notes blog about

Security is a neverending process.

Security is elusive and hard to measure.

There’s no secure system. There are just more or less secure systems.

You need some level of security. To achieve it you need patience, vigilance, knowledge and persistence.

Goals

Security is the ability to resist attack.

CIA triad represents the traditional (since 1977 - see picture below) security goals.

image

Confidentiality

Integrity

Availability

Sometimes non-repudation is added to these three.

Principles

These security principles will help you to increase your security.

Clarity and simplicity

Least privilege

Defense in depth

Limiting attack surface

Areas

Asset and risk management

Identity and access management (IAM)

Data encryption

Vulnerability management

Network security

Security monitoring

Approach

The ultimate security goals don’t change with the adaption of a new paradigm (e.g. cloud services or DevOps). Security teams must still focus on reducing business risk from attacks and work to get confidentiality, integrity, and availability (CIA) security controls built into information systems and data. How those goals are achieved will change.

Basic steps

Understand the business of the organization you are trying to protect.

Think about what you need to protect (assets: VMs, containers, DBs) and who is most likely to cause problems (threat actors: criminals, hacktivists, script kiddies, inside attackers, state actors).

Understand what areas you need to secure - this depends on the cloud model you are using and whether you are a consumer or provider:

Figure out what needs to talk to what in your application. You should first secure places where line crosses a trust boundary:

Know your risks (have at least a spreadsheet) and how you approach them:

Continuous security

More