DigitalWorld: Secure by Design

DigitalWorld: Secure by Design

DigitalWorld: Edition4 Secure By Design

This news letter aims to dissect secure by Design from Secure SDLC perspective .

Its applicability During S/W Technology solution R&D and FOSS , 3PP and Supply Chain .

We have proposed a E2E Technology stack/ Framework that applies to Digital Transformation that can be seamlessly applied to IT/OT , ?Industry vertical , ?hybrid environment of on perm and public Cloud , agnostic of form and shape of the Assets ?( cyber-physical assets in microservices or virtual machine form ) considering technical as well as non technical security and privacy controls . ?

This newsletter have broken down the SDLC into 7 phases ( Req , Design , Deployment , Testing , Release , Deployment and O&M ) and applicable security and privacy activities during each of the SDLC phases .

This shall also cover some of the reference security architecture that are available ?for example Microsoft and AWS .


Secure By Design – Definition

Secure by design” means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.

?Software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape .

Secure (IT/OT) development practices and multiple layers of defense— known as defense-in-depth—is also recommended to prevent malicious actors from compromising systems or obtaining unauthorized access to sensitive data

The authoring organizations further recommend manufacturers use a tailored threat model during the product development stage to address all potential threats to a system and account for each system’s deployment process

Defense in depth – definition

“Defense in Depth” is a security strategy that involves implementing multiple layers of protection throughout an information technology (IT) /OT infrastructure, covering hardware, software, and human aspects .?This principle implies that if one security control fails, other layers will still provide protection1 .

?

It leverages multiple security measures to protect an organization’s assets.?The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way .?Defense in depth addresses the security vulnerabilities inherent not only with hardware and software but also with people, as negligence or human error are often the cause of a security breach .

?

Defense in depth is a comprehensive approach that employs a combination of advanced security tools to protect an organization’s endpoints, data, applications, and networks .?The goal is to stop cyber threats before they happen, but a solid defense-in-depth strategy also thwarts an attack that is already underway, preventing additional damage from taking place .

Antivirus software, firewalls, secure gateways, and virtual private networks (VPNs) serve as traditional corporate network defenses and are certainly still instrumental in a defense-in-depth strategy .?However, more sophisticated measures, such as the use of machine learning (ML) to detect anomalies in the behavior of employees and endpoints, are now being used to build the strongest and most complete defense possible .

?

Defense in depth is needed now more than ever as more employees work from home and as organizations increasingly rely on cloud-based services .?With employees working from home, organizations must address the security risks associated with employees using their own devices for work and their home Wi-Fi connection to enter the corporate network .?Even with IT resources in place, vulnerabilities are inherent in devices used for both work and personal use—vulnerabilities exploited by cyber crimin al .

?

Secure by Design – Reference framework

The? Secure Software Development Framework (SSDF) ?is a specification that defines the software development security requirements .?It is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFE Code

The SSDF practices are organized into four groups :

Prepare the Organization (PO): Ensure that the organization’s people, processes, and technology are prepared to perform secure software development at the organization level and, in some cases, for individual development groups or projects.

Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.

Produce Well-Secured Software (PW): Produce well-secured software with minimal security vulnerabilities in its releases.

Respond to Vulnerabilities (RV): Identify residual vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.

Each practice is defined with the following elements

Practice: The name of the practice and a unique identifier, followed by a brief explanation of what the practice is and why it is beneficial.

Task: An action that may be needed to perform a practice

Notional Implementation Example: A notional example of types of tools, processes, or other method that could be used to help implement a task.

The SSDF provides a common language for describing secure software development practices, which can be used to foster communications for procurement processes and other management activities .?Following these practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences

?

E2E Technology framework? for Digital Transformation

To Consider a purist view of Assets and applicable security and Privacy Controls below layered framework has been designed .

This framework helps two folds

§? This provides a clear E2E View in terms of End user/customer devices along with the various traffic Flow /interaction that shall be protected and supported? .This layer diagram acts as a reference diagram helping in identifying what and how assets needs to be protected , what security and privacy controls and associated security and privacy activities shall be in R&D , preproduction and production scenario including threat Intelligence .

§? This shall also give? a view what are the Cyber security and privacy activities including GRC shall be performed ?and what is the current Level of compliance


·???????? Application Layer and device verticals includes? VM Based? workload , Microservices based workload ,? Propriety Applications? , Mobile App etc? , Mobile or Laptop end point devices .

·???????? Connectivity Layer – connectivity from the devices to Enterprise public facing application

·???????? Infrastructure layer – H/W , Virtualization and Cloud infrastructure layer , this is pre-re???? quisite for running VM based workload , micro services based workload??

