Define System Security Architecture (Define System Architecture)

Time
5 hours 58 minutes
Difficulty
Intermediate
Video Transcription
00:00
>> Welcome back to Cybrary.
00:00
Yes of course, I'm your instructor Brad Rhodes.
00:00
Let's now talk about defining
00:00
the system security architecture.
00:00
In this lesson, we're going to talk about ISSE task.
00:00
A little bit different from the previous lesson
00:00
we're going to talk about tools.
00:00
We're going to talk about the outputs
00:00
of this particular task.
00:00
From my IATF 3.1;
00:00
so the Information Assurance Technical Framework,
00:00
there are six ISSE tasks
00:00
in defining the system security architecture.
00:00
There are decomposition and
00:00
I take all those requirements,
00:00
and I functionally decompose them.
00:00
There's interface allocation.
00:00
We talked about external and internal interfaces,
00:00
we have to map out where those go.
00:00
We are going to look at our components,
00:00
we're going to look at our residual risk assessment.
00:00
Remember, part of our work as
00:00
an ISSE is to do
00:00
that risk management process which we started when we
00:00
were working on this initial design
00:00
and we're probably going to need to look at
00:00
the controls that we're thinking
00:00
about that might be tied to
00:00
this to actually start to do
00:00
some of that risk mitigation work.
00:00
We're going to look at identifying
00:00
specific security mechanisms that
00:00
we may or may not
00:00
use and those could be things that we buy,
00:00
those could be things that we build,
00:00
whatever the case may be.
00:00
I know there's good question and
00:00
the question you're going to ask me
00:00
and you're going to say, Brad,
00:00
why don't we do the system security architecture
00:00
before requirements so we know what we're building to?
00:00
Good question. It's always
00:00
that cart before the horse argument there.
00:00
In my experience if you don't have requirements
00:00
first you have nothing to build an architecture to.
00:00
I've seen that in cybersecurity range design,
00:00
I've seen that in multiple design aspects where if you
00:00
just start building the architecture
00:00
that's where you get to scope creep.
00:00
It is very important to define
00:00
your requirements first and then build your architecture.
00:00
There's some great tools when it comes
00:00
to framing an architecture and doing
00:00
the system security architecture development
00:00
and these are all from
00:00
the Defense Acquisition University.
00:00
One is the functional flow block diagrams.
00:00
Remember we talked about functional analysis and
00:00
taking all those requirements and
00:00
putting them into their functional bins.
00:00
Well, after we've done that,
00:00
we need to map out how those requirements all connect
00:00
and we do that via the functional flow block diagram.
00:00
The next thing we have is a timeline analysis sheet,
00:00
and so probably you're all familiar
00:00
with this. It's called a Gantt chart.
00:00
Microsoft Project, was it Monday is the online one,
00:00
the Jira Atlassian Suite
00:00
provides support for these things.
00:00
Any way you do timeline analysis when you're
00:00
developing how a system is going to
00:00
fit together and how you're going to
00:00
develop it you're obviously you're not going
00:00
to eat that ton elephant all in one sitting.
00:00
You're going to do it one bite at a time,
00:00
and so timeline analysis.
00:00
We're doing architecture development
00:00
is incredibly important.
00:00
Then we have the Requirements Allocation Sheet.
00:00
This is super important where we take across the phase of
00:00
development of a system and outline where we're
00:00
going to actually put them together and test them,
00:00
and so Requirements Allocation is another way to take
00:00
and functionally define your architecture for a system.
00:00
Outputs of our architecture.
00:00
Well, we're going to select our security mechanisms.
00:00
What are the controls we're going to use?
00:00
We're going to define
00:00
our elements and that's where we're going
00:00
to define those interfaces.
00:00
We're going to allocate
00:00
security functions and this is important here,
00:00
this allocation word is incredibly valuable here.
00:00
We may already have stuff in place, IDS, IPS,
00:00
firewall, whatever that we don't need to actually build.
00:00
We're just building the next set of
00:00
elements for whatever new system we're doing.
00:00
We might rely on
00:00
other security functions that are already
00:00
in place so we're going to allocate stuff with them.
00:00
We're going to identify dependencies.
00:00
Now dependencies are important.
00:00
They're both lateral;
00:00
so side to side and then they're up and down all the way
00:00
up to the top-level system that we're integrating into.
00:00
If we do not identify dependencies it's likely that
00:00
whatever our security architecture is
00:00
going to look like isn't going to work,
00:00
and then we're going to do that
00:00
risk analysis and assessment.
00:00
That's a super important part here.
00:00
This is a great place where we get to
00:00
involve the customer because guess what?
00:00
The customer is who
00:00
decides whether they're going to accept
00:00
our mitigation strategies that we've talked about
00:00
in previous lessons or not,
00:00
and so you got to involve the customer here.
00:00
ISSE activities in our
00:00
defining the system security architecture,
00:00
we're going to figure out the services,
00:00
we're going to select our mechanisms,
00:00
we're going to identify components
00:00
or elements that probably there had to be
00:00
procured or built and we're going to allocate
00:00
those functions as appropriate
00:00
between elements and dependencies.
00:00
Again, here's a chart here.
00:00
We're showing where we've
00:00
defined our system requirements,
00:00
and then really what we've done
00:00
after we define the system requirements is we're
00:00
drawing inside that black box
00:00
what the system interfaces are all going to look like.
00:00
In this lesson, we talked about ISSE tasks as
00:00
relating to defining the system security architecture.
00:00
We've talked about some tools you can use,
00:00
we talked about the functional block flow diagram,
00:00
the Gantt charts or timeline analysis,
00:00
and requirements allocation.
00:00
Then finally we talked about the outputs,
00:00
and there's many of them that allow us to get
00:00
to what we do in defining
00:00
a system security architecture
00:00
for a system. We'll see you next time.