Chris F Carroll, profile picture
Uploaded byChris F Carroll
PDF, PPTX236 views

What is Security, anyway? Software architecture for information security part 1 : Expressing requirements with iso27000 annotated

The document discusses the fundamentals of software architecture focusing on information security requirements, emphasizing the importance of understanding core security concepts such as assets, users, and the CIA triad (confidentiality, integrity, availability). It utilizes the ISO 27000 series to provide a vocabulary for establishing security requirements throughout the software development lifecycle. The presentation also outlines how to identify assets, roles, and necessary security measures in creating effective security policies.

Embed presentation

Download as PDF, PPTX
Software Architecture Chris F Carroll Software Architecture for Information Security Part 1: expressing requirements
Software Architecture Chris F Carroll ✤ Definitions & 
 Requirements I: Analysis ✤ Design ✤ Requirements II : Risk & Threats ✤ Implementation ✤ Verification ✤ Handover To deal with software security fully, we would go through the lifecycle. In this talk we’ll just look at the first bullet point.
Software Architecture Chris F Carroll Stating & Analysing 
 Information Security Requirements 
 using ISO 27000
Requirements Threatsvs. All requirements have edge cases but with security they expand into a whole second way of seeing the issue. Threats get all the news. But our understanding of threats remains piecemeal if we don’t understand the core requirements they are threatening. So we start here.
Software Architecture for Security Chris F Carroll How can we think about security? Let’s start at the beginning. To get security right, we want a framework for thinking about it: What are the questions we should ask and what concepts will help us to answer them?
How Can We Think About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? If we can answers these 3 questions then we have done most of the work of thinking about security. To help us answer them, we want some vocabulary or a framework.
Why use ISO 27000? ✓ ISO 27000 provides, if not a complete domain model for security, then at least a vocabulary. ✓ Our security policy and ISMS approach is based on the ISO 27000 series. At some point, our homegrown software has to dovetail with it. Chris F Carroll ISO 27000 series is a standards series for an information security management systems. It starts with a few pages of definitions. Which goes a long way to a framework for thinking about security. (actually you can get the same vocabulary from wikipedia or a software architecture textbook).
Group Policy Statement Information Security Policy v10.1, 2018 “We strive to protect the group’s critical information assets against all internal, external, deliberate or accidental threats throughout its lifecycle
 We protect against unauthorised access threatening the Confidentiality of our information and ensure that the Integrity and Availability of critical information is maintained.
 Our Information security policy is to ensure business continuity, minimising the risk of damage by preventing security incidents and reducing their potential impact. We are committed to continuous improvement, ongoing compliance with legislative and regulatory requirements and to ensuring our employees receive appropriate information security awareness training.” Leaving threats & risk aside for the moment, we could answer our 3 questions with just 5 key ideas: 
 Asset ; (Un)Authorised ; and Confidentiality, Integrity, Availability. Here’s an example attempt to think about security, in a security policy statement. The words in bold are drawn from ISO 27000.
How Can We Think About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? So now, let’s answer our 3 questions with this vocabulary
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions These are the 2 asset classes of most concern to a software team. So now, let’s answer our 3 questions with this vocabulary
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions We divide the world into two groups of people: The Authorised and 
 The Unauthorised.
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions And we get a grip on what security means with the “3 dimensions” defined by the standard, widely referred to as 
 The C.I.A.
ISO 27000 Vocabulary for Secured Assets Chris F Carroll Asset: For us as business to say what needs securing (Un)Authorised: We as business decide who is authorised Confidentiality : “not made available or disclosed to unauthorised individuals, entities, or processes” Integrity : “accuracy and completeness” Availability : “accessible and usable upon demand by an authorised entity”
Relating Other Vocabulary to the Standard Chris F Carroll How do other vocabularies map to/from “Assets + Authorised Users + C.I.A.?” Read-access threatens Confidentiality Write-access threatens Integrity Deny-Read protects Confidentiality by restricting Availability Deny-Write protects Integrity, restricting Availability Access Control addresses C.I.A. requirements
Chris F Carroll Access Control: “to ensure that access to assets is authorised & restricted based on business and security requirements” ISO 27000 Vocabulary for Secured Assets
Relating Other Vocabulary to the Standard Chris F Carroll Users,Groups, Roles Identity, Principal, Claims These (and more) are all used to define 
 Authorised User ISO standard dates from 1990s (BS7799) How do other vocabularies map to/from Assets + Authorised Users + C.I.A.?
Relating Other Vocabulary to the Standard Chris F Carroll Authenticating Identity is our usual way to convince ourselves we have an Authorised User How does a system know that a user is authorised? Authentication : “Provision of assurance that a claimed characteristic of an entity is correct”
Relating Other Vocabulary to the Standard Chris F Carroll Confidentiality presumably implies Access Control: Deny-Read Integrity presumably implies Access Control: Deny-Write Availability may imply Grant-Read Grant-Write Uptime, backups, connectivity, resilience to attack How does C.I.A map back to other vocabularies? Note the last bullet. Security includes both functional and non-functional requirements (NFRs).
Security : Just 3 Questions Chris F Carroll ✤ WHAT are we trying to secure? ➡ Assets: Data Stores & Systems ✤ WHO are we securing for & from? ➡ (Un)Authorised Users ✤ WHAT does security mean anyway? ➡ C.I.A.
 N.B. the need to prove & improve security may result in requirements for audit, accountability, monitoring, etc. Thinking about security: We answered our 3 questions using only a few key ideas, but this is enough to state and analyse requirements.
Software Architecture Chris F Carroll How can we use this?
Security Requirements Chris F Carroll HLD or Architecture Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL A typical software architecture document includes a placeholder for security requirements. We can use the 3 Questions to structure the statement of requirements
Security Requirements Chris F Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project 1. Let’s start with, simply, a list of assets that our new project will, or may, expose or access.
Security Requirements Chris F Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project We didn’t discuss RISK earlier. Some assets are more risky, or valuable, than others. For each asset, assess the risk of a breach of C.I.A. requirements.
Security Requirements Chris F Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms 2. 
 Divide the world into authorised and unauthorised. We often use Roles or Groups to define this division, because managing for hundreds or thousands of individuals is just too burdensome and error prone
Security Requirements Chris F Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms If there is a more than one identity or login mechanism, then it helps to list them
Security Requirements Chris F Carroll PROPOSAL Asset Authorised User Confidentiality (Read Access is restricted to…) Integrity
 (Operations
 restricted to…) Customer DB Authenticated Customer Read access to own data only Permissions detailed below… Adobe Campaign Manager Service Account NONE needed Permitted Operations below… Email & SMS Service Account NONE needed Permitted Operations below… HLD Security Requirements 3. List CIA Requirements Per Asset Per Authorised User 3. Finally the detail of permissions: 
 User A is authorised to perform operation X on data Y Coming back to the System Assets, we are concerned about the risk raised by connectivity. The more we can restrict the connections—the interfaces—the more simple and easy to do the security
Security Requirements Chris F Carroll HLD Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL
Security Requirements Analysis Chris F Carroll Asset Id Assets Where is it? Type of Asset Who's Asset? Required Confidentiality Level Required Availability & Integrity Level 1 LB code and scripts BitBucket, Dev Machines, Private NuGet Our labour LB Low Medium 2 AWS Dev AWS Dev Our labour LB Low Medium 3 AWS Live Infrastructure Design & Runtime AWS Live: ECS EC2 Operations LB Low Business Process Critical 4 All Customer's Business Data AWS Live: ECS EC2 DB Customers' Data Customers Business Critical Business Process Critical 5 All Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customers' Customers Business & Regulatory Critical Business Process Critical 6 Single Customer's Business Data AWS Live: ECS EC2 DB Customer's Data Customers Business Critical Business Process Critical 7 Single Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customer's Customers Business & Regulatory Critical Business Process Critical Asset List for a cloud-hosted multi-tenant service More complex example
Design for Security Requirements Chris F Carroll Confidentiality : per-customer confidentiality for an online system implies we must design row-level security and be able to verify it is implemented correctly Integrity : If all write access goes through a single tightly controlled interface, we can prove that no unexpected modifications are possible Auth (login, lockout, password reset): Buy or Build? Design Decisions, Tactics, Implementation Rules
 follow on from Security Requirements
Chris F Carroll WHAT do we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions
Software Architecture Chris F Carroll ✓ Definitions & 
 Requirements I : Analysis ✤ Design ✤ Requirements II : Threats & Risks ✤ Implementation ✤ Verification ✤ Handover

More Related Content

PDF
Security Testing for Test Professionals
byTechWell
 
PDF
Cyber Security Resilience & Risk Aggregation
byRamiro Cid
 
PDF
Vulnerability threat and attack
bynewbie2019
 
PDF
Slide Deck CISSP Class Session 3
byFRSecure
 
PDF
Software Technical Design for Information Security: A short intro for Tech Le...
byChris F Carroll
 
PDF
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
byEC-Council
 
PPTX
Purple Teaming - The Collaborative Future of Penetration Testing
byFRSecure
 
PDF
Thinking on risk analysis
byRamiro Cid
 
Security Testing for Test Professionals
byTechWell
 
Cyber Security Resilience & Risk Aggregation
byRamiro Cid
 
Vulnerability threat and attack
bynewbie2019
 
Slide Deck CISSP Class Session 3
byFRSecure
 
Software Technical Design for Information Security: A short intro for Tech Le...
byChris F Carroll
 
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Los...
byEC-Council
 
Purple Teaming - The Collaborative Future of Penetration Testing
byFRSecure
 
Thinking on risk analysis
byRamiro Cid
 

What's hot

PDF
Source Code Security the Symantec Way
bySymantec
 
PDF
Symantec Data Loss Prevention- From Adoption to Maturity
bySymantec
 
PPTX
New Paradigms for the Next Era of Security
bySounil Yu
 
PPTX
Employee Awareness in Cyber Security - Kloudlearn
byKloudLearn
 
PDF
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
bySounil Yu
 
PDF
Preserving the Privilege during Breach Response
byPriyanka Aash
 
PDF
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
byDuo Security
 
PDF
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
byEC-Council
 
PPTX
Cyber Security Management in a Highly Innovative World
bySafeNet
 
PPTX
InfraGard Webinar March 2016 033016 A
byWard Pyles
 
PDF
Security Fact & Fiction: Three Lessons from the Headlines
byDuo Security
 
PPT
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
byMichael Clarkson
 
PPTX
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
bySafeNet
 
PPTX
How to Pass the CISSP Exam For the First Time
byMercury Solutions Limited
 
PDF
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
byIBM Security
 
PDF
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
byPriyanka Aash
 
PDF
Security For The People: End-User Authentication Security on the Internet by ...
byDuo Security
 
Source Code Security the Symantec Way
bySymantec
 
Symantec Data Loss Prevention- From Adoption to Maturity
bySymantec
 
New Paradigms for the Next Era of Security
bySounil Yu
 
Employee Awareness in Cyber Security - Kloudlearn
byKloudLearn
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
bySounil Yu
 
Preserving the Privilege during Breach Response
byPriyanka Aash
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
byDuo Security
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
byEC-Council
 
Cyber Security Management in a Highly Innovative World
bySafeNet
 
InfraGard Webinar March 2016 033016 A
byWard Pyles
 
Security Fact & Fiction: Three Lessons from the Headlines
byDuo Security
 
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
byMichael Clarkson
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
bySafeNet
 
How to Pass the CISSP Exam For the First Time
byMercury Solutions Limited
 
IBM Security AppExchange Spotlight: Threat Intelligence & Monitoring Microso...
byIBM Security
 
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
byPriyanka Aash
 
Security For The People: End-User Authentication Security on the Internet by ...
byDuo Security
 

Similar to What is Security, anyway? Software architecture for information security part 1 : Expressing requirements with iso27000 annotated

PDF
CCA study group
byIIBA UK Chapter
 
PPT
Chapter 3: Information Security Framework
byNada G.Youssef
 
PDF
Information Security basic introduction by professor
byadityakatare35
 
PPTX
Information security principles
byDan Morrill
 
PPT
information security management
byGurpreetkaur838
 
PPT
Lecture2-3-CIAin Cyber security with details.ppt
byMuhammadSaleemKhan26
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PDF
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 
PDF
Designing Security Architecture Solutions 1st Jay Ramachandran
bypianondorman
 
PPT
PBL PROJECT - B2- (54,56,50,40) (2) (1).ppt
byItzsonya
 
PPTX
Conceptual security architecture
byMubashirAslam5
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
PDF
ISO / IEC 27001:2005 – An Intorduction
byn|u - The Open Security Community
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
PDF
CISA-Exam-Prep-Domain-5-2019.pdf. CISA exam
bygregtap1
 
PPT
InfoSecConcepts.ppt
byMobileAntitheft
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
PPTX
crisc_wk_5.pptx
bydotco
 
PPTX
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
byn|u - The Open Security Community
 
PPT
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
byrasanjakavindu54
 
CCA study group
byIIBA UK Chapter
 
Chapter 3: Information Security Framework
byNada G.Youssef
 
Information Security basic introduction by professor
byadityakatare35
 
Information security principles
byDan Morrill
 
information security management
byGurpreetkaur838
 
Lecture2-3-CIAin Cyber security with details.ppt
byMuhammadSaleemKhan26
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
Mergers and Acquisition Security - Areas of Interest
byMatthew Rosenquist
 
Designing Security Architecture Solutions 1st Jay Ramachandran
bypianondorman
 
PBL PROJECT - B2- (54,56,50,40) (2) (1).ppt
byItzsonya
 
Conceptual security architecture
byMubashirAslam5
 
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
ISO / IEC 27001:2005 – An Intorduction
byn|u - The Open Security Community
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
CISA-Exam-Prep-Domain-5-2019.pdf. CISA exam
bygregtap1
 
InfoSecConcepts.ppt
byMobileAntitheft
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
crisc_wk_5.pptx
bydotco
 
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
byn|u - The Open Security Community
 
Intro kavindu rasanjahshdjdhhjxjxuxgxjdjs
byrasanjakavindu54
 

More from Chris F Carroll

PPTX
Software Architecture: Why and What?
byChris F Carroll
 
PDF
Agile Software Architecture
byChris F Carroll
 
PPT
Doing Architecture with Agile Teams IASA UK Summit 2013
byChris F Carroll
 
PDF
XP-Manchester 2013 Software Architecture for Agile Developers Intro
byChris F Carroll
 
PPTX
Deep Learning in 90 seconds. With a side of Algorithm Bias
byChris F Carroll
 
PDF
Clojure (and some lisp) in 10 mins for OO developers
byChris F Carroll
 
Software Architecture: Why and What?
byChris F Carroll
 
Agile Software Architecture
byChris F Carroll
 
Doing Architecture with Agile Teams IASA UK Summit 2013
byChris F Carroll
 
XP-Manchester 2013 Software Architecture for Agile Developers Intro
byChris F Carroll
 
Deep Learning in 90 seconds. With a side of Algorithm Bias
byChris F Carroll
 
Clojure (and some lisp) in 10 mins for OO developers
byChris F Carroll
 

Recently uploaded

PPTX
OpenChain at Okinawa Event on the 4th of December 2025
byShane Coughlan
 
PPTX
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
PDF
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
PDF
API_SECURITY CONSULTANCY SERVICES IN USA
bydavidjohansen1597
 
PPTX
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
PDF
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
PDF
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
PPTX
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PPTX
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
PPTX
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PPTX
GDS Integration Solution | GDS Integration Service
byyugababu033
 
PPTX
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
PDF
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
PDF
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
PPTX
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
PDF
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
PDF
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 
OpenChain at Okinawa Event on the 4th of December 2025
byShane Coughlan
 
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
API_SECURITY CONSULTANCY SERVICES IN USA
bydavidjohansen1597
 
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
Navigating SEC Regulations for Crypto Exchanges Preparing for a Compliant Fut...
byzak jasper
 
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
application security presentation 2 by harman
byharmanideapad
 
Modern Claims Automation Solutions for Operational Agility
byInsurance Tech Services
 
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
GDS Integration Solution | GDS Integration Service
byyugababu033
 
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
Resource-Levelled Critical-Path Analysis Balancing Time, Cost and Constraints
byOrangescrum
 
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 

What is Security, anyway? Software architecture for information security part 1 : Expressing requirements with iso27000 annotated

  • 1.
    Software Architecture ChrisF Carroll Software Architecture for Information Security Part 1: expressing requirements
  • 2.
    Software Architecture ChrisF Carroll ✤ Definitions & 
 Requirements I: Analysis ✤ Design ✤ Requirements II : Risk & Threats ✤ Implementation ✤ Verification ✤ Handover To deal with software security fully, we would go through the lifecycle. In this talk we’ll just look at the first bullet point.
  • 3.
    Software Architecture ChrisF Carroll Stating & Analysing 
 Information Security Requirements 
 using ISO 27000
  • 4.
    Requirements Threatsvs. All requirements haveedge cases but with security they expand into a whole second way of seeing the issue. Threats get all the news. But our understanding of threats remains piecemeal if we don’t understand the core requirements they are threatening. So we start here.
  • 5.
    Software Architecture forSecurity Chris F Carroll How can we think about security? Let’s start at the beginning. To get security right, we want a framework for thinking about it: What are the questions we should ask and what concepts will help us to answer them?
  • 6.
    How Can WeThink About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? If we can answers these 3 questions then we have done most of the work of thinking about security. To help us answer them, we want some vocabulary or a framework.
  • 7.
    Why use ISO27000? ✓ ISO 27000 provides, if not a complete domain model for security, then at least a vocabulary. ✓ Our security policy and ISMS approach is based on the ISO 27000 series. At some point, our homegrown software has to dovetail with it. Chris F Carroll ISO 27000 series is a standards series for an information security management systems. It starts with a few pages of definitions. Which goes a long way to a framework for thinking about security. (actually you can get the same vocabulary from wikipedia or a software architecture textbook).
  • 8.
    Group Policy StatementInformation Security Policy v10.1, 2018 “We strive to protect the group’s critical information assets against all internal, external, deliberate or accidental threats throughout its lifecycle
 We protect against unauthorised access threatening the Confidentiality of our information and ensure that the Integrity and Availability of critical information is maintained.
 Our Information security policy is to ensure business continuity, minimising the risk of damage by preventing security incidents and reducing their potential impact. We are committed to continuous improvement, ongoing compliance with legislative and regulatory requirements and to ensuring our employees receive appropriate information security awareness training.” Leaving threats & risk aside for the moment, we could answer our 3 questions with just 5 key ideas: 
 Asset ; (Un)Authorised ; and Confidentiality, Integrity, Availability. Here’s an example attempt to think about security, in a security policy statement. The words in bold are drawn from ISO 27000.
  • 9.
    How Can WeThink About Security? Chris F Carroll ✤ WHAT are we trying to secure?
 ✤ WHO are we securing for or from?
 ✤ WHAT does security mean anyway? So now, let’s answer our 3 questions with this vocabulary
  • 10.
    Chris F Carroll WHATdo we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions These are the 2 asset classes of most concern to a software team. So now, let’s answer our 3 questions with this vocabulary
  • 11.
    Chris F Carroll WHATdo we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions We divide the world into two groups of people: The Authorised and 
 The Unauthorised.
  • 12.
    Chris F Carroll WHATdo we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions And we get a grip on what security means with the “3 dimensions” defined by the standard, widely referred to as 
 The C.I.A.
  • 13.
    ISO 27000 Vocabularyfor Secured Assets Chris F Carroll Asset: For us as business to say what needs securing (Un)Authorised: We as business decide who is authorised Confidentiality : “not made available or disclosed to unauthorised individuals, entities, or processes” Integrity : “accuracy and completeness” Availability : “accessible and usable upon demand by an authorised entity”
  • 14.
    Relating Other Vocabularyto the Standard Chris F Carroll How do other vocabularies map to/from “Assets + Authorised Users + C.I.A.?” Read-access threatens Confidentiality Write-access threatens Integrity Deny-Read protects Confidentiality by restricting Availability Deny-Write protects Integrity, restricting Availability Access Control addresses C.I.A. requirements
  • 15.
    Chris F Carroll AccessControl: “to ensure that access to assets is authorised & restricted based on business and security requirements” ISO 27000 Vocabulary for Secured Assets
  • 16.
    Relating Other Vocabularyto the Standard Chris F Carroll Users,Groups, Roles Identity, Principal, Claims These (and more) are all used to define 
 Authorised User ISO standard dates from 1990s (BS7799) How do other vocabularies map to/from Assets + Authorised Users + C.I.A.?
  • 17.
    Relating Other Vocabularyto the Standard Chris F Carroll Authenticating Identity is our usual way to convince ourselves we have an Authorised User How does a system know that a user is authorised? Authentication : “Provision of assurance that a claimed characteristic of an entity is correct”
  • 18.