·???????? Security and Privacy Controls are based on Cyber? security and privacy framework and applicable regulation and compliances .?

?

?E2E Technology Stack for Digital Transformation – Layer and Applicable S/W Development Components

This layered stack is created to highlight the security and privacy needs from an E2E Perspective .?

In Modern days of S/W Solution/Technology product development ,? Security should not be? focussed only from the S/W a specific organization is developing .

Infact quite some ?software are being developed using Free and open source and 3PP Components . ?In Addition the use case of Mobile App? , Server Side Development for Mobile App ,? Microservices and VM based workload requires IaaS and CaaS platform as a pre-requisite to run .Since IaaS/CaaS platform could be on Perm from Vendor such as Redhat/Vmare or ?public Cloud provider ( AWS , GCP , AZURE/Microsoft ) .

?Following the secure by design SDLC requires multiple stakeholders to be involved and each one of those confer to a similar or minimum set of security and privacy controls and activities to ensure a right level of security and privacy for a given s/w solution /product/application .

?Cyber security frameworks , ISO Standards applicable to Digital Transformation E2E Stack – for IT/OT

?

Secure by Design including Industrialization – Secure SDLC Phases ,? Security and privacy Activities in Secure SDLC Phases and beyond irrespective of the Form and shape of the application and devices where these application run .

Industrialization of S/W Solution/Product/Application? shall ideally consider below phases including Secure SDLC

§? Requirement

§? Design? Generic Privacy and security functional area applicable for any S/W Technology product

§? Development

§? Testing

§? Release

§? Deployment

§? Operation and Maintenance

Requirements

Each phase of the SDLC must contribute to the security of the overall application. This is done in different ways for each phase of the SDLC, with one critical note: Software development life cycle security needs to be at the forefront during each stage/step of SDLC .

In this early phase, requirements for new features are collected from various stakeholders. It’s important to identify any security considerations for functional requirements being gathered for the new release.

When considering the security functional area requirements in software development, it’s important to focus on the following aspects:

§? Authentication: The software should have a robust mechanism for verifying the identity of users, systems, and applications.

§? Authorization: Once authenticated, the software should correctly grant or deny access rights to users, systems, and applications.

§? Availability: The software should remain accessible and usable to authorized users whenever required.

§? Confidentiality: The software should protect sensitive information from unauthorized access and disclosure.

§? Integrity: The software should ensure the accuracy and completeness of data. It should prevent unauthorized modification of data.

§? Non-repudiation: The software should provide proof of the origin or delivery of data to protect against denial by one of the parties involved.

§? Auditability: The software should log and audit security-relevant events to provide evidence if a security incident occurs.

§? Privacy: The software should ensure that personal information is handled according to legal and ethical standards.

?

From the above outlined security and privacy requirement and to Institutionalize Secure by Design for any application ,these requirements requires a translation into more technical level security and privacy requirement as captured in the table below .?

Above Table translates the Business level security and Privacy Requirement into more technical functional requirements. These security requirements are applicable to each layer existing in E2E Technology Stack for Digital Transformation . These? Technical security and privacy? requirements shall be considered in subsequent SDLC? phases such as design and development till release .

Though tools and solutions? needed ?to implement the security and privacy requirement for below use cases could be different .

·???????? On perm IaaS Platform

·???????? On Perm CaaS Platform

·???????? Public Cloud IaaS Platform

·???????? Public Cloud CaaS Platform

·???????? Mobile App

·???????? Server Side App S/W ?Development

·???????? Application in VM Form

·???????? Application in microservices form

?

Design

During this phase of the Secure Software Development Life Cycle (SDLC ) , several key considerations are taken into account such as

Reviewing Security Requirements: The specific security requirements of the application are reviewed.?These might include compliance with industry standards, organizational policies, and regulations .

Identifying Weaknesses and Design Flaws : Potential weaknesses and design flaws are identified through brainstorming .?This process involves adopting an “attacker” mindset to find vulnerabilities .

Threat Modelling and Risk Analysis : Threat models are established, and a comprehensive risk analysis is conducted .?This involves assessing different risks using threat modelling techniques and ranking them based on the severity and probability of the risk .

Privacy impact Analysis :? Privacy impact assessment goal is to determine the impact a new S/W Solution/Product/Application can have on the privacy of individuals . It is dependent on the kind of users/data that an application either collect, generates or stores/process. The goal of privacy impact assessment is to manage , minimize or eliminate the privacy impact .

Incorporating Security Features : Security features are incorporated into the design before actual development (coding) begins3 .?This allows everyone on the development team to fully understand the significance of security and the importance of ensuring the integration of security features in the software project3 .

During? this phase translates in-scope requirements into a plan of what this should look like in the actual application. Here, functional requirements typically describe what should happen, while security requirements usually focus on what shouldn’t.

?

For example

-????? Sample functional design:?page should retrieve the user’s name, email, phone, and address from CUSTOMER_INFO table in the database and display it on screen.

-????? Sample security concern:?we must verify that the user has a valid session token before retrieving information from the database. If absent, the user should be redirected to the login page.

?

?

Secure Design Principle ?The software should be designed considering security principles such as? least privilege, defense in depth, and fail securely .??

Please? note that ?goal of Secure SDLC is include security in the scope of developer responsibilities and empower them to build secure applications from the outset

?

Threat Modelling

Threat modelling in software development is a structured process of using hypothetical scenarios, system diagrams, and testing to help secure systems and data. By identifying vulnerabilities, helping with risk assessment, and suggesting corrective action, threat modelling helps improve cybersecurity and trust in key business systems.

When performed correctly, threat modelling can provide a clear line of sight across a software project, helping to justify security efforts1 .?It helps an organization document knowable security threats to an application and make rational decisions about how to address them . Threat modelling is best applied continuously throughout a software development project .?Ideally, a high-level threat model should be defined early on in the concept or planning phase, and then refined throughout the lifecycle .?As more details are added to the system, new attack vectors are created and exposed .

?

Overall, threat modelling ?helps to detect problems early in the software development life cycle (SDLC)—even before coding begins, spot design flaws that traditional testing methods and code reviews may overlook, evaluate new forms of attack that you might not otherwise consider, and remediate problems before software release and prevent costly recoding post-deployment

How to Threat Model

·???????? Identify the Scope and Assets: Define the scope and the assets you are trying to protect.?Start by creating an inventory of the systems, applications, and data involved .

·???????? Create a Data Flow Diagram (DFD): A data flow diagram illustrates how data flows through different components of your system.?It helps identify external entities, data sources, data stores, and the flow of data between these entities including user access flows .

·???????? Identify Threats: Once your data flow diagram is in place, you can proceed to identify various threats that can exploit vulnerabilities in your system.?Consider both technical and non-technical threats .

·???????? Evaluate and Prioritize Threats: Evaluate each identified threat based on its impact and likelihood of occurrence.?Assign a risk rating to each threat by considering factors such as potential damage, likelihood, and the difficulty of exploiting the vulnerability .

·???????? Define Countermeasures: After prioritizing the threats, it’s time to define countermeasures to mitigate these risks.?For each threat, brainstorm potential solutions and countermeasures that can be implemented 1 .

·???????? Validate that the Threats have been Mitigated : This is the final step where you validate that the threats have been mitigated

?

Threat Modelling? Methodology for software system /solution/product/application

§? STRIDE : Developed by Microsoft, STRIDE is a well-established threat modelling methodology .?The STRIDE acronym stands for Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege, representing a comprehensive list of major threat classes that a system may face .

§? PASTA : The Process for Attack Simulation and Threat Analysis (PASTA) is a risk-focused 7-step threat modelling methodology .

§? Trike: Trike is a threat modelling methodology that is designed to be a part of the software development process.?It is used to define security requirements based on a risk model of the application .

§? Attack Trees : Attack trees provide a methodical way of describing the security of systems, based on varying attacks .

§? Continuous Threat Modelling : An explicitly developer-friendly approach .

Each of these methodologies has unique methods and frameworks to identify, analyse, measure, and sort threats.?The choice of methodology depends on the specific needs and context of the organization

?

PIA

A Privacy Impact Assessment (PIA) is a type of impact assessment conducted to determine the impact a new S/W Solution/Product/Application introduction can have on the privacy of individuals .?It sets out recommendations for managing, minimizing, or eliminating that impact . PIA Involves

§? What personal data /info is stored

§? Whether the S/W System is handling sensitive personal data for example in Telco OSS Systems handles the subscriber data making use of telephony or data services has all the unique details stored in HLR/HSS . For Banking/PCI DSS , it is Credit card information .

§? What are the classes of users that gets created and what information gets stored/collected for system or operational user .

§? Does S/W System logs contains any information regarding the user id /user name printed/stored? in the logs . Whether these ?logs gets used as a part of debugging a issue in the system ? .

The PIA process involves examining the organization’s own procedures to see how they influence or potentially endanger the privacy of the people whose data it collects, stores, or processes .?The main objectives of a PIA are to ensure that all privacy-related legal, regulatory, and policy standards are met, identify and assess the risks of data breaches and other incidents, as well as their consequences, and to identify suitable privacy safeguards to reduce unacceptable risks . It’s important to note that a PIA isn’t only a legal checklist or a one-time activity.?It’s also not a marketing tool that simply displays the project’s advantages, nor is it a justification for policies or practices that are already in place2 .?It’s a proactive and systematic way to ensure that privacy considerations are addressed and incorporated throughout the development life cycle of a system or program .

