Dailydave mailing list archives
[enterprise] security architecture is snake oil
From: Konrads Smelkovs <konrads.smelkovs () gmail com>
Date: Sat, 19 Dec 2015 16:53:50 +0000
Hello, I hereby want to poke some sharp sticks/throw stones in a glasshouse into what is known as security architecture and the profession of a security architect, esp. its "enterprise" variant.

My accusation is as follows: there isn't anything in enterprise security architecture that can't be summed up as "DMZ-esque" or "be suspicious of things that traverse security boundaries".

Before I list a few examples, I wanted to state that I have no formal qualifications as a security architect, so on one hand I am not invested, on the other I'm perhaps ignorant.

Example number 1. The UK's CESG has a service offering called "CESG IA Policy Portfolio". This closed-access collection of documents is a remarkably short list from what I can gather in public sources. The best known public example is the "Walled Garden" (https://www.gov.uk/government/publications/end-user-devices-security-guidance-samsung-devices-with-knox/end-user-devices-security-guidance-samsung-devices-with-knox see image section 4) which is, well, a variant of DMZ. I am not accusing CESG of doing a bad job, far from it, I am pointing out that there isn't much to say.

Example number 2. The NSA IAD website doesn't even mention security architecture or patterns. If it'd be very useful, I bet they would publish. Yet the folks over there deemed that producing hardening checklists is more useful.

Example number 3. Google for SABSA security patterns or TOGAF security patterns and find very little useful.

Now, if you do look at what official architects are saying, like in this presentation (http://www.slideshare.net/KrisKimmerleCISSP/enterprise-security-architecture-31820298) by Kris Kimmerle, there is a lot of emphasis on governance, customer demands, constraints and so on, and the architecture artefacts are, in a nutshell, lists of those.

That of course is useful in governance, but I ask you, fine people of Dailydave, how can the poor infosec builder/contractor equivalent, the lowly programmer and sysadmin, be enabled or guided? The answer is, they need rules of thumb and canned configuration templates rather than considerations from afar.

Now, what I think has legs and merit is doing resilience, and by this I mean more than "copy things 3 times and have divergent network links", but rather along the lines of:

* what happens when your main supplier goes suddenly bust or severs ties with you (e.g. sanctions/buy-out)
* what happens when your root of trust (AD/PKI) is compromised beyond repair
* what if your trusted inner circle betray you

etc.

--
Konrads Smelkovs
Applied IT sorcery.
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave