SlideShare a Scribd company logo

Data security in practice

Andres Kütt, profile picture
Andres Kütt

The document discusses the importance of incorporating information security into system design from an architect's perspective, emphasizing that security considerations must be integrated from the outset. It highlights the vital role of defining system boundaries, designing with security requirements, and avoiding the retrofitting of security measures after system development. Additionally, it advocates for a holistic approach to security across all components of a system to prevent vulnerabilities.

Technology
1 of 19
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Information security in practice
 Why do you really need it Andres Kütt Information System Authority / Information System Architect ! 07. March 2014
Agenda today " " " Information security from the architects perspective Implications of security on system design Approaching information security in a standardised fashion It must be emphasised, this is not a security centric view. The speech will not go into specific security details but will rather cover designing systems with security considerations in mind.
So what does an architect do anyway? " " " He or she designs systems What are systems? What does it mean to “design” something To understand what system architecture is and why it is vital, it is important to understand, what does an architect do. ! So an architect designs systems. What do the two elements of that definition actually mean?
What are systems? " " In an abstract sense, collections of things relating to each other " The things might be software, hardware, people, activities etc. So where exactly does my system end? Systems are collections of things (including other systems) relating to each other in a way. It sounds abstract but is a rather important realization as this means people, hardware, processes and software form equally important elements of any system. ! Since this definition is rather abstract, it raises a question about what things are included in the system. Since everything is realted to everything else, don’t we have the entire universe as a single system? While this is, stricktly speaking, true, it is impractical to design the entire universe every time we want to build a website. Thus, there must be an explicit decision about what is included in this particular system and what is not.
On system boundaries In case of information system security, determining the boundaries of the system in question is of paramount importance Information security is about protecting the information in the system against unauthorized use. Therefore, it is absolutely paramount, that all elements of the system are considered when thinking of how to protect the information. ! Typically, for example, people are left out of the system, they are considered just “users”. However, how many of you will happily connect to any open wifi hotspot during this event as long as it is called “somethingsomething FREE Swissotel”? Unfortunately experience shows, the answer is “many” and that people are often the weakest security element of all the systems. The same is true for processes. It is rather pointless to encrypt a database when there is no process in place to ensure the application software does not write a debug log with all database input and outputs in the production environment.
Inputs to the design process " " Functionality or value to deliver Known constraints: " NFR " Execution constraints (competences, time, money) " Information security requirements " Operational constraints The first, but not the only, input to the system design process is the functionality to be delivered. Regardless of whether the customer can express this, there is a structure to the functional requirements that can be referred to as “functional architecture”. The better and more explicit that structure is, the easier the work of the architect is. Level of detail is not necessarily a good indicator but the structure is. ! The second class of input are the NFR (essentially an agreement between technical parties about what constitutes a “good” system), execution constraints (i.e. whom do we have available to build the system using what tools, how long to we have to do this and what are the manufacturing tolerances to be expected) and information security requirements. ! It is important to realize that this is usually where the boundary between the customer and service provider lies (again we are dealing with system boundaries). Unless there are explicit security requirements, they will not be taken into consideration and the system will be insecure. It is not enough to state that “the system must be secure”. It is the responsibility of the customer to procure a secure system exactly as it is the responsibility of the customer to procure a system that performs the necessary business function.
Concept is developed Based on this input, a concept of the system is developed, that embodies basic metaphores, thought patterns and values that form the foundation of the design An architect takes the input described previously and develops some sort of a mental model of the system to be built. This is not necessarily a conscious or explicit process but every architect does this nevertheless. Basically, a concept is about how people think about the system.
System is designed The functions are mapped to elements of the system using the concept within the boundaries of the known constraints At this point the architect takes the functional elements and map them to technical components based on the concept and within the boundaries of known constraints. How exactly this happens, is part of the art of an architect but at this point already it is becoming late to start talking about security.
The described process has a major impact on information security It is almost impossible to retro-fit security to a system that is already designed and/or implemented If one looks at the steps that have been taken in system design up to this point, it becomes clear that retro-fitting security to a system that is already built is neigh to impossible. In the following, lets review in more detail, why this is.
