4.3 Other Enterprise Security Areas Part 3

00:00

Welcome

00:01

to Episode 10 Off cybersecurity Architectural Fundamentals.

00:08

Today we should recovering the topics on

00:11

Internet off Thanks security

00:14

and manage Security Service's consideration When architect ing a system.

00:22

Let's begin

00:23

with I o T Security.

00:25

Are you t security covers the protection off sensors and the collected data.

00:32

There is a need to consider the physical security off the devices

00:37

and the validity off the data collected

00:41

In this case, we're not just talking about the data being stolen,

00:46

but more that data being corrupted by a cyber attack.

00:53

What other threats toe I ot security?

00:56

Well, listen, formals,

00:59

it is still very consumer centric.

01:02

Many off the OT devices today are still focused on the consumer market. Like your I P cameras, all your well, a senses and so on.

01:11

There seems to be a lack off security considerations in many of these products,

01:17

although that is changing. But this is still one of the biggest problem

01:23

s with Mobil's. There are way too many variants off i ot platform.

01:29

Although many of them have built their platform on open source platforms like clinics or android,

01:36

they're still very preparatory components in many off these devices.

01:42

Furthermore,

01:42

the support for protocols is not uniform. There are still many ways in these devices. Communicate back to your service. This is the evolving space. Many off these concerns will not go away soon.

01:57

As the security architect, you need to design the security of systems to cater. For these to be swapped out when the time is right,

02:07

here is another view off I ot security threats

02:14

using the model off threats and versus assets. This view lets you identify assets in your eye, OT eco system and the treads pertaining to it.

02:27

There is no right and wrong way to model it, but choose one that works

02:31

for your environment and one that you can use to communicate to your stakeholders.

02:38

Do visit the link shown below to understand more about this model and see if it's applicable to your environment.

02:49

Here are some off the common tools and techniques that can help you secure your eye ot environment.

02:54

One off the emerging techniques is the use off micro certificates, too and crypt

03:01

and secure your traffic between devices.

03:05

Traditional P k I might be too heavy

03:07

for the small computer capabilities off the devices.

03:13

Therefore, there was an emerging market off, creating micro certificates to replicate what p. K I does for systems on a micro level

03:23

checking the implementation of Io ti. It's also very important. This includes getting people with the right knowledge to do I ot penetration testing.

03:34

It's a different skill set from the typical weapon application. Therefore, you need people well versed in the various treads and how to do a proper penetration test.

03:45

You can also consider using highly scalable VPN to secure the traffic. For example, Siskel's group and group that traffic VPN, which helps aggregate and combined data through one big V P and pipe.

04:00

This is just one way to secure

04:03

such amount of traffic that are located near each other.

04:09

And if you're using industries that protocol like M. Q T T, make sure you secure the transport for example, using T. L s on your amputee T

04:19

as this is an emerging feel,

04:23

pay attention to publications in journals and find out more about what can be done

04:29

to secure your T devices.

04:32

Moving on to manage security service is

04:36

many architects do not pay enough attention to how their design with affect a managed service or the constraints of manage security Service's

04:47

on the architecture off a system.

04:50

Today. Most manage security service providers are usually very focused

04:57

on the network

04:59

and the perimeter,

05:00

and less so on the application

05:03

and most off the service delivery.

05:06

Our constraints by your contracts and service level agreements that you have signed, too,

05:12

pay particular attention to what is the S. L. A's promise, and does it fit into your security posture

05:21

as it is a managed service,

05:25

you have to be very clear on the scope off coverage.

05:30

Do not assume an incident it's covered or type of tread is covered. Do make sure you go through all the use cases were negotiating. A managed security service's

05:41

also understand what it's the contractual obligation off these providers to you.

05:46

How much information do they need to give you and how much openness will they give you an excess to some of the locks collected.

05:54

Service level agreements need to be reviewed regularly to see if it is relevant to the current threat landscape

06:02

and ensure that the service provider is delivering on them.

06:08

S most managed service is is provided off site.

06:12

Do take care off. What is the on site remediation plan and how much of it is the responsibility versus your responsibility.

06:23

This diagrams helped you to clarify areas which you need to discuss with your service provider.

06:30

On the top will be some service management like S L. A. And service provisioning

06:36

and their lifecycle. Also pay attention to things like the change management, incident management, forensics investigation and event monitoring.

06:48

Also, do not forget the items on the right that covers governance, but it's a policy to strategy the risk management. And if you are regulated industries, what are your legal and regulatory compliance

07:02

obligations?

07:04

Also ensure the boundaries off the scope?

07:09

Where is the handoff and where do they stop monitoring or pick up monitoring?

07:14

It pays to go true. Various use cases to ensure that your entire and toe end security coverage it's managed both by you and your service provider.

07:28

Some off the additional tools and techniques. You can do this, for example,

07:31

have a technical measure off in tunnel second line defense. What that means is, maybe in some critical areas you have your own monitoring and lyrically do an audit on the events you pick up versus the events picked up by your service provider

07:49

and, as mentioned earlier as it is

07:53

a contract that service, please ensure that your contractual protections are in place,

08:00

that you have sl a management and you have to write toe ordered their processes and the work they deliver.

08:07

Another way to medicate risks here,

08:09

this partnership all core saucing.

08:11

That means maybe the service providers sits on your premise. I r

08:18

intermix with your team so that there is an easy way to exit, if necessary

08:24

in summary

08:26

today. Recovered. I ot security

08:28

What we need to look up for.

08:31

Pay attention to not only data exploitation but data manipulation.

08:37

Many cases data collected from Io ti is used in the Data Lake to help feed

08:46

you're a I or ml engines.

08:48

An attack could be feeding back data. True, you're I oti senses to skew your artificial intelligence.

08:56

Also do ensure that if your architect ing a solution and using a manage security service provider

09:05

that your system will allow them to pick up events and that their alerts will come back to you in a timely fashion,

09:15

here are two good resource is to read up on this topic

09:18

one the next publication off consideration for managing I ot cyber security and privacy risks.

09:26

And the second is from an information each article six things to look for in a managed service provider.

09:33

Thes would give you a little bit more details on the topics cover earlier.

09:39

This episode concludes

09:43

theat Vons and the price security areas.

09:46

Next, we will look into cybersecurity processes and how they would affect the architecture off a system.

09:54

If you have time, please join me for a next session.