
tags: iso27001/2022/EN

8.27 Secure system architecture and engineering principles

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| --- | --- | --- | --- | --- |
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Application_security #System_and_network_security | #Protection |

Control

Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities.

Purpose

To ensure information systems are securely designed, implemented and operated within the development life cycle.

Guidance

Security engineering principles should be established, documented and applied to information system engineering activities. Security should be designed into all architecture layers (business, data, applications and technology). New technology should be analysed for security risks and the design should be reviewed against known attack patterns.

Secure engineering principles provide guidance on user authentication techniques, secure session control and data validation and sanitisation.

Secure system engineering principles should include analysis of:

a) the full range of security controls required to protect information and systems against identified threats;

b) the capabilities of security controls to prevent, detect or respond to security events;

c) specific security controls required by particular business processes (e.g. encryption of sensitive information, integrity checking and digitally signing information);

d) where and how security controls are to be applied (e.g. by integrating with a security architecture and the technical infrastructure);

e) how individual security controls (manual and automated) work together to produce an integrated set of controls.

Security engineering principles should take account of:

a) the need to integrate with a security architecture;

b) technical security infrastructure [e.g. public key infrastructure (PKI), identity and access management (IAM), data leakage prevention and dynamic access management];

c) capability of the organization to develop and support the chosen technology;

d) cost, time and complexity of meeting security requirements;

e) current good practices.

Secure system engineering should involve:

a) the use of security architecture principles, such as “security by design”, “defence in depth”, “security by default”, “default deny”, “fail securely”, “distrust input from external applications”, “security in deployment”, “assume breach”, “least privilege”, “usability and manageability” and “least functionality”;

b) a security-oriented design review to help identify information security vulnerabilities, ensure security controls are specified and meet security requirements;

c) documentation and formal acknowledgement of security controls that do not fully meet requirements (e.g. due to overriding safety requirements);

d) hardening of systems.

The organization should consider “zero trust” principles such as:

a) assuming the organization’s information systems are already breached and thus not being reliant on network perimeter security alone;

b) employing a “never trust and always verify” approach for access to information systems;

c) ensuring that requests to information systems are encrypted end-to-end;

d) verifying each request to an information system as if it originated from an open, external network, even if these requests originated internal to the organization (i.e. not automatically trusting anything inside or outside its perimeters);

e) using “least privilege” and dynamic access control techniques (see 5.15, 5.18 and 8.2). This includes authenticating and authorizing requests for information or to systems based on contextual information such as authentication information (see 5.17), user identities (see 5.16), data about the user endpoint device, and data classification (see 5.12);

f) always authenticating requesters and always validating authorization requests to information systems based on information including authentication information (see 5.17) and user identities (see 5.16), data about the user endpoint device, and data classification (see 5.12), for example enforcing strong authentication (e.g. multi-factor, see 8.5).
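As an added illustration (not text or code from ISO/IEC 27002), the following Python sketch shows one way items a), d), e) and f) above can be expressed as a default-deny, fail-securely access decision: the network of origin is never consulted, every request is checked against the requester's verified identity, authentication strength, endpoint device data and the data classification, and any unexpected error results in denial. The classification ranks, the entitlement table and the attribute names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed classification ranks for the example (not defined by the standard).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed entitlement table: user -> data classification -> permitted actions.
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"internal": {"read", "write"}, "confidential": {"read"}},
}

@dataclass(frozen=True)
class Request:
    user_id: Optional[str]   # verified identity; None if unauthenticated (5.16)
    mfa: bool                # strong, multi-factor authentication completed (5.17, 8.5)
    device_managed: bool     # data about the user endpoint device
    network: str             # "internal" or "external"; deliberately never consulted
    classification: str      # classification of the requested data (5.12)
    action: str

def decide(req: Request, entitlements=ENTITLEMENTS) -> Tuple[bool, str]:
    """Default deny: a request is allowed only when every check passes explicitly.

    The network of origin is ignored on purpose (item d): a request from inside
    the perimeter is verified exactly like one from an open, external network.
    """
    try:
        if req.user_id is None:
            return False, "deny: requester not authenticated"
        rank = CLASS_RANK[req.classification]  # unknown label -> KeyError -> deny
        if rank >= CLASS_RANK["confidential"] and not req.mfa:
            return False, "deny: multi-factor authentication required"
        if rank >= CLASS_RANK["restricted"] and not req.device_managed:
            return False, "deny: managed endpoint device required"
        # Least privilege: an explicit entitlement for this action and classification.
        permitted = entitlements.get(req.user_id, {}).get(req.classification, set())
        if req.action not in permitted:
            return False, "deny: no entitlement for this action"
        return True, "allow"
    except Exception as exc:
        # Fail securely: any unexpected condition results in denial, never in access.
        return False, f"deny: fail securely ({type(exc).__name__})"

if __name__ == "__main__":
    r = Request("alice", True, True, "external", "confidential", "read")
    print(decide(r))  # (True, 'allow')
```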

The established security engineering principles should be applied, where applicable, to outsourced development of information systems through the contracts and other binding agreements between the organization and the supplier to whom the organization outsources. The organization should ensure that suppliers’ security engineering practices align with the organization’s needs.

The security engineering principles and the established engineering procedures should be regularly reviewed to ensure that they are effectively contributing to enhanced standards of security within the engineering process. They should also be regularly reviewed to ensure that they remain up to date in terms of combatting any new potential threats and in remaining applicable to advances in the technologies and solutions being applied.

Other information

Secure engineering principles can be applied to the design or configuration of a range of techniques, such as:

  • fault tolerance and other resilience techniques;
  • segregation (e.g. through virtualization or containerization);
  • tamper resistance.

Secure virtualization techniques can be used to prevent interference between applications running on the same physical device. If a virtual instance of an application is compromised by an attacker, only that instance is affected. The attack has no effect on any other application or data.

Tamper resistance techniques can be used to detect tampering of information containers, whether physical (e.g. a burglar alarm) or logical (e.g. a data file). A characteristic of such techniques is that there is a record of the attempt to tamper with the container. In addition, the control can prevent the successful extraction of data through its destruction (e.g. device memory can be deleted).