processes are expensive and time consuming, and their costs rise exponentially when Security by Design processes are not followed.

The costs of security engineering and compliance are reduced by modern cloud systems and software architectures. All cloud platforms and cloud-native services have been engineered using Security by Design, so greenfield projects built on such services can inherit a significant amount of security, compliance and certification support. Yet it remains easy to undo these benefits by projecting old architectures with their security flaws into the cloud. A cloud-native project team must still follow best practices, and these still carry significant costs.