The Secure Design Framework- Define, Prioritize, & Strategize Secure Business Enablement
One of the first deliverables needed before securing the business is implementing a high-level security design framework that connects the strategy and funding to the work and technology. A framework is essential as it contains, maintains, and subsequently influences the processes utilized to secure the business. The resulting requirements driven by the framework and its methods identify core security-critical capabilities that, when implemented well, unleash scalable security in a repeatable, easy-to-understand way. The Secure Design Framework is an attempt to define and describe methods and practices to tackle these objectives.
The Process of Protecting
To protect a business, we must answer the first question. What are we protecting? From an Information Security point of view, we are protecting data, specifically access to data, data from and about the business, its clients, customers, associates, and services. To protect this data, we must protect where it is housed, how it is housed, how it is accessed, and how it is transmitted. We must also understand who is accessing it, where they are accessing it from, and what particular part of the data they are accessing.
In essence, all information must be standardized and available for storage, normalization, and query to be effective at scale. The underlying architectural design must deliver integration first while ensuring ease in repeatability and availability.
To protect data, you must understand and declare the states in which data can exist. The three primary states used within this framework are:
- Data At-Rest — Defined as data that is stationary or inactive, i.e., data that is unmoved or unchanged for greater than 30 minutes. This would include cloud storage, file hosting services, databases, data warehouses, disks, archives, tapes, backups, or mobile devices.
- Data In-Transit — Defined as data transmitted between disparate systems or resources, applications, or services, i.e., data en route between source and destination.
- Data In-Use — Defined as active data that is stored in a non-persisted state. This would include computer random-access memory (RAM), CPU caches, CPU registers, or Redis caches.
Data must be protected while in any one of these given states, and each of these different states will require various security controls.
Security Control Capability Categories
Security controls can also be described as security capabilities or security services; controls put in place to secure the business. Different security objectives require the implementation of various security controls. The four high-level categories used to classify security control objectives within this framework are:
- Secure Design — The act, processes, tools, and methods used to secure the environments, the designs, and the design & deployments used by teams to deliver resources.
- Secure Access — The act, processes, tools, and methods used to secure access to resources regardless of state.
- Secure Configuration — The act, process, tools, and methods used to secure the configuration of resources within the enterprise.
- Secure Use — The act, processes, tools, and methods used to secure the runtime, i.e., the active use of data within the enterprise.
Security Control Layers
Robust security consists of layered security, i.e., security controls applied at different technology stack layers to ensure failsafe coverage and incremental alerting and notification. The layers utilized within this model are:
- Device / OS / System / Endpoint
When this model is applied at scale, controls can be defined and subsequently mapped to the appropriate control layer. These controls can then be implemented as required based on the value or risk of protected resources. There will be more on that later in this document.
Control Design Method
In the end, we are securing data by applying security controls focused on secure design and configuration, secure access, and secure use of resources. These security controls can and should be applied at different layers or in cohesive, supplemental, aggregated ways based on the value of the protected data.
The definition and implementation of this framework enables a consistent, dynamic method to organize and categorize these security controls and thereby robustly protect business resources. One part of the why for the framework is to map and manage security controls based on control purpose dynamically.
Having a framework to define how and where controls are applied and for what purpose is excellent. Still, other factors are at play when securing the business, namely the value of the data you are protecting. Security is directly related to cost, so a more secure business will most likely spend more on security. Since not all data is of equal value, it makes no sense to protect it all in the same way or with the same controls. Variables that may influence the level of complexity of the applied security are described below.
Data Value Rating
Data found within the enterprise have differing values. Within this framework, when assessing data value from a security perspective, we look at its value from an attacker's point of view, which correlates directly to revenue on the black market while also correlating to the negative impact to the company's brand if an exploit occurs. In the end, we are trying to establish categories for data to dynamically control access to it and dynamically prioritize events or alerts related to it. Data of differing values must be protected, managed, monitored, and audited in different ways.
