Reducing Complexity – Introducing a Practical Model for Security Classifications

Thank you so much. Sound is okay. I hope so. Welcome everybody.

Yes, we are going somewhere for something completely different, reducing complexity. Introducing a practical model. I start straight ahead. My name is Elaine Richter. I'm a engineer, business engineering of university of car. As you can see the typical engineer and I'm working then more than 20 years in different positions at a large German energy provider, IT security manager, IT consultant, project manager, system designer, and IT architect.

And right now I'm chief architect for identity and organizational data management at E B W, which is somehow I am, which means identity and access management. And there I'm responsible for design and architecture of a next generations identity management system. And I'm doing a part-time lecturer. I'm working as a part-time lecturer for identity and access management and cyber security architecture at Lucerne University of Applied Science and Arts.

So I brought you a sketchbook and inside that sketchbook we'll take a look at practical cyber security architecture for and will do something on reducing complexity. And I really focus on the practical cart, not on the formal part and not so much on ESO standards and things like that. So building and running a cybersecurity in both worlds, that means if you have to run it in your on premises data center and in cloud and in combination brings you some extra plexity and some of the bare known security patterns and models are not applicable in the cloud systems.

While the modern security models like zero trust better fit into the legacy systems. And so based on a model for security classification will explore some ideas what we can do or what we can't do. It just starts straight ahead. If you have any questions you can interrupt me or welcome or we'll have some time in the end. So important note, all models are based on well on practice and general knowledge and all examples are fictional. So introducing a basic cyber security model. I introduce the last on last use conference.

I'll just repeat it again because I'll need it for the next slides which are coming. We'll a presenter note. So we'll find if you are looking at a cyber system, we'll find actor interactions and services. So we can have persons or services as actors and we have any cyber device which could be a system service, a machine, an application, an enterprise resource which could be a cloud service. And we go there and define a boundary for that system.

The system could be one piece, it could be multiple parts, it could be a cloud service, it could be multi-cloud services or it could be a complete hybrid mixed environment. We find it technically an organizationally definable system boundary. And then we go and distinguish good and bad actors and interaction including wanted and unwanted conditions of the environment.

And then we'll end up in having a basic cybersecurity model, which is very simple, it's it means it's security in one sentences regarding a cyber system only allow good actors doing good actions under wanted environmental conditions. So that means we'll stick with the green ones here. We need to analyze, define and controls server things and we've got make decisions what is good or if talk it in better it would be what is good enough. So now we'll start shrinking the perimeter. How is your system border defined?

So the system security border could be one large parameter, which is a very old fashioned model we use. We used to use in all data centers. It could be some medium size parameters, maybe we got a DZ parameter zone which we use for internet stuff and the internal stuff or something like that. Or it could be many small parameters. It's the more modern approach to that. So we are placing smaller parameters around some of the stuff and maybe we already have some cloud stuff in there and we are also placing some kind of a border in that cloud stuff.

And if we go on with this development, we even get more micro size parameters, which is called per less microper or the perimeter on the system itself, which mean you have very, very small parameters for which applies very good to cloud systems. So where do we place security checks? System security border is usually used for the strong security checks on border crossing, which means if we got in the old fashioned model, we got one large perimeter, one border and one place where we put our checks, we got some medium size parameters.

So then, then we've got two checkpoints, at least many small pyramids. We've got even more places where we have to check things. And now we are in the top modern system, which means we've got on-premise, we've we've got legacy, we've got cloud, we've got semi modern medium size perimeters and we end up like this. So we've got so many points where we've got to check things, okay? That means that's the effect of a permanently shrinking perimeter. I'm using the word perimeter not only in the easel layer 3 cents which would be IP addresses or something like this.

You can take, take any kind of border where you can control something. That's the system border in here. So if you have a zero trust security model which tells you never trust, always verify, which is a very short version of a zero trust security models that mean you've got a rule set, you got a policy enforcement point, policy decision point and then policy administration point, the policy admission ation point is doing somehow the definitions for the rule sets. And then we got these control points. Well then there's one big question we've got left or we've got to how to manage.

