Monday, May 11, 2020

Architectural Diagramming

The series started with a taste of what infosec is - particularly the technical aspects. In this post, I write about architectural diagramming.

In keeping with the old English adage "A Picture Is Worth A Thousand Words", diagramming is the process of explaining the technical details of an architecture using diagrams or pictures. Often, one finds that it is easier to explain with a labelled diagram than to get tied up in the imperfections of human languages.

In order to be effective with diagramming techniques, one has to value clarity and consistency in the diagrams. What does that mean?

  • Symbols and graphical elements must be standardized.
  • The reading flow must be standardized as much as possible. For example, all diagrams must be read left to right and top to bottom.
  • Diagrams must have numbered labels that help the reader step through the diagram in numbered sequence. Note that labels must be consistent with the standard flow directions that the team has chosen for itself.

With these simple techniques, I guarantee that your teams will be operating at efficiencies a notch above what one sees with teams where diagramming is optional and, even where diagrams exist, they are grossly unpredictable and confusing.

In a recent stint with a large NY based financial services company, I had the privilege to participate in strategy discussions on how we would orchestrate the move to the cloud. Every presentation came with diagrams, but there was simply no standard. Almost none of the pictures had labels. The audience had to follow the tiny mouse icon all over the screen to see exactly what the presenter was trying to say. The symbols and graphics followed no standard. Every presentation introduced cognitive load on the audience through non-standard and sub-standard diagrams.

While I was happy that there were diagrams, I think effective teams can do better by embracing a simple, standard way of describing architecture through diagrams.

One word on industry standards like ArchiMate, UML etc. These tend to get "heavy" and don't scale very well across roles and skill levels in enterprises. Be judicious in their use. It is OK to come up with a lightweight diagramming approach that is standardized within your team, organization or division. In fact, I would recommend that diagramming be included as part of documentation standards and that teams be put through mandatory training to gain familiarity with them.

Simple Web Site Diagram

Here is a diagram of a simple web site.

With numbering, it is easy to tell the story:

  1. The customer or user wants to access a web site and uses a browser.
  2. The request from the browser hits a web server in the DMZ, which accepts HTTPS traffic.
  3. The web server invokes the appropriate logic in the application server.
  4. In order to service the customer's request, the app server calls a database server which contains data pertinent to the user's request.
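A diagram-as-code version of the story above, as an added example that is not part of the original post: it encodes the three rules (standard symbols, one left-to-right reading flow, contiguous numbered labels) as checks and emits Graphviz DOT. The node kinds, shapes and zone names are this example's assumptions.

```python
"""Diagram-as-code for the numbered web site flow above. Added example, not from
the original post: it encodes the post's three rules (one standard symbol per
component kind, one left-to-right reading direction, contiguous numbered labels)
and emits Graphviz DOT. Symbol shapes and network zones are this example's choices."""
from collections import namedtuple

Node = namedtuple("Node", "name kind zone")          # a box on the diagram
Step = namedtuple("Step", "number src dst text")     # one numbered arrow
SYMBOLS = {"person": "ellipse", "client": "component", "server": "box",
           "database": "cylinder"}                   # rule 1: fixed symbol per kind

# Constructed from the post's four numbered sentences; list order is the
# left-to-right reading order that rule 2 requires.
NODES = [Node("Customer", "person", "Internet"), Node("Browser", "client", "Internet"),
         Node("Web server", "server", "DMZ"), Node("App server", "server", "Internal"),
         Node("Database", "database", "Internal")]
STEPS = [Step(1, "Customer", "Browser", "uses a browser"),
         Step(2, "Browser", "Web server", "HTTPS request"),
         Step(3, "Web server", "App server", "invoke logic"),
         Step(4, "App server", "Database", "fetch user data")]

def validate(nodes, steps):
    """Return the rule violations found; an empty list means the diagram is clean."""
    pos = {n.name: i for i, n in enumerate(nodes)}
    problems = [f"no standard symbol for kind '{n.kind}' ({n.name})"
                for n in nodes if n.kind not in SYMBOLS]
    for expected, s in enumerate(steps, start=1):
        if s.number != expected:                     # rule 3: labels step in sequence
            problems.append(f"label {s.number} out of sequence (expected {expected})")
        if s.src not in pos or s.dst not in pos:
            problems.append(f"step {s.number} references an unknown node")
        elif pos[s.src] >= pos[s.dst]:               # rule 2: arrows must read left to right
            problems.append(f"step {s.number} flows against reading order")
    return problems

def to_dot(nodes, steps):
    """Render the checked diagram as Graphviz DOT (rankdir=LR keeps the flow left to right)."""
    out = ["digraph site {", "  rankdir=LR;"]
    for n in nodes:
        out.append(f'  "{n.name}" [shape={SYMBOLS[n.kind]} label="{n.name}\\n({n.zone})"];')
    for s in steps:
        out.append(f'  "{s.src}" -> "{s.dst}" [label="{s.number}. {s.text}"];')
    return "\n".join(out + ["}"])

if __name__ == "__main__":
    assert validate(NODES, STEPS) == []
    print(to_dot(NODES, STEPS))            # pipe into: dot -Tpng -o site.png
```

Running the script prints DOT that `dot -Tpng` renders with the four labels in reading order; an out-of-order label or a right-to-left arrow is reported by `validate` before anything is drawn.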

Popular Authentication Architecture Diagram

working on it...

Sunday, May 10, 2020

GH Security and Architecture - The Start

This is the first post of this blog - GH Security and Architecture. My maiden voyage into the blogosphere as a writer. Wish me luck, send me your e-blessings!

The general topic of this blog will center around architecture, strategy and security. Now, you may be scratching your head and wondering why we need yet another blog on topics that have been beaten threadbare by the gazillion pundits out there in the blogosphere. And you are right to think that way. But my hope is that I may add some value by writing about these areas differently enough that some readers find it refreshing and organized, and that it helps connect the dots in some areas they previously simply could not digest.

The motivation for the blog is a long story which we won't get into right now. We will get to it at some point; who knows, my experiences from Summer 2017 to now, Spring 2020, might be of use to someone.

So how am I qualified to say anything meaningful on these rich topics? Well, for about 16 years or so, I've been working in exactly these areas for a large financial company, or shall we call it an enterprise (many business units or "small companies" rolled into one), and had the great privilege and opportunity to take on various projects in this space. I worked as an individual contributor, manager, solution architect and enterprise architect, and finally was managing architecture teams before I left the firm. In these roles, I covered a lot of turf (with my team, of course), blazed new trails, had a wicked good time and learnt a few things along the way. In this blog, I'll try to impart some of that knowledge to you, the reader (the big assumption is that you are interested in these areas), and let's see how that goes.

So - on with the topics!

Encryption, Identity, AuthN, AuthZ ...

The field of information security (infosec) has gotten fairly complex of late. There are many sub-disciplines within this area, each of which can be studied in its own right as a lifelong pursuit and career.

For example, I spent about 15 years of my career specializing in a field known as IAM, short for Identity and Access Management. IAM is all about access control: it determines who can access data (information) and what they can do to it or with it, i.e. read, write, delete and create. Even within IAM there has of late been further specialization. CIAM is the area of practice that deals with customer-oriented IAM. E-IAM, on the other hand, focuses on Enterprise IAM, which deals with the employees, vendors, partners and contractors of organizations and enterprises, i.e. regular companies.

So, back to infosec: what is it anyway? It is the field focusing on how information is secured. For our purposes, we could also liken information to data. You have probably heard about the "CIA" triad in relation to infosec. This is an acronym that captures the essence of what infosec tries to accomplish: C stands for confidentiality, I for integrity and A for availability. Given that humans produce and consume a lot of information/data in our day-to-day existence and consider it valuable enough to warrant protection, C provides confidentiality for that data, I provides integrity and A ensures availability.

Confidentiality ensures that data is only available to those authorized to read and consume it. Integrity ensures that data is not inappropriately modified, and Availability ensures that data is there when one needs access to it. Each component of the CIA triad could be dissected and explained in excruciating detail, but we will leave that for a future session.

How is CIA accomplished? In the biz, people would say: through the use of "controls". For example, there can be physical controls, which would be locked rooms, safes, cages for computers, fences, guards, dogs... you get the idea. All these have some effect on access. On the other hand, there can be technical controls. In the good old days, prior to the widespread use of computers, these would be things like ciphers and keys. Today, these are very much related to computers and the technologies running on them.

For example, encryption is used for scrambling data when it is on the move over a network or stored statically in a database.

The concept of digital identity has evolved so that a human in the physical world, who has a unique identity, can operate similarly in the digital world. This digital identity is then used to determine what actions are permissible on what data.

OK, so how does digital identity get established? When a person, e.g. a customer or employee, gets established in the system, digital identity comes about from aspects of physical identity, so attributes like name, address and contact info become the seeds of digital identity. In addition, an identifier, which could be a unique number or string, is attached to the set of attributes we just talked about, resulting in a digital identity. Of course, this is an ultra-simplified version of digital identity. There is a lot more we will talk about in subsequent posts.

The process of discovering the customer's or employee's digital identity is called Authentication or AuthN. We will discuss this in great detail in the future. The process of deciding what a customer can and cannot do with the data is called Authorization or AuthZ.
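A toy model of the three concepts just described (identity as attributes plus identifier, AuthN as discovering the identity behind a credential, AuthZ as deciding which of read/write/delete/create it may do), as an added example that is not the post's own code. The password hashing scheme, the in-memory stores and the permission table are this example's assumptions.

```python
"""Toy model of identity, AuthN and AuthZ as described above. Added example, not
the post's own code: a digital identity is a set of physical-world attributes
plus a generated identifier; AuthN discovers which identity stands behind a
presented credential; AuthZ decides which of read/write/delete/create that
identity may perform on a data set. Stores and hashing scheme are assumptions."""
import hashlib, hmac, os, uuid

ACTIONS = {"read", "write", "delete", "create"}   # the four operations named above
IDENTITIES = {}    # identifier -> attribute record   (constructed in-memory store)
CREDENTIALS = {}   # login name -> (identifier, salt, pbkdf2 hash); never the password
PERMISSIONS = {}   # (identifier, dataset) -> set of allowed actions

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def enroll(name, address, email, login, password):
    """Seed a digital identity from physical attributes and attach a unique identifier."""
    ident = str(uuid.uuid4())
    IDENTITIES[ident] = {"id": ident, "name": name, "address": address, "email": email}
    salt = os.urandom(16)
    CREDENTIALS[login] = (ident, salt, _hash(password, salt))
    return ident

def authenticate(login, password):
    """AuthN: return the identifier behind the credential, or None if none can be established."""
    rec = CREDENTIALS.get(login)
    if rec is None:
        return None
    ident, salt, stored = rec
    # constant-time comparison so the check does not leak timing information
    return ident if hmac.compare_digest(_hash(password, salt), stored) else None

def grant(ident, dataset, actions):
    """Record what an identity may do with a data set (read -> C, write/delete/create -> I)."""
    if ident not in IDENTITIES or not set(actions) <= ACTIONS:
        raise ValueError("unknown identity or action")
    PERMISSIONS.setdefault((ident, dataset), set()).update(actions)

def authorize(ident, action, dataset):
    """AuthZ: deny by default; only an established identity with an explicit grant may act."""
    if ident is None or action not in ACTIONS:
        return False
    return action in PERMISSIONS.get((ident, dataset), set())

if __name__ == "__main__":
    alice = enroll("Alice Example", "1 Main St", "alice@example.test", "alice", "correct horse")
    grant(alice, "orders", {"read"})
    who = authenticate("alice", "correct horse")        # AuthN succeeds -> alice's identifier
    print(authorize(who, "read", "orders"), authorize(who, "delete", "orders"))   # True False
```

The point the split makes visible: a successful AuthN only yields an identifier, and every AuthZ decision is a separate lookup against that identifier, so a logged-in user with no grant on a data set is still denied.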

So, in this blog post we have lightly covered:
  • what information security is
  • the objectives of infosec (remember CIA)
  • what controls are and, more importantly, what technical controls are
  • concepts like encryption, identity, AuthN and AuthZ.