The standard way we will categorize data value is:
- Public — Information made freely available outside of the company or is intended for public use.
- Business Use — Data that is not classified as Confidential or Restricted but that the company still considers valuable to the organization and is unlikely to result in material financial loss or brand damage.
- Confidential — Sensitive information that the company has a legal or regulatory obligation to safeguard, or for which unauthorized use or disclosure could result in adverse financial outcomes via loss of customer trust, brand damage, regulatory penalties, or civil complaint.
- Restricted — Highly sensitive information that the company has a legal or regulatory obligation to safeguard, or for which unauthorized use or disclosure could result in serious negative financial impact via loss of customer trust, brand damage, regulatory penalties, or civil complaint.
- Highly Restricted — Restricted or confidential data in bulk.
User Persona Rating
Not all user accounts are created equal. The persona model helps to categorize your accounts to enable better alerting and prioritization.
- Productivity — Accounts used for accessing business productivity applications in production.
- Non-Production — Accounts used for accessing non-production systems and/or environments, i.e., resources that support the development of production systems that run the business.
- Production or High-Value Productivity — Accounts used for accessing production systems and/or environments or high-value productivity accounts like those of your C-Suite.
- Production Restricted — Break-glass, domain-admin, or enterprise-admin accounts.
Access Risk Ratings
Access risk also influences what control or rigor of control should be applied to a user requesting access to a resource. Access risk relates to the risk associated with the source resources posture or its behavior.
- User & Endpoint Posture Risk — Risk based on the current state snapshot of known existing design or configuration risk.
- User & Endpoint Behavior — Risk based on recent event vs. correlated historical baseline event data.
Control Influencer Method
In the end, we are securing data through controls focused on secure design and configuration, secure access, and secure use; however, we are seeking to manage cost as well. The control influencer method expands upon the control design method above, providing a dynamic framework to influence and direct where and what controls should be applied based on risk and value, which helps manage cost by ensuring controls are focused where they are the most beneficial to the business.
This method also fulfills the purpose of being a meta-data access and alerting abstraction framework. As events flow into the SIEM and are alerted upon, these alerts can be bounced across contextualized lookups kept and created within the SIEM dynamically. The header of the alert can be incrementally adjusted to include these meta-data tags that help articulate contextualized risk for the organization. These meta-data tags are now part of the alert as it flows through the system. Based on this normalized formatting, dedicated visualizations can be created on the far end of the process, enabling a visualization abstraction layer, thereby simplifying visualization management.
Alert priority can also be dynamically influenced through this process, as the more lookups an alert occurs within, the greater the probability its priority score will change. This dynamic method enables the SOC to focus on those alerts deemed the most critical. These are the second and third reasons for the framework; the ability to dynamically control access based on value and risk and dynamically manage and influence alerting and prioritization for the SOC.
Gartner refers to the conceptual design above, as the CSMA or the Cyber Security Mesh Architecture. Strategically, organizations have the opportunity to implement this architectural approach themselves regardless of the selected technology stacks, however, the implementation requires meticulous alignment throughout the organization. Technology selection and planning must be second in line with use-case definition and requirements gathering coming first. Teams responsible for architectural design, engineering and integration must be cohesive and in lock-step. Rowing in the same direction isn’t good enough. Teams responsible for planning and design must also row with the same pace and cadence due to the interconnectedness of the mesh. In the future, the complexity of establishing and maintaining this design will fade as effective security companies look to expand the portfolio of the capabilities they offer and thereby implement this design within their stack as a matter of practice. When evaluating vendors now, look to those who see this architecture as a way of doing business in the future.
The next step in declaring and implementing a functional framework is defining the capabilities required to deliver the overall intention of the framework itself. The diagram below depicts high-level security capabilities utilized to provide information security services within this framework. Secure Access, Secure Design, and Secure Use details are dynamic and ever-changing as needs and technologies evolve. Feel free to use the capabilities defined here as a starter, and add, delete or change them based on the use-cases experienced within your business vertical.
