Develop Detailed Security Design (Develop Detailed Design)

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
>> Welcome back to Cybrarians course,
00:00
I'm your instructor, Brad Rhodes.
00:00
Well, now that we've gone through needs,
00:00
requirements or architecture,
00:00
it's now time to develop the detailed security design.
00:00
In this lesson, we're going to talk
00:00
about the ISSE tasks here,
00:00
we're going to talk about the ISSE effort in this area,
00:00
we're going to talk about GOTS and COTS, specifically.
00:00
In IATF 3.1, from the NSA in 2002,
00:00
we have five ISSE tasks when we're developing our design.
00:00
One, we're going to allocate security mechanisms.
00:00
We're going to take the things that we
00:00
defined in our architecture,
00:00
we're going to allocate those where they need to go.
00:00
We're going to look at interfaces, internal and external.
00:00
Internal are the connections within our system,
00:00
external are things that connect out of our system,
00:00
usually to the Internet and we're going to qualify those.
00:00
What qualify means is that we're going to test them in
00:00
the environment that they're supposed to
00:00
work in and if we don't do that,
00:00
it's likely they might fail.
00:00
We're going to develop our specifications
00:00
and that's tied to the Common Criteria.
00:00
Remember those evaluation assurance levels,
00:00
those specifications are incredibly
00:00
important because that helps us
00:00
define our level of maturity.
00:00
Next, we're going to look
00:00
potentially at what we're going to use.
00:00
We're going to either use commercial
00:00
off-the-shelf or we're going
00:00
to use government off-the-shelf.
00:00
We're going to talk about those in detail because
00:00
that's very important to understand those differences.
00:00
Then we're going to look to see if we need to actually
00:00
design custom security products
00:00
from a development perspective.
00:00
Within design,
00:00
the ISSE is looking at a number of things
00:00
and it's the four things really here on the slide.
00:00
One, we start with our constraints.
00:00
Obviously, we probably have things that we can't do.
00:00
The customer tells us that.
00:00
We might have a technical or non-technical constraint.
00:00
Non-technical could be that we're not
00:00
allowed to do it legally.
00:00
A technical constraint is something that maybe
00:00
the tech doesn't exist or the tech
00:00
won't work the way we thought it would.
00:00
Either way, I still consider
00:00
risks here. We do trade-offs.
00:00
Remember that the magical triangle of cost,
00:00
schedule and performance, well, guess what?
00:00
It's shown up again.
00:00
Even ISSE in the design effort we have to look at that.
00:00
We have to look at is what we want to
00:00
do is we want to design cost too much.
00:00
If that's the case, we have to get within cost,
00:00
maybe we give away
00:00
certain requirements that we're looking at.
00:00
We've talked a lot about
00:00
traceability and why it is important to trace
00:00
from the baseline, the bottom-line requirements,
00:00
from the system security requirements to
00:00
the system requirements themselves because that
00:00
traceability allows us to
00:00
ensure that we're building
00:00
the right stuff for our customers.
00:00
Of course, schedule and
00:00
there's two real important things on schedule.
00:00
One is life-cycle.
00:00
We've talked about life-cycle a lot.
00:00
You have got to do life-cycle work
00:00
and management and planning within the design.
00:00
If you don't, you're going to get to the end of
00:00
your system's useful life and you're probably
00:00
not going to have a plan to decommission it or
00:00
dispose of it and then you're probably not
00:00
going to have the replacement waiting in line.
00:00
But then there's long-lead items.
00:00
You might go, what the heck is long-lead items?
00:00
Well, long-lead items
00:00
are those things that take a long time to build.
00:00
I've had some experience in
00:00
the aerospace industry and I will tell you,
00:00
for example, if we're building or
00:00
buying a component for a satellite,
00:00
it takes a long time to get those,
00:00
sometimes years in many cases,
00:00
because those items have to be qualified,
00:00
remember that word, say in a vacuum chamber.
00:00
There's only so many of those in the world and you
00:00
have to schedule when you get access to
00:00
them and so you've got to plan for that in
00:00
these very technically complex systems.
00:00
Let's talk about COTS and GOTS.
00:00
GOTS first of all, is government off-the-shelf.
00:00
Basically, that's when a government goes out and
00:00
buys a license to
00:00
something and allows all
00:00
the government workers to use it.
00:00
For example, years ago,
00:00
the Federal Government bought
00:00
a large enterprise license set for Symantec and made
00:00
Symantec Antivirus available for free to folks
00:00
that would access
00:00
military or government services from home.
00:00
That's like government off-the-shelf.
00:00
Commercial off-the-shelf is where you just go and
00:00
buy something because it's cheaper from a vendor.
00:00
For example, in the '90s,
00:00
the US military started to buy
00:00
and outfit, from an IT perspective,
00:00
information technology perspective organizations
00:00
with commercial off-the-shelf computers.
00:00
Why? Because they were cheaper.
00:00
We used to have these mean green machines in the military
00:00
that we had to buy a special build
00:00
for that and they were very expensive.
00:00
That's the difference between GOTS and COTS.
00:00
One is on the shelf already
00:00
and the government owns the rights to it,
00:00
whereas COTS is something we buy from a vendor.
00:00
When we develop that detailed security design,
00:00
I want you to remember that the ISSE does trade-offs
00:00
and the ISSE does that life-cycle support.
00:00
We've got to really pay attention to
00:00
life-cycle support here because if we don't,
00:00
we're going to get to the end,
00:00
we're just not going to have
00:00
the replacement system available because we
00:00
didn't think about it and that's something you
00:00
need to really pay attention to here.
00:00
In this video, we've talked about
00:00
detailed security design work that the ISSE does.
00:00
We've talked about the ISSE tasks,
00:00
we've talked about the ISSE efforts
00:00
and we've talked about COTS and GOTS.
00:00
As a reminder, COTS is something you buy from a vendor,
00:00
GOTS is something that's already available and
00:00
the rights to use it are owned by the government.