The operating staff will ask you who is able to manage all these necessary rule sets because we don't have it only for one point like on the left side we have to put it in there for all those micro pyramids. So we'll start with regarding a cyber system.

Step on, define the cyber system. Well okay, we already had this. We'll find a technically an organizational definable system boundary and a responsible person from business perspective.

Step two, defining business need for protection. So the business person has to tell us what kind of protection the cyber system is needed regarding the business. So that means business risk. So business need for protection. So it should be a business person who's telling us that. So we'll introduce a classification for reducing complexity.

Example, it could be like systems, cyber systems need for protection, public internal confidence strict to confidential. This part is only an example. You could go for two classes, you could go for five classes, you've got to adapt this at your company's situation but it should come from business and this classification should make it easier for him to make a decision on his risks. So next thing is we are, we've regarded a cyber system, we allow only good actors.

That means we derive the quality for an actor that means who is he and what kind of identification process is good enough for this person, again based on a security classification, derive the needed quality for identification and authentication of an actor. So we are introducing a classification for reducing complexity in this case, which means classify the quality of identification processes and authentication methods which are available in your business, which mean quality identification could be none, medium could be partners.

So guests high could be employees, external stuff, very high, additional security, everything is green and green as an example. So you've got adapt it somehow. There are some contracts in there, there are some lifecycle processes which are working in there. So the classification should reflect the business's relationship between a person and your company.

So and then we'll have a classification of the authentication, which could mean something like if you have now authentication you are anonymous, medium might be passport high, could be kind of implicit, multifactor very high, could be an explicit multifactor, maybe including some biometrics. Again you've got to adapt this to your business, but it's a kind of a technical in interaction because it means it's a person he uses who is using his or her account.

So and now we are going in here, so we are taking our service systems need for protection classes and we are matching them on the minimum quality of identification and authentication of a person or person in his account. So output will be used for determining the access on the cyber system. It will not replace any authorization inside and application. That's again important. You've got to do this on top of course. So next step and I wanted environmental conditions so we know need to protect of our cyber system.

We are good actors and now we're taking a look at the wanted environmental conditions. Well that is the impact on the cyber environment determination of the repercussion risk class for the cyber infrastructure and the cyber system environment that if something, if there's a risk of lateral movement or there's a risk of backfiring something, then we should look at this at this point.

Okay, so we got to talk with the responsible business person as as far as he's the ordering part in most cloud scenarios and or the irresponsible IT manager because if we should always talk to him if there's an impact on his data center, which is happening mostly on premises, sometimes it can happen on cloud scenarios. This is pretty much depending on the company's organization of IT business and how much cloud you have or not Classify the potential effects on cyber environment, especially regarding lateral movement.

So again, introduce a classification for reducing complexity. So the first one, that could be a repercussion risk class for cyber environment. If you are in a low risk typical environment, it could be a cloud provider's responsibility, low lateral movement, risk protected, secured and control and controlled exchange with on premises like example, if you've got some gateway content control or whatever and the it's focused on the security model of zero trust or microper. It could be any SaaS cloud services which is good secured or something like office 365.

If you've got a repercussion class medium, the typical protection environment is dominated by legacy applications. You've got somehow network as segmentation, you've got legacy protocols, okay there might be encryption, encrypted communication. You've got somehow authentication authorization and some more security enhancements. I would call this dominant security model and enhanced perimeter. It's the example is very easy because you've got it in your data center, it's yesterday's state of the art data center.

And a high risk class would be you got legacy applications, you got little network segmentations, legacy protocols only, mainly encrypted communication, which means you got unencrypted communication. That's the classical perimeter model. It's an old fashioned data center grown over the time and you got the very high risk class, which means legacy, no network segmentation, legacy protocols, unencrypted communication. And there's also a lack of authentication and authorization. And here we'll apply a security model, what we would call isolation.

