00:00:00
In the previous two videos on Cybersecurity Architecture Fundamentals,
00:00:03
we discussed principles that you should follow--essential security principles.
00:00:09
In the next video, we discussed the CIA Triad, where you could basically use this as a checklist
00:00:14
to know that you've done a cybersecurity architecture correctly.
00:00:18
In this video, we're going to focus on the cybersecurity architect.
00:00:22
In particular, their role, the mindset that they have to adopt in developing a secure solution,
00:00:27
the tools that they use--tools of the trade--and the domains that they have to operate in.
00:00:33
All right, we're going to start off with the role and their mindset.
00:00:37
Where this all begins is with stakeholders.
00:00:40
These are the people that have a vested interest in getting this solution right.
00:00:44
So we're going to take a look at two examples here of an architect
00:00:48
who is working on a building and an IT architect who's working on building an IT system.
00:00:55
In both cases, we're going to start with stakeholders and we're going to take their inputs into the architect.
00:01:01
The architect is going to wonder, "Okay, we're building a building, but what kind of building is this going to be?
00:01:07
Is it going to be a business?
00:01:08
Is it going to be a home?" Well, in this case, we're told it's going to be a home.
00:01:12
It's going to be a multi-family dwelling.
00:01:14
So it's a townhouse, maybe, for instance.
00:01:17
So we have an idea already what it's going to be, what sort of size we want, what kind of price range we want it to be in.
00:01:23
Those are the things the stakeholders are giving the architect.
00:01:27
The architect is going to take that and develop a blueprint.
00:01:30
That blueprint then becomes the plan that the contractors come along and implement.
00:01:35
So we've got contractors--who are plumbers and carpenters and things of that sort.
00:01:42
They're going to be the ones that do the actual implementation.
00:01:45
If the architect shows up on the job site with a hammer in hand,
00:01:48
you might be in trouble because that's not their area of expertise.
00:01:52
You want these people that are experts in doing and these guys who are experts in planning and coming up with the big ideas.
00:01:59
So that's a little bit of analogy.
00:02:01
Now, an architect might say this is what I generally want this thing to look like.
00:02:05
But we need to take into account some other things after I've kind of come up with the basic sketch of what this is.
00:02:11
I need to think about safety and security as well with this building.
00:02:15
So, for instance, I want locks on the doors, of course; I don't want just anybody to be able to walk in.
00:02:21
I might put security cameras in each of the units, at least on the outside, maybe on the inside.
00:02:28
So that, again, I have an ability to monitor, maybe even alarm systems.
00:02:33
I might be concerned about fire in one of the units.
00:02:36
So I put a smoke detector on the ceiling in each one of these so that we can detect that.
00:02:41
And then, if I actually do have a fire, well, I'd like to have something that we call a firewall
00:02:47
that slows the spread of fire from one unit to the next.
00:02:51
It doesn't prevent it completely, but at least it keeps it from spreading really, really fast.
00:02:56
So these are kind of mitigations, things that we add on to the architecture to make it more safe, to make it more secure.
00:03:03
And the architect dreams those up and the contractors implement and put those things together.
00:03:09
Now let's take a look at an IT example of the same sort of thing.
00:03:13
Here once again, we just start with stakeholders.
00:03:16
And they're going to work with the architect.
00:03:19
The architect, instead of coming up with a blueprint, is going to come up with an analogy to that,
00:03:24
which is going to be some type of reference architecture, or some type of architecture overview diagram
00:03:30
or diagrams that show the interrelations of the high level components of the system.
00:03:36
That then is going to get translated into an actual IT architecture.
00:03:42
So here we've got in particular a user who is going to use a workstation, maybe a mobile device, or a desktop device.
00:03:51
They're going to come across a network to hit a web server.
00:03:54
That's going to hit an app server, which is going to hit a database and we're going to get their data.
00:03:59
This is a very simple type of architecture.
00:04:02
Now, the architect is then going to ask the engineers--the architect has been doing their work basically from a whiteboard.
00:04:11
Think of it this way: architects--whiteboard, engineers--keyboard.
00:04:17
This is where they're going to be doing their work as they start implementing this system.
00:04:22
This architect now also has to consider what might be some failure cases.
00:04:27
This is the difference between a sort of normal IT architect and a cybersecurity architect.
00:04:32
The normal architect thinks about how a system will work.
00:04:36
The cybersecurity architect thinks about how it will fail.
