@@ -13,8 +13,8 @@ In order to take a systematic approach to security it helps to have a
1313clear view of our requirements. Once we have defined those we can consider the
1414principles that can be applied to help us meet them.
1515
16- 2.1 Requirements
17- --------------------
16+ 2.1 Security Requirements
17+ ----------------------------
1818
1919The first requirement that comes to mind when thinking about sending
2020data across a shared network is likely to be *confidentiality *. As
@@ -79,7 +79,45 @@ by which data can be amplified by replication, allowing large volumes
7979of traffic to be sent to the target of a DoS attack; thus it has
8080become necessary to develop means to mitigate such attacks.
8181
82- 2.2 Principles for Secure Systems
82+ 2.2 Broader System Requirements
83+ -------------------------------------
84+
85+ Understanding the requirements of a secure system is important, but
86+ security is just one of many requirements placed on any system. It's
87+ also important for systems to be reliable, available, scalable, performant,
88+ usable, manageable, evolvable, observable, and so on.
89+
90+ These system requirements are sometimes indistiguishable from
91+ security. For example, a retail system brought down by a security
92+ breach is just as unavailable as one brought down by a hardware
93+ failure or a software bug. Similarly, a video delivery system designed
94+ to scale up to handle a flash crowd may also able to scale to fend off
95+ a DoS attack. In practice, it can be difficult to pinpoint the root
96+ cause of a failure (was it malicious or benign) and the root source of
97+ workload (was it malicious or legitimate). The main difference is that
98+ it is generally possible to provision for legitmate workload and
99+ benign failures, which can be measured and predicted (although not
100+ always accurately), whereas malicious attacks are often less
101+ predictable (although they should be expected).
102+
103+ Where the broader set of requirements become interesting is when they
104+ are in conflict with each other, and tradeoffs become necessary. For
105+ example, making a system secure can add latency to every transaction.
106+ Similarly, keeping a system secure puts additional burden on users
107+ (making it less usable), with the flip side being that those users are
108+ often the weakest link in the security strategy. These tradeoffs do
109+ not need to force an either-or scenario—clearly, designing for both
110+ security and usability is desirable—but no requirement is absolute,
111+ or we'd simply secure a system by denying access to all users.
112+
113+ For our purposes, the main takeaway is that security is unique in that
114+ it is not just a requirement *for * a system, but it is often best
115+ viewed as a system in an of itself, one that must be usable,
116+ scalable, manageable, evolvable, observable, available, reliable, and
117+ so on.
118+
119+
120+ 2.3 Principles for Secure Systems
83121---------------------------------
84122
85123Given how long people have been trying to build secure computing
@@ -89,7 +127,7 @@ system remains secure. We will outline some of the most well-known
89127principles here and the following chapters contain examples of how
90128those principles have been applied in practice.
91129
92- 2.2 .1 Defense in Depth
130+ 2.3 .1 Defense in Depth
93131~~~~~~~~~~~~~~~~~~~~~~
94132As we have noted, one of the central challenges in security is that we
95133never know if we have done enough. Much as we try to defend against
@@ -129,7 +167,7 @@ frequently it turns out that a well-publicized attack has succeeded
129167because some relatively common defensive measure, such as multi-factor
130168authentication, was not put in place correctly.
131169
132- 2.2 .2 Principle of Least Privilege
170+ 2.3 .2 Principle of Least Privilege
133171~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
134172The principle of least privilege has a long history in computer
135173science, having been proposed by Saltzer and Schroeder in 1975. The
@@ -159,7 +197,7 @@ is not actually required for the machines to do their jobs. Addressing
159197this shortcoming required some innovations in the design of firewalls
160198that arrived only in the last decade or so.
161199
162- 2.2 .3 Open Design
200+ 2.3 .3 Open Design
163201~~~~~~~~~~~~~~~~~
164202
165203Another principle codified by Saltzer and Schroeder is that of open
@@ -197,7 +235,7 @@ keep secret the key that is used to decrypt with the algorithm. It is
197235much easier to replace a key that has been compromised than to replace
198236an entire algorithm.
199237
200- 2.2 .4 Fail-safe defaults
238+ 2.3 .4 Fail-Safe Defaults
201239~~~~~~~~~~~~~~~~~~~~~~~~
202240
203241The idea behind this principle is the default settings of a system are
@@ -216,7 +254,7 @@ such old ideas as network firewalls and virtual private networks,
216254along with more modern approaches such as microsegmentation and
217255zero-trust architectures. We will discuss these developments in a later chapter.
218256
219- 2.2 .5 Least Common Mechanism
257+ 2.3 .5 Least Common Mechanism
220258~~~~~~~~~~~~~~~~~~~~~~~~~~~~
221259
222260This principle states that the amount of mechanism that is common to
@@ -229,7 +267,7 @@ as encryption into the network when the user is likely to need
229267end-to-end encryption anyway.
230268
231269
232- 2.2 .6 Design for Iteration
270+ 2.3 .6 Design for Iteration
233271~~~~~~~~~~~~~~~~~~~~~~~~~~
234272
235273Given what we have said about the difficulty of knowing that a system
@@ -252,19 +290,19 @@ replaced. While the timeframe in which such a change will be needed
252290remains a subject of debate, the safe choice is to accept that
253291cryptographic algorithms will periodically need to be replaced.
254292
255- 2.2 .7 Audit Trails
293+ 2.3 .7 Audit Trails
256294~~~~~~~~~~~~~~~~~~
257295
258296Part of dealing with the impossibility of covering all possible
259297security threats is to accept that sometimes we need to analyze what
260298has gone wrong. This leads to the idea that security needs to be
261- auditable. For example, it will be easier to conduct a post-mortem of
262- a breach involving compromised login credentials if every login
263- attempt is logged, along with information such as whether the login
264- came over a VPN, what IP address was used, and so on. Similarly it is
265- very hard to prevent insider attacks, but suitable logging might both
266- make it easier to detect such attacks quickly and to deter those who
267- might undertake them.
299+ auditable (observable) . For example, it will be easier to conduct a
300+ post-mortem of a breach involving compromised login credentials if
301+ every login attempt is logged, along with information such as whether
302+ the login came over a VPN, what IP address was used, and so
303+ on. Similarly it is very hard to prevent insider attacks, but suitable
304+ logging might both make it easier to detect such attacks quickly and
305+ to deter those who might undertake them.
268306
269307In a different vein, consider the design of secure protocols. The
270308specification for TLS (transport layer security) describes a large
@@ -283,12 +321,9 @@ so logging for audit purposes cannot just be an afterthought; it has
283321to be part of the design of a secure system.
284322
285323
286-
287-
288- 2.3 Summary
324+ 2.4 Summary
289325-----------
290326
291-
292327Just as we can never be quite sure that we have covered all possible
293328vectors of attack against a system, there is no hard limit to the set of
294329principles that can be applied to developing secure systems. The
0 commit comments