CSSLP Tutorial: Module 01,Part 02: Tenets of Secure Architecture and Design




Architecture and Design

CSSLP Tutorial: There are sixteen tenets of secure architecture and design.

They are: How much security is enough; defense in depth; fail-safe; using the K.I.S.S. to keep the mechanism economical; completeness of design; least common design; open design; weakest link; redundancy; psychological acceptance; separation of duties; mandatory vacations; job rotations; least privilege; need to know; dual  control.  These tenets will work with the actual system you are using.  If it’s a software, or a hardware, or even an infrastructure system, the tenets will help protect each of the several products.  The sixteen basic tenets will work on any of these various systems.  The first element deals with the question of how much security should be applied, and how much is too much.

CSSLP Tutorial: Security isn’t free so if you have heightened security

Then you must pay either in money for the products or in performance.  Also, if there’s too much security then the users can end up  frustrated  if it’s too difficult.  If we give up the performance or even resource availability issues for the sake of increasing security, it could be that there is too much.  The answer to the question of how much is sufficient – the answer is “just enough” and that revolves around risk analysis.  Risk analysis considers the proper balance between cost and benefit.  Most of the decisions we make in our daily lives, in the world are involving a cost-benefit analysis.  In other words, how much cost is involved versus how much value will there be? If there is more value, then we tend to select that choice. So, risk analysis is much like finding the comparative differences between loss and gain.   This kind of analysis is used to discover how much security will be enough for your organization.

CSSLP Tutorial: The second element is known as defense in depth. 

So, in order to understand this second element we’ll explore a metaphor of security around your home.  One mechanism to protecting your home from an unwanted violation like a robber coming into your house could be having locks for your door and having them locked.  However, locks can easily be broken with a tire iron or kicking the door in or other means.  Another mechanism could be a dog watching the house. However, many times these pets are pretty much worthless in the face of a burglar.  Dogs might provide a slight deterrence as they bark, but they could be easily distracted with meat or poisoned to where they are incapacitated.  Dogs might be more of a small part of comprehensive, whole program.  The dog in of itself, however, wouldn’t be sufficient to prevent the robbery from happening.  Even yet a third mechanism could be in place for protecting your home such as an alarm system, however, there’s sometimes up to ten minutes before the police arrive.  There is no one mechanism that will protect the home completely from violation or disaster. 

CSSLP Tutorial: So, what should people do instead?  People have what’s known as defense in depth. 

This is where there are multiple layers of protection rather than just relying on only one mechanism.  Back to the metaphor of the protection of the house, there may be an outward fence, motion detecting light, a dog, locked doors, locked windows, and an alarm system in to protecting the various aspects of the home, as a layered defense.  Similarly, then in security with our design and system, we look for security to occur in multiple layers like one mechanism on top of another and then on top of another.  This is sometimes referred to as layered defense.

CSSLP Tutorial:  The third element is failsafe. 

This is similar to the famous of Microsoft “Blue Screen of Death”.  This is where there can be no additional damage to the system.  When a system fails and no further compromise can be done, this is where a failsafe has been created.  You  want to create a system that responds to security vulnerability where no further breach can occur.

CSSLP Tutorial: The next element is referred to as the K.I.S.S. principle.  

This is Keep It Simple Silly.  Rather than having a design that is so elaborate like a whole network just for the security aspect, it’s better to keep things more simple.  It’s more logical and more straightforward to protect a simple construct than to try to protect something that’s convoluted.  Next, is completeness of design.

CSSLP Tutorial: Completeness of design is where we are making sure to provide security

All the way through the life cycle of the software. Using a secured building as an metaphor, there is a building with a security guard up front, a swipe card access but then the loading dock is wide open.  In terms of the design process, we want to make sure that the design is complete.

Least common mechanism is where we take advantage of what is already out in the world of the internet and already been constructed.

CSSLP Tutorial: The seventh element is open design

Where there are two schools of thought: either make the code known and publish it or hide them and keep the code for our own.  The first is to publish the code for the operating systems and that is referred to as having open architecture.  The second one is where we keep the code to ourselves and refer to it as a closed architecture.  The closed architecture is also referred to as security through obscurity.  In this case, the idea is that you’ve written a code and because you’ve hidden it, and you think I can’t see it, that and so therefore, can’t compromise it.  A metaphor is like a house key that you put under the welcome mat and you think no one else can see it so you think no one can compromise your house.  We prefer to put it out into the open as architecture because it allows for peer review.  It doesn’t guarantee that good peer review will work properly, but it is a possibility.  If you’re familiar with the open SSL, it wasn’t really being reviewed properly so if you’re just making software open, does not make it more secure. But it can make it more secure if the review is done well.  The next element is to consider the weakest link.

CSSLP Tutorial: If you consider the weakest link in your organization,

What would that be, do you think? Most people think it’s users, internal users like employees and they’d be correct.  So, when we are designing a system, we have to consider protection of users. Not all of the errors and compromises are malicious.  Not all users are malicious.  But, it doesn’t take a malicious user to delete a key file or to destroy the integrity of information.  So, we always want to think of our users and to limit the amount of damage our users can do.

CSSLP Tutorial: The ninth element is redundancy. 

We want to avoid a single point of failure.  We want to make sure that if a failure happened somewhere, then the system can withstand having that part not working.  So, having redundancies in the system help prevent having that one single point lead to failure of the whole system. 

CSSLP Tutorial: Psychological acceptability. 

This is the element where you are making sure that the system is workable and where your users can accept it.  If the security is so complicated, the user doesn’t want to participate, then the user may find ways to bypass it.  It’s more important to keep users on your side rather than trying to find a mechanism to bypass the security measures you’ve placed there in the first place. 

The point here is that security is to support the business and if users are having a difficult time, then probably not meeting the goals of the organization.

CSSLP Tutorial: The next element is separation of duties.

The separation of duties is that one person doesn’t gain too much power.  Instead of one single administrator, we would need to have a multiple network administrators.   Each person is assigned certain duties, roles, and such.  If you work in an organization, we don’t want the same person who prints the paychecks to be the one signing the checks.  When there is a conflict of interest, we want to ensure that there is a separation of duties.

CSSLP Tutorial: Other things that are not necessarily having to do with software,

But will still be important for maintaining security are things like, having detective mechanisms in place. These things are like mandatory vacation, job location, job rotations, and so forth.  So, when one person is gone then others can use their system. In other words, no database administrator needs to be the only one who touches their system.   There needs to be an allowance for detective and investigative purposes where anything can be picked up by someone else other than that primary administrator who’s within the organization, outside of the administrator’s area and can test the system for fraudulence or otherwise.  This increases the accountability of the administrator and will help to prevent problems with your administrators going to places or doing things on their computers outside of their pervue.