By HERMAN KANNENBERG
THE rise of cybersecurity incidents, coupled with an increased number of laws and regulations around the globe has exposed the crucial need to build more robust, collective cybersecurity capabilities across industries.
Industries must come together and start dealing with the legislative, regulatory, ethical, and technical frameworks that will govern cybersecurity in our new normal. We need to set shared goals, align responsibilities and collaborate to build a trustworthy digital environment.
Huawei recently released its Product Security Baseline framework with the objective of creating a standards-based, coordinated approach to governance, technical capabilities, certification and collaboration around cybersecurity and data privacy.
The framework leverages more than a decade of experience in product security management and is based on an analysis and summary of laws, regulations, standards, specifications and security practices that dynamically updates alongside any developments in cyber security and Huawei’s own practices.
To ensure that Huawei’s Product Security Baseline is effective, implementable, verifiable and that it continuously improves the security quality of products, it observes the following principles:
- Result-based – only result-based requirements are objective and verifiable. Ensuring that products achieve expected objectives and help customers compare and select required products based on objective results.
- Universal – requirements specified in the Baseline must be common and applicable to all or most products ensuring that they meet a consistent set of fundamental security quality requirements.
- Applies to all – to ensure that the security of all systems and infrastructure, in a world where supply chains span the entire globe, the same set of fundamental security standards must be applied to all suppliers and product components.
- Continuously optimised – cybersecurity is a dynamic process and therefore the Baseline must be regularly and continuously updated to adapt to the always changing cybersecurity environment.
Overview of the Product Security Baseline
Based on the analysis and summary of laws, regulations, standards, speciﬁcations, and security practices, Huawei developed the Huawei Product Security Baseline and updates it dynamically with developments in the cyber security space as well as with Huawei’s own best practices.
The Baseline consists of 54 requirements under 15 categories. To facilitate the accurate understanding and implementation of the Baseline in different Huawei products and scenarios, we have developed 112 entries for implementation, guidance and interpretation.
Protecting users’ communication content
Huawei complies strictly with industry-wide security standards in product design to ensure communication data security and in so doing, also complies with country-specific and applicable legislation that requires users’ communication content to be protected.
Protecting user privacy
Huawei has analysed the European General Data Protection Regulation (GDPR), the Protection of Personal Information Act (POPIA) as well as other privacy laws and regulations of different countries, such as Germany, France, the UK, Canada, and China.
Based on the analysis and industry practices, such as the GSMA’s Privacy Design Guidelines, Huawei has summarised seven basic privacy protection principles to guide product design and development: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and conﬁdentiality; and accountability.
Huawei will never implant or allow others to implant backdoors in its equipment.
Prevention of malware and malicious behaviour
Huawei does not allow products to contain malicious software such as viruses and Trojan horses, or malicious behavior such as malvertising, fee-absorbing and/or malicious traffic consumption.
Access channel control
Huawei uses several ways to control access channels, such as isolation and authentication, to effectively reduce the attack surface and secure product access.
Security hardening is performed on products by conﬁguring security features and functions, installing patches, and removing or disabling unnecessary services, to improve product security and anti-attack capabilities
Various applications, such as web and mobile applications, are vulnerable to attacks by hackers and malware, resulting in unauthorised access and modiﬁcation. Authentication and authorisation are basic security protection mechanisms for applications.
Cryptographic algorithms are the basis of security and using them correctly is critical to product security. Only public, professionally reviewed, veriﬁed, and secure cryptographic algorithms, as well as correct algorithm parameters and options, can be used.
Sensitive data protection
During product design, sensitive data in the product must be identiﬁed based on possible applications. Typical sensitive data includes authentication credentials (such as passwords, private keys, and dynamic tokens), encryption keys, and sensitive personal data (such as bank accounts and users’ communication content).
Security mechanisms, such as authentication, authorisation, and encryption, must be used to secure data in storage, transmission, and processing.
Management and maintenance security
Various security mechanisms, including strict account password veriﬁcation, secure access protocols, and complete log auditing, are used to ensure product operation and maintenance security.
Secure boot and integrity protection
Software package integrity is veriﬁed during product installation and upgraded to prevent tampering. For products that are expected to deliver high security, secure boot veriﬁcation must also be considered during product startup.
Product documentation must include security documentation, such as a communication matrix, list of accounts and security hardening and conﬁguration documents, in order to help customers deploy, use, and maintain products in the most secure way
Generally, a large number of security vulnerabilities are caused by code quality defects, such as non-standard coding, improper understanding of programming language features and improper interface invocation.
These defects can be identiﬁed through routine static code security, quality scanning and by minimising unsafe functions. This can improve the quality of code and reduce potential security vulnerabilities.
The compiler provides a variety of security options to harden software security. Enabling compiler security options in software hardens the security of code quality.
It also makes it more difficult for attackers to launch an attack, thus reducing the risk of code quality defects becoming exploitable vulnerabilities.
Product software shall use open-source and third-party components that have a good security record and are within their lifecycle.
Any vulnerability shall be promptly ﬁxed through patching or upgrading, in order to control the security of the product software throughout the software lifecycle.
Today, cybersecurity is an opportunity for us to promote security and digitisation through enhanced cooperation.
All stakeholders in the digital space – including governments and regulators, industry and standards organisations, communication service and technology providers, and digital service providers – share a joint responsibility to address cyberspace challenges and improve the level of cybersecurity.
Kannenberg is Head of Legal Affairs and Cyber Security at Huawei South Africa.