Feed on

In my previous posts, I wrote a bit about security architecture. Looking at how to implement this in real life you need to start looking at your security posture. But what is your security posture exactly?

When you start implementing your security you will have a number of hardware and software based protections. You will have processes, guidelines, policies. There will be mandated training and awareness sessions etc. All of this will create your security posture. The security posture is in essence the way your organisations stands ready for an attack. Just imagine you are training judo (as my kids are doing) and you are ready for a match. Look at the judokas way of standing ready to catch the opponent at their first attack, how they respond, counter and in the end hopefully get the opponent down on the mat. Your security posture is the way you are standing ready for an attack, how you manage the balance and change depending on the different possible attacks.

So what does this gives you beside a lof of words? Security is complex but when you describe it with an image you understand that putting all your resources in weightlifting heavy hardware you will be off balance and a simple leg swipe with a social engineering attack will bring you out of balance and make you lose the match. Same goes if you are very agile but lacks the stamina to keep moving. The security posture is a way of measuring how well you will withstand an attack.

Now that you understand where a security architecture start it is time to look at the full cycle of security architecture.

When you have a risk register with risk for different assets you need to start working on how to mitigate those. The first task is to define the security mechanisms that are needed to solve your problems. A security mechanism is a description of a security solution to a defined security problem.

For example: Encrypted communication solves eavesdropping on network traffic and is solved by using an encryption technology to change a payload to an unreadable format except for the intended reader.

By mapping your risks to security mechanism, you can start defining your solutions. After you have defined the possible mechanisms you need to check if they are applicable in a specific implementation scenario. One example is a requirement to encrypt information stored on a fileserver in such a way that data is encrypted when not used. A quick glance would make it possible to use Microsoft RMS or a disk-based encryption. When we look a bit further we understand that a disk-based encryption that encrypts the whole disk is not working as a fileserver is online 24/7, hence the data is always accessible.

When you know the mechanisms, you need you map out the possible patterns that you need to solve the problems. In some cases, they will contain more mechanisms or usage of mechanisms in another way than you thought of. The patterns are accelerators but not always the correct way to solve a problem. They seldom adhere to your specific business processes.

With all this information readily available you will create a few artefacts: Changes to different parts of the architecture and suggestions how to implement different security mechanisms technically or using processes.
With this you have managed to run a full circle and could update your risk analysis and the whole circle starts again.

It´s not that easy to start creating a security architecture when it’s hard to define in the first place. A security architecture has a few starting points. The first one is the realisation that you have something to protect. That may sound as a simple thing but without your assets defined you cannot define a security architecture.

Following that you need to start building the list of requirements you need to adhere to.

This list consists of your risk analysis, applicable laws you need to adhere to and compliance schemes you need to follow. Of course, you could have others that are on a voluntary basis and those should be included in the list as well as long as you don´t regard them as strict mandatory.

The list you provide will be your risk register that you will start working with.

I had a client meeting recently where we started to discuss their view on security architecture and quite interesting I got several views of what security architecture actually is. As a result of that I created a set of slides that describes how I work with security architecture. Of course, there are many ways to do security architecture but a common consensus of the how you view the topic is quite important to define.

As you see in the above picture I use IAF (Integrated Architecture Framework) as a model to build my architecture. IAF is part of TOGAF since TOGAF 9. An architecture consists of four large parts: Business, Information, Information System and Technical Infrastructure. Security architecture is not a specific architecture within this framework. In some cases, you model an IAM-system and call it a security architecture but that is not correct. That´s a Technical Infrastructure architecture of a security system. A security architecture is actually something completely but it ends up in changing the current architecture you have to make sure that its secure. The red dots show examples where an architecture could be changed to make it secure.

So basically, security architecture is the process of making an architecture secure.

With the previous posts, I presented on a high level how fake news could be mitigated. However, there will always be some news that passes the filters, always some bully that has the technical skills to beat through. The mitigation for that is a reporting system. The architecture contains an automatic reporting component using text analysing to identify death threats, violence etc. that is punishable by law. With a fully authenticated user we can I real time collect as much information that is needed for the police to be able to start an investigation. This makes it possible for a user that receives such a comment to be able to quickly report it to authorities.

