Security - The Structured Way

Introduction:

Having worked on risk and security matters for banking, pharmaceutical, financial, gaming, retail, and exchange entities, I have found only one security expert who could answer questions of security coverage satisfactorily, compared with the garden variety of security models out there, which mostly cover only fragments of the big picture. That security expert worked at a financial institution with a US$1 billion yearly security budget in the early 2000s.

Combining what I have learned from the aforementioned expert with my own exposure to security as an IT auditor, technical lead, solution architect, and implementer of protection measures, dealing with standards such as the Big 4's, ISO, PCI-DSS, SOC1, SOC2, FDA, IEEE, aviation and others, I would like to propose a more comprehensive security model, which I will label S2M (Structured Security Model) for ease of reference.

Disclaimer: Like many other subjects in life, security is something where the more you know, the less you think you know. So I am definitely not claiming to be a security expert; I am just chipping in what I know. Use the concepts here at your own risk and cost.

S2M in a Nutshell

S2M comprises five key concepts:

1. Security is On-going

Things change unavoidably, so new security holes will surface and need to be filled. As technology advances, so do attackers' weapons, and hence the need for on-going improvement of defences. It is best to think of security as an on-going race: whoever stays ahead of the waves of vulnerability discovery and prevention stays safer. So, never thinking that you are secure is the secure mindset.

2. Security Action Flow

The following flow encapsulates the major tasks always needed in dealing with security:

  • Identify new and changed protection targets
  • Evaluate security targets for their risks, impacts, and costs to secure
  • Implement security measures against security targets based on evaluation
  • Monitor and measure security matters
  • React to security findings
  • Review and revise security model and processes
  • Repeat the above

3. Protection Targets

These are the components that will need to be secured. A lot of companies have missed out or underestimated some of them, resulting in exposure to risks. Many such protection targets are related to each other; considering them separately helps conceptualization and management. Here is an encapsulation:

People: People possess the knowledge, information, and access that can be compromised by attacks using social engineering, phishing, bribery, kidnapping and all sorts of tactics. So, people should be a key protection target.

Information: Any information/data requiring protection, e.g. passwords, contracts, health records, secret formulas, investment movements, etc.

Operations: Operations here refers to both services and processes. Processes include software development, testing, production, incident response, product launch, turnover management, R&D, etc. Services can be for customers or for internal staff. One extreme example is rocket launching: a hacker does not have to own or know anything about the rocket to hack as far as pressing the launch button. Such a launch button is a service.

Physical Assets: Any physical fixtures that house the information or operations are part of this class of protection target, for example paper, server machines, laptops, hard disks, trash cans, desktops, etc.

Virtual Assets: Any protection targets, mainly information and operations, that are stored, processed, serviced, and transmitted electronically, digitally or programmatically can be considered virtual assets; this includes computer programs, the OS, drivers, etc. as well. Virtual assets are contained in, operated on, and serviced by physical assets. However, because of the ease and speed of change and of attack, and the vast knowledge and technology involved, virtual assets are worth handling separately. A lot of security models focus on this layer alone.

Environment: Environment refers to the surroundings and conditions in which the physical and virtual assets reside. While the environment can be considered part of the physical/virtual asset protection targets, it is isolated for ease of conceptualization and management. Some environments, like the office building, the meeting room, the data center, or even a financial cloud (a semi-private cloud for financial institutions only), can be controlled by the entity in question; there are also public environments that the company cannot control, like the internet, DNS servers, blockchains, network providers, the power grid, or the city facilities the company's assets need to reside in and use.

Technology: Any technology used to support other protection targets can become subject to vulnerabilities as time goes by. New technology can also be so ground-breaking that it renders protection measures obsolete. E.g. with the advance in quantum computing, it is speculated that most encryption algorithms can be broken in 10 years. Generative AI has grown so powerful that it is capable of much better video phishing attacks. Naturally, then, new technology development must be monitored and regarded as a protection target as well. So, a stock-take of the technology in use should be an important regular enterprise architecture task.

4. Access Paths

To access the security targets there need to be touch points, which can be virtual (like a website, a mobile app, or an API) or physical (like the server, the desk, the trash can, the head of a system administrator or DBA, etc.). Access paths are the routes from any touch point to the security targets, and can be virtual, physical, or a mix of both. In security jargon, such touch points are called the attack surface, and the access paths are called attack vectors.

5. Points of Failure Control

Each access path to a protection target, and the protection target itself, can be protected by multiple security measures, so that if a single measure fails the target is not compromised. Mandating an enterprise policy of no single point of failure implies at least one redundant measure for each access path and for each protection target. Evaluation of risks, impacts and costs will help decide an effective and practical implementation of points-of-failure control. For example, some subset of the security targets may require X points of failure control, while others can do with just Y. Security is like a chain: it is only as strong as its weakest link.

Putting it Together in Practice

S2M can be put into practice using the Security Action Flow (point #2):

  1. Identify new and changed protection targets => taking into account the targets listed under Protection Targets (point #3)
  2. Evaluate security targets for their risks, impacts, and costs to secure => taking into account the Protection Targets (point #3), Access Paths (point #4), and Points of Failure Control (point #5) considerations
  3. Implement security measures against security targets based on evaluation => balancing risks and costs for the optimal security protection investment
  4. Monitor and measure security matters => look for security incidents, security scanning and security audit findings, and relevant technology updates
  5. React to security findings => fix security incidents, security review findings, or technology risks discovered
  6. Review and revise security models and processes => the effectiveness of the security model, methodology, tools, and processes, including the S2M model itself, shall be reviewed often and evolved when necessary
  7. Repeat the above => perform the Security Action Flow periodically, say yearly, depending on the nature of the business

Don't forget the starting point, the starting point especially: any security holes introduced right from the start will lurk there and multiply the risks.
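To make points-of-failure control (point #5) and the first two steps of the Security Action Flow concrete, here is an added example in Python. It is not part of the original article and not a tool the author provides. It keeps a small register of protection targets and access paths, diffs the register against the previous iteration (step 1, identify new and changed targets), and evaluates every access path against an assumed per-risk policy of how many independent measures it must carry (step 2), reporting the weakest link. The seven target classes follow the article; the risk scale, the policy table REQUIRED_POINTS, the function names, and the inventory data are all constructed for illustration.

```python
"""Toy S2M register: identify new/changed protection targets, then check
points-of-failure coverage on every access path. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    kind: str   # one of the seven S2M protection-target classes
    risk: str   # assumed scale: "high" | "medium" | "low"


@dataclass(frozen=True)
class AccessPath:
    touch_point: str   # the attack surface (website, desk, admin, ...)
    target: str        # name of the protection target this path reaches
    measures: tuple    # independent security measures sitting on the path


# Assumed enterprise policy: independent measures required per access path.
# "no single point of failure" means every entry is at least 2 for anything
# that matters; low-risk targets are allowed a single measure here.
REQUIRED_POINTS = {"high": 3, "medium": 2, "low": 1}


def identify_changes(previous, current):
    """Step 1: targets that are new, or whose class/risk changed, since
    the last iteration of the flow. Returns (new, changed)."""
    prev = {t.name: t for t in previous}
    new = [t for t in current if t.name not in prev]
    changed = [t for t in current if t.name in prev and prev[t.name] != t]
    return new, changed


def evaluate(targets, paths, required=REQUIRED_POINTS):
    """Step 2: one finding per access path that carries fewer independent
    measures than policy demands, plus one per target that has no recorded
    access path at all (an unevaluated gap, not a secure target)."""
    findings = []
    for t in targets:
        need = required[t.risk]
        reaching = [p for p in paths if p.target == t.name]
        if not reaching:
            findings.append((t.name, None, "no access path recorded"))
        for p in reaching:
            have = len(set(p.measures))   # duplicates are not redundancy
            if have < need:
                findings.append((t.name, p.touch_point,
                                 f"{have} of {need} independent measures"))
    return findings


def weakest_link(targets, paths, required=REQUIRED_POINTS):
    """The chain is as strong as its weakest link: the access path with the
    largest shortfall against policy, or None when every path complies."""
    by_name = {t.name: t for t in targets}
    worst, worst_gap = None, 0
    for p in paths:
        gap = required[by_name[p.target].risk] - len(set(p.measures))
        if gap > worst_gap:
            worst, worst_gap = p, gap
    return worst


# Constructed inventories: last iteration's register and this iteration's.
PREVIOUS = (
    Target("customer-db", "Information", "high"),
    Target("launch-button", "Operations", "high"),
    Target("lobby-desk", "Physical Assets", "low"),
)
CURRENT = (
    Target("customer-db", "Information", "high"),
    Target("launch-button", "Operations", "high"),
    Target("lobby-desk", "Physical Assets", "medium"),   # risk re-rated
    Target("dba-oncall", "People", "high"),              # newly identified
)
PATHS = (
    AccessPath("public web API", "customer-db", ("WAF", "MFA", "DB network ACL")),
    AccessPath("office wifi", "customer-db", ("MFA",)),
    AccessPath("control console", "launch-button", ("badge", "two-person rule", "MFA")),
    AccessPath("visitor entrance", "lobby-desk", ("CCTV",)),
)

if __name__ == "__main__":
    new, changed = identify_changes(PREVIOUS, CURRENT)
    print("new:", [t.name for t in new], "changed:", [t.name for t in changed])
    for target, touch_point, why in evaluate(CURRENT, PATHS):
        print(f"{target:14} via {touch_point!s:18} {why}")
    link = weakest_link(CURRENT, PATHS)
    print("weakest link:", link.touch_point if link else "none")
```

Running this reports dba-oncall as new and lobby-desk as changed, flags the office wifi path to customer-db (one measure where three are required), the visitor entrance path to lobby-desk (one of two) and the person target with no access path recorded, and names office wifi as the weakest link. Counting distinct measures rather than listing them twice is deliberate: two copies of the same control fail together and do not give a second point of failure.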

Philosophy of S2M

With these concepts understood and implemented, one can state clearly the what, who, how, when, and why of security. Feel free to comment if any elements are missing. I offer this model in good will, and I look forward to incorporating valuable ideas from you to strengthen the model.

S2M is created with the intention of easing the conceptualization and planning of security matters in a structured fashion. So, to balance detail against abstraction, S2M does not mention any particular security measures, e.g. IDS, IPS, CCTV, MFA, security education, segregation of duties, turnover management, physical separation of VIPs, etc.

S2M does not categorize the protection targets further into sub-categories. This is done on purpose, because once we have the right security conceptualization framework, we can dig out such abundantly available security measures relatively easily.

The S2M model helps security experts to do their sundry checks and recollect any missing details per security compartment. Colloquially, with the right model rooted as the foundation, further branching into more granular conceptual sub-categories and processes according to specific organizational needs can take place, without getting lost in incoherent details. These are the benefits of having a clear big picture.

Since S2M emphasizes an on-going flow, even if the first-cut foundation is not perfect (for example security experts forgetting about some protection targets, discounting some new technology threats, excluding some conceptual elements in the flow, etc.), these misses can be added in a later iteration of the Security Action Flow, because of the monitor, review and revision steps in the continuous flow. S2M is a model that allows growth in a documented and structured fashion.

Finally…

Being consciously paranoid in a cost-effective way is the best route to security.

This purely human-generated information should be useful not only for enterprises but especially for smaller companies, because they are less likely to have the buffer and expertise to deal with security issues. Generative AI can only generate from known material, but I have not seen any of my ideas available elsewhere before.

Security is a fundamental right for all! So, please share :)