PIA Methodology for software system /solution/product/application

TRIM?and?LINDDUN?are two methodologies that can be used in conducting a Privacy Impact Assessment (PIA).

TRIM (Threat Risk Impact Management) ?is a methodology used to identify and manage risks, including privacy risks .?It involves identifying potential threats, assessing the impact of these threats, and implementing controls to manage them .?TRIM is often used in conjunction with other risk management methodologies to provide a comprehensive approach to risk management .

LINDDUN ?is a privacy threat modeling framework developed by privacy experts at KU Leuven .?It provides a systematic and practical approach to assess the privacy posture of a software system . ?LINDDUN stands for Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance .?These represent different types of privacy threats that need to be considered during a PIA .

In the context of a PIA, both TRIM and LINDDUN can be used to identify potential privacy threats, assess their impact, and determine appropriate mitigation strategies .?They provide a structured approach to privacy risk management, helping organizations to ensure that privacy considerations are effectively addressed throughout the development life cycle of a system or program

Development

The?development phase?in the?Software Development Life Cycle (SDLC)?is a critical stage where the actual creation of the software takes place.?During this phase, programmers and developers write code and build the software based on the requirements and design specifications outlined in the earlier phases, such as the design phase and requirements analysis phase

Following are the practices/guidelines that must be adhered by Developer and programmer during Software development phase .

·???????? Secure Coding Practices: Developers should follow secure coding practices to prevent common vulnerabilities. This includes avoiding known insecure coding patterns, using secure libraries and frameworks, and regularly updating and patching these dependencies.

·???????? Input Validation: All user inputs should be validated before processing to prevent attacks such as SQL injection, cross-site scripting (XSS), and command injection.

·???????? Authentication and Authorization: Implement strong user authentication and ensure that users can only access data and functions that they are authorized to. Implementing strong user authentication and authorization mechanisms is key to preventing unauthorized access to your software and data

·???????? Secure Dependencies: Ensure that all third-party libraries, frameworks, and other dependencies are kept up-to-date and checked for vulnerabilities.

·???????? Data Security: Protecting the data that your software collects, processes, and stores is crucial. This includes encrypting sensitive data, implementing proper access controls, and ensuring compliance with data protection regulations. Sensitive data should be encrypted both in transit and at rest. Also, consider privacy requirements for data handling

·???????? Error Handling and Logging: Proper error handling can prevent the leakage of sensitive information. Logging can help in detecting, investigating, and resolving security incidents. Do not reveal sensitive information in error messages. Maintain logs to help in detecting and investigating security incidents

·???????? Software Release Update/Migration

?

SCA - Software Composition Analysis (SCA) is a crucial aspect around the identification and management of 3PP/FOSS third-party code and open-source software used in software development. The objective of SCA is to identify any potential security vulnerabilities, license compliance problems, and code quality issues that may arise in the software supply chain and could become a potential issue at the time of deployment or in O&M phase of SDLC .

Testing

?

Security Testing is the process of testing, analysing, and reporting on the security level of an S/W Technology product/solution as it moves through the SDLC. Regularly conducting security testing , vulnerability assessment and? Code reviews can help identify and fix security issues early in the development process.It makes a given S/W Product/Solution/Application more resistant to security threats by identifying security weaknesses? and vulnerabilities in the source code. Security Testing can be static, dynamic, or interactive, and it can be manual, automated, or a combination of both. Most organizations use a combination of severalsecurity testing methodologies .

???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

SAST ( Static Application Security Testing ) .

SAST is a testing methodology that helps scan or analyze source code for security vulnerabilities. SAST is also known as static code analyzers and source code analysis tools, SAST tools are application security tools that detect security vulnerabilities within the source code of applications. The output of a SAST is a list of security vulnerabilities, including the type of vulnerability and the vulnerability location in the application’s codebase

DAST ( Dynamic Application Security Testing )

DAST is a type of security testing that focuses on identifying vulnerabilities in web applications and APIs by actively testing them from the outside

Dynamic Application Security Testing (DAST) Also known as web scanners, DAST tools find security vulnerabilities in web applications while the application is running, verifying the security during run time by testing different attack types against the running application. DAST does not require access to the application’s source code. The vulnerability assessment is conducted from the exterior, with no access to the application source code architecture, so DAST is considered a black-box assessment approach. DAST simulates controlled attacks on a running web application or service to identify exploitable vulnerabilities in a running environment.

SAST and DAST Tools for E2E Digital Transformation Stack

Release

The?release stage?in the?Software Development Life Cycle (SDLC)?marks the point where the software product is ready and can be deployed in the customer environment .