When it comes to fake news this is most often not illegal but should still be reported. Lets say that a major newspaper starts to report articles from Natural News, a well know source of fake news within alternative health care or Granskning Sverige, that has been exposed to be one of the largest troll factories geared at undermining Sweden. Most of the post under anonymous account and with few possibilities to follow-up on their articles. With authenticated users, I could disallow such articles to appear in my flow, and if they would appear I could easily send a notice to the publisher that this article by this users is possibly fake.

One of the core concepts of this architecture is the management of who is allowed to comment and who is not. Normally you put that in the hands of an administrator or allow anyone to comment but that opens up for trolls and bullies. What we need is the possibility for the single individual to decide if anonymous or identified persons should be allowed to comment. This will be implemented with a component that before allowing the website or social media system checks if the users wanting to comment is authenticated. If so, comments will be allowed. The writer will have the power to allow or disallow anonymous comments.

The simple scenario here is a child being abused by cyber bullies. By not allowing comments from unauthenticated users no comments will be allowed. This could be extended to disallowing comments on posts where the person has been tagged.

The other scenario that is applicable to this is of course fake news. One way to disallow fake news in your media flow is to only allow news that are from a legitimate source. This could be traced back to the source. If that is written by an anonymous user then it should not be possible to make it legitimate by reporting it under a authenticated account.

A challenge to manage is the identity repository. Everyone has an agenda. It´s as easy as that. That creates a problem on whom to trust. But as the solutions is built on putting the power to the receiver the problem with owning the repository is a bit smaller.

The central repository is actually just an identity administration point using a federation service where other identity repositories could connect. BankID would be one but any corporation or organisation could connect, as long as the identity process is vetted. Facebook would for example not be allowed as the identity is not vetted.

When it comes to fake news the common denominator is either a false identity or anonymous identity. To enable a solution for this you need to have a verified identity. No matter how you spell it, if you are going to lie and face the risk of being identified as a liar, you will stand down.

An added feature, that I will describe later, is an integration with the law enforcement and with a strong identity it will be possible to send the information to the law enforcement they need for conducting an investigating.

The verified identity should be as strong as any e-identity that is approved by government. In Sweden, we use BankID. At least it should be a vetted identity using multi factor authentication.

The last two years’ fake news have arisen as a problem in my world. Not only is it a problem within security but it is also a problem in many other areas like health (anti vaccine movement), political (US election) and food (anti GMO) to name a few. Common for everyone is that they either write under fake or anonymous accounts or build their case on unverified (often fraudulent sources).

The common problem is that we have freedom to express whatever we want on internet anonymously. I´m all for that as there is many cases where freedom of speech is very important and we should guard that.

So, I started to do some thinking how to solve this problem and have come up with an architecture for this: Fake news mitigation architecture.

This architecture contains a number of components:
1. Verified strong identity
2. Identity repository
3. Control who is allowed to comment or send you information
4. Automatic reporting of incidents

My following posts will dive deeper into each component.

None of you raises an eyebrow when I say that I work at Sogeti and as all other consulting firms together with my clients we struggle with finding the right people. Finding junior staff is rather easy, keeping them a bit more challenging as it should be. But the senior people, like me, are harder to move into the organisation. I got a question last night from another company how we managed to snatch a very senior consultant from them. Salary wise we were on par with them together with everything else like bonus, freebies etc.

So what do we have to offer that gave us the upper hand his time? I would love to say that it´s my winning personality but, alas, it was in spite of that. 😉 We offer a different way of working with our Security Office. Security Office is a new way of delivering security. Yes, it’s an outsourced security department but it’s even more than that. It gives senior consultants time to work with the hard and complex stuff while giving the junior consultants challenges, all packaged in a way that makes it a competitive offer compared to all other companies.
We also offer a lot of education and courses together with our partners meaning that the challenge is finding time rather than the cost of training.

I´m actually a bit proud to see that my work the last 10 years within the group and outside has grown to this.

Older Posts »