00:04:40
Now, the cybersecurity architect has to first understand how the system is going to work, or they don't know how it might fail.
00:04:46
So they have to have that level of understanding.
00:04:49
Then they have to add on to it.
00:04:50
What are the possible things that could go wrong?
00:04:52
So let's ask.
00:04:53
What could go wrong with this user?
00:04:56
Well, it could be someone stole their password, their credentials, so it's not this user anymore.
00:05:02
So what do I need?
00:05:03
Well, I'm going to put in multi-factor authentication, a mitigation, a way to check and compensate for that particular risk.
00:05:12
What if we've got on this workstation a virus, or if it's a mobile device, maybe it's been jailbroken.
00:05:18
Well, if it's a mobile device, I'll add mobile device management software to check for that.
00:05:24
If it's another type of device--endpoint detection and response capabilities or antivirus capabilities to check there.
00:05:32
And we continue across this.
00:05:34
In the case of the network, well, just like over here on this building,
00:05:37
we added firewalls in order to keep the spread of a fire from one unit from immediately spreading to another
00:05:44
and providing a level of protective isolation. That's what we do with network firewalls.
00:05:49
That's where we got that term.
00:05:51
So I'm going to add network firewalls here to slow the spread of contagion or attack across this infrastructure.
00:05:58
And then ultimately over here, I'm going to encrypt the data that's in the database.
00:06:03
And I'm going to ask this IT engineer, whoever it is.
00:06:08
And by the way, we'll have different engineers that are specialized in each of these areas.
00:06:12
So I might have a database administrator that does the database encryption,
00:06:15
a network administrator that implements the firewalls.
00:06:19
Someone else who does the desktop, someone else who does the identity and access management capabilities.
00:06:24
So all of these engineers are analogous to the different contractors.
00:06:29
And the architect in both of these cases is coming up with the big picture, the big plans.
00:06:34
So again, if you're thinking of a cybersecurity architect, think whiteboard rather than keyboard.
00:06:40
And also think how will the system fail and what do I need to do to prevent that?
00:06:48
Okay, now we've covered the role and mindset of the cybersecurity architect.
00:06:52
Now let's talk about the tools of the trade.
00:06:56
Well, it turns out that in the IT architect world, there are certain common diagrams that architects use.
00:07:02
There's a business context diagram, a system context diagram, and an architecture overview diagram.
00:07:08
These are just three examples that I think are particularly important.
00:07:12
So, for instance, we'll talk with a business context diagram.
00:07:16
Here we're trying to show relationships among the different entities in the system.
00:07:22
So an example here, we've got a builder, we've got a marketing team,
00:07:26
we've got tradesmen who are going to build the building, and then a buyer.
00:07:30
And so we're showing the interrelationships amongst those various entities.
00:07:34
It's a very high level, line-of-business sort of view.
00:07:38
In the next one, the system context diagram,
00:07:41
we're going to take that and decompose it further into what it would look like in a system.
00:07:46
Now, this is just one aspect, this doesn't show all of them by any means.
00:07:49
But here we have a project management system.
00:07:52
There's a finance system that's trying to oversee
00:07:55
and make sure we can afford to build this thing the way we need to and on budget.
00:07:59
Blueprints that we're going to call in and do the building with a permitting system that we need to go off and get those.
00:08:05
And then a graphical user interface that interfaces to all of it.
00:08:08
That's just a very simple example of how the IT system that supports this business model might look.
00:08:16
Then we can move further down into an architecture overview diagram.
00:08:20
In this case, now we've got a project database, a scheduler that is getting status and reports
00:08:27
that it's generating and then alerts whenever we're over budget or behind schedule or things like that.
00:08:33
So you notice with each one of these, it's a further level of detail, a further decomposition.
00:08:39
And as I said, this is sort of the lingua franca, the common language of the architect.
00:08:44
Any IT architect should be able to take these kinds of things and understand what they need to do.
00:08:50
Now, a cybersecurity architect will look at this and need to understand how the system works.
00:08:55
As I said before, they also need to envision how the system might fail.
00:09:00
So in doing that, I'm going to take this architecture that my normal IT architect
00:09:06
came up with and I'm going to try to put the security into this.
00:09:10
Now, that's the typical practice and the way we do it.
00:09:13
Remember in the first video, I talked about security principles--five that you should always do and one you should never do.
00:09:20
And in the second video, I talked about the CIA Triad: confidentiality, integrity and availability.
