Active Directory certificate services
Eric Maurer
On the Use of Security Concepts
time to read: 14 minutes
It is of vital importance to screen the development of new or the further development of already existing services, applications or IT-infrastructure for existing vulnerabilities or risks. This is even more important due to the fact that there is critical information and data involved.
In dynamic environments such as today’s companies there’s a number of important applications, services and a lot of infrastructure, that can’t be monitored so that every vulnerability and every risk can be systematically catalogued.
This might be due to the fact that an IT-environment is subject to various influences:
- Projects: Projects integrate and provide new applications and new services. They are either developed internally or bought externally. Sometimes, they’re completely outsourced.
- Momentum: IT-companies, daily business as well as maintenance and other factors require the keeping up to date with release- and lifecycles of soft- and hardware as well as the steady improvement of applications, including extension of functionality
- Market Trends and Standardizing: New trends, technologies and concepts appear on the market, which will sooner or later be adapted by companies (virtualization, Cloud computing…) due to their striving for standardizing their technology in use in the hope to keep complexity at bay.
These factors influence the IT-environment simultaneously while adding the ever-increasing pressure generated by costs, urgency and requirements by lawmakers, regulators and customers.
This pressure leads to the following unfortunate situations: Security that requires special care due to the momentum and complexity of it, is being ignored or neglected.
In IT, you suffer acutely under the everyday misgivings of the field and not directly under the latent vulnerabilities that might maybe arise in an unknown future.
This momentum can turn out to be too much of a challenge one some occasions and lead to the IT-department turning into some sort of maintenance crew, that tackles daily challenges and implements half-solutions in order to deal with the pressure even if it only treats the symptoms and not the illness itself. This behaviour open doors for new vulnerabilities and risks. Often, this behaviour is even accompanied by some sort of wishful thinking along the lines that it will all work out somehow because, thus far, it has always worked out somehow.
Instead, it would be useful to seriously incorporate security into the planning of projects and other ventures. An efficient tool to get a good overview of the complex affair that is security as well as project planning are Security Concepts, which I will talk about in this article.
Definition
A security concept is a clear and targeted analysis of information systems or an application, a service or parts or all of the IT-infrastructure. It documents the requirements in terms of security as well as its goals, the implemented security architecture and all relevant security configurations as well as processes that aim to manage and observe the security of the solution that’s being described. Furthermore, it contains a systematic analysis of risks and vulnerabilities and a documentation of the measures necessary for the treatment of the identified vulnerabilities and risks, including responsible operatives and scheduled dates.
The security concept should be an obligatory object while tackling projects that touch the IT-environment of a company: The implementation and restructuring of new applications, technologies, services and so on… as well as changes of the already existing IT-architecture, network technologies, interfaces and in every case, where the flow of information and data is being altered (this includes outsourcing-projects that see third parties enter the equation). This means that there must be a sanctioned off security concept before a system is being implemented. h1. Goals
The security concept aims to give an overview in terms of speciality, conceptionality and security.
It should be a stringent, self-contained document which can be consulted at any given time in order to be able to reconstruct and follow the thoughts behind security thoughts and measures that are necessary for a specific solution. It shows the risks and remaining risks of the implementation of said solution. It is also well suited to ease the workload put on auditors and internal revisers, because it shows and explains the situation as well as the relevant arguments pro and contra potential measures, vulnerabilities and risks.
The security measures in an IT-environment are being defined according to their requirements, which will reflect in the realization and keeping with the definitions set once the solution is realized. Unnecessary effort and security gaps are made nigh-impossible.
The security concept should remain as flexible as possible, though, consisting of modules that can be applied depending on the place where they’ll be deployed when needed, depending on whether the solution is an abstract and conceptual analysis or a single application.
Elements of the Security Concept
Generally, there should be a basic framework for the construction of a security concept, which has chapters that can be skipped, should the final concept require it. A simple basic framework could look like this:
| Chapter | Content |
|---|---|
| Description of the situation/Scope | Even the title of the concept describes the content of it (avoid abbreviations and acronyms). General intentions, plans, use, goals, naming of the owners and other responsibilities |
| Borders | Borders, restrictions, framing conditions, dependencies |
| Targeted security goals | What is to be protected from what? Which factors must be paid attention to (confidentiality, integrity, availability, non-repudiation, liability, authenticity, operational security…) |
| Technical-conceptional description of the system and solution with clear illustrations | Overview of the system, the infrastructure in use, rough system-architecture (including locations), system descriptions, requirements, functions, sequence of events, components, parts of the system, configurations, communication matrix, interfaces (technical, organisational, external, internal…), schematics |
| Definition of assets and protected objects | Informational or data objects (i.e. personal or financial data of a company, customer data, mandates, HR…), end user services (application functions and processes), software objects (application software), system and physical objects (hardware, software that is close to the infrastructure and OSes) |
| Analysis (risks or vulnerabilities: informal, detailed, combined) | The risk analysis or vulnerability analysis is a central element, damage and risk assessment (aka. Vulnerability assessment) as well as the delegation and classification of adequate security measures. For the definition of the requirements regarding the measures in a security concept, the following information needs to be provided: Risks and generic security measures (security standards, basic protection, ISO, Cobit and other frameworks), data classification, laws, policies, guidelines and standards, technical and organisational requirements |
| Measures to be taken including description | Description of technical measures, organizational measures, basic organizational measures, sequential measures, access concept |
| Residual risks | Listing of residual risks after the implementation of the measures. |
| Binding planning of implementation of measures | Responsibilities and deadlines for the realization of the measures, responsibilities for the maintenance of the measures, surveillance of use/cost of the measures |
| Controls | Reviews, auditing etc. |
Important security principles must be paid attention to as well, always keeping the question in mind whether or not they are applicable to the current motive:
- Principle of adequacy.