We won't connect it to another IT segment could be legacy OT for example. So if you've got, if you want to go somehow deeper into those security models, go for my last year's presentation. We don't have time to go into there on a deep dive session. But in case of risk assumption, the hazard to the company's cyber environment must always be considered.

So if the responsible business person is telling you for my cyber system risk assumption is okay, still there can be a responsible IT manager who tells you, but from my perspective, for my cyber en environment, it's not okay because I'm responsible for the data center or maybe for the cloud environment. And I don't care if you're taking care of the risk but there's something backfiring and there's a lateral movement risk.

So part two, unwanted environment conditions based on the repercussion risk class and the need for protection of the individual cyber system derive the needed quality for the client environment. Again, we'll do a client environment classification. Could be something like this low, any client medium or high you even can put two together, could be a compliant client and very high could be somehow a definition of a extra secure clients. And all requirements of course are minimum requirements. So you can derive needed quality for your client.

Identify dominant criteria like a high environments repercussion risk should always override individual decisions. A high need for protection of a cyber system should always demand a very protected client. Instead of doing all possible in combinations, a discussion of the security situation is recommended, at least in the beginning. And then you will get some standard cases. So we'll put it all together. Define the service system.

Define business need for protection, derive quality, needed quality for actors impact, analyze the impact on the cyber environment, derive quality for clients, put it all together so it can be easily used in your policy enforcement points, whatever you are using. And now you've got a rule set which you can use in your policy enforcement and policy decision points and grant automated access to service system based on a very granular risk analysis. So that's quite hard. A lot of work which has to be done.

So we have all those classifications that means five classifications but we have to do them only one time to get those definitions of those classes. But we have to do each time if we add a new cyber system or if you put a new cyber system into the model, you have to run the individual need for protection part and you have to determine in which cyber environment it'll be placed. But everything else can be based on those classifications. So at the end the operating staff is hopefully telling you that makes administration of those perhaps peeps and PDPs much easier.

Summary and conclusion, security technologies and cool tools keep getting better. They can make security decisions on a very fine grain base. That means corresponding rule sets and policy are getting more and more integrated detail and complex. And introducing of modern security models like trust or micro perimeter enforces that effect. And the introducing of this model gives you might give you an idea of how to reduce complexity and you will, since they're based on fictional examples, they will need some attach on your company's base situation. And that's it.

Are there any questions we should go for the micro? Yes, Thanks El for the, for the nice presentation. I really like it. Thinking about talking to business persons, if I think of my business persons, I mean most of them would not be able to answer those specific questions like judging about the risk that is his or her application and stuff facing. So how are you dealing with this issue? How are you supporting the business people to be to, to make them aware and to and and to help them answer those, those questions? Yes. Okay. Very good question.

We are not using an form or something that, and we are not applying a PDF paper. You should read or you check some things.

We, it's a kind of a consulting situation and we are talking to the people. So we got consultants, they have the drop to go around to talk to the business people to make them situation clear. If it's someone who has a kind of an idea about risk and what his business is doing, it's getting through there quite fast. If we've got someone who's very far away from technologies and from business risks, it takes longer. And that's okay if we don't have an bond standard fits all. If it takes longer, it takes longer.

And if we've got to start in the very beginning, we'll start at the beginning and the controlled consulting process could take some time. Any other questions? Question. Thanks for the presentation. I have a question regarding of your security boundaries, do you make threat models for them to reduce the risk or something like that for your boundaries, for your security boundaries? Well the, that's in this model, it's the security boundary is the place where you, where you will put the controls which secure the boundary. It could be only for one system.

So, but if you are looking at the system and if you want to determine the risks of the system, you've got to make a third model or something like that. Comparing it's also with the business person together.

Okay, thanks. Okay. Yeah.

Great, great presentation. But question, you said it's a model, all examples were fictional. Have you tried and test it? And what were the experiences that you had in the field? What were surprises and what, what went well and what did take longer? Oh well part, some parts of the model are already implemented. We already implemented is especially the, the part where we are talking with the business people about the risks because we needed in other parts and well it's, it's possible, yeah, it's, the examples are fiction, but we are doing something like that and it works.