00:09:25
That's a checklist.
00:09:27
So we're going to use those things.
00:09:28
And in this video, I'm going to add another tool to your toolbox, and that's frameworks.
00:09:33
In particular, a framework like this one that comes from the National Institute of Standards in the US.
00:09:39
It's known as the Cybersecurity Framework.
00:09:41
And what it does is it spells out--think of it this way: an architect will need to follow certain building codes
00:09:48
if they're coming up with a building.
00:09:50
If you're an IT architect, we don't exactly have building codes
00:09:54
that spell it out to that level of detail, but this is an analogy to that.
00:09:58
So we're going to specify in the identify stage,
00:10:01
these are the things that you need to do to identify users and data and things of that sort.
00:10:07
We're going to spell out how we're going to protect those things once we've identified them.
00:10:11
What levels of encryption and access control and things like that that we need.
00:10:14
How we're going to detect when we have problems, we will spell that out.
00:10:20
This is all listed as a very nice, comprehensive checklist for you to look at
00:10:25
and consider if you've covered all the bases in the NIST cybersecurity framework.
00:10:31
How are we going to respond once we've detected a problem?
00:10:34
And then how do we recover once we realize that we have now got to get the system all back and going again?
00:10:41
So think about this as a cybersecurity architect,
00:10:43
I'm going to apply these principles, the CIA Triad and some of these frameworks onto this.
00:10:50
Now, that's the typical practice.
00:10:52
What often happens is I get called in at this phase--
00:10:56
when the architecture is already done and they say, "Jeff, make it secure." Well, we can do it.
00:11:03
That's the typical practice.
00:11:04
But it's not the best practice.
00:11:06
It's not the best practice because in the same way, you wouldn't like to have the building architect say,
00:11:12
"We've got the building built, now come in and make it earthquake-proof." It's a little hard to do now.
00:11:19
It would have been a whole lot better if, instead of at the implementation or architecture phase,
00:11:23
you had engaged me up here.
00:11:25
This is the best practice.
00:11:27
This is when we ideally want to be bringing in the security architect
00:11:31
and involve them at literally every step along the project lifecycle.
00:11:36
So I'm going to do risk analysis and I'm going to see what are the risks in each one of these areas
00:11:42
and apply some of these principles and frameworks.
00:11:45
I'm going to develop a security policy.
00:11:47
I'm going to develop then an architecture that goes along with the overall IT architecture,
00:11:53
the normal mode architecture, so that security is not just a bolt-on.
00:11:56
It's something that was baked in to begin with.
00:11:59
And then we add in the implementation.
00:12:01
We're looking architecturally at these security principles and these frameworks and applying them throughout the process.
00:12:08
This is how the architect applies their mindset, applies their role, and uses the tools of the trade.
00:12:15
Okay, now, we've covered the cybersecurity architect's role and their mindset. Also the tools of the trade.
00:12:23
Now we're going to talk a little bit about the domains that they operate in.
00:12:27
These are the cybersecurity domains that are the focus of the cybersecurity architect.
00:12:33
So, for instance, they're going to take a look at a user who is coming into a system off of some endpoint device,
00:12:40
traversing a network, hitting an application which pulls data from a database.
00:12:47
Now, each one of these is a domain in cybersecurity.
00:12:51
Identity and access management is where we're looking at the user.
00:12:54
We're looking at making sure they're who they claim to be, that they have the right access rights and things of that sort.
00:13:00
That's a whole domain.
00:13:02
Endpoint security--making sure their device is secure and can be trusted.
00:13:07
The network itself being secure, the applications can't be broken into and the data is protected.
00:13:14
We'll talk about each one of those domains and then add two more on top of that, because in fact,
00:13:19
what we need to be able to do is take security telemetry and information from all of these parts of the working system,
00:13:25
the functional system, and feed those into a monitoring system, a security information and event management capability
00:13:33
that monitors all of this and lets us know if there is an intrusion, or if there's some reason that we need to go do an investigation.
00:13:41
And then ultimately a response.
00:13:43
If I find a problem, I need to be able to orchestrate my response to that problem so that we get it resolved as quickly as possible.
00:13:51
These are the seven domains that we're going to be covering in the rest of the series.
00:13:56
Thanks for watching.
00:13:57
Before you leave, don't forget to hit subscribe.
00:13:59
That way you won't miss the next installment of the Cybersecurity Architecture Series.