Security Architecture and Engineering Flashcards
Secure Design Principles
Least Privilege
Defence in depth
secure defaults
fail securely
Separation of duties (SOD)
Keep it simple and small
Zero trust
Secure access service edge
privacy by design
trust but verify
shared responsibility
least privilege (PoLP)
individuals are only granted the access necessary to perform their required functions
PoLP
Separation of duties (SOD)
designed to limit risk associated with critical functions/transactions
Risk mitigation: by requiring multiple individuals to carry out sensitive transactions
Defence in depth
uses multiple layers of overlapping controls to provide security
key concept: any one control may fail but all controls will not fail (hopefully)
Eg: Client PC
Patching, hardening, antivirus, app whitelisting, host based firewall, HIP etc
Secure Defaults
means systems and applications are delivered in their most secure state
- some settings may be relaxed later after thorough risk analysis
Fail securely
Note: It is usually better to lose functionality rather than security
means a system that encounters a critical error or failure will ‘fail closed’ as opposed to failing open
Eg: Older unix systems would often fail open in the case of critical damage to the disk
- A system reboots, detects damaged disk sectors, and tries to automatically repair via fsck command (file system check)
- if this system failed to repair, the system would boot to a single user console session, automatically logged in as root (superuser)
- this is a violation of fail securely
Keep it simple and small (KISS)
A design maxim
emphasizes that simple designs are more secure than complex designs
more complexity is equal to more attack surface
As systems become more interconnected, security will get worse
Zero trust
Removes the concept of internal is trusted, external is not
assume that all traffic is untrusted
build security into the DNA of IT architecture by investing in situational awareness, and developing robust vulnerability and incident management capabilities
3 concepts of zero trust
ensure all resources are accessed securely regardless of location
Adopt a least privilege strategy, and strictly enforce access control
inspect and log all traffic
Key network components of zero trust
SDN
Network virtualization
Perimeter design versus zero trust
Traditional single perimeter defence, everything behind the firewall is trusted
Zero trust defence focusses on resource protection (nothing is trusted)
The ‘implicit trust zone’ shrinks as much as possible from the entire private network down to an individual computer system or very small cluster
Access is granted through a policy decision point (PDP), and corresponding policy enforcement point (PEP)
ZERO TRUST provides a set of principles/concepts around moving the PEPs/PDPs closer to the resources.
Note: Idea is to explicitly authenticate and authorise all subjects, assets, workflows that make up the enterprise
SASE - Secure access service edge
SASE architecture combines networking and security as a service functions into a single cloud delivered service at the network edge
delivers converged network and security as a service capabilities, including
SD-WAN
SWG
NGFW
CASB
ZTNA
Trust, but Verify
- considered a middle step between traditional perimeter defences and zero trust
- focuses on forensic integrity of data and systems, requiring accountability via strong authentication, and enhanced logging
- states that actions on a network should be undeniable, certifiable, and tamper evident
Privacy by design
framework based on embedding privacy into the design and operation of IT systems, network infrastructure, and business practices
privacy by design - 7 foundational principles
proactive not reactive
privacy as the default setting
privacy embedded into design
full functionality
end to end security
visibility and transparency
respect for user privacy
Shared responsibility
used by cloud providers like Amazon, Azure, Google
Security Models
MAC (Mandatory access control)
Bell-LaPadula (confidentiality)
Biba (Integrity)
Lattice
Commercial - Clark-Wilson
MAC - Mandatory access control (confidentiality)
is a system enforced access control based on a subject’s clearance, and an object’s labels
subjects and objects have clearance and classification labels respectively
subject may access an object only if the subject’s clearance is equal to or greater than the object’s label
MAC is expensive, and difficult to implement
focussed on preserving the confidentiality
Bell-LaPadula - BLP (Confidentiality)
Deals with confidentiality
data flow model - data flows up (top secret, secret, confidential)
2 key principles
- no read up (simple security property) - NRU
- no write down (* property) - NWD
BIBA (Integrity)
Deals with integrity
opposite of BLP
Data flow model where data flows down
2 key principles:
No read down (simple integrity property)
No Write up (Integrity * property)
Tip: security models which deal with integrity have the letter I in them
Eg: Biba, Clark-Wilson, non-interference, Chinese wall
Lattice
deals with info flow
formalizes network security models
shows how info can / can’t flow
lattice model requires that every subject and object be labelled with one of a number of security designations
user of a certain designation can only access resources of the same designation or lower
designations - top secret, secret, confidential and unclassified
compartments - laser, nuclear, spy
Clark-Wilson (Integrity)
- the hyphen is a reminder of the separation of duties
deals with integrity
ensures internal and external consistency
integrity enforced through
- well-formed transactions
- separation of duties
Chinese wall model (COI)
proposed by Brewer and Nash
deals with conflict of interest
no info flow allowed that could cause info leakage that could lead to a COI
Reference monitor
mediates subject’s access to objects
responsible for enforcing system security policies as subjects access objects
the reference monitor is always enabled, cannot be bypassed
Trusted computing base (TCB)
Consists of security relevant parts of a system - that include
- access control mechanisms
- reference monitor
- the kernel
- the protective mechanisms
TCB defines a security profile including hardware, software, inter-process communication and will ensure a computing device will maintain the confidentiality, integrity and availability of the data residing on that system. (MIKE)
Domain separation
protects objects in the system
Domain: set of objects that a subject is able to access
Domain separation - implemented by
- execution rings
- base address registers
- segmentation descriptors