During this stage SBOM , Release Notes , Deployment and Configuration Guide ,including security and privacy documentation such as security and privacy user guide , hardening guide and security Compliance documentation shall also be released .

SBOM

A Software Bill of Materials (SBOM) is a comprehensive list of all the software components, dependencies, and metadata associated with an application .?It functions as the inventory of all the building blocks that make up a software product .

In the context of a software release, an SBOM plays a crucial role in ensuring transparency, managing open-source software and third-party dependencies, identifying and mitigating security vulnerabilities, and complying with legal and regulatory requirements .

SBOM Contains below information

  1. Inventory: An SBOM provides an inventory of all software components and dependencies. Modern software applications often leverage third-party libraries and frameworks. Many of these dependencies have their own dependencies on other components.?The result is a complex nesting of interconnected components
  2. Component Origins and Licenses: Included with this inventory is information about component origins and licenses.?By understanding the source and licensing of each component, an organization can ensure that the use of these components complies with legal requirements and licensing terms .
  3. Security Vulnerabilities: An SBOM also plays a vital role in identifying and mitigating security vulnerabilities. With an inventory of components and dependencies, an organization can systematically check the inventory against databases of known vulnerabilities (such as the Common Vulnerabilities and Exposures database).?Security teams can proactively identify and address potential threats in software application dependencies before attackers can exploit them .

In microservices, each service is built and deployed independently.?An application is a logical collection of microservices .?Therefore, an SBOM is associated with each microservice, and each new released version of a microservice requires a new SBOM .

Similarly? each VM Can be built independently and collection of VM’s makes an application . for any change in any component of any VM shall also trigger a change in SBOM.

?Software Product Release Notes:

  1. Release notes, on the other hand, are documents prepared by software developers to communicate changes, enhancements, and bug fixes in a new software release.
  2. They provide users with information about the new features, improvements, and issues resolved in the latest version of the software.
  3. Release notes may also include known issues that have not been resolved in the current release, as well as any workarounds for these issues.
  4. Unlike an SBOM, release notes focus more on the functional aspects of the software rather than its composition .

In summary, while an SBOM provides a detailed inventory of all components and dependencies in a software product, release notes provide a high-level overview of what has changed in a new version of the software.

Deployment

Deployment is the stage where a Released S/W Product/Solution/Application? is to be run in the Customer Environment or Target environment . From security stand point , it is assumed that all prior security steps has been well taken care in Secure SDLC prior to deployment . Deployment requires software to be deployed in a secure environment using secure configuration? using firewall , hardening and other applicable security and Privacy activities ?.This stage considers aspect such as form and shape of the S/W? ( VM Based application/workload , microservices based workload , Mobile App , Server Side S/W ) ?and associated infrastructure platform such as IaaS/CaaS and deployment scenario i.e on Premises or Public Cloud . During the deployment . S/W Release Notes , SBOM? , Deployment and Configuration Guide , Security and Privacy user guide? and hardening guide gets used while deploying the S/W . Deployment also requires consideration of? IaaS and CaaS environment on which a given S/W release has been ?tested/validated .

During secured deployment and configuration? , PKI and encryption algorithms? ,? role based user /password and? Digital Certificates like SSL/TLS gets considered . Post secured configuration , Hardening is performed , Hardening helps in reducing the attack surface .??

Security Solutioning and Engg ( if new security and privacy solutions/controls shall need to be introduced ) and principle? like Network segmentation/Micro segmentation and? defining trust boundaries shall find their relevance during the S/W Deployment Phase? .??

Once the S/W is deployed securely ?,? S/W must be integrated with the existing security and privacy Controls as highlighted in E2E Technology stack for Digital Transformation. Minimum set of controls where the integration shall be? required for a cybersec/infosec program is IAM/PAM , SIEM/SOAR and firewalls and DLP? .

For IaaS/CaaS infrastructure and workload in Addition to Traditional Security and privacy controls , there are newer set of solutions that has evolved from 2010 onwards .? These Tools such as CWAPP , CSPM , CIEM and CNAPP helps during the Deployment and O&M for security and privacy incidents mgmt.

CWAPP

According to Gartner, a?Cloud Workload Protection Platform (CWPP) ?is a “workload-centric security solution that addresses the unique requirements of server workload protection in modern hybrid data center architectures that span on-premises, physical, and virtual machines (VMs), and multiple public cloud infrastructure as a service (IaaS) environments.” A CWPP deployment would ideally support container-based application architectures as well.?

The purpose of CWPP technology is to secure server workloads in the public cloud. A CWPP solution discovers workloads that exist within an organization’s cloud-based deployments and on-premises infrastructure, offering a centralized solution for extending visibility into cloud resources in order to secure cloud workloads.

