Common Security Architecture Principles
Principles are the most enduring concept in security architecture; they generally do not change much over time.
Below are common principles I have encountered in many organisations, and they make good sense.
Not all of the principles I list here are adopted with the same rigour and diligence. In many cases their adoption depends on the size of the organisation, the business it is in, the type of data it handles, regulations, and many other criteria.
Let’s have a look at some of them and what they mean.
1. Least Privilege (in military terminology, “need to know”)
Under this principle, people in your organisation have just enough access to do their jobs. It drives many security controls, several of them in the Identity and Access Management space, for example regular user access reviews that remove access no longer needed. Another example is firewall rule policies, which should be as explicit as possible.
2. Defence in depth
This principle assumes that some of your systems have already been compromised, and it leads to a layered approach: additional controls at the next layer of defence catch what the first layer missed. For example, you have a perimeter firewall with explicit rules, then an intrusion detection system on the firewall and on the network behind it, then endpoint detection systems, and so on.
3. Segregation of duties
This is not just a security principle but a more general enterprise governance principle. An example would be one person preparing a money transfer to pay an invoice and another person authorising the actual transfer. A related example is dual control, where a certain action requires approval by two people.
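A worked example of dual control, added here as an illustration and not part of the original article: a transfer request that can only be released after two distinct people approve it, and the person who prepared it is refused as an approver. The class and field names (TransferRequest, prepared_by, APPROVALS_REQUIRED) and the sample users are assumptions made for the example.

```python
# Added example: dual control for a money transfer. TransferRequest,
# APPROVALS_REQUIRED and the user names are assumptions for this illustration.

APPROVALS_REQUIRED = 2  # "dual control": two distinct approvers


class DualControlViolation(Exception):
    """Raised when an action would break segregation of duties."""


class TransferRequest:
    def __init__(self, request_id, prepared_by, amount, payee):
        self.request_id = request_id
        self.prepared_by = prepared_by   # the person who prepared the transfer
        self.amount = amount
        self.payee = payee
        self.approvers = set()           # distinct user ids; a repeat is a no-op
        self.released = False

    def approve(self, user):
        """Record an approval, refusing self-approval and post-release changes."""
        if self.released:
            raise DualControlViolation(
                f"request {self.request_id} is already released")
        if user == self.prepared_by:
            raise DualControlViolation(
                f"{user} prepared request {self.request_id} and cannot approve it")
        self.approvers.add(user)
        return len(self.approvers)

    def approvals_outstanding(self):
        """How many more distinct approvals are needed before release."""
        return max(0, APPROVALS_REQUIRED - len(self.approvers))

    def release(self):
        """Execute the transfer only once enough distinct people have approved."""
        if self.approvals_outstanding() > 0:
            raise DualControlViolation(
                f"request {self.request_id} needs "
                f"{self.approvals_outstanding()} more approval(s)")
        self.released = True
        return True


def try_approve(req, user):
    """True if the approval was accepted, False if dual control refused it."""
    try:
        req.approve(user)
        return True
    except DualControlViolation:
        return False


def run_scenario():
    """Constructed walk-through: alice prepares, bob and carol approve."""
    req = TransferRequest("TR-0001", "alice", 12500.00, "ACME Supplies Ltd")
    outcomes = [(user, try_approve(req, user))
                for user in ("alice", "bob", "bob", "carol")]
    req.release()  # succeeds: two distinct approvers, neither of them alice
    return req, outcomes


if __name__ == "__main__":
    request, events = run_scenario()
    for user, accepted in events:
        print(f"{user}: {'approved' if accepted else 'refused'}")
    print("released:", request.released, "approvers:", sorted(request.approvers))
```

The set of approvers is what makes the control hold: approving twice from the same account does not count twice, and the preparer is excluded before the count is even checked.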
4. Fail safely
This means that if the system fails in some way, none of its security controls are compromised. A good example from physical security is doors that remain locked during a power failure. In the firewall example, it is better to stop all traffic when the firewall fails than to allow all of it.
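The following worked example ties together the two firewall points made above: explicit allow rules with an implicit default deny (principle 1) and failing closed when the policy itself cannot be loaded (principle 4). It is added here for illustration and is not from the original article; the JSON policy format, the rule fields, the addresses and the function names are all assumptions made for the example.

```python
# Added example: explicit first-match firewall rules with default deny, and a
# fail-closed decision wrapper. Policy format, addresses and names are assumed.
import ipaddress
import json

# Constructed sample policy. Only what is listed is allowed; the host-specific
# deny is placed first so the broader allow below it cannot override it.
POLICY_JSON = """
[
  {"action": "deny",  "src": "10.0.1.66/32", "dst": "0.0.0.0/0",    "proto": "any", "port": 0},
  {"action": "allow", "src": "10.0.1.0/24",  "dst": "10.0.2.10/32", "proto": "tcp", "port": 443},
  {"action": "allow", "src": "10.0.1.0/24",  "dst": "10.0.2.53/32", "proto": "udp", "port": 53}
]
"""

# Constructed sample packets (5-tuple reduced to what the rules inspect).
PACKET_WEB = {"src": "10.0.1.5", "dst": "10.0.2.10", "proto": "tcp", "port": 443}
PACKET_SSH = {"src": "10.0.1.5", "dst": "10.0.2.10", "proto": "tcp", "port": 22}
PACKET_BLOCKED_HOST = {"src": "10.0.1.66", "dst": "10.0.2.10", "proto": "tcp", "port": 443}


def parse_policy(text):
    """Turn JSON rules into matchable form; any malformed entry raises ValueError."""
    rules = []
    for raw in json.loads(text):
        if raw["action"] not in ("allow", "deny"):
            raise ValueError(f"unknown action {raw['action']!r}")
        if raw["proto"] not in ("tcp", "udp", "icmp", "any"):
            raise ValueError(f"unknown protocol {raw['proto']!r}")
        rules.append({
            "action": raw["action"],
            "src": ipaddress.ip_network(raw["src"]),   # raises ValueError if invalid
            "dst": ipaddress.ip_network(raw["dst"]),
            "proto": raw["proto"],
            "port": int(raw["port"]),                  # 0 means "any port"
        })
    return rules


def matches(rule, packet):
    return (ipaddress.ip_address(packet["src"]) in rule["src"]
            and ipaddress.ip_address(packet["dst"]) in rule["dst"]
            and rule["proto"] in ("any", packet["proto"])
            and rule["port"] in (0, packet["port"]))


def evaluate(rules, packet):
    """First matching rule decides; nothing matched means deny (least privilege)."""
    for rule in rules:
        if matches(rule, packet):
            return rule["action"]
    return "deny"


def decide_fail_open(policy_text, packet):
    """Anti-pattern: a policy that cannot be loaded lets everything through."""
    try:
        return evaluate(parse_policy(policy_text), packet)
    except (ValueError, KeyError, TypeError):
        return "allow"


def decide_fail_closed(policy_text, packet):
    """Fail safely: a policy that cannot be loaded blocks everything until fixed."""
    try:
        return evaluate(parse_policy(policy_text), packet)
    except (ValueError, KeyError, TypeError):
        return "deny"


if __name__ == "__main__":
    for name, pkt in (("web", PACKET_WEB), ("ssh", PACKET_SSH),
                      ("blocked host", PACKET_BLOCKED_HOST)):
        print(f"{name:12s} -> {decide_fail_closed(POLICY_JSON, pkt)}")
    broken = POLICY_JSON.replace('"allow"', '"permit"')  # typo in an action
    print("broken policy, fail-open  ->", decide_fail_open(broken, PACKET_WEB))
    print("broken policy, fail-closed ->", decide_fail_closed(broken, PACKET_WEB))
```

Two things to notice: `evaluate` never returns "allow" unless a rule says so, which is what keeps the rule set explicit, and the only difference between the two `decide_*` wrappers is what they return when the policy is broken. Both are "working" code; only one of them is safe to ship.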
5. Principle of Open Design
It means you do not rely on the secrecy of your control’s implementation. A good example is modern cryptographic algorithms: the most common ones are well known to anyone who is interested, and the strength of the encryption comes from the keys, certificates and passwords, which are kept secret.
6. Minimise attack surface
This principle is close to Least Privilege. It leads to keeping your systems as simple as possible and implementing only the absolute minimum of services required. For example, when hardening an operating system, disable any service or application that is not needed by the applications that will run on it.
What are not security principles?
I have a couple of good examples.
The widely used buzzword “Zero Trust” is not a principle; it is more of a strategy or framework. Converting it into principles, one of them would be something like: treat your local network as if it were the external internet. There are other principles for Zero Trust as well, but that is a topic for another article.
Secure by design is likewise not a principle but a strategy and approach.
Any other security principles you have found useful? Please comment; I want to make this article a reference and promise to process all your feedback and input.