In line with the theme of field-based technologies, this post reviews the need to interact with field data hosted beyond the domain network. Traditional networks that housed the core data structures are likely to have implemented security segments similar to figure 1. As users increasingly access and interact with data outside the traditional network perimeter, defence in depth becomes appealing as a method for reviewing security posture, because it lets you take a multi-layered approach to security, similar to figure 2: no single control (the perimeter, for example) is relied on to protect a transaction end to end.


Below are some steps your Security Operations Center can use to review application/technology deployment projects:


1. Identify the bare essential critical core components required for a transaction to occur within your application.

2. Determine how the services that depend on the Non-Functional Requirements (NFRs) of these components would be affected if those NFRs were not met. Examples are:

(i) Run-time NFRs: performance, capacity, availability, response time, security

(ii) Non-run-time NFRs: scalability, systems management, maintainability

3. Identify the organic mitigation methods for each service, i.e. those that can be implemented either by the product itself or with the tools already in your department's security toolbox.

4. Identify the inorganic mitigations for each component, i.e. CIA triad (confidentiality, integrity, availability) controls implemented through people, process or technology outside the product itself.

5. Review external standards like PCI DSS to complement what your business needs to achieve for a successful business transaction to occur; the standards should not drive your layered analysis. Defence in depth is not a standard or framework, just a concept.
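The five steps above are a review procedure, and the part that benefits from being written down is steps 3 and 4: listing each control against the component it protects, the layer it sits at, the CIA property it serves and whether it comes from people, process or technology, then checking where the layering is thin. The script below is an added example written for this post, not code from the original article or from any product; the components (a field device agent and a sync API for a field-data transaction), their NFRs and the controls are constructed for illustration. It flags any CIA property of a component that is protected at fewer than two distinct layers, and any component whose controls all come from a single domain (technology only, with no people or process controls), which are the two ways a design most often fails to be defence in depth even though it has "lots of security".

```python
"""Layered-control gap review for the critical components of a transaction.

Added example for the five-step review above; not from the original post.
Component, NFR, layer and control names are constructed (hypothetical).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# CIA triad properties (step 4); order here fixes the order of findings.
CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Control:
    name: str
    layer: str      # where it sits: "device", "network", "application", "data", "operations"
    protects: str   # one of CIA
    origin: str     # "organic" (product / toolbox) or "inorganic" (added via people, process, technology)
    domain: str     # "people", "process" or "technology"


@dataclass
class Component:
    name: str
    runtime_nfrs: set           # step 2 (i)
    non_runtime_nfrs: set       # step 2 (ii)
    controls: list = field(default_factory=list)


def depth_by_property(component):
    """Number of distinct layers protecting each CIA property of a component."""
    layers = defaultdict(set)
    for c in component.controls:
        if c.protects not in CIA:
            raise ValueError(f"{c.name}: unknown property {c.protects!r}")
        layers[c.protects].add(c.layer)
    return {p: len(layers[p]) for p in CIA}


def layer_gaps(components, min_depth=2):
    """(component, property, depth) for every property with too few layers."""
    findings = []
    for comp in components:
        depth = depth_by_property(comp)
        for prop in CIA:
            if depth[prop] < min_depth:
                findings.append((comp.name, prop, depth[prop]))
    return findings


def single_domain(components):
    """Components whose controls all come from one domain (e.g. technology only)."""
    return [c.name for c in components
            if len({ctl.domain for ctl in c.controls}) <= 1]


# Constructed sample: a field device syncing readings to a core datastore.
FIELD_AGENT = Component(
    "field device agent",
    runtime_nfrs={"availability", "security"},
    non_runtime_nfrs={"maintainability"},
    controls=[
        Control("full-disk encryption on device", "device", "confidentiality", "organic", "technology"),
        Control("mutual TLS to sync API", "network", "confidentiality", "organic", "technology"),
        Control("signed update packages", "device", "integrity", "organic", "technology"),
        Control("store-and-forward offline queue", "application", "availability", "organic", "technology"),
    ],
)

SYNC_API = Component(
    "sync API",
    runtime_nfrs={"performance", "availability", "security"},
    non_runtime_nfrs={"scalability", "systems management"},
    controls=[
        Control("mutual TLS from devices", "network", "confidentiality", "organic", "technology"),
        Control("field-level encryption of payload", "application", "confidentiality", "organic", "technology"),
        Control("request signing with replay window", "application", "integrity", "organic", "technology"),
        Control("nightly write audit and reconciliation", "data", "integrity", "inorganic", "process"),
        Control("active-active deployment across two sites", "application", "availability", "organic", "technology"),
        Control("on-call runbook for sync outage", "operations", "availability", "inorganic", "people"),
    ],
)

SAMPLE = [FIELD_AGENT, SYNC_API]


def report(components):
    """Print the review findings in the order of the steps above."""
    for comp in components:
        print(f"{comp.name}: run-time NFRs {sorted(comp.runtime_nfrs)}, "
              f"non-run-time NFRs {sorted(comp.non_runtime_nfrs)}")
    for name, prop, depth in layer_gaps(components):
        print(f"  GAP  {name}: {prop} protected at {depth} layer(s), want 2+")
    for name in single_domain(components):
        print(f"  GAP  {name}: all controls from one domain; add people/process controls")


if __name__ == "__main__":
    report(SAMPLE)
```

Run as written, the sync API passes both checks, while the field device agent is reported for integrity and availability (each covered at one layer only) and for relying on technology controls alone. That second finding is the point of step 4: a component can be well instrumented and still have no process or people control that catches a technology control failing.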


In the next post, read about the Application of Defence in Depth and Technology Diversity at IET’s Digital Library.