Cybersecurity + Integration Meet at the Intersection of Art and Science

Cybersecurity + Integration Meet at the Intersection of Art and Science

From a cybersecurity perspective, system integration lives at the intersection of art and science. Each use case requires unique tailoring to meet a customer’s mission set – which I consider to be the art of integration. Simultaneously, technical rigor must still be applied systematically throughout, employing logical reasoning and evidence-based methodologies – which is the science component of the process.

Context matters. Before integration takes place, a creative exploration must be undertaken when applying standards or pre-packaged solutions to each use case. That is not an easy task and there is no overarching playbook that can be uniformly applied across all projects.

Moreover, security functional requirements are often insufficiently defined or agreed upon by the various mission and system stakeholders. Integrators must address fundamental questions early on to intimately familiarize themselves with the specificities of the mission set and gain relevant insight into the customer’s unique needs, their risk appetite, and the complexities of their environment. This will better assist them in aligning with stakeholder expectations and designing a cohesive solution for a finalized capability that works and that can operate at an acceptable residual risk level. This is an art that is gained through experience and pathfinding. As an engineering discipline, cybersecurity is ultimately a problem-solving activity.

Art then merges with science when engineers implement technical controls and apply configurations defined by and assessed against pre-established security control baselines and parameters.

The Art of Exploring and Applying Standards 
Integration is a fluid and evolving process, and cybersecurity standards must be adhered to and leveraged in a way that enables systems to be adaptable. Programs and partnerships such as Commercial Solutions for Classified (CSfC) and NIAP Common Criteria have facilitated pre-assessed and pre-authorized products based on protection profiles and capability templates, harnessing commercial innovation and economies of scale in a secure manner. However, when integrating systems into an existing environment or new environment and making it a mission-unique capability, those standards must be shaped into a fit-for-purpose design. This is where the art of exploration comes into the process once again.

Why does cybersecurity require that exploration? Because each mission set is different.

Remember what the ‘F’ in Risk Management Framework (RMF) stands for. As a “framework” there is space and consideration that can be taken when applying certain standards to a particular mission set. This buffer is critical as the operational context and risk tolerance of a network, data, or mission owner are going to vary across the spectrum. As a result, cybersecurity standards must be assessed within a customer’s specific threat model. Other factors must also be taken into account and explored, such as the customer’s existing environment, legacy systems that may be present, and interoperability constraints – among many others.

Considerations for Open-Source and Commercial Products
Cybersecurity practitioners and system integrators should be encouraged to take advantage of the cost and time reductions that a pre-assessed standards template imparts, so that they don’t have to necessarily start from scratch. The commercial sector is constantly manufacturing products that U.S. Department of Defense (DoD) customers can derive great benefits from but an exploration and assessment of whether they are an optimal fit for a unique mission set must first be undertaken.

For instance, there may be a commercial-off-the-shelf (COTS) product that is on an approved product list but based on a particular mission set’s parameters and a mission owner’s level to accept residual risk from that deployed solution, it may not be the best fit for the use case. This is why operational context is critical and where ‘art’ comes into play to trigger an examination of the unique factors of the mission set that is being supported.

Open-source software is also widely endorsed by the DoD but with certain caveats. Caution must be taken with how open source is used, and a product cannot be blindly deployed within a system environment without taking its pedigree into account.

Integrating Systems and Cultures
Integration can be viewed as a deliberate aggregation of capabilities that are modular in nature. Each modular segment may be owned by a different mission or network stakeholder. This means that not only are different segments of a data logistics chain being integrated, but different cultures and perspectives are as well.

Harmonizing risk appetites amongst data owners and tracking data ownership throughout the entire logistics chain play key roles. Integrators are touching different networks, different flavors of systems and products, and at times different classification levels. A successful solution design requires asking the right questions about who owns the data and then presenting them with an end-to-end view of what’s going to happen to that data from the moment it is generated until it is consumed.

Conclusion
The best way to exercise the art of integration is to engage the applicable stakeholders and embed cybersecurity in functional operational conversations as early as possible. This will enable integrators to ensure the right questions are being asked and the cybersecurity requirements are defined as early as possible, enabling integrators and customer stakeholders to be in sync throughout the process.

Different stakeholders often form different pictures in their minds about what an integrated solution should look like. Setting expectations and having discussions around architectural topologies and data flows early on and enabling visual thinking, allows for a clearer vision of the proposed solution and allows for the broader operational view of the mission context. Without that context, it will be difficult to deliver a fit-for-purpose capability. There is no one-size-fits-all approach to every system integration – which is why it is just as much of an art as a science.

To learn how Sigma Defense is enabling faster, more secure software development pipelines for the U.S. Navy, click HERE.

The author, Magdalena LoGrande, is a Cybersecurity Engineering Fellow at Sigma Defense Systems, LLC