Securing the building blocks of system architecture

How can I get my message over to a CIO, a business user or anyone else who is not part of the security community? I need to put some kind of reality slant into the piece.

I need this piece of text to appeal to the broadest audience possible. I have spent a good number of hours just trying to find the right real-life topics that would enable me to write a simple-to-understand discussion piece with a view on:

“The importance of incorporating security requirements within system architecture, rather than retrofitting controls into an insecure design”.

After toying with a number of analogies, ranging from an old lady with two new hip replacements and a new set of lungs having a heart attack whilst leading the London Marathon, to building a cheesecake and how difficult and inappropriate it would be to add the biscuit base afterwards, I finally settled on a subject that is quite close to my heart: houses and homes. I have just recently moved home, and so this subject should help me to deliver my message.

The analogy

Throughout our lifetime, very few of us will have the opportunity to architect, build or rebuild our own home. A good percentage of people would relish the opportunity to have the time, money and expertise to undertake such a task. They would then have the opportunity to use an architect to make the layout a little easier to understand, work with the local Neighbourhood Watch or local police to ensure they have security tags on all of their property, and call in an expert to assess the proposed building’s security and to install not only more locks on windows and doors but tougher and more robust ones. Perhaps they could find some new processes or technologies to filter junk snail mail coming through the letter box or unwanted incoming telephone calls. A little research into the latest technologies could help to protect not only ourselves but also those around us.

If you use a little imagination you will start to see the similarities between legacy systems and architectures and the description of building a house given above.

To be offered an opportunity to redraw the IT infrastructure design / plans and “get it right first time”, albeit second time around, would be wonderful for any CIO, IT Director, Information Security Manager, Technical Design Authority or Service Manager. And the same goes for any homeowner given the opportunity to rebuild his house.

In fact, if IT architectures were houses, they would probably look spectacular, but inside the elevators would fail regularly. Thieves would have unfettered access through open vents. The occupants would need physical security consultants to move in to identify all the weaknesses. They would discover that the electronically controlled doors unlock whenever someone brews a pot of coffee. The builders would provide a repair kit and promise that such issues would not exist in the next building they construct (which, by the way, occupants will be forced to move into).

Strangely though, the occupants would be okay with all this. They would accept the rising costs and the strangely comforting, yet recurring, feeling of failure and repair that is overpowering their lives. If someone asked, “Why do we put up with this building?” shoulders would be shrugged and sighs heaved. “That’s just how it is. Basically, buildings are built and behave this way.”

The question

Please ask yourself the following questions. If you had the means and the time, would you:

1. Want to have your building reviewed?
   • All recommendations reported on, evaluated and then just the major findings fixed (you can’t afford to fix everything)?

2. Or would you prefer to start from scratch?
   • Be happy to design a brand new building incorporating all those things that used to be “nice to haves”, such as security, safety, manageability and stability.

It is obvious that, if you had no limitations on time and money, having the opportunity to source new materials and cutting-edge fittings to build this new structure would be an ideal choice for most. More importantly for this discussion, being able to build in appropriate measures to protect and maintain the security of the building and its contents would be a must.

Incorporating core fundamental design values into a new design and build allows architects to provide a safe and secure environment for both the occupants and their visitors.

The reality

This, however, is not a realistic approach for a large number of corporations. They do not have the time, money or expertise to hand to design and build a brand new architecture and then migrate to it from the original one. In this scenario it is more likely that the corporation will look to retrofit controls in an attempt to maintain the system’s integrity.

Having the opportunity to design the architecture from scratch, then build it, test it and implement it, should be the utopia for incorporating security requirements from the bottom up. There can be no doubt that “a job done right first time” is the best scenario. But we must remember that the quick fix of retrofitting security controls has its place for those businesses that suffer from low funding, impending regulatory requirements or just plain old legacy systems that are difficult to migrate from. They can, in the short term, benefit from retrofitting some controls into an inherently insecure architecture. There will still be holes, but at least some will have been filled.

July 2006 Computer Fraud & Security

SECURE BUILD

Securing the building blocks of system architecture
Mark Thomson, Insight Consulting

It is late on a Wednesday evening and I find myself comfortably ensconced in my home office. I am deep in thought, paused over my keyboard, ready to set it alight with my knowledge on security, and yet I am unable to type.

Sharing with the Chinese

“The U.S. attorney in Detroit…announced charges of stealing trade secrets against three former employees of an auto supplier, saying economic espionage stabs at the heart of the Michigan economy and is a growing priority among his federal prosecutors.

The former employees of Metaldyne Corp., arraigned in U.S. District Court after a 64-count grand jury indictment was unsealed, are accused of stealing the Plymouth, Mich., company’s trade secrets and sharing them with Chinese competitors. They each face up to 20 years in prison and fines of up to $250,000 if convicted. Metaldyne, which has 45 plants in 14 countries, makes a wide range of auto parts for engines, drivetrains and chassis systems. The company has annual sales of $2 billion and about 6,500 employees.” (Trade-secret theft charged in Detroit, Baltimore Sun, 7-6-06)

But retrofitting security into an insecure architecture design will, in all probability, cost you far more in the long run. A more effective way of securing your system architecture is by designing a new secure architecture using a suitable methodology, such as the one below:

1. Project definition – assist with security assurance elements.
2. Requirements – business context & IT environment, security policy, etc.
3. Requirements – actors, roles, business processes, use cases.
4. Requirements – assets & owners.
5. Risk management – initial countermeasures.
6. Derive security design objectives from requirements.
7. Derive security domains.
8. Derive security sub-systems.
9. Derive component models for security sub-systems.
10. Derive operational models for security sub-systems.
11. Revisit risk management – analyse anomalous flow.
12. Assistance with security assurance.
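Steps 7 and 11 of the methodology are the ones that can be turned into a repeatable check: once every component sits in a named security domain and the permitted flows between domains are written down as policy, any flow in the component model that the policy does not cover is an anomalous flow to feed back into risk management. The Python below is an added illustration of that check; it is not code from the article or from Insight Consulting, and the domain names, components, protocols and boundary policy are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One data flow read off the component model (step 9)."""
    src: str
    dst: str
    protocol: str


# Constructed assignment of components to security domains (steps 7 and 8).
DOMAINS = {
    "web-frontend": "dmz",
    "api-gateway": "dmz",
    "order-service": "internal",
    "customer-db": "data",
    "backup-host": "data",
    "admin-laptop": "management",
}

# Constructed boundary policy (steps 5 and 6): which protocols may cross which
# domain boundary. Direction matters: ("dmz", "internal") says nothing about
# traffic from "internal" back into "dmz".
POLICY = {
    ("dmz", "internal"): {"https"},
    ("internal", "data"): {"tls-db"},
    ("management", "internal"): {"ssh"},
    ("management", "data"): {"ssh"},
}


def domain_of(component, domains=DOMAINS):
    """Every component must sit in exactly one domain; an unassigned one is a design gap."""
    if component not in domains:
        raise ValueError(f"component {component!r} has no security domain")
    return domains[component]


def analyse_flows(flows, domains=DOMAINS, policy=POLICY):
    """Step 11: return (flow, reason) for each flow the boundary policy does not cover."""
    anomalies = []
    for flow in flows:
        src_dom = domain_of(flow.src, domains)
        dst_dom = domain_of(flow.dst, domains)
        if src_dom == dst_dom:
            continue  # intra-domain traffic is not governed by the boundary policy
        allowed = policy.get((src_dom, dst_dom))
        if allowed is None:
            anomalies.append((flow, f"no policy permits {src_dom} -> {dst_dom}"))
        elif flow.protocol not in allowed:
            anomalies.append(
                (flow, f"{flow.protocol} not permitted on {src_dom} -> {dst_dom}; "
                       f"allowed: {sorted(allowed)}")
            )
    return anomalies


# Constructed flows, as they might be read off a component model.
SAMPLE_FLOWS = [
    Flow("web-frontend", "order-service", "https"),   # permitted dmz -> internal
    Flow("order-service", "customer-db", "tls-db"),   # permitted internal -> data
    Flow("web-frontend", "customer-db", "tls-db"),    # dmz straight to data: no policy
    Flow("admin-laptop", "order-service", "rdp"),     # management -> internal, wrong protocol
    Flow("customer-db", "backup-host", "rsync"),      # intra-domain, ignored here
    Flow("order-service", "api-gateway", "https"),    # internal -> dmz: reverse direction, no policy
]


if __name__ == "__main__":
    for flow, reason in analyse_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} ({flow.protocol}): {reason}")
```

Run as a script it lists three anomalous flows: the front end talking straight to the database, a management connection on a protocol the policy does not allow, and a flow from the internal domain back into the DMZ, which is flagged because the policy is expressed per direction. A component with no domain raises rather than being skipped, since an unassigned component is itself a finding against step 7.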

However, a note of caution: using separate processes for solution architecture and security architecture is not best practice when designing a system. The security requirements of the system should be interwoven into the very fabric of the overall solution architecture. Adding end-to-end security throughout the design, build, test and implementation will, without a doubt, provide the most secure, manageable and adaptable architecture, one on which the entire corporation can rely today and build on into the future.

See an optician and get the full picture

It is not prudent to be either an architect or a security consultant if you are short-sighted. If you find yourself seeing the future as tomorrow, then you need to have your “industry” eyes tested or renew your spectacles’ prescription. In the past, security threats have been predominantly single-mode and easily eradicated with just one product being applied to an infrastructure. However, over the past few years threats have evolved and become blended threats. These threats can no longer be protected against by buying an antidote to a single illness. They require enterprise security architectures to be developed and included in system architectures to provide long-term, in-depth protection and prevention measures to safeguard both the corporation and the corporation’s clients.

The question of strategy

Being able to determine a range of actions that a corporation may need to take in order to reduce risk to an adequate, or at least financially acceptable, level depends wholly on the business needs of the corporation and the value of the assets to be protected. Your security strategy has to match business needs, not the latest security flavour-of-the-month technology or methodology. Your security architecture needs to be adaptable to match changing business needs. So the old adage of ‘build it in is better than bolt it on’ needs amending. ‘Build it in, but build it flexibly and with an eye to the future’, perhaps?


WAR & PEACE IN CYBERSPACE

Thwart the insider threat: a proactive approach to personnel security
Richard Power and Dario Forte

As we all move deeper and deeper into the global economy of the 21st Century, the spectre of economic espionage grows larger and larger.

Consider some recent news stories from around the world:
