Patterns of Secure Architecture & Security Engineering II

Organizations around the world are openly sharing their response to the cyber revolution: Patterns, Models & Frameworks are as helpful in Business as they can be for your Career.

• Patterns provide a proven solution in a consistent format for each piece of the puzzle
• Combining them allows you to work through complex problems and build your design or architecture
• Solutions you can conjure up ultimately rely on technical mechanisms available to you

You will benefit from breaking things down into more straightforward to comprehend pieces when designing custom solutions for security problems.

Today we’ll cover modern defensive patterns, check out part I for the history of security patterns.

About the Author

Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.

You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.

More stories by Andrew

Buying a professional penetration testing laptop| Evaluating QubesOS as a Penetration Testing Platform | Finding the right exploit code | Antivirus in 2017: Why? Which? How? | Penetration Testers’ Guide to Windows 10 Privacy & Security | Full Disk Encryption with VeraCrypt | Hacker to Security Pro! On the Shoulders of #InfoSec Giants | Securing an Android Phone or Tablet (LineageOS) | Password (IN)SANITY: Intelligent Password Policy & Best Practices | Security Architecture Patterns I & Patterns II

Anti Patterns

I am reasonably confident that the security practice of Threat Modeling partly inspired the creation of MITRE’s ATT&CK Framework.

MITRE ATT&CK enables Information Security professionals to conduct structured adversary emulation exercises as well as model their security defenses against modern-day techniques.

Its adversarial tactics, techniques, and knowledge database are the most consulted anti-pattern for security architects. It spans attack preparation, cross-platform endpoint, and mobile device compromise.

Patterns by Arcitura Education

A vendor-neutral and modern training provider has done a terrific job sharing their design patterns with the world, from the basics to the advanced.

Currently, Arcitura covers Cloud Computing, Microservices and Containerization, Big Data, DevOps, and Blockchain — with plans to launch Machine Learning, Artificial Intelligence, and Internet of Things soon.

• https://patterns.arcitura.com/ (browse menu on left)
• Cloud Data Breach Protection
• Automatically Defined Perimeter

IOA Knowledge Base

I strongly recommend joining this impressive open community of IT Architects championing the Interconnection Oriented Architecture framework.

IOA aims to enable you with blueprints, playbooks, and design patterns for a modern interconnected world. Their knowledge-base provides a wealth of information.

• https://ioakb.com/register/

Currently, IOAKB covers Networking, Hybrid Multicloud, Security, Data, Applications, Internet of Things, Digital Payments, Analytics, CDN, Collaboration, and both Security and Distributed Security — in addition to many industry-specific designs.

IOA Security Blueprint

• Design Pattern: Boundary Control
• Design Pattern: Inspection Zone
• Design pattern: Policy Administration & Enforcement
• Design Pattern: Locate Identity and Key Management
• Design Pattern: Security Analytics & Logging

IOA Distributed Security Blueprint

• Design Pattern: Control Digital Communications
• Design Pattern: Integrate Multicloud and Data Controls
• Design Pattern: Security as a Digital Business Enabler

There is a wealth of information in each of the non-security designs as well.

Azure Design Patterns

Microsoft is making headway now that more conglomerates are reluctant to fund what is often their direct competitor — Amazon.

Between their improved stance on Linux and the Azure confidential computing program, I expect they will continue to attract customers from heavily regulated industries.

GCP Design Patterns

Google Cloud Platform is the talk of the town these days.

Google does an excellent job maintaining detailed product documentation, including security best practices, and enterprise adoption checklists.

A few public solution patterns:

• HIPAA HITRUST
• Hybrid and Multi-Cloud
• Identity & Federation
• Microsoft Active Directory
• PCI DSS
• Virtual Private Cloud

Most of their design patterns remain locked up till you participate in their (very affordable) Cloud Certification training on Coursera.

AWS Design Patterns

Amazon AWS has a clear first-mover advantage and is by far the furthest along in their reference architectures and security guidance.

• https://aws.amazon.com/architecture/
• https://aws.amazon.com/blogs/security/

To get up to speed quickly with AWS Security, I can recommend this training provider. But never discredit the value of reading vendor documentation.

DISA Implementation Guides

Since 1998, DISA has played a critical role in enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs).

The STIGs contain technical guidance to “lockdown” information systems/software that might otherwise be vulnerable to a malicious computer attack.

Using a Java-based STIG Viewing Tool you can turn the files from the STIGs Document Library into actionable check-lists.

NIST Special Publications

For 20 years, the Computer Security Resource Center (CSRC) has provided access to NIST’s cybersecurity-related projects and special publications.

I recommend taking time to review the excellent publications on Digital Identity:

I am personally excited to dig into the draft on implementing a Zero Trust Architecture (ZTA) to improve an enterprise’ security posture!

Continue with part III >

Do you have any advice? Corrections or additions?

Do not hesitate to reply. Feel free to share your experiences, advice, and questions in private or through the comments section.