[Cybersecurity Architecture] Knowledge Overview (Principles, CIA, DiD, PPT, Zero Trust)

What is Cybersecurity Architecture: The practice of designing computer systems to ensure the security of underlying data.

[Cybersecurity Architecture]

Major Principles - CIA, SOC2 Five Criteria, CIAS Quadrant, DiD, Zero Trust

CIA Triad (confidentiality, integrity, and availability)

Confidentiality - Keeping data secure

Practice:

Data encryption is one way to ensure confidentiality and that unauthorized users cannot retrieve data for which they do not have access.
Access control is also an integral part of maintaining confidentiality by managing which users have permissions for accessing data.
Life science organizations that utilize patient data must maintain confidentiality or violate HIPAA.

How:

Securing Data in-motion

Transport Channel Encryption
Message-level Encryption

Securing Data At Rest

Disk Level Encryption
File-Level Encryption

Integrity - Keeping data clean

Integrity refers to whether your data is authentic, accurate, and reliable.

Practice:

Event log management within a Security Incident and Event Management system is crucial for practicing data integrity.
Implementing version control and audit trails into your IT program will allow your organization to guarantee that its data is accurate and authentic.
Integrity is an essential component for organizations with compliance requirements. For example, a condition of the SEC compliance requirements for financial services organizations requires providing accurate and complete information to federal regulators.

How:

Message Authentication Code (MAC)
Hash-Based Message Authentication Code (HMAC)
Digital Signatures
Message Digest

Availability - Keeping data accessible

Practice

Employing a backup system and a disaster recovery plan is essential for maintaining data availability should a disaster, cyber-attack, or another threat disrupt operations.
Utilizing cloud solutions for data storage is one way in which an organization can increase the availability of data for its users.
As the reliance on data analytics expands, the need for data to be available and accessible grows for sectors like financial services and life sciences.

How:

Denial of Service (DoS)
Threat Modeling and use of Anomaly Detection tools
Resource Throttling
Intrusion Prevention Systems (IPS) Based Prevention
Network Ingress Filtering

Other principles relating to CIA

Authentication

MFA
Password-Less Authentication
Authentication Models (API and Web Applications) - OAuth, Federated Identity SSO
Active Directory (AD) Authentication
Active Directory Federation Services (ADFS)
Simple Authentication and Security Layer (SASL)

Authorization

Access Control Lists (ACL)
OASIS Extensible Control Access Markup Language (XACML)
Java Web Token (JWT)

Auditing

Non-Repudiation

Notes: https://systemweakness.com/a-brief-introduction-to-security-architecture-principles-24f5fbc58dd4

SOC2 Five Criteria

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.

SOC 2 Certification Criteria

CIAS Quadrant

From Secure Controls Framework

Note: https://www.securecontrolsframework.com/

CONFIDENTIALITY

Confidentiality addresses preserving restrictions on information access and disclosure so that access is limited to only authorized users and services.

INTEGRITY

Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.

AVAILABILITY

Availability addresses ensuring timely and reliable access to and use of information.

SAFETY

Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by nefarious actors.

Major Principles - DiD - Defense in Depth

Defense-in-Depth (DiD)

Aka security in depth, refers to a cybersecurity approach that uses multiple layers of security for holistic protection. A layered defense helps security organizations reduce vulnerabilities, contain threats, and mitigate risk.

From: https://lucid.app/lucidchart/271dbc7a-e65f-43e7-a278-ee17240c77a7/edit?page=m-5o7ONTd-nK#

From: https://lucid.app/lucidchart/64441e4f-d35f-4065-92a3-a5bcf2886f8f/edit?invitationId=inv_4eec6e85-6cdc-495c-8f8e-50f3c7fc3a79

From:https://youtu.be/goWIKNyAMA0?si=YlbWnAIGAzJLfCG_

Major Principles - Zero Trust

Zero Trust (Assume-Breach)

Zero Trust is a security model that emphasizes the need to verify every user and device before granting them access to company resources.