Fundamentally, it is about the concept " " " All design decisions, big and small are based on the concept Unless the concept already contains the notion of security, the decisions down the line will not consider it It is also impossible to tell, which ones do and which ones do not If the concept forms the basic mental model about the system and that model does not involve security, the system will not be secure. The main reason for this is that, either consciously or subconsciously, all design decisions made during the design and build process of the system, are based on that basic mental model. And unless the foundation includes some premise of security, there is no way to tell, if any of the subsequent decisions are taking security into account or not. Even worse, it is impossible to tell, where security is thought of and where it is simply forgotten or bypassed as a project-induced shortcut.
Level of detail in the design " " " Rule of thumb: the more secure the system, the more detailed the design The less freedom the developer has Or, we could choose to trust the developer As a rule of thumb, a more secure system requires a more detailed and thoughtful design process. Whether that process is undertaken explicitly or is offloaded to the heads of good developers, matters little. The point is that both the choice of the level of detail in system design and the selection of developers can only be made once. Re-iterating these decisions basically means re-engineering the entire system and building it from scratch.
Security domains across layers Security domain A Security domain B Security domain C Functionality Implementation Infrastructure Security domain is defined as a system area with similar security requirements. The boundaries of the security domains of the system must be clearly defined and protected through functionality, implementation and infrastructure layers. As the uncertainty about the details of the system decreases while the system is built, it becomes more and more difficult to draw boundaries between the security domains and thus, it is very hard to retro-fit security domains to an already built system.
Security domains " " " If the system contains multiple security domains, they should be aligned There should be clear boundaries with access control and logging between the domains External boundaries of the system are also security domain boundaries! To have the security domains aligned across layers means, that the boundaries of components on the layers must not cross the boundaries of the security domain. If there is one functional piece (i.e. data warehouse, self-service etc), it must not belong to two separate security domains. If there are two functional pieces belonging to separate security domains (internal application administrator interface and external end-user interface, for example) they must not be deployed into the same virtual box. ! Clear boundaries with access control and security monitoring must be in place between the domains. By the way, the external boundary of the system is also a security domain boundary and thus needs to be considered carefully. Usually, only user interfaces are considered but technical interfaces need as careful consideration. It is perfectly possible to have an SQL injection attack vector through a machine-machine interface that is nicely encrypted and authenticated.
Holistic security of the whole system " " " " It makes no sense to protect one part and neglect others What were our system boundaries again? It is very easy to over-react It is also easy to under-react and forget things It is important to have the same level of security across a security domain. It makes no sense to invest into protecting one part of the system while neglecting others. Again, the question of system boundaries appears as often things on the vague edges of the systems are where security breaks down. For example, is a data warehouse part of your system? If you choose to encrypt your database but do not protect the results of functions that, by definition, are meant to increase the value of the information, there is a problem. ! It is easy to err on both sides by either over-spending on security or under-spending. You do not want to build a cast iron gate to a simple wooden garden fence, neither do you want to have a latch-and-hook in a stone wall.
Holistic security built in Information security has to be built into the entire system up front, retro-fitting is expensive and likely to leave gaps
Approaching security: baseline " " " " Use a baseline security standard to validate the measures in place Cheap to impelement, easy to under/overshoot In Estonia, ISKE is obligatory for the public sector, OWASP ASVS becoming more prominent This does not relieve anybody of the burden of thinking! The idea of baseline security is to take a hypothetical, standardized, system and perform a risk analysis on it under typical conditions. The results should then, to an extent, be applicable to all similar systems under similar conditions. While it is relatively cheap to implement, it is easy to over/under shoot as it is not necessarily clear how your system or risks deviate from the standard. Therefore, baseline security is exactly what the name says: a good baseline. Nothing more and nothing less. There is still a need to think about what you are doing in terms of security.
Approaching security: risk analysis " " " Conduct a tailored risk analysis of the systems at hand and the processes surrounding them How often are you really willing to do this? How to respond to both of risks and the systems changing continuously? As an alternative, one can choose to perform a thorough risk analysis of the systems including processes around software. While, when done properly, this produces very good results, the choice between the approaches is not trivial as it is not about a one-time effort. Security needs to be holistic over space and time, thus one needs to be ready and willing to spend resources of repeating the analysis frequently.
Summary " " " " Security has to be built in. There is no other way Think before spending money Think after spending money Pick a sustainable approach to security and stick to it
Thank you! Andres Kütt andres.kutt@ria.ee