CSPM

Cloud Security Posture Management (CSPM) ?is a market segment for cloud security tools that aredesigned to identify misconfiguration issues and compliance risks in the cloud. An important purpose of any CSPM solution is to continuously monitor cloud infrastructure for gaps in security policy enforcement.

CSPM platforms automate the identification – and in some instances the remediation – of risks across cloud infrastructures. Monitoring of the cloud infrastructure can be done through periodical queries that return a series of alerts about security policy or best practices violations. CSPMs provide organizations with centralized visibility and risk assessments of their entire cloud infrastructure.

CSPM solutions cover cloud environments and alert staff to misconfiguration mistakes that could expose the cloud environment to security risks or operational inefficiencies. In this way, CSPMs can also help organizations save money, identify important security risks, and educate teams for training.

CIEM

A?Cloud Infrastructure Entitlements Management (CIEM) ?solution identifies anomalies in account entitlements. IT and Security organizations use Cloud Infrastructure Entitlements Management (CIEM) solutions to manage identities and access privileges in public-cloud and multi-cloud environments. CIEM solutions apply the?Principle of Least Privilege ?access to cloud infrastructure and services, helping organizations mitigate the risk of data breaches due to excessive entitlements.

Organization’s cloud environments can have hundreds of millions of discrete permissions granted to people, systems, and cloud services, and many of these may include unused permissions, non-federated accounts, and default and misconfigured permissions. Left unchecked, these permissions become an easy path for attackers to infiltrate cloud deployments. CIEM solutions allows your security team to govern which users (both human and non-human) can access which resources, across multiple clouds, services, users, and nonhuman entities.?

CNAPP

A Cloud-Native Application Protection Platform (CNAPP) provides a holistic view of cloud security risks in one platform. As noted, a CNAPP integrates multiple cloud security capabilities, including CSPM, CWPP, and CIEM, with compliance and cybersecurity risk management.

Instead of siloed views, the right CNAPP solution provides full coverage and visibility into cloud estates and can detect risks across the tech stack, including cloud misconfigurations, insecure workloads, and mismanaged identity access. Furthermore, a? CNAPP should incorporate ‘shift-left’ capabilities to identify risks earlier in the development lifecycle. By combining vulnerabilities, context, and relationships, some CNAPPs are able to perform?cloud attack path analysis , recognizing how seemingly unrelated low severity risks can be combined to create dangerous attack vectors.

?

Once the deployment and integration is completed on target infrastructure /platform ?, ??Vulnerability assessment shall? be performed? on the full stack to check and identify the vulnerabilities and mitigation plan for those vulnerabilities .? Mitigation can be either using patching/updating or via other security controls/counter measures . Post Deployment depending on the operational Model of the Customer , the RACI Matrix has to be agreed on between S/W Supplier/manufacturer and Customer . This shall allow the right focus on cyber security and privacy controls? and also help in cyber security issues/incidents handling .

Operation and maintenance

O&M refers to a broad set of activities involved in managing and maintaining large facilities. O&M from security and privacy point of view shall require managing and maintaining security controls and technologies. Responsibilities of the Security Operations team include:

§? Monitoring and Responding to Security Incidents: Detecting and addressing security threats promptly.

§? Implementing and Maintaining Security Controls: Ensuring that security measures are in place.

§? Conducting Security Assessments: Identifying vulnerabilities ( using vulnerability assessment or penetration testing ) ?and taking corrective actions.

§? Developing Security Policies and Procedures : Establishing guidelines for secure practices .

§? Maintenance and Updates: Regularly update and patch the software to fix any newly discovered vulnerabilities. This also includes monitoring for any unusual activity or potential security incidents.

?

?

?

?


Secure by Design - SDLC Phases - Applicable Security Assurance activities

Microsoft cybersecurity solutions – Key Offering

Protect multi-cloud identities and network access

?Securely connect all of your users, apps, and devices with a complete identity solution. This is an adaptable solution that protects every identity and secures access to every resource

Unified security operations platform

A unified security operations platform breaks down security silos and empowers security teams to detect? and disrupt cyberthreats in near real?time, streamline investigation and response, and provide guided recommendations to help prevent repeat and future cyberattacks.

Data security

Secure sensitive data across your digital landscape with multilayered protection.

Cloud security

Get integrated protection for your multicloud apps and resources

Internet of Things security solutions

Safeguard your Internet of Things (IoT) environment, the fastest-growing cyberattack surface in your organization.

MICROSOFT Cybersecurity Reference Architecture ?

