[Dailydave] [enterprise] security architecture is snake oil

Konrads Smelkovs konrads.smelkovs at gmail.com
Sat Dec 19 11:53:50 EST 2015


Hello,

I hereby want to poke some sharp sticks/throw stones in a glasshouse into
what is known as security architecture and the profession of a security
architect, esp. its "enterprise" variant.  My accusation is as follows:
there isn't anything in enterprise security architecture that can't be
summed up as "DMZ-esque" or "be suspicious of things that traverse security
boundaries".  Before I list a few examples, I wanted to state that I have
no formal qualifications as a security architect, so on one hand, I am not
invested; on the other, I'm perhaps ignorant.

Example number 1. The UK's CESG has a service offering called "CESG IA
Policy Portfolio". This closed-access collection of documents is a
remarkably short list from what I can gather in public sources. The best
known public example is the "Walled Garden"
(https://www.gov.uk/government/publications/end-user-devices-security-guidance-samsung-devices-with-knox/end-user-devices-security-guidance-samsung-devices-with-knox
see image, section 4) which is, well, a variant of DMZ.  I am not
accusing CESG of doing a bad job, far from it; I am pointing out that there
isn't much to say.

Example number 2. The NSA IAD website doesn't even mention security
architecture or patterns.  If it were very useful, I bet they would
publish. Yet the folks over there deemed that producing hardening
checklists is more useful.

Example number 3. Google for SABSA security patterns or TOGAF security
patterns and you find very little that is useful.

Now, if you do look at what official architects are saying, like in this
presentation
(http://www.slideshare.net/KrisKimmerleCISSP/enterprise-security-architecture-31820298)
by Kris Kimmerle, there is a lot of emphasis on governance, customer
demands, constraints and so on, and the architecture artefacts are, in a
nutshell, lists of those. That of course is useful in governance, but I
ask you, fine people of Dailydave, how can the poor infosec builder/contractor
equivalent - the lowly programmer and sysadmin - be enabled or guided? The
answer is, they need rules of thumb and canned configuration templates
rather than considerations from afar.

Now, what I think has legs and merit is doing resilience, and by this I mean
more than "copy things 3 times and have divergent network links", but
rather along the lines of:
* what happens when your main supplier suddenly goes bust or severs ties
with you (e.g. sanctions/buy-out)
* what happens when your root of trust (AD/PKI) is compromised beyond repair
* what if your trusted inner circle betrays you
etc.
--
Konrads Smelkovs
Applied IT sorcery.