Cyber Security Architectures in a Hybrid World

So welcome to my talk, and I'm very glad to be here and thank you for cooking a call inviting me, and I'll do a lot short talk about cybersecurity architectures in a hybrid world. I will give you some overviews, so you can cope with all those building blocks, which you can visit the boots upstairs and order sort them all somehow and put them together. First of all, who am I am? My name is Elaine Richard. I am got an engineering degree of university of UR and I'm around than more than 20 years as security consultant, security manager, it consultant.

And so on project manager and architect at, in BW, which is one of the larger energy providers in Germany and further on. I'm also doing some lecture in identity and access management at university of applied arts and science.

Well, we will do a kind of a practical approach to cybersecurity architectures. I won't stick with identity and access management only. I would do the whole thing. So you get an overview, but we will position identity and access management. We'll see that it has a central portion somewhere in there, and we'll not stick only around with it, which means office it, but also for OT and production environments and cloud services and all the other things which are adding extra complexity to the things we've got to solve.

And well, we take a short look at security basics, compare some outdated, updated, and up to date security models and find a suitable model for different needs. Finally, we put it all together in a hybrid environment and my presentation will focus on practical security. You won't find much on the follow side. That's another talk. Okay. We'll start, I'll introduce a basic cybersecurity model. It's the thing we are using to go through the talk.

So you've got something to match with and we'll start with, we've got a person as an actor or a service as an act actor, and they have an interaction with any cyber device, which can mean an it system. It can be in service, a machine, an application, a resource, a software, whatever. And we regard the interaction. Okay.

We, second, we define a boundary of a cyber system. A cyber system can be a one piece cyber system, let's say one server, one database or whatever it con consists out of multiple parts, like an S P system, which has contains sort of a database and the application services. And so on. It could be a cloud service. It could be a multi-cloud service system. It could be also a complex hybrid mixed scenario, which is put together of, of all of them. And we go there and find a technically and organization, definable system border. Then we go put the system in the middle.

I'll take the easy one for the next pictures here, but we can also put one of the combines in here. We go for the, put the system in the middle and we distinguish good and bad actors and good and bad interaction, which is very easy because the good ones are the black ones and the bad ones are the red ones. So it's very easy to distinguish that. And we also look at the including wanted and unwanted conditions of environment. What is that? That means maybe you've forgot to be in a safe network to access something, or maybe you have to use a safe client to access something.

We'll all sum this up until have a safe environment, but it can, or a condition of an environment. So my basic cybersecurity model, which we use for do some research on, take a closer look on some other security methods we have is, is just regarding a cyber system. Allow only good actors doing good actions under wanted environmental conditions. I'll just call it basic cybersecurity model or BCS model.

So we, which only have to tag it down to the green ones and then we are fine. Everything else is, is not good. Maybe we've got a bad condition of the environment. Everything else is good. But if the condition of the environment is unwanted, we don't want it. Or maybe someone here, it's an unwanted person doing an wanted action, but we don't want it in our cyber system. Or let's say here, we got a complete bad cyber system which wants to do bad interaction. We don't want that. So now we got to need to analyze, define, and control several things.

Now we do a short history of cybersecurity in the very, very distant past. We had a SI there was no cybersecurity at all, or there was something I would call it security by OB security. The main idea, we already had some very early cyber systems, some early computing. And the main idea was nobody knows about my system. So it's safe. Very few experts. First step with interconnections. Often things are completely isolated. They are just placed in some lab and we don't have any problems. Cause the door is effectively the cybersecurity system.

I mean the physical door and the boundaries are based on expert, only knowledge or on complete isolation. Okay. But already then some, some occurrences of bad. We had some occurrences of bad interaction. So if somebody has seen the film war game, something like that, it's very historical, but okay. We already had that at this time. And if you look at the, the basic cybersecurity model, we don't have a good definition of a cyber system. It's just there. We don't have a definition of good actions. We don't have good actors, a definition of good actors.

And we even did not define what is a good condition of the environment we are in. So this is really, really security by OB security was a poor approach. It still is a poor approach, but it has been also already in this time, a bad approach.

So, so they, we had some reaction on that. So the first thing we put in was control access via network parameter security. That was the first idea what we could do.

So, and the second thing is reaction B control, access via authentication or authorization. So we are already in the very past and we already have the, these basic security ideas and reaction number CS can do some controls on the system itself. So like hardening the system on, get it better security on the system. So we got two reactions on this situation and this leads us into the period of parameter security, which we enter now. So we are now in the past, not in the very distant past, but in the past. And we'll take a look at the reactions control access via network.