The Microsoft Cybersecurity Reference Architectures (MCRA) are the component of?Microsoft's Security Adoption Framework (SAF) ?that describe Microsoft’s cybersecurity capabilities and technologies. The diagrams describe how Microsoft security capabilities integrate with Microsoft platforms and third party platforms like:

·???????? Microsoft 365

·???????? Microsoft Azure

·???????? Third party apps like ServiceNow and Salesforce

·???????? Third party platforms like Amazon Web Services (AWS) and Google Cloud Platform (GCP)

·???????? First and third party AI capabilities

?

The MCRA includes key information about:

·???????? Antipatterns (common mistakes) and best practices

·???????? Guiding rulesets for end to end architecture

·???????? Threat trends, and attack patterns

·???????? Mapping Microsoft capabilities to organizational roles

·???????? Mapping Microsoft capabilities to Zero Trust standards

·???????? Securing privileged access

·???????? Reference plans in SAF (including example of patching modernization)

The MCRA also includes detailed technical/solution? diagrams for:

·???????? Microsoft cybersecurity capabilities

·???????? Zero trust user access

·???????? Security operations (SecOps/SOC)

·???????? Operational technology (OT)

·???????? Multicloud and cross-platform capabilities

·???????? Attack chain coverage

·???????? Infrastructure and Development Security

·???????? Security organizational functions

?

Security Adoption Framework

The Security Adoption Framework (SAF) provides guidance for organizations through end-to-end security modernization across a 'hybrid of everything' multicloud and multi-platform technical estate.

Microsoft Security Adoption Framework

?

MCRA Security Resources

Key Takeaway from Microsoft Cybersecurity Reference Architecture .

-????????? ?It applies to Deployment and O&M Phase of the Secure SDLC . This helps in GRC? Activities and also the cyber security and posture management . Modern security operation centre (SoC ) helps in the cyber security Incident mgmt.

-????????? For cloud native application to be deployed on AZURE or public Cloud Platform , MCRA provides security and privacy controls /constructs that shall avoid the need to integrate with Traditional IAM/PAM , Firewall and workload protection and infrastructure security .

-????????? Data Security and governance ?helps in securing? Data Loss prevention on ?Documents and Office 365 and mobile App.??

?

AWS Key Offerings

Security, Identity, and Compliance on AWS

Secure your workloads and applications in the cloud

Identity and access management

AWS Identity Services help you securely manage identities, resources, and permissions at scale. With AWS, you have identity services for your workforce and customer-facing applications to get started quickly and manage access to your workloads and applications.

Learn more ?

Detection and response

AWS detection and response services help you enhance your security posture and streamline security operations across your entire AWS environment by continuously identifying and prioritizing security risks, while integrating security practices earlier in the development lifecycle.

Learn more ?

Network and application protection

Network and application protection services help you enforce fine-grained security policy at network control points across your organization. AWS services help you inspect and filter traffic to prevent unauthorized resource access at the host-, network-, and application-level boundaries.

Learn more ?

Data protection

AWS provides services that help you protect your data, accounts, and workloads from unauthorized access. AWS data protection services provide encryption capabilities, key management, and sensitive data discovery to help you protect your data and workloads.

Learn more ?

Compliance

AWS gives you a comprehensive view of your compliance status and continuously monitors your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows.

?

AWS Security Reference Architecture

The following diagram illustrates the AWS SRA. This architectural diagram brings together all the AWS security-related services. It is built around a simple, three-tier web architecture that can fit on a single page. In such a workload, there is a?web tier?through which users connect and interact with the?application tier,?which handles the actual business logic of the application: taking inputs from the user, doing some computation, and generating outputs. The application tier stores and retrieves information from the?data tier. The architecture is purposefully modular and provides high-level abstraction for many modern web applications

AWS Security Reference Architecture

For this reference architecture, the actual web application and data tier are deliberately represented as simply as possible, through Amazon Elastic Compute Cloud (Amazon EC2) instances and an Amazon Aurora database, respectively. Most architecture diagrams focus and dive deep on the web, application, and data tiers. For readability, they often omit the security controls. This diagram flips that emphasis to show security wherever possible, and keeps the application and data tiers as simple as necessary to show security features meaningfully.

The AWS SRA contains all AWS security-related services available at the time of publication. However, not every workload or environment, based on its unique threat exposure, has to deploy every security service. Our goal is to provide a reference for a range of options, including descriptions of how these services fit together architecturally, so that your business can make decisions that are most appropriate for your infrastructure, workload, and security needs, based on risk.

AWS Privacy Reference Architecture

?

For many, privacy is cross-cutting. Many different teams have a part to play, including regulatory, compliance, and engineering teams. When your organization has started to define the key people and policy components of your privacy program, you can map controls against a privacy compliance framework for consistent operations. A framework can serve as a rubric for implementing foundational and application-specific privacy controls for personal data in your AWS environment.