The key tenets of a modern defense-in-depth strategy include:

Protect privileged access – use privileged access management solutions to monitor and secure access to privileged accounts (superuser accounts, local and domain administrator accounts, application administrative accounts, etc.) by both human and non-human identities (applications, scripts, bots, etc.).
Lockdown critical endpoints – use advanced endpoint privilege management solutions to lock down privilege across all endpoints, prevent lateral movement, and defend against ransomware and other forms of malware.
Enable adaptive multifactor authentication – use contextual information (location, time of day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a particular situation.
Secure developer tools – use secrets management solutions to secure, manage, rotate and monitor secrets and other credentials used by applications, automation scripts, and other non-human identities.

Solutions:

1. Threat detection and response solutions

2. Identity and privileged access management

3. Endpoint and data protection

4. Security services

Best Practices:

1. Always Verify the User with Multi-factor Authentication (MFA)

2. Always Validate the Device

3. Ensure the Device Measures Up to Your Security Standards

4. Least Access and Least Privilege for IT and Everybody Else

5. Use a Solution that Learns and Adapts

Zero Trust vs Defense in Depth

The main difference is that Zero Trust requires continuous verification of users and devices, whereas Defense in Depth relies on multiple layers of security defenses. Additionally, Zero Trust focuses on protecting data and systems from external and internal threats, while Defense in Depth mainly focuses on external threats.

5 Steps to Create a Zero Trust Network

1. Identify your toxic data sources (Crown jewelry)

2. Map the transaction flows regarding toxic data

3. Architect a Zero Trust network based on the toxic data sources and the way it's used transitionally

4. Write your rules on your segmentation gateway based on expected behavior of the data (users and applications)

5. Monitor the network; inspect and log the traffic; and update rules based the intelligence you get from your security analytics systems

Example:

1. Conduct a data discovery exercise cross the entire organization. For each business area / department, determine the sensitivity of data, data store, the roles of people who need to access the data. Implemented sso and mfa.

2. Have all workstation identified, inventoried, patched, with anti-virus software, now, starting whitelisting all applications.

3. Mapped out all applications and data flows and beginning to configure segregation gateway to allow microcore capabilities. Began implementing PAM.

4. Plan to protect financal and accounting information. Configure Microcore segment, and develop roles and priviliege for finance team. Enforce 2FA.

5 and last. Developing policy for continuous logging and monitong to detect malicous behavior.

6. Additionally, in a long term, use SIEM more proactively , so we can use login information to have better access decisions.

Note: MS Learn Zero Trust Guidance Center

Note: https://www.paloaltonetworks.com/zero-trust

Zero Trust Secrutiy

○ Identy verify constantly (people, application, SSO (MFA, Passwordless, no legacy auth), ,

○ Least privilege, (RBAC, JIT, PAM)

○ Assume breach

○ Endpoint (TPM, Device Certs, Mgmt, Compliance)

○ Network (end 2 end encryption (TLS, IPSec), DiD (Layers, tiers), Micro-Segmentation (NSG, ASG, AZ FW))

○ Administration

§ Monitoring session

§ Policy, Conditional Access,

○ Infra

○ App

○ Data

Tools

Network Traffic Analysis Tools

From: https://www.techtarget.com/searchsecurity/feature/Experts-say-CIA-security-triad-needs-a-DIE-model-upgrade

PPT - Three Pillars Model

Three Major Elements (PPT) - Three Pillars Model:

People : Trained with the latest cyber security skills and qualifications to implement the controls, technologies, and best practices for your organisation.

