There's too much noise in cybersecurity. Too many experts try to differentiate by splitting hairs on a detail.
Cybersecurity doesn't need to be complicated.
Here are 2 models to ask questions and find gaps.
Model 1: The CIAAA 5-part 'triad'...
It's often shortened to the "CIA triad", but there are actually 5 parts... and all are essential.
This model helps define what you're trying to do.
I need to be able to...
- keep secrets. That's Confidentiality.
- keep data accurate. That's Integrity.
- access data and processes when I need them. That's Availability.
- know who is accessing or changing data. That's Accountability.
- know who did what and when. That's Auditability.
Each security product and activity helps with one or more of these.
Firewalls - keep the inside of your network secret... Confidentiality.
MFA - identify the people accessing your system... Accountability.
Data backups - get data back when it's deleted... Availability.
Starting with a business need, before the technical answer is defined, means you'll address one of the five needs above and get value for money.
Model 2: The 9 Principles of How You Actually Do Cybersecurity
When you boil it down - how do you actually provide security?
Luckily the NSA has some ideas to help.
They say there are 9 principles that define the "how it's achieved" part of security.
- domain separation: what's in scope (aka things I need to worry about...) and what's not? What's inside vs outside... and where's the boundary?
- process isolation: what parts of the process need to be kept separate? You can't put all the ingredients of a cupcake (cake, frosting, paper cup) in a mixer at the same time and expect a good result... Things need to be separated and sequenced.
- resource encapsulation: keep like things (and processes) together. It's like organising a pantry or a garage.
- least privilege: what do people actually need to do? Limit permissions to that... and no more.
- layering: using just one security measure is fragile. What if it breaks? Better to add layers of defence. It's a bit like Swiss cheese on a bagel... 🧀🥯🤔.
- information hiding: don't share what you don't have to... security is all about the need to know... right?
- simplicity of design: make it as complex as necessary - and no more. Less complex is easier to secure.
- abstraction: cut out the noise and focus on the essential details.
- modularity: when you've got a well-defined and secure component - reuse it. Make it a Lego block - it will cut down your effort and helps drive simplicity in the design.
That's it.
You may have heard about DevOps, DevSecOps, Zero Trust, etc. But all the big new ideas are based on these two models - or one aspect of them.