- Use of proven practises such as Good Practices, standardized security, ISO 27000 family of standards, unified and established processes and methods.
- Standard of application security, security architecture, basic protection
- Standards of physical security, protection of information, defence-in-depth, least privilege, need to know, access control, audit, compliance, and traceability
- Management of weaknesses and events, business continuity management etc.
Approaches to the conducting of an analysis
| Approach | Description |
|---|---|
| Informal approach | Using the informal approach means that you assume that gaps in security can be spotted without looking too closely. They are obvious. There are no guidelines when it comes to compiling a list of risks. The documents as well as the methods used to research said documents are based on individual decisions that the situation calls for. The advantage of this approach lies in its simplicity (the disadvantages are the possibility of not seeing the hidden risks and the lack of structure. You’re dependent on intuition. Even if people can rely on their gut feeling more often than not, this intuition has to be less emotional intuition and more intuition born of experience). However, this un-reflected approach can lead to it being seen as a capitulation of sorts when facing a complex IT-context. An adequate dealing with the analysis is not a given with this lackadaisical approach. |
| Baseline approach | In this approach, you are going on the assumption that risks are spread out evenly over the area of analysis that you’re focussing on. This strategy relies on the insight, that known and established standard products are being deployed, which can furthermore be adequately secured by using a standardized set of measures. The advantages of this approach are in the quick realization, its standardization and its simplicity. However, basic assumptions are seen as the factual truth in this approach. This means that before this approach is implemented, knowledge predating the measure should be checked for its veracity. In fact, knowledge must always be checked for veracity and applicability to the current situation. |
| Detailed analysis | Opposed to the informal approach, the detailed analysis looks not just at the obviously visible vulnerabilities but also those that have to be researched and looked at in great detail. A great help to achieve the desired level of detailed information in order to spot and treat these more hidden vulnerabilities is a structured methodology. The advantages of this approach are its high attention to detail. The disadvantages lie in the high cost needed as well as the long periods of research that are needed to get to all the details. |
| Combined approach | The combined approach differentiates between bigger and smaller risks, whereas both kinds are to be treated adequately. To tackle the smaller risks, maybe the baseline approach suffices. The bigger risks must be looked at using the detailed risk analysis. |
Prerequisites
Of course, a company has to be willing to allocate the resources necessary for the management of security concepts. Their creation, realization, proper and consistent implementation as well as their effectiveness have to be checked by the CSO and his team.
The CSO checks the security concepts for formal shortcomings as well as weaknesses. The things he and his team point out are to be followed up upon.
To do a security concept justice, the CSO can get advice from internal expert and review the security concept in a discussion. In regularly occurring meetings, there can be targeted review-sessions with the various groups of interest planned and executed. This means, next to the people responsible for security, all stakeholders in the discussion and permission are involved. For example, depending on the direction of the concept, auditing, legal & compliance, HR, business owners etc. could be invited to the review.
Where’s the use?
- Security concepts are a standardized method and represent a standardized approach to acknowledge and treat information security risks to achieve risk transparency.
- The systematic documentation of risks, assents, vulnerabilities, measures and residual risk per solution enables a quick evaluation of the state of security.
- The result is a comparative evaluation of risks of different information systems, applications and services.
- If security concepts aren’t just seen as isolated analyses, then the comparison and combination of security concepts can lead to the insight of whether or not risks accumulate in certain areas or whether already existing measures are being subverted by the introduction of new technologies.
- Because security concepts have to be created in the early stages of a project: After the creation of functional specifications and before the decision of realization of the system, you have enough time to plan and implement all aspects relevant to security.
- By including the CSO and his team in the creation and maintenance of security concepts, all parties involved in the review process are being kept up to date.
- Because the concepts represent a security solution that is described thoroughly and are self-contained, the concepts can be used for auditing purposes.
- They’re a reliable instrument to determine responsibilities and deadlines for the implementation of security measures.
- A systematic archive of all concepts amounts to a comprehensive documentation/library of all the important security measures per solution.
Where are the possible difficulties?
- Lack of interaction between teams and groups.
- Lacking security awareness of all people involved and responsible owners as well as project leaders, and – in the worst case – management.
- Risks have been centrally logged in a sort of risk register. The security concepts alone are not enough to qualify as a complete ISMS and risks management.
- Long periods of waiting between separate steps of the process (creation, review, approval etc.)
- Unclear borders as well as undefined handling of different concepts: detailed security concepts, analysis of vulnerabilities or risk analysis.
- The necessity of a regular re-check can lead to great time and work consumption depending on the number of security concepts.
- Quality check before review: which criteria must be met by a security concept so that it can be submitted for approval? Depending on significance and exposition of the solution described in the concept, there can be big differences in these criteria.
Summary
Security concepts are a form of magnifying glass. They allow us to see things clearly. Even things that we wouldn’t have seen without them or things that we wouldn’t even know existed without the concepts. These insights require the willingness to deal with the discoveries. One should be wary of investing energy into security concepts that are only created because there’s some sort of formal necessity to do so, be it in form of a policy or because a CSO says so or because it’s always been done this way. This would amount to some sort of alibi-exercise that would be of little use to anyone. A systematic approach with standardized processes for creation, judgment and management of security concepts on the other hand is an excellent tool to remain up to date even in a highly dynamic context.
About the Author
You are looking for a speaker?
Our experts will get in contact with you!
×
Foreign Entra Workload Identities
Marius Elmiger
Active Directory certificate services
Eric Maurer
Specific Criticism of CVSS4
Marc Ruef
You need support in such a project?
Our experts will get in contact with you!