You've got to maybe you've got to invest some software development for the rule set processing. That's the main complex problem. Okay. We have a couple questions in line. Okay. One of them is what experience do you have with this model? For example, have you received any feedback on application in other companies Received any feedback on application in other companies?

Well, I can only talk about my company and well it's working. We are doing something like that. We've got a previous version of the model was a little bit reduced. We started with that one 10 years ago and it worked pretty fine.

So I'm, this is quite, it is kind of an update of it. So I'm pretty sure that we will make it to roll it over the whole company. And the next question says, you mentioned you only need to access many of these security aspects once, but how do you deal with change management? The characteristics of a system can change over time dramatically. Okay.

I mean when I said you don't, you have to do it only once, but if you've got some brand new authentication method, which applies something really new, you will go over your classification or for course a second time, but you don't have it to do it once per week or something like that. But applying a new application in your environment, especially if you've got the idea for smaller parameters, smaller security boundary and securing the system itself, that happens quite often. One more question online.

It says, how do you handle the dynamic changes in infrastructure? Does it work better than expected Dynamic changes in infrastructure?

Yeah, I'm not sure what is meant about this question. Well, in the policy enforcement points and policy decision points, you should place the rule set in there and the infrastructure should just use that rule set.

So if you, if you're building up new infrastructure, of course it should be adopted to the policy enforcement point and policy decision point. Cause otherwise if it's, if it's just standing at the side, it won't work of course. So you've got to put it in there. But usually new infrastructure is coming up with a new application or a new cyber system from a business perspective. And if you start at this point, you won't lose them. I Think we've got Another one. One more question. Which public documentation on the model exists Exactly this one?

Well, and you, you can use my last year's presentation to go a little bit more deeper into the different security models. Okay. No more online questions. Any questions from the audience?

Yeah, Thank you. In step two, you said you, the business owners defining the risk for the cyber system. Yeah. I just assume that you take it to account the information itself and the, the business requirement. It's not only the cyber aspect, it's also the, Of course, of course business, the cyber system usually does, should have a business aspect in it.

I mean it, it's the reason why there is this cyber system. Cause it's doing something which has worth for your business. So it's including the whole part. Yes. That's somehow the typical definition of saf. Yeah. Yeah.

It's, it's called in Germany we call its, and of course, and then the, the risk of backfiring or something like that is, but there's not, there's not so much you can't really translate those words into, into English. So the need for protection is something which should always come from business. There is some aspect of backfiring and the cyber environment where you are running in there. And that's, that part is especially not so much business related, that's very much driven from the it and you shouldn't leave it out if only business is telling you, oh, it's a low risk business case.

We don't have problems with it. I mean, assume you've got a restaurant and it's just the, the meals of the week they're publishing it's low risk, no chron jewels.

It's not, not worth nothing. But if it's got hacked and it's spreading some, some kind of virus or ransomware or whatever, you can do a lot of damage or you can use it just to hack into that system and then go on with some lateral movement. So there is quite a high risk even if this special application does not have a business value at all.

So we, that's also the problem with the chron jewels. If you are always focusing on the chron jewels, you believe all you will get the, the, the risk on the environment will get lost. I sorry for coming late to the presentation, probably I missed the considerable amount of slides in conversation, but this is more like a generic question. Almost on a quarterly or a yearly basis, you get a new framework about how to identify risk, how to classify, how to quantify it, and at the end of the day you end up with dozens with dozens of documents on your table on what and how you should do it. Yep.

What would you recommend for someone that is actually into risk that is looking to quantify it, how to pick the best formula for it? Because Yeah, this one is a pure practical model. It's just made for putting up rule sets in your policy definition and policy policy diff policy decision and policy enforcement points and nothing else. It's not a formal model. Maybe you can derive some ideas to feed also some formal needs, but it's mainly based for how you get your security configuration in your system and to make the right decisions there with or without a formal declared risk.

Well I think that's a one more question. No, No. Okay. Well run of applause. Thanks so much for.