    Relating Other Vocabularyto the Standard Chris F Carroll Confidentiality presumably implies Access Control: Deny-Read Integrity presumably implies Access Control: Deny-Write Availability may imply Grant-Read Grant-Write Uptime, backups, connectivity, resilience to attack How does C.I.A map back to other vocabularies? Note the last bullet. Security includes both functional and non-functional requirements (NFRs).
  • 19.
    Security : Just3 Questions Chris F Carroll ✤ WHAT are we trying to secure? ➡ Assets: Data Stores & Systems ✤ WHO are we securing for & from? ➡ (Un)Authorised Users ✤ WHAT does security mean anyway? ➡ C.I.A.
 N.B. the need to prove & improve security may result in requirements for audit, accountability, monitoring, etc. Thinking about security: We answered our 3 questions using only a few key ideas, but this is enough to state and analyse requirements.
  • 20.
    Software Architecture ChrisF Carroll How can we use this?
  • 21.
    Security Requirements ChrisF Carroll HLD or Architecture Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL A typical software architecture document includes a placeholder for security requirements. We can use the 3 Questions to structure the statement of requirements
  • 22.
    Security Requirements ChrisF Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project 1. Let’s start with, simply, a list of assets that our new project will, or may, expose or access.
  • 23.
    Security Requirements ChrisF Carroll HLD Security Requirements 1.1. Data Stores Accessed or Exposed by this Project Data Store Category or Risk Level New Exposure? 1. Shiva DB Confidential
 GDPR Yes PROPOSAL System Accessed or Exposed? New Exposure? 1. Adobe Campaign Manager Accessed Yes 2. SMS & Email Accessed Yes 1.2. Other Systems Accessed or Exposed by this Project We didn’t discuss RISK earlier. Some assets are more risky, or valuable, than others. For each asset, assess the risk of a breach of C.I.A. requirements.
  • 24.
    Security Requirements ChrisF Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms 2. 
 Divide the world into authorised and unauthorised. We often use Roles or Groups to define this division, because managing for hundreds or thousands of individuals is just too burdensome and error prone
  • 25.
    Security Requirements ChrisF Carroll PROPOSAL User/Role/Principal Authentication Mechanism Online Customer OAuth2 provider Auth0 CCA Permission X AD Login CCA Permission Y AD Login HLD Security Requirements 2. Authorised Users/Roles & Authentication Mechanisms If there is a more than one identity or login mechanism, then it helps to list them
  • 26.
    Security Requirements ChrisF Carroll PROPOSAL Asset Authorised User Confidentiality (Read Access is restricted to…) Integrity
 (Operations
 restricted to…) Customer DB Authenticated Customer Read access to own data only Permissions detailed below… Adobe Campaign Manager Service Account NONE needed Permitted Operations below… Email & SMS Service Account NONE needed Permitted Operations below… HLD Security Requirements 3. List CIA Requirements Per Asset Per Authorised User 3. Finally the detail of permissions: 
 User A is authorised to perform operation X on data Y Coming back to the System Assets, we are concerned about the risk raised by connectivity. The more we can restrict the connections—the interfaces—the more simple and easy to do the security
  • 27.
    Security Requirements ChrisF Carroll HLD Template Express security requirements using the 3 Questions 1. WHAT Assets must this system secure? List Assets Accessed or Exposed
 1.1 Data Stores 1.2 Other Systems 2. WHO Are we securing For/From? Identify Authorised Roles and Authentication Mechanisms 3. WHAT do we mean by Security? State C.I.A. Requirements Per Asset Per Authorised Identity PROPOSAL
  • 28.
    Security Requirements AnalysisChris F Carroll Asset Id Assets Where is it? Type of Asset Who's Asset? Required Confidentiality Level Required Availability & Integrity Level 1 LB code and scripts BitBucket, Dev Machines, Private NuGet Our labour LB Low Medium 2 AWS Dev AWS Dev Our labour LB Low Medium 3 AWS Live Infrastructure Design & Runtime AWS Live: ECS EC2 Operations LB Low Business Process Critical 4 All Customer's Business Data AWS Live: ECS EC2 DB Customers' Data Customers Business Critical Business Process Critical 5 All Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customers' Customers Business & Regulatory Critical Business Process Critical 6 Single Customer's Business Data AWS Live: ECS EC2 DB Customer's Data Customers Business Critical Business Process Critical 7 Single Customer's Customers Personal Data AWS Live: ECS EC2 DB Logs Personal Data Customer's Customers Business & Regulatory Critical Business Process Critical Asset List for a cloud-hosted multi-tenant service More complex example
  • 29.
    Design for SecurityRequirements Chris F Carroll Confidentiality : per-customer confidentiality for an online system implies we must design row-level security and be able to verify it is implemented correctly Integrity : If all write access goes through a single tightly controlled interface, we can prove that no unexpected modifications are possible Auth (login, lockout, password reset): Buy or Build? Design Decisions, Tactics, Implementation Rules
 follow on from Security Requirements
  • 30.
    Chris F Carroll WHATdo we want to secure? Information Assets, typically: 1. Data Stores 2. Systems that let you do things
 WHO are we securing for/from? (Un)/Authorised users
 WHAT does security mean anyway? Confidentiality Integrity Availability Security : Just 3 Questions
  • 31.
    Software Architecture ChrisF Carroll ✓ Definitions & 
 Requirements I : Analysis ✤ Design ✤ Requirements II : Threats & Risks ✤ Implementation ✤ Verification ✤ Handover