Main idea on this is check secure network location. So we are doing network based boundary definition and everything inside is good and everything outside is bad. And we are placing some firewalls and something like that as a border control and network addresses and protocol types are to, we use them to distinguish actor and actions. It's not really that we know those people, but we know if, if some interaction is taking place inside or some person is doing interaction inside, we regard it as good action.

So if we, what happens now is we got some bad guy hiding behind good Luther king traffic, and now, well, that's not so good. It what's the reaction on the bad side. And next reaction is we are doing some enhancements, more intelligent and specific cybersecurity tools go for deeper and better inspections. So we can see that this is an unwanted traffic in reality and not advantage traffic. And this will shift them up in the protocol levels. That means we got email gateway with content control. We got web proxies with content control and so on.

We got more intelligent firewalls, which are not only doing network address and protocol types, but also doing some content expect inspection. Okay. So if you look at the parameter security model at, in this situation, and we all go back to our basic cybersecurity model, we've got a good definition of cyber system. It's really technically you can use it to define some rules.

Well, we've got somehow a definition of good actions and good actions, actors, and wanted conditions. Well, as long as you can be sure that everything stays at its proper network location, you have some up to date enhancement in place. Pyramid security can be quite good. The problem is that the things are moving and that the people are moving and we are getting also, but it's not the best thing you can have. Okay.

We, we go on, we got a reaction B, we said we also put in some control access via authentication authorization. The main idea is we'll take a focus on who is allowed to access. What that's the well is the main subject of the conference here, identity and access management. So we place in some identity and access management system in here. Maybe we place it directly into one application, maybe be a separate identity provider, place it in there. And we do identification authentication authorization of actors, mainly people. The focus is first line on people. And first steps were decentralized.

We build it directly into the applications and later centralized. So we got identity and access management, which can be found under those acronyms through letter acronyms. And so the bat guys has to stay out because he can't get a log on to what happening. Of course something is happening. The bad guy is hiding behind stolen identities. And so we put an at all enhancements on the system, the enhancements mean we do multifactor authentications. We go for single sign on better identity and access management. We're looking that passports can't get lost.

And so and so on and reaction BS, we do combination with other security approaches and like conditional access or whatever. And if we now look at the BCS model, we got still, we got a definition of our cyber system. We got a very good definition and hands on, on the good actors to distinguish them from the bad actors as long they are people or human beings.

Well, we are not so good in distinguishing good actions from bad actions. And we are not so good in doing the distinguishing, wanted conditions from unwanted conditions, but it's, it's getting better. So this is the AA security model. I would say, AC authentication and access via authentication and authorization, which is usually combined with parameter security. And they're both at the same age on the time scale.

Well, main focus in this security model is person as an actor. It's an important, but it's not a complete approach for cybersecurity and has to be combined with other measures. So if we go Contra number, reaction, number CVO controls, and measures on the system itself, it mean we are placing. The main idea is reduce the attack surface on the system itself. So we go further server, we build a micro parameter around, maybe we put some extra control software, like an intrusion detection system on the system itself.

Or we place something in front of the system to control who is accessing, what, what traffic is going on that, but it also means the, the basics like patching the system. So closing non vulnerabilities, keep every part up to date, reduce the system to the bare necessities. It's the minimal principle, hardening the system, including some more secured, smart security tools and applying application level controls on the system itself just to keep the bad guy out and to keep the bad interaction out. So we got these three parts which are enhancements.

And if we look at the basic security model, well, this is good for doing a system boundary, which is now very tight distinguishing good and bad actions. Well it's depending on what you are applying in here, I mean, closing non window abilities and keeping every part up to date, doesn't do much on distinguishing good actions from bad actions. But if you place on here, some intrusion detection kind or some application level firewall in front of that or something, you will probably can do more in this part.

Well, it doesn't do anything about good actors and it doesn't do anything about good or wanted conditions. Quality of cybersecurity in this model is depending on the implementation of security on the system itself, since all the authority and information to process a request is in the system. This is the most powerful point of control, but it's also the weakest because everything can be executed. There not all system are able to do the necessary control workload cot, but will meet further. Okay. So the next one will step further.

Now we are reaching today and one of the models we are going for today is the idea of an enlarged parameter security. We have been around with parameter security for about 20 years, 30 years, something like that.