Regardless of the framework that customers use to categorize their privacy requirements, privacy compliance, privacy engineering, and application teams often need to work together to achieve implementation goals. For example, regulatory and compliance teams might provide the high-level requirements, and engineering and application teams configure AWS services and features to align to these requirements. Starting with a control framework can help you define more prescriptive organizational and technical controls.

When defining the technical controls of AWS services and features, another key decision is whether a control should apply to the entire organization, an OU, an account, or a specific resource. Some services and features are a great fit for implementing controls across your full AWS organization. For example,?blocking public access to Amazon S3 buckets ?is a specific control that is preferably configured at the organization root rather than individually for each account. However, your retention policies might vary from application to application, which means that you might apply the control at the resource leve

?

The following diagram illustrates the AWS Privacy Reference Architecture (AWS PRA). This is an example of an architecture that connects many privacy-related AWS services and features. This architecture is built on a landing zone that is governed by AWS Control Tower.

?


AWS Privacy Reference Architecture

The AWS PRA includes a serverless web architecture that is hosted in the Personal Data (PD) Application account. The architecture in this account is an example workload that collects personal data directly from consumers. In this workload, users connect through a web tier. The web tier interacts with the application tier. This tier receives inputs from the web tier, processes and stores the data, allows authorized internal teams and third parties to access the data, and eventually archives and deletes the data when it's no longer required. The architecture is purposefully modular and event-driven in order to demonstrate many of the foundational privacy engineering techniques without delving into specific use cases, such as data lakes, containers, compute, or Internet of Things (IoT).

?

Key Takeaway from AWS Security and Privacy ?Reference Architecture

-????????? ?It applies to Deployment and O&M Phase of the Secure SDLC . This helps in GRC? Activities and also the cyber security and posture management .

-????????? ?AWS also works on AWS EC2 Cloud Instance and provides security and privacy controls /constructs that shall avoid the need to integrate with Traditional IAM/PAM , Firewall and helps in network and application protection and compliances? .

-????????? Data Protection ?services provide encryption capabilities, key management, and sensitive data discovery to help you protect your data and workload

?

Current Challenges and Road Ahead

-????????? There exists a problem of too many security and privacy solution in the customer environment

-????????? E2E Unified Visibilty of Security and privacy incident monitoring and management is the key across orgnization digital infrastructure landscape

-????????? Consolidation of the tools/solution remains the key ask from Cyber security and privacy customers

-????????? IPR and RACI Matrix , security and privacy compliance and posture management? becomes a key challenge in case people? building the S/W are consuming that 3PP Security services /API , this shall force a different level of alliance and partnership .?

-????????? Focus of the Security and privacy Tool solution? has to be on assets composed of cyber-physical system , data/info , Traffic Flow .

?

References

???????? I.??????????? Secure by Design | CISA

?????? II.??????????? Cross-Sector Cybersecurity Performance Goals | CISA

???? III.??????????? Cloud Native Security Whitepaper | CNCF

??? IV.??????????? Define Security Requirements for Software Development - 16 Practices ( securityscientist.net )

????? V.??????????? Mastering Threat Modeling and Risk Assessment: A Beginner's Guide | LinkedIn

??? VI.??????????? Secure SDLC | Secure Software Development Life Cycle | Snyk

?? VII.??????????? What Is the Secure Software Development Life Cycle (SDLC)? | Synopsys Blog

?VIII.??????????? Cloud Security: A Primer for Policymakers - Carnegie Endowment for International Peace

???? IX.??????????? Cloud Security Services | Microsoft Security

?????? X.??????????? Microsoft Cybersecurity Reference Architectures (MCRA) | Microsoft Learn

???? XI.??????????? Cloud Security, Identity, and Compliance Products – Amazon Web Services (AWS)

?? XII.??????????? AWS Security Reference Architecture (AWS SRA) - AWS Prescriptive Guidance ( amazon.com )

?XIII.??????????? AWS Privacy Reference Architecture (AWS PRA) - AWS Prescriptive Guidance ( amazon.com )

?XIV.??????????? SOC 1? vs. SOC 2?: What’s the Difference and Which Do You Need? ( secureframe.com )

?

.

Om Prakash Singh

Principal Cyber Security Architecture & Consulting || GenAI CGEIT CRISC CySA+ CSPA+TOGAF9 IBM-SOA Watsonx | IBM MS Security | AWS AZ Oracle |Oracle 9i DB2|Data AI |AIX |Rational | CCA CSBA CSM PPSO CBE L6σGB eTOM ||

6 个月

????

回复

要查看或添加评论,请登录

社区洞察

其他会员也浏览了