Designing Security Architecture Solutions
By Jay Ramachandran
2002, Wiley Computer Publishing, John Wiley & Sons, Inc.

Summary

The post-9/11/02 world has brought concerns about security to all levels, not the least of which are systems managers. As in protecting a physical building, system security happens at many levels: external, internal, support, maintenance and new construction. The scope and level of effort are most often bounded by finances and imagination.

In this volume, Jay Ramachandran has developed a very "practical handbook on security architecture,"[1] targeted at project managers, software engineers and system architects. By guiding the reader through the steps of system engineering, he builds an effective framework for the reader. In the Preface, he carefully outlines the targeted audience for the various chapters, to prepare the reader to use his valuable time most effectively, without talking down to him.

The book is arranged into 5 parts: Architecture and Security, Low-Level Architecture, Mid-Level Architecture, High-Level Architecture, and Business Cases and Security. The glossary is a very complete listing of the alphabet soup that most technical people accept but which needs explanation for management. The bibliography is extensive and quite current, while still providing the foundation references where appropriate.

Overall, this work provides an excellent single-volume reference for the system architect, project manager or software engineer who needs to understand where security fits in the deliverables being produced. It is not a sufficient reference to prepare for the CISSP certification examination, but it can complement the study documents. It will not replace feature-specific publications, such as Internet Firewalls,[2] which focuses on one topic, or Hackers Beware,[3] which deals with specific security events and how to find and act on them. I found it well-written, well-organized and a good addition to my technical library.

Elements of the Book

In the first section, the author prepares a tutorial to refresh the reader on various software methodologies, including Kruchten's 4+1 View Model, the Reference Model for Open Distributed Processing and Rational's Unified Process. He then moves on to the contents of a security assessment, including preparation, assessment and reporting. After comparing the assessment and action plan to the "Knapsack Problem," he reconsiders the analogy and explains why they are unlike. Through this discussion, he introduces the reader to the business realities of planning for security, both cost and time, and how to evaluate the tradeoffs. Under "Security Architecture Basics," Ramachandran gives a focused tutorial on the concepts and basic tools available. This chapter is a good introduction to common concepts, to be read before meeting with the security solution providers. In Chapter 4, the author introduces patterns for security. To the software engineer, the pattern terminology[4] may be very familiar, although perhaps not in this context.

In Part Two, Ramachandran focuses on what he calls the "low-level architecture" that provides for security. By building the security goals into the component level, the overall quality of the deliverables should be enhanced. He cites security expert Steve Bellovin's observation that "buggy software [is the cause] for most of our security problems."[5] The author continues to reinforce that principle through multiple examples of opportunities to exploit these vulnerabilities. This approach provides practical, concrete reasons for the application of sound system development principles, without sounding preachy. His analysis of code reviews would be useful for any team leader who wishes to improve his group's deliverables. The message of the architect building on a sound foundation is reinforced throughout this chapter and in the rest of the section. He continues to use the approach of theory, example, methods, challenges and evaluation in the following chapters on Cryptography, Trusted Code and Secure Communications.

Part Three examines Mid-Level Architecture, including Middleware, Web Security, Application and OS Security and Database Security. The key message in this section is the complexity of the issues that must be handled here. In the mid-level, the assignment is to support the application above while working with various versions of the foundation. He comments that databases are the most complicated single entity in the enterprise architecture.[6] Once again, the author has provided neat descriptions of the functions and problems of the elements at this level. The rule could probably be restated as the cliché "trust but verify." The author keeps the pace and language consistent throughout, neither talking up nor down to the reader. If someone needed more details in a particular area, he could refer to the lengthy bibliography, which includes many of the industry standards.

Part Four reviews the High-Level Architecture, similar to looking at a building from the outside. He examines specific security tools wrapping the system, including: sign-ons, public key infrastructure, firewalls, LDAP and X.500 Directories and the distributed computing environment. He then takes another step back and compares the "building" to the original security and architectural goals. This is a top-down view of the risk assessment done in the early chapters. In Chapter 15, he pulls the evaluations together by encouraging the architect to look at security as a process, not just a single event. He shows how techniques like XML and Repositories can be built into the support processes: enhanced routine maintenance, if you will. Taking it a step further, he compares enterprise security architecture to a data management problem, which, although a manual process, provides good payback.

The book could have ended here. Instead, the author realized that payback has another dimension. In Part Five, the author provides very graphic examples of real situations in which the absence of adequate security resulted in catastrophic outcomes. The insurance algorithms provided in Chapter 16 offer a neat way to evaluate the potential impact of a threat and present it coherently and simply to senior management. In Chapter 17, he provides random bits of practical advice, brief but pointed techniques to put into action.

Conclusion

In Designing Security Architecture Solutions, Mr. Ramachandran has compiled a great deal of useful information. In a single volume, he has provided an overview of the many elements to be considered in the development and operation of systems to ensure they are secure, and why he selected those elements. The author does not claim this is the ultimate book for any problem labeled "Security." Instead, he has provided a good handbook with an excellent bibliography so the reader can begin to ask the important questions of the developers, contractors, consultants and managers and to architect secure systems.

Notes

[1] Ramachandran, Jay. Designing Security Architecture Solutions. Wiley Computer Publishing, John Wiley & Sons, Inc., 2002, p. xvii.
[2] Siyan, K., and Hare, C. Internet Firewalls and Network Security. Indianapolis, IA: New Riders Publishing, 1994.
[3] Cole, Eric. Hackers Beware. Indianapolis, IA: New Riders Publishing, 2002.
[4] Design patterns have been applied to the architecture of buildings (Alexander, C., et al. The Timeless Way of Building. New York: Oxford University Press, 1979), software development (Gamma, E., et al. Design Patterns: Elements of Reusable Object-Oriented Software. Reading, Mass.: Addison-Wesley, 1995) and other aspects of development (Shalloway, A., and Trott, J. Design Patterns Explained: A New Perspective on Object-Oriented Design. Boston, Mass.: Addison-Wesley, 2002). It is interesting that the author has chosen to introduce them in this publication.
[5] Ramachandran, p. 107.
[6] Ibid., p. 291.