Cyber savvy board of directors.
Cybersecurity officer with team having sound technical knowledge of risk management, compliance, incident response, IAM specialist, security monitoring and analyst, vulnerability and patch management, Security Architecture, audit.
Data protection /security officer.
People skill management program & Process to identify cybersecurity knowledge
Cybersecurity operation embedded program for employees.
Cybersecurity awareness & training for employees.
Strategy on whether outsourcing of security professional or developing in house expertise, Also dependency on vendor till what extend, Need to define ?
IT /Security People should be business enabler, It has been seen people unable to perform business function due to tight security control ?

Process : Bring in a coherent structure, and way of working to mitigate risks or deal with threats in real-time. Continually update documents because hackers are constantly evolving their attack techniques.

Cybersecurity strategy planning.

Information security management program.

Cybersecurity posture assessment & gap analysis.

Cybersecurity risk assessments Strategy

Cybersecurity Policy and Procedure Framework.

Design & Implementation of business continuity management system.

Security Architect Design & Secure Network Architecture Review.

Cyberthreat intelligence & Threat modelling.

IT security governance model.

Cyber Crisis & Release management Process.

Cybersecurity Assessment program & Audits.

Cybersecurity Assurance & compliance management Program.

Vulnerability Threat Risk Framework.

Vulnerability Assessment and Penetration Testing.

Identity of People & Assets, Secure Access & Authorization policies.

Privacy & data protection policies & procedure.

Data Management & Data recovery processes.

Policy for Utilisation & Maintaining Security Appliances & Security software.

Incident Response & Management process.

Continuous monitoring and assessment process.

Active vulnerability scanning and threat detection from a 24-hour operation

Baseline your assets with CIS benchmark.

Information security metrics framework.

Third party risk management & Mitigation program.

Cybersecurity awareness training program.

Cyber resilience Strategy.

Cyber Insurance policy program

Implementing continuous process improvements.

T(echnology) or T(ools) : Technology without a doubt raises the levels of defence. However, if implemented without proper planning, or a limited understanding of the environment it is intended to defend, it will become a root cause of many more problems.

Perimeter Security : Perimeter firewall, IDS/IPS, Application Gateway firewall, physical security, Deception, Mail security, DNS Security, Secure DMZs.
Network Security : Network firewall, UTM, Secure remote access,NAC, Inline Patching, Wireless access control , VOIP security.
End Point Security : EDR, AMP/Anti-virus/Anti-Malware , Browser Isolation, End Point Encryption, Endpoint DLP, Sandboxing/APT, Mobile device security.
Application Security : Devsecops : SAST,DAST,RASP, IAST, SCA, WAF,API Security, D-DOS Services, CDN security, Bot Management, Database security.Application Encryption, Application shielding. Application security testing, Secure coding practices.
Data Security : Data discovery, Data classification, Data Encryption, Data Masking/Tokenization, IAM,PAM, Key Management, DLP, FIM, EDRM,FIM,SFTP, (Data Backup & recovery).
Security operation : SIEM,XDR, SOAR, Log management, UBA.
Cloud Security : CSPM,CWPP,CASB,CIEM, Docker Container Security.

PPT Design Example:

360° Cybersecurity approach (or Framework)

note: https://www.linkedin.com/pulse/layered-approach-cybersecurity-people-processes-singh-casp-cisc-ces/

This Approach covers the three main domains of people, process and technology & these three steps-

Step 1 is to identify and assess your current level of threat, risks and protection.
Identify –> Threat----> Risk ----> Strategy ----> Security review.

Step 2 is to take corrective action where gaps are identified.
Protect –> People ---->Process ----> Technology.

Step 3 is to monitor the system, respond to threats and incidents and allow you to report to your board and regulators"
Monitor –> Real Time ---->Scheduled---->Unscheduled ----> Security Review.

(These steps explained in below infographics)

Cybersecurity (People + Process + Technology) = Successful Organization Transformation.

