From the course: CISSP Cert Prep (2021): 3 Security Architecture and Engineering

Secure design principles

- [Instructor] System engineering is an important technology discipline where practitioners are charged with taking many different and complex technical components and assembling them into a functional system that meets business objectives and security requirements at the same time. We'll be exploring many different aspects of security engineering throughout this course, including many of the technologies you use to build secure systems, but let's begin with a look at some general security engineering principles, including incorporating security in the design process, the Subject/Object Model, failure modes, isolation, and validation. Security must be treated as a key component of the design process. If you look back at major security failures over the past decade, many shared a common theme. Some aspect of security was either entirely overlooked or treated as an afterthought after the system design was complete. In this approach, known as bolt-on security, security engineers attempt to retrofit an existing system with security features designed to protect confidentiality, integrity, and availability. While this approach is sometimes successful, it is much less effective and much more expensive than simply including security in the design from the start. One of the core security models underlying many system designs is the Subject/Object Model of computer security. In this approach, every access request is seen as having two different components: a subject, who is requesting access to a resource, and an object, which is the resource being requested. For example, if a user requests access to a file, the user is the subject of the request and the file is the object of the request. Similarly, a process might request access to a memory location. In this example, the process is the subject of the request and the memory contents are the object.
When designing a system, it's often helpful to describe access requests in these terms, making the identity of the subject and object explicitly clear for each request. Working in this way allows the design of access control systems with easily defined and implemented rules. Another important security decision is how a system should behave in the event of a failure. Now, there are two possible failure modes. In a fail open system, if the security controls fail, they are automatically bypassed. This approach favors continued business operations, but it may pose an unacceptable security risk. In a fail secure or fail closed system, if a security control fails, the system locks itself down to a state where no access is granted. An easy way to understand this is by imagining a firewall at the perimeter of a network. If the firewall fails and it's configured in a fail open state, the network will continue operating after the failure without the benefit of firewall protection. Now, this probably is not a good idea, and firewalls are usually configured in a fail secure state that blocks traffic flow in the event of a failure. As a counterexample, an intrusion detection system may play a less critical role in cybersecurity programs. While it is highly desirable to inspect traffic for signs of malicious activity, administrators might decide that even in the event of an intrusion detection system failure, the cost of disrupting network activity doesn't warrant putting the system in a fail secure mode. Other core principles that you'll find throughout discussions of security engineering are the concepts of isolation and segmentation. In many cases, engineers design secure systems so that different components can't communicate with each other unless absolutely necessary. Let's look at a few examples.
In the case of network segmentation, an organization's accounting department, executive team, and sales team might reside on different network segments to protect their computers from each other. This way, an intruder gaining access to one network segment would still have some work to do before compromising another network segment. Inside a computing system, process isolation ensures that different programs don't have access to each other. This isolates software so that one malicious program has a harder time affecting other processes running on the same system. Along those same lines, systems also perform memory segmentation to prevent different processes from accessing memory assigned to other processes. And finally, in the world of virtualization, the hypervisor is responsible for virtual machine isolation, ensuring that different virtual machines don't have access to each other's resources.
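The Subject/Object Model and the two failure modes described in the lecture, as an added example that is not part of the course material: every request names its subject and object explicitly, permitted rules are the only thing that grants access (default deny), and when the control itself fails (here, a simulated unreachable policy store) a fail-open control bypasses the check while a fail-secure control grants nothing. The rule set, subjects, paths and the `PolicyUnavailable` failure are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class FailMode(Enum):
    OPEN = "fail-open"      # control bypassed on failure (operations first)
    SECURE = "fail-secure"  # no access granted on failure (fail-closed)


@dataclass(frozen=True)
class AccessRequest:
    subject: str   # who is asking: a user, a process, a service
    obj: str       # what is being requested: a file, a memory region, a host
    action: str    # read, write, execute, ...


class PolicyUnavailable(Exception):
    """The control itself has failed (e.g. its policy store is unreachable)."""


class AccessControl:
    def __init__(self, rules, fail_mode, healthy=True):
        # rules: explicitly permitted (subject, object, action) triples.
        # Anything not listed is denied when the control is working.
        self.rules = set(rules)
        self.fail_mode = fail_mode
        self.healthy = healthy  # constructed flag to simulate a control failure

    def _lookup(self, req):
        if not self.healthy:
            raise PolicyUnavailable("policy store unreachable")
        return (req.subject, req.obj, req.action) in self.rules

    def decide(self, req):
        try:
            return self._lookup(req)
        except PolicyUnavailable:
            # The failure mode, not the rules, decides the outcome here.
            return self.fail_mode is FailMode.OPEN


# Constructed sample policy: two subjects, one object.
RULES = {
    ("alice", "/finance/ledger.xlsx", "read"),
    ("payroll-svc", "/finance/ledger.xlsx", "write"),
}


def demo():
    bob = AccessRequest("bob", "/finance/ledger.xlsx", "read")
    alice = AccessRequest("alice", "/finance/ledger.xlsx", "read")
    working = AccessControl(RULES, FailMode.SECURE)
    broken_firewall = AccessControl(RULES, FailMode.SECURE, healthy=False)
    broken_ids = AccessControl(RULES, FailMode.OPEN, healthy=False)
    return {
        "alice_allowed": working.decide(alice),       # rule present
        "bob_denied": working.decide(bob),            # no rule: default deny
        "fail_secure_denies": broken_firewall.decide(alice),  # even alice
        "fail_open_allows": broken_ids.decide(bob),   # even bob
    }
```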