More Related Content

PDF
System thinking in public sector architecture
Andres Kütt
 
PDF
Architecting estonia
Andres Kütt
 
PDF
Talking to organisations with x-road
Andres Kütt
 
PDF
Foundations of digital government
Andres Kütt
 
PDF
Service centricity in public sector
Andres Kütt
 
PDF
Systems Thinking workshop, given at Lean UX NYC
johanna kollmann
 
PDF
Interusability: Designing a Coherent System UX
Claire Rowland
 
PDF
Over the Air 15: Experience design for the IoT: system UX & interusability 15...
Claire Rowland
 
System thinking in public sector architecture
Andres Kütt
 
Architecting estonia
Andres Kütt
 
Talking to organisations with x-road
Andres Kütt
 
Foundations of digital government
Andres Kütt
 
Service centricity in public sector
Andres Kütt
 
Systems Thinking workshop, given at Lean UX NYC
johanna kollmann
 
Interusability: Designing a Coherent System UX
Claire Rowland
 
Over the Air 15: Experience design for the IoT: system UX & interusability 15...
Claire Rowland
 

What's hot (19)

PDF
Antwerp Management School Alumni Internet of Things Meetup June 24th 2015
Antwerp Management School
 
PDF
Socio Technical Systems
Joe Christensen
 
PPT
Future Internet Arch - Open Workshop
SOFIProject
 
PDF
Kimberley Peter and Michael Schaus: Understanding Bitcoin Currency and Blockc...
RSD Relating Systems Thinking and Design
 
PPTX
Perspectives on Enterprise Architecture and Systems Thinking
Richard Veryard
 
PDF
Interusability: designing a coherent system UX: NUX 23.10.15
Claire Rowland
 
PDF
Hci unit 2(3rd final) (2)
BekiTamirat
 
PDF
Hci activity#1
Desalegn Aweke
 
PDF
Direct manipulation is broken: O'Reilly Design Conference Jan 2016
Claire Rowland
 
PDF
Interusability: designing a coherent system UX
Claire Rowland
 
PDF
UX for the internet of things: ThingsCon 150505
Claire Rowland
 
PDF
2009-C&T-NodeXL and social queries - a social media network analysis toolkit
Marc Smith
 
PPT
Social Informatics Lecture 2 Salzburg Selection
Mark A.M. Kramer
 
PDF
Value stream mapping for complex processes (innovation, Lean, service design)
Teemu Toivonen
 
PDF
Getting the IoT into Tesco: Internet of things UX for the mass market - IoT 14
Claire Rowland
 
PPT
Social Informatics Lecture 1 Salzburg Selection
Mark A.M. Kramer
 
PDF
Tapia fireside chat-towns
John Towns
 
PPTX
Digital Business
Lisa Harris
 
PDF
The network as a design material: Interaction 16 workshop
Claire Rowland
 
Antwerp Management School Alumni Internet of Things Meetup June 24th 2015
Antwerp Management School
 
Socio Technical Systems
Joe Christensen
 
Future Internet Arch - Open Workshop
SOFIProject
 
Kimberley Peter and Michael Schaus: Understanding Bitcoin Currency and Blockc...
RSD Relating Systems Thinking and Design
 
Perspectives on Enterprise Architecture and Systems Thinking
Richard Veryard
 
Interusability: designing a coherent system UX: NUX 23.10.15
Claire Rowland
 
Hci unit 2(3rd final) (2)
BekiTamirat
 
Hci activity#1
Desalegn Aweke
 
Direct manipulation is broken: O'Reilly Design Conference Jan 2016
Claire Rowland
 
Interusability: designing a coherent system UX
Claire Rowland
 
UX for the internet of things: ThingsCon 150505
Claire Rowland
 
2009-C&T-NodeXL and social queries - a social media network analysis toolkit
Marc Smith
 
Social Informatics Lecture 2 Salzburg Selection
Mark A.M. Kramer
 
Value stream mapping for complex processes (innovation, Lean, service design)
Teemu Toivonen
 
Getting the IoT into Tesco: Internet of things UX for the mass market - IoT 14
Claire Rowland
 
Social Informatics Lecture 1 Salzburg Selection
Mark A.M. Kramer
 
Tapia fireside chat-towns
John Towns
 
Digital Business
Lisa Harris
 
The network as a design material: Interaction 16 workshop
Claire Rowland
 
Ad

Similar to Data security in practice (20)

PPT
Software Security Engineering
Muhammad Asim
 
PPTX
Security architecture, engineering and operations
Piyush Jain
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
DOCX
In this assignment, you will propose a quality improvement initiat.docx
pauline234567
 