And it, it did a good job. It's not the worst thing you can do. The worst thing you can do is no security at all. Keep that in mind.

I mean, a good parameter security is somehow security and well in the present we are facing distributed and hybrid environments. The situation is we have, we started with remote access. Then we have everything. It thing goes back. It was in the.com hype somewhere services, cloud services, process of digitalization. So cyber assisting us spreading out more traffic, more business need for distributed environments. And we can't just tell them, Hey, stay in our legacy on premises data center and everything will be fine. Don't move. That doesn't work anymore. Okay.

So what we get is an insight and outside get completely mixed up and good and bad interaction become more and more similar. I mean, the basic idea was with the, those ports in T C P P was to distinguish if it's it's a printing job or whether it's a web browser job or what, or it's a file sharing job, you can't use it anymore. Everything is HTTPS on one port. We can't distinguish on this basic anymore. So parameter by secure becomes complex up to undefinable reaction.

Number one, expansion of the insight, the first idea, or a reaction of the idea as well, we've got this parameter security with our well-defined insight. And if you really need to do this cloud thing, well, then do a private cloud thing at least please. And then we'll put up some extra VPN in here and we do an expansion of our inside and we are trying to apply mostly the same rule sets we've got for parameter insight. We're trying to apply here outside. So it started with the ideas of remote access, several data centers spread out clients.

This was the classical VPN scenarios, and it continues with those private cloud with decentralized data centers and cloud services. Okay. Somehow we can stay in control. We think network gets some virtual overlays and advance, but it's still playing an important role in defining the boundaries from self-defined VPNs up to redirecting all traffic using virtual macro pyramids to cloud provider, which is called secure access service edge SA model. But it's still somehow a perimeter idea of an enlarged perimeter. It's a micro perimeter.

If we regarded the BCS model, the cyber system, the boundary definition is somehow a little bopped out, but it's okay. We got a boundary, but we are poor. We are not very good in dis distinguishing good actors, good actions and wanted conditions.

So the, the main idea here is parameter is reconstituted at a wide scale. What I would call macro Perter, but it's difficult to find suitable smart security tools, at least on premises and well, in reality, take a look at that. It's kind of a deadlock and a private network.

I mean, public services are not participating and the people want those public services, even office 365 in some parts of public service. And that's not what people wanted. And when they bought the business wanted, when they said, I want to go clout, this is more like, well, I rented a data center somewhere, another part of the city. Okay.

So the, so if you have microper Sid, we also have the, the other direction, which I would call micro perimeter security. And we got, we still have in the present, this distributed and very hybrid environment and the reaction number two is arrangement with the outside. So we got this enlarged parameter security here. And what is now happening up to some degree, we accept that the outside is not so bad at all. So it first started sometimes ago when we, when we said our internet is not so bad. Can someone remember that?

That now, nowadays everyone has an email account and can access internet to look up things in internet. But there was a term when only a few employees were allowed to use internet access. But at some point we said, no, everyone, we accept internet as useful. And there are more advantages than disadvantages. And we'll accept this part of the outside. We find somehow a way to control it, but we go there. So we try to control the content via proxy or something like that, but we go for internet. Then we do, we do for go for, we have up to some degree, acceptance of bring your own device somehow.

And by enforcing stronger authentication, add some extra controls and security techniques on end user devices, combine them with an IM for example, like in conditional access or something like that. Next step in acceptance of the outside is prepare some of the legacy systems for contact with outside. Maybe put some extra security layer in, or just do it and be pray that nothing will happen. And then last part is acceptance of public cloud services.

And that's the part where you've got to go for more modern security concepts, like micro parameters, zero trust or zero trust, security models or something like that. Okay. If you go for the BCS security model, well, definition of the cyber system is okay, but it somehow gets complex. We still have the problem in determining good actions from bad actions since we got in good IM we got, we can know who, and we know how who's our good actors and we know are wanted conditions. Okay.

Now the difficult spots for cybersecurity operational it, this is in very short something which is controlling industrial system and operational systems. Cyber systems is the cyber system interconnected through network for controlling production systems. Okay. Techn technology is still at the age of early Peral security, or even before, that's the reality. It's not your, it's not about because you neglected it. It's because the technology is still there.

