Learning Resource

Overview of Systems and Networks

Systems

A system is a functioning set of inter-related parts that work together to produce results. The “parts” include people, hardware, software, networks, programs, and data. Understanding how a system functions and how to protect it requires knowing its structure, parts, interconnections, policies, resources, constraints, and rules of interaction. Rozanski and Woods, in their book Software Systems Architecture, cover multiple viewpoints and perspectives useful for describing a system (2012, sec. 25). For project 6 in this course, building a security perspective may be done by collecting security requirements.

Use the following list of topics to build a security perspective of a system (adapted from Rozanski et al., 2012).

  • the sensitive resources, that is, the subsystems and data that need protection
  • the people and subsystems that need access to the sensitive resources
  • any information integrity guarantees, including HIPAA or other legal requirements
  • any systems availability requirements
  • the security policy (ideally as simple as possible)
  • the system/network architecture
  • a formal threat model identifying the security risks from insider and outsider threats
  • the system’s deployment environment
  • feedback from stakeholders

For your analysis, use only the areas that most impact your situation.

As you look at solutions, apply the following design elements, also adapted from Rozanski et al. (2012):

  • address each threat in the threat model at an acceptable risk level
  • apply vetted third-party security solutions in preference to home-grown solutions
  • integrate your solution within the overall design
  • make changes to simplify the security infrastructure to enhance system reliability
  • specify how to identify security breaches and ways to recover
  • obtain an expert review of your security solution

You do not need to address each of these approaches in your writing; they are given as good practices that can help you think through a security solution.

Networks

When you consider all the devices, hardware, software, and other elements, networks are complicated and require an organizing model that lets you apply different perspectives to understanding network functions. Maintaining network security requires knowledge of protocols, services, communication mechanisms, topologies, cabling, endpoints, and networking devices (Chapple et al., 2018).

The most used model, the Open Systems Interconnect model, or OSI, defines 7 layers of a network used to send and receive information from users and systems. Each layer isolates specific responsibilities, so you can simplify your analysis by focusing on one layer at a time. Surprisingly, OSI exists as a conceptual model used for analysis and design. Implementing a network requires detailed protocols, such as TCP/IP.

TCP/IP, transport control protocol/internet protocol, is the most widely implemented networking protocol. It uses four layers that roughly map into the OSI model. TCP/IP networks use numerous subprotocols, services, and security mechanisms at each layer.

Protocols and software require networking equipment such as routers, hubs, switches, repeaters, gateways, proxies, and firewalls. This equipment is used in the lower layers of the OSI and TCP/IP models.

Read about the OSI Model, TCP/IP, and network devices in the linked articles. As you read, consider how knowing these elements helps you understand how networks operate and how they may become compromised.

References

Chapple, M., Stewart, J. M., & Gibson, D. (2018). (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide. Wiley.

Rozanski, N., & Woods, E. (2012). Software Systems Architecture: Working with Stakeholders Using Viewpoints and Perspectives. Addison-Wesley.