Common Cybersecurity Related Frameworks

TOGAF: The Open Group Architecture Framework, or TOGAF, helps determine what problems a business wants to solve with security architecture. It focuses on the preliminary phases of security architecture, an organization's scope and goal, setting out the problems a business intends to solve with this process. However, it does not give specific guidance on how to address security issues.
SABSA: Sherwood Applied Business Security Architecture, or SABSA, is a quite policy driven framework that helps define key questions that must be answered by security architecture: who, what, when and why. Its aim is to ensure that security services are designed, delivered and supported as an integral part of the enterprise's IT management. However, while often described as a 'security architecture method', it does not go into specifics regarding technical implementation
OSA: Open Security Architecture, or OSA, is a framework related to functionality and technical security controls. It offers a comprehensive overview of key security issues, principles, components and concepts underlying architectural decisions that are involved when designing effective security architectures. That said, it can typically only be used once the security architecture is already designed.
COBIT:
COBIT 5, from ISACA, is “a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.”1 This framework includes tool sets and processes that bridge the gap between technical issues, business risk and process requirements. The goal of the COBIT 5 framework is to “create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.” COBIT 5 aligns IT with business while providing governance around it.
ISO IEC 27001
NIST CSF
MCSS

Key Deliverables:

TOGAF EXAMPLES:

Definition of business principles, goals and drivers.
Security architecture roadmaps - or in other words, a list of individual work packages that will define the target security architecture and show progression from the as-is state to the desired state within agreed timelines.
Security architecture building blocks. A building block is a package of functionality designed to meet the business needs across an organization.
Specification of security architecture requirements. This provides a quantitative view of the solution, stating measurable criteria that must be met during implementation.

SABSA EXAMPLES:

The business attribute model - the heart of SABSA. The business attribute model is an abstraction of real-life business requirements, detailing definitions and guidelines for a variety of important business attributes.
A defined security strategy, mapped to control objectives and business attribute profile.
Security policy architecture, which covers security and domain policies that an organization should follow, complied to the latest security standards and regulatory bodies.
Defined security services. These should be based on security policies, business strategies and control objectives.

OSA EXAMPLES:

Functionality and technical security controls. These provide a definition of technical security controls such as access controls, system hardening, security scans, etc.
Software and data integrity protection, a taxonomy of software integrity protection techniques

Notes: https://www.dig8ital.com/post/what-is-security-architecture-and-what-do-you-need-to-know

Enterprise Cybersecurity Architecture

From: https://www.jamesjfisher.org/esa/esa.html

Holistic: Enterprise Cybersecurity Architecture requires a holistic approach when dealing with complex systems across an organization. This means having a proper understanding of requirements, design philosophy, interoperability, component integration, and how the system will operate. Likewise, holistic is not a checklist-based approach, or other necessary components, either technical or process-oriented, may get missed.
Business-Driven: Enterprise Cybersecurity Architecture must be business-driven, focusing on securely enabling the business’ strategic directions in current and new markets, channels, and products. Therefore, a firm understanding of where the company is today and where the business wants to be in the future is necessary.
Risk-Driven: An Enterprise Cybersecurity Architecture focuses on a realistic perspective of risks facing an organization and the remedies in terms of security mechanisms to reduce those risks. It is neither cost nor operationally efficient to put security mechanisms in that are not relevant or required based on the risks present or support a risk the organization does not inherently have.

When developing enterprise cybersecurity architectures for an organization, the key is to remember it is like building a house. Houses are designed first before someone starts constructing them, where building architects defer on specifics to engineers and specialized resources (HVAC, Plumbing, Electrical) when needed. They also include building codes and zoning laws in addition to client requirements. Likewise, enterprise security architectures answer the design's what, why, who, where, when, and how. In addition, Enterprise Cybersecurity Architects defer to specializations (SOC, Threat Intelligence, Incident Response, Forensics, Internal Audit) and Cybersecurity Engineering. They also include regulatory compliance, contractual compliance, industry standards, and stakeholder requirements in designs. Otherwise, an untenable, unsustainable, and unmaintainable system is built that is costly, inefficient, and ineffective that is inherently full of risks and potentially exploitable.