I know that Siemens is doing a very visionary approach to update this, but you still have this in place and you won't change a production environment from one day to other, if you think a think a release update in an S a P system is something complex, try and update in an OT environment. Well, and isolation gets penetrated through business demands for interconnectivity there, interconnectivity with it. And there's inter wanted interconnectivity with cloud services. Of course. So cyber security is really difficult in this area.

We got a lack of hardware performance in these systems and compliance with regulations on production, environments, safety reasons, and no retroactivity even makes it more difficult. So sometimes we are not allowed to change the system because for safety reasons, legacy, it is also a problem. Typically on premises it system for running the business and technology is still in the age of parameter security network. Security is overgrown by interactions over the years. So if you usually the older, the parameters is the more holes.

It has legacy systems sensitive and extensive attack surface notice, and they are not decide for interconnectivity with public environments. So, and then we have cloud services. I would call them cloud service as it is not because it has, they have been designed for serving a right range of customer. This customer wants something to run like, like Fort Knox. He has really high security and this customer is a starter customer and he doesn't care and they're both renting the same platform. So that means technology comes as it is. And usually there is a public backdoor.

Every cloud service has somehow a public backdoor like an admin Porwal or a public only service, because you have to access this for the first time and place your order. And you've got to manage this before you rented it.

And this, this part is somehow a public part. So on this, this kind of public services, they are not compatible with. You. Can't put them in a parameter security. They just don't work there.

And well, we've got face it security, fun, security functionality is not the primary selling feature for whatever. Okay. Still five minutes. So we are putting it all together. That's my favorite slide. So back to the basic security model regarding a cyber system allow only good actors doing good actions, and I wanted environmental conditions. So we got it on premises, private cloud services, public cloud services, and several OT systems. And first of all, we'll do the definition of the boundaries, the cyber system.

We are adding some structures that means defined system boundaries, zones, any kind of segmentation, which you can do combined pyramid micro perimeter, as far far as you can go create small risk based sections. It can also mean that you've got to cut something logically into half like this one. So next step get for the good actors. There's nothing else, but getting good identity and access management system. So get a high quality IM system capable to service, all demands, legacy and modern protocols, grant access on risk based.

Yeah, maybe you want to go for zero trust model or something, or conditional access, jump posts, proxies, or similars for those who can't participate, which means if you've got an OT system, which is just too slow and just too busy, running all this OT stuff, which can't do any authentication, you've got to place it into a small pyramid network security, and you've got place a jump post in before, and you make the jump post really Bulletproof. And this one is the one to be placed in your identity access management system.

Because usually you can't change all this up here, but it can also happens in the it environment. If you've got a very old legacy system, it's a lot of work to be do done, and we've got to face it something in a private cloud and ICO, it can happen again. Maybe even in cloud environments, you will need jump posts or something like that. It mean if you're a cloud, it doesn't not always mean that you're completely on a modern environment. So now we got good action. Now we've got good actions and environments. So we place in here.

Some smart security tools apply smart security tools to helping to enforce sections and boundaries. Check for suitable technology. One size does not fit all. If you've got a legacy environment, you will find some have to find something that fits in here. Cloud environments have completely different smart security tools and combined with IM for enhanced access management. So sketch number 10, tops and flops in service security architectures. One of the flops is too much focus on end user device. You should go for an complete approach.

One middle one model fits all approach does not work for on-premises it. Legacy systems, OT infrastructure level, private cloud, and public cloud is all mixed up. And so we got a combination of several models, which we need.

We, one of the flops is if you not go for machines, they also have to be authenticated. They have to be put into the security model you're getting for. And also very bad idea is cybersecurity is a letter external add on that will always leave up some hose. You should regard it as an integral part of your system.

And ah, one of my favorites, well, formal security, only service system. Can't be secured by doing paperwork only. And attacker won't bother regarding a formal security concept. He will simply attack your real system and you should keep that in mind because this formal part consume a lot of your budget and consume costs a lot of money, and that you will lack this money. On the other side, on the applied security and hackers bond bother with formal security.

So, and you also need some experts who know how to operate the system, how to run the systems of your lack of experts in the ops environment, you be run into problems. So here we go. I introduced your basic cybersecurity, which may help to design and review cybersecurity architectures in a practical manner. And reality needs some kind of a mix of cyber security architectures. And as much we can't have one architectural approach for all kinds of buildings.

We can't have one for cyber security, all cyber security needs something matching and cloud services, especially public one needs more modern cyber security approaches and good service security architectures in chief by clever combinations. So that's it.