Downloaded 11 times
Uploaded byPhil Huggins FBCS CITP
Security Architecture
Phil Huggins gave a presentation at the Private Security Conference Spring 2010. He discussed his experience delivering large, complex security systems for customers over multiple years. These systems involved teams of 20+ customer employees and 40+ supplier employees. He stated that 4 of the systems would be considered as threatening as the Death Star from Star Wars. Huggins also talked about the importance of having shared security principles and design constraints to guide development teams and ensure consistent security application across all aspects of the system design.
More Related Content
![First Responder Course - Session 9 - Volatile Evidence Collection [2004]](https://cdn.slidesharecdn.com/ss_thumbnails/publiccopy-9-volatileevidencecollection-130419072103-phpapp02-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
![First Responders Course- Session 1 - Digital and Other Evidence [2004]](https://cdn.slidesharecdn.com/ss_thumbnails/publiccopy-1-digitalandotherevidence-130419070259-phpapp01-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
![First Responders Course - Session 8 - Digital Evidence Collection [2004]](https://cdn.slidesharecdn.com/ss_thumbnails/publiccopy-8-digitalevidencecollection-130419071830-phpapp02-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
![First Response - Session 11 - Incident Response [2004]](https://cdn.slidesharecdn.com/ss_thumbnails/publiccopy-11-incidentresponse-130419072430-phpapp01-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
![First Responder Course - Session 10 - Static Evidence Collection [2004]](https://cdn.slidesharecdn.com/ss_thumbnails/publiccopy-10-staticevidencecollection-130419072255-phpapp02-thumbnail.jpg?width=600ounds&width=560&fit=bounds)
Similar to Security Architecture
Security Architecture
- 1. Phil Huggins Private SecurityConference Spring 2010
- 2. My recent experiencehas been: Large, complex systems Multi-year delivery 20+ people customer delivery teams 40+ people supplier delivery teams Need to know High threat 4 of them would be considered ‘death stars’
- 4. A set principles or maxims used to guide design decisions AND The design decisions taken (or constraints adopted) during the design process.
- 6. Everyone in a design process has models Implicit (intuition) or Explicit (written down) Usually somewhat wrong Usually somewhat incomplete People like to follow established practice Hard to challenge even in new circumstances
- 7. Tools to aid thinking not replace thinking Reference architectures are not a design Risk is just one security model Most models are good for the purpose they have been created If you’re doing something exceptional expect the model to be less useful
- 8. Constraints for design decisions Shared amongst all designers Consistent application across all design streams Long history in security Saltzer & Shroeder (1975)
- 11. 1. Economy of mechanism 2. Fail safe defaults 3. Complete mediation 4. Orthogonal security mechanisms 5. Semantically consistent defence in depth 6. Separation of privilege 7. Least privilege 8. Least common mechanism 9. Psychological acceptability
- 12. 10. Threats change 11.Design for failure 12. Use configuration control 13. Product certifications are of little utility 14. Design security in from the start 15. Include the flexibility to change security controls in the future 16. No single points of failure 17. Don't virtualise across security boundaries
- 14.