Security Architecture
Security architecture is a huge topic and can not be covered in any single document. it requires familiarity with a broad range of network devices, security appliances and their limitations/capabilities to make the best choices.
Types of security architecture:
Enterprise Security Architecture (strategic & program management)
Solution Security Architecture (technology project focused)
Security Engineering (technology implementation focused)
Defensible Design
Characteristics of a defensible network architecture:
Monitored (IDS/IPS/NSM)
Inventored (Knowing every host and application)
Controlled (ingress & egress analysis)
Claimed (ownership identification)
Minimized (reduced attack surface)
Assessed (vulnerability assessment, pentesting, red team engagement)
Failed Mindsets
The LAN is Secure (insider attacks, phishing, physical access)
Perimeter-based Security Model (in-depth compromise, flat network is always vulnerable)
The all-prevent Defense Mindset (prevention and control is critical but defense-in-depth is a must)
Compliance-driven Security (fails in the face of an APT)
We always did it that way (you did it wrong)
Introducing Technology without Analysis (unexpected new attack surface)
Security Architecture Considerations
Network defenses should always operate under presumption of compromise
Preventive controls will fail in the face of a persistent adversary
Know thy network
Architecting with security operations monitoring in mind.
Security Architecture Anti-patters
When administration of a system is performed from a device which is less trusted than the system being administered.
When layered defenses in a network data plane can be short-cut via the management plane
When the same controls are implemented by two firewalls in series, sometimes from different manufacturers.
When you build - in the public cloud - the solution you would have built in your own data centres.
When a third party has unfettered remote access for administrative or operational purposes, without any constraints or monitoring in place.
When a system cannot be patched due to it needing to remain operational 24/7
Time-based Security Formula
prevention time must be longer than detection and reaction time.
P>D+R
P>D+RP : how long our protections last
D : how long it takes us to detect
R : how long it takes us to respond
Common Frameworks
TOGAF: The Open Group Architecture Framework, or TOGAF, helps determine what problems a business wants to solve with security architecture. It focuses on the preliminary phases of security architecture, an organization's scope and goal, setting out the problems a business intends to solve with this process. However, it does not give specific guidance on how to address security issues.
SABSA: Sherwood Applied Business Security Architecture, or SABSA, is a quite policy driven framework that helps define key questions that must be answered by security architecture: who, what, when and why. Its aim is to ensure that security services are designed, delivered and supported as an integral part of the enterprise's IT management. However, while often described as a 'security architecture method', it does not go into specifics regarding technical implementation.
OSA: Open Security Architecture, or OSA, is a framework related to functionality and technical security controls. It offers a comprehensive overview of key security issues, principles, components and concepts underlying architectural decisions that are involved when designing effective security architectures. That said, it can typically only be used once the security architecture is already designed.
Last updated