PPT
Software security engineering
aizazhussain234
 
DOCX
Corporation DriveSureNumber of Individuals Impacted 38 Millio
AlleneMcclendon878
 
PPT
ch0001 computer systems security and principles and practices
stephen972973
 
PDF
Software Technical Design for Information Security: A short intro for Tech Le...
Chris F Carroll
 
PPTX
Forget cyber, it's all about AppSec
Adrien de Beaupre
 
PPTX
Security Design Concepts
Mohammed Fazuluddin
 
PPTX
02-overview.pptx
EmanAzam
 
PDF
Security overview 2
CMR WORLD TECH
 
DOCX
Running Head 2Week #8 MidTerm Assignment .docx
healdkathaleen
 
DOCX
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
ChristopherAntonius
 
PPT
Chapter 2- Software Security FULL SLIDES.ppt
Lina Shimelis
 
PPT
Software Security Testing
ankitmehta21
 
PPT
Software Security in the Real World
Mark Curphey
 
PDF
Engineering Software Products: 4. software architecture
software-engineering-book
 
PDF
Designing Security Architecture Solutions 1st Edition Jay Ramachandran
wohkwrtliu0660
 
Software Security Engineering
Muhammad Asim
 
Security architecture, engineering and operations
Piyush Jain
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
In this assignment, you will propose a quality improvement initiat.docx
pauline234567
 
Software security engineering
aizazhussain234
 
Corporation DriveSureNumber of Individuals Impacted 38 Millio
AlleneMcclendon878
 
ch0001 computer systems security and principles and practices
stephen972973
 
Software Technical Design for Information Security: A short intro for Tech Le...
Chris F Carroll
 
Forget cyber, it's all about AppSec
Adrien de Beaupre
 
Security Design Concepts
Mohammed Fazuluddin
 
02-overview.pptx
EmanAzam
 
Security overview 2
CMR WORLD TECH
 
Running Head 2Week #8 MidTerm Assignment .docx
healdkathaleen
 
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
ChristopherAntonius
 
Chapter 2- Software Security FULL SLIDES.ppt
Lina Shimelis
 
Software Security Testing
ankitmehta21
 
Software Security in the Real World
Mark Curphey
 
Engineering Software Products: 4. software architecture
software-engineering-book
 
Designing Security Architecture Solutions 1st Edition Jay Ramachandran
wohkwrtliu0660
 
Ad

More from Andres Kütt (16)

PDF
API First Government
Andres Kütt
 
PDF
Tarkvarasüsteemi arhitektuuri kavandamisest
Andres Kütt
 
PDF
Digital evolution of Estonia
Andres Kütt
 
PDF
Cryptography and trust
Andres Kütt
 
PDF
Turvalisest pilvest
Andres Kütt
 
PDF
Building government e-services in Estonia
Andres Kütt
 
PDF
Mis toond on meid siia
Andres Kütt
 
PDF
Why agile works
Andres Kütt
 
PDF
E-residency, data embassy and the Cloud
Andres Kütt
 
PDF
Country without borders
Andres Kütt
 
PDF
Praktilised Avaandmed
Andres Kütt
 
PDF
Architecting a country: how Estonia built its e-government success
Andres Kütt
 
PDF
Mõistlikud nõuded
Andres Kütt
 
PDF
Riigi infosüsteemi arhitektuuri juhtimine
Andres Kütt
 
PDF
System architecture in public service context
Andres Kütt
 
PDF
E-riigist. ERAH loeng TTÜs
Andres Kütt
 
API First Government
Andres Kütt
 
Tarkvarasüsteemi arhitektuuri kavandamisest
Andres Kütt
 
Digital evolution of Estonia
Andres Kütt
 
Cryptography and trust
Andres Kütt
 
Turvalisest pilvest
Andres Kütt
 
Building government e-services in Estonia
Andres Kütt
 
Mis toond on meid siia
Andres Kütt
 
Why agile works
Andres Kütt
 
E-residency, data embassy and the Cloud
Andres Kütt
 
Country without borders
Andres Kütt
 
Praktilised Avaandmed
Andres Kütt
 
Architecting a country: how Estonia built its e-government success
Andres Kütt
 
Mõistlikud nõuded
Andres Kütt
 
Riigi infosüsteemi arhitektuuri juhtimine
Andres Kütt
 
System architecture in public service context
Andres Kütt
 
E-riigist. ERAH loeng TTÜs
Andres Kütt
 

Recently uploaded (20)

PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
KodekX | Application Modernization Development
KodekX
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Encapsulation theory and applications.pdf
gurumoop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Teaching material agriculture food technology
LiaRayya
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Approach and Philosophy of On baking technology
30anthuong17
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 

Data security in practice

  • 1. Information security in practice
 Why do you really need it Andres Kütt Information System Authority / Information System Architect ! 07. March 2014
  • 2. Agenda today " " " Information security from the architects perspective Implications of security on system design Approaching information security in a standardised fashion It must be emphasised, this is not a security centric view. The speech will not go into specific security details but will rather cover designing systems with security considerations in mind.
  • 3. So what does an architect do anyway? " " " He or she designs systems What are systems? What does it mean to “design” something To understand what system architecture is and why it is vital, it is important to understand, what does an architect do. ! So an architect designs systems. What do the two elements of that definition actually mean?
  • 4. What are systems? " " In an abstract sense, collections of things relating to each other " The things might be software, hardware, people, activities etc. So where exactly does my system end? Systems are collections of things (including other systems) relating to each other in a way. It sounds abstract but is a rather important realization as this means people, hardware, processes and software form equally important elements of any system. ! Since this definition is rather abstract, it raises a question about what things are included in the system. Since everything is realted to everything else, don’t we have the entire universe as a single system? While this is, stricktly speaking, true, it is impractical to design the entire universe every time we want to build a website. Thus, there must be an explicit decision about what is included in this particular system and what is not.
  • 5. On system boundaries In case of information system security, determining the boundaries of the system in question is of paramount importance Information security is about protecting the information in the system against unauthorized use. Therefore, it is absolutely paramount, that all elements of the system are considered when thinking of how to protect the information. ! Typically, for example, people are left out of the system, they are considered just “users”. However, how many of you will happily connect to any open wifi hotspot during this event as long as it is called “somethingsomething FREE Swissotel”? Unfortunately experience shows, the answer is “many” and that people are often the weakest security element of all the systems. The same is true for processes. It is rather pointless to encrypt a database when there is no process in place to ensure the application software does not write a debug log with all database input and outputs in the production environment.
  • 6. Inputs to the design process " " Functionality or value to deliver Known constraints: " NFR " Execution constraints (competences, time, money) " Information security requirements " Operational constraints The first, but not the only, input to the system design process is the functionality to be delivered. Regardless of whether the customer can express this, there is a structure to the functional requirements that can be referred to as “functional architecture”. The better and more explicit that structure is, the easier the work of the architect is. Level of detail is not necessarily a good indicator but the structure is. ! The second class of input are the NFR (essentially an agreement between technical parties about what constitutes a “good” system), execution constraints (i.e. whom do we have available to build the system using what tools, how long to we have to do this and what are the manufacturing tolerances to be expected) and information security requirements. ! It is important to realize that this is usually where the boundary between the customer and service provider lies (again we are dealing with system boundaries). Unless there are explicit security requirements, they will not be taken into consideration and the system will be insecure. It is not enough to state that “the system must be secure”. It is the responsibility of the customer to procure a secure system exactly as it is the responsibility of the customer to procure a system that performs the necessary business function.
  • 7. Concept is developed Based on this input, a concept of the system is developed, that embodies basic metaphores, thought patterns and values that form the foundation of the design An architect takes the input described previously and develops some sort of a mental model of the system to be built. This is not necessarily a conscious or explicit process but every architect does this nevertheless. Basically, a concept is about how people think about the system.
  • 8. System is designed The functions are mapped to elements of the system using the concept within the boundaries of the known constraints At this point the architect takes the functional elements and map them to technical components based on the concept and within the boundaries of known constraints. How exactly this happens, is part of the art of an architect but at this point already it is becoming late to start talking about security.
  • 9. The described process has a major impact on information security It is almost impossible to retro-fit security to a system that is already designed and/or implemented If one looks at the steps that have been taken in system design up to this point, it becomes clear that retro-fitting security to a system that is already built is neigh to impossible. In the following, lets review in more detail, why this is.
  • 10. Fundamentally, it is about the concept " " " All design decisions, big and small are based on the concept Unless the concept already contains the notion of security, the decisions down the line will not consider it It is also impossible to tell, which ones do and which ones do not If the concept forms the basic mental model about the system and that model does not involve security, the system will not be secure. The main reason for this is that, either consciously or subconsciously, all design decisions made during the design and build process of the system, are based on that basic mental model. And unless the foundation includes some premise of security, there is no way to tell, if any of the subsequent decisions are taking security into account or not. Even worse, it is impossible to tell, where security is thought of and where it is simply forgotten or bypassed as a project-induced shortcut.
  • 11. Level of detail in the design " " " Rule of thumb: the more secure the system, the more detailed the design The less freedom the developer has Or, we could choose to trust the developer As a rule of thumb, a more secure system requires a more detailed and thoughtful design process. Whether that process is undertaken explicitly or is offloaded to the heads of good developers, matters little. The point is that both the choice of the level of detail in system design and the selection of developers can only be made once. Re-iterating these decisions basically means re-engineering the entire system and building it from scratch.
  • 12. Security domains across layers Security domain A Security domain B Security domain C Functionality Implementation Infrastructure Security domain is defined as a system area with similar security requirements. The boundaries of the security domains of the system must be clearly defined and protected through functionality, implementation and infrastructure layers. As the uncertainty about the details of the system decreases while the system is built, it becomes more and more difficult to draw boundaries between the security domains and thus, it is very hard to retro-fit security domains to an already built system.
  • 13. Security domains " " " If the system contains multiple security domains, they should be aligned There should be clear boundaries with access control and logging between the domains External boundaries of the system are also security domain boundaries! To have the security domains aligned across layers means, that the boundaries of components on the layers must not cross the boundaries of the security domain. If there is one functional piece (i.e. data warehouse, self-service etc), it must not belong to two separate security domains. If there are two functional pieces belonging to separate security domains (internal application administrator interface and external end-user interface, for example) they must not be deployed into the same virtual box. ! Clear boundaries with access control and security monitoring must be in place between the domains. By the way, the external boundary of the system is also a security domain boundary and thus needs to be considered carefully. Usually, only user interfaces are considered but technical interfaces need as careful consideration. It is perfectly possible to have an SQL injection attack vector through a machine-machine interface that is nicely encrypted and authenticated.
  • 14. Holistic security of the whole system " " " " It makes no sense to protect one part and neglect others What were our system boundaries again? It is very easy to over-react It is also easy to under-react and forget things It is important to have the same level of security across a security domain. It makes no sense to invest into protecting one part of the system while neglecting others. Again, the question of system boundaries appears as often things on the vague edges of the systems are where security breaks down. For example, is a data warehouse part of your system? If you choose to encrypt your database but do not protect the results of functions that, by definition, are meant to increase the value of the information, there is a problem. ! It is easy to err on both sides by either over-spending on security or under-spending. You do not want to build a cast iron gate to a simple wooden garden fence, neither do you want to have a latch-and-hook in a stone wall.
  • 15. Holistic security built in Information security has to be built into the entire system up front, retro-fitting is expensive and likely to leave gaps
  • 16. Approaching security: baseline " " " " Use a baseline security standard to validate the measures in place Cheap to impelement, easy to under/overshoot In Estonia, ISKE is obligatory for the public sector, OWASP ASVS becoming more prominent This does not relieve anybody of the burden of thinking! The idea of baseline security is to take a hypothetical, standardized, system and perform a risk analysis on it under typical conditions. The results should then, to an extent, be applicable to all similar systems under similar conditions. While it is relatively cheap to implement, it is easy to over/under shoot as it is not necessarily clear how your system or risks deviate from the standard. Therefore, baseline security is exactly what the name says: a good baseline. Nothing more and nothing less. There is still a need to think about what you are doing in terms of security.
  • 17. Approaching security: risk analysis " " " Conduct a tailored risk analysis of the systems at hand and the processes surrounding them How often are you really willing to do this? How to respond to both of risks and the systems changing continuously? As an alternative, one can choose to perform a thorough risk analysis of the systems including processes around software. While, when done properly, this produces very good results, the choice between the approaches is not trivial as it is not about a one-time effort. Security needs to be holistic over space and time, thus one needs to be ready and willing to spend resources of repeating the analysis frequently.
  • 18. Summary " " " " Security has to be built in. There is no other way Think before spending money Think after spending money Pick a sustainable approach to security and stick to it