<div dir="ltr">Hello,<div><br></div><div>I hereby want to poke some sharp sticks/throw stones in a glasshouse into what is known as security architecture and the profession of a security architect, esp. its "enterprise" variant. My accusation is as follows: there isn't anything in enterprise security architecture that can't be summed up as "DMZ-esque" or "be suspicious of things that traverse security boundaries". Before I list a few examples, I wanted to state that I have no formal qualifications as a security architect so on one hand, I am not invested, on the other - I'm perhaps ignorant.</div><div><br></div><div>Example number 1. The UK's CESG has a service offering called "CESG IA Policy Portfolio". This closed-access collection of documents is a remarkably short list from what I can gather in public sources. The best known public example is the "Walled Garden" (<a href="https://www.gov.uk/government/publications/end-user-devices-security-guidance-samsung-devices-with-knox/end-user-devices-security-guidance-samsung-devices-with-knox">https://www.gov.uk/government/publications/end-user-devices-security-guidance-samsung-devices-with-knox/end-user-devices-security-guidance-samsung-devices-with-knox</a>, see image section 4) which is, well, a variant of DMZ. 
I am not accusing CESG of doing a bad job, far from it, I am pointing out that there isn't much to say.</div><div><br></div><div>Example number 2. The NSA IAD website doesn't even mention security architecture or patterns. If it were very useful, I bet they would publish. Yet the folks over there deemed that producing hardening checklists is more useful.</div><div><br></div><div>Example number 3. Google for SABSA security patterns or TOGAF security patterns and find very little useful.</div><div><br></div><div>Now, if you do look at what official architects are saying, like in this presentation (<a href="http://www.slideshare.net/KrisKimmerleCISSP/enterprise-security-architecture-31820298">http://www.slideshare.net/KrisKimmerleCISSP/enterprise-security-architecture-31820298</a>) by Kris Kimmerle, there is a lot of emphasis on governance, customer demands, constraints and so on, and the architecture artefacts are, in a nutshell, lists of those. That of course is useful in governance, but I ask you, fine people of Dailydave, how can the poor infosec builder/contractor equivalent - the lowly programmer and sysadmin - be enabled or guided? The answer is, they need rules of thumb and canned configuration templates rather than considerations from afar.</div><div><br></div><div>Now, what I think has legs and merit is doing resilience and by this I mean more than "copy things 3 times and have divergent network links", but rather along the lines of:</div><div>* what happens when your main supplier goes suddenly bust or severs ties with you (e.g. 
sanctions/buy-out)</div><div>* what happens when your root of trust (AD/PKI) is compromised beyond repair</div><div>* what if your trusted inner circle betray you</div><div>etc.</div><div><br></div><div><br clear="all"><div><div class="gmail_signature">--<br>Konrads Smelkovs<br>Applied IT sorcery.</div></div>
</div></div>