Many or most security professionals focus on the endpoint or the Secure Use portion of the framework since that is where individual exploits occur most often and it is what and where most people interface with systems. It is important to understand, however, that secure design is the foundation for all services and in a cloud-first world, insecure design and configuration places the entire data-center eco-system at risk of exploitation all at once. Design posture management for all aspects of the environment whether cloud, server, or endpoint is a key strategic capability that must be refined and matured for teams to be effective. Leaders must help teams see the importance of secure design & configuration monitoring and auditing and work to ensure there is a balance between this capability and endpoint security monitoring and use.
Secure Design & Configuration
Security Capability Criticality
As with persona's, not all capabilities are created equal so, capability criticality is used to help articulate a categorical 1-n prioritization of all capabilities implemented within the framework. This criticality definition and resulting assignment will assist the organization with strategic planning. Please note, capability criticality definitions are the most immature section of the framework, as I feel better categories could be defined than the ones I have here.
Criticality should be set by the senior leaders, architects, and engineers in the organization. This top town definition of critical to the business is a direct variable within the equation that defines the priority of ongoing, year-over-year work efforts.
The current criticality categories are:
- Compliance/Audit — Key core services required to supply base services to meet compliance and audit requirements. Lack of success here will severely impact Information Security from maintaining compliance status.
- Core — Key services required to supply base protective and detective services. These would be the starting point one would expect any information security team to have in place, above and beyond those required to stay within compliance.
- Enhanced — Key services required to enhance the services in the last two bullets. These would be incremental services a team would implement as they move up the maturity curve in delivering security services. These services provide cumulative or enhanced value, context, or accuracy to improve the overall set of Information Security Services. These would be focused on after the prior services are implemented well.
Security Capability Maturity
As securing the business moves from a framework into a practical, tactical endeavor, it is essential to integrate a feedback loop. This feedback establishes a living method or process when regularly implemented and utilized by the organization.
The critical portion of the feedback process consists of having teams, the doers in the organization, regularly identify the services they are accountable for while also evaluating how mature they feel they are in delivering those services.
The maturity scales used within this framework are listed below. These maturity levels utilize the CMMI maturity scores, with refined definitions that align to an information security perspective.
The Method In Practice
The goal for any CISO is to help articulate to and across their organization what is essential to deliver to enable the business. To do this, there must be:
- An inventory of the capabilities (services) being delivered (shown in the mind-maps above and the excel picture below).
- A comparative declaration of the criticality (importance) of the capability/service
- A measure of the maturity (efficacy) of the organization in delivering these services
- A calculation that provides the priority of the services to work on, calculated as the maturity gap multiplied by the capability criticality
Prioritized List of Capabilities
Earlier I mentioned Gartner is coining the first portion of this framework as the CSMA. The Secure Design Framework evolves the idea of an integrated architecture into an integrated business process within an integrated architecture. In other words, the Secure Design Framework is the organizational embodiment of the CSMA. For the process to be effective, all teams supplying services must participate. This must be a regular process integrated into running the team, and each team should be looking to this information to help identify and align work efforts. If teams feel work needs to be done that is not prioritized, then it becomes their responsibility to communicate and influence leadership on why the item in question is essential to the business. The process demands both communication and accountability within the organization.
Another benefit of identifying capability criticality is that the SIEM ingestion engineers, use-case developers, and audit and compliance personnel now know what's most important. This enables them to ensure events, use-cases, alerting, auditing, monitoring, and reporting for the systems and technologies that support the most critical services are ingested first. Measuring delivery is as easy as tracking what systems support what services and identifying which of those systems have had events, use-cases, alerting, auditing, monitoring, and reporting completed.
The framework's goal is to align people, processes, and technology in a straightforward, scalable way pursuant to the singular purpose of securely enabling the business to efficiently and effectively provide the services it is committed to providing.