Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Required Attributes of Security Solutions

I've been trying to come up with a list of attributes that a security solution needs to have to be complete and sufficient. The idea is to develop a set of attributes that can be used when analyzing security to see if it fulfills the needs of the situation. Obviously, risk management is the most important aspect of security analysis, but if we can distil a complex design into a small set of attributes that appropriate solutions generally would have, then we could use that set to analyze how good our solution is. This would be helpful when analyzing security solutions, be they security features in an operating system, an architectural design of a network, a physical security infrastructure, or any other type of security solution. The attributes also need to be a parsimonious set. Attributes of a solution need to be less complicated than the solution itself to be useful for analysis; otherwise, why abstract the solution into its attributes?

I wrote these down a while ago and have been hoping I could refine them by doing what I always do - mull them over mentally for a while. However, I can't seem to come up with anything better, so I thought I would open up the thinking to the community and see if anyone else has any better ideas.

  1. Comprehensive - The solution needs to cover the security issues it purports to resolve. It does not need to cover all security problems, but in conjunction with all the other solutions it should contribute to solving the problem. If the solution leaves holes uncovered something else must be available to address those holes.
  2. Comprehensible - The person intended to use the feature or implement the solution should be able to understand how it works, how to implement it, and how to address common problems.
  3. Adaptable - The solution should be flexible enough to work in several environments with differing risk management strategies. A solution that is not appropriate for all environments should not be mandated for all environments. It should be adaptable for each environment.
  4. Centrally manageable - A solution should be manageable centrally. Essentially, all configuration, enforcement, and reporting should be centralizable.
  5. Enforceable - A solution must be enforceable. A solution that can be turned off or disabled by those it is meant to protect, or to protect against, is unacceptable. If a solution is accidentally disabled in violation of a policy, it needs to be turned back on automatically.
  6. Reportable - It should be possible to generate compliance reports about all aspects of a solution. At a minimum, reports should contain the status of the solution in all places where it should be applied. Variance reports, showing out-of-compliance areas, are also important.
Comments
  • How about affordable? If small organizations with extremely limited budgets cannot afford the solution, then it is of no use to them. And they need it the most precisely because they have fewer resources and any downtime might bring the end of the organization.

    There are only 500 companies in the Fortune 500, but hundreds of thousands of organizations at the other end of the spectrum who are desperate for inexpensive and robust solutions!

  • Not sure where this fits.. but a solution needs to be 'delegat-able'.. such that parts can be delegated to members of the team in a manner that only those parts/rights/modules, etc that are deemed needed for that person/team member to perform the task are given to them.  

    But is that part of adaptable?

  • I like Lazy and Robust for security. Typically, security systems are delivering a policy, and if a policy is going to work, it has to be Lazy and Robust.

    Lazy -- it's easier to obey than to ignore or bypass

    Robust -- whatever the current compliance status is, application of the solution will tend to improve it over time

    Is that too pessimistic?

  • This is great, sounds just like the requirements of an accounting system. Although one of the requirements is missing, Relevancy. It isn’t surprising though that the same requirements would exist; you are effectively doing the same thing. In accounting you have a system that is required to know everything about business transactions and effectively report to management and external sources the information that is relevant to them. This is the same basic requirement for a security system. I had never really thought about the two this way (until I saw this list). Additionally an accounting and a security system can have other requirements, like enable faster responses to changing… security threats or economic environments. Hmm, way more similarities than I have room for in a comment… I’ll post a better write up later joshmaher.wordpress.com
