Agile for Cybersecurity! To Be or Not To Be?

Agile_ToBeOrNotToBe

The traditional concepts of continuous monitoring and continuous audit cover the concerns of security automation decorated with agile terminologies.

Oftentimes people think of implementing tools with Agile brands or getting faster as agile, while others consider it’s about business agility. I do think the original idea of Agile is about how people work together (as a self-organizing and cross-functional team) to cope with changes and to deliver values (iteratively and incrementally).

Before we start our Agile journey, we’d better define our problem statement and define what the values are behind the Agile umbrella.

If I’d like to incorporate agile things, I would prepare or mimic an agile manifesto first. The following is an example of Agile Manifesto for Cybersecurity from my perspective:
– People and culture over processes and tools
– Business value over comprehensive documentation
– Opportunities over Threats
– Proactive prevention over reactive response

How do we deal with the InfoSec governance, risk management, compliance and security operations based on the proposed Agile Manifesto for Cybersecurity? That’s a good question to start with.

Finally, incorporating agile elements into the cybersecurity setting is a great idea! but the idea of agile should be defined or at least clarified before we go.

Practice Question – RMF

ScopingAndTailoringSecurityControls

You are developing the Transportation Management System (TMS) that handles the information types of Ground Transportation and Air Transportation.

  1. Determine the security category of the TMS per FIPS 199 and NIST SP 800-60 in the following format:
    e.g., SC TMS = {(confidentiality, impact), (integrity, impact), (availability, impact)}.
  2. Select baseline security controls according to FISP 200 and NIST SP 800-53 R4. (Scoping)
  3. Tailor the baseline security controls and justify your decisions. (Tailoring)

Jargons: V&V and C&A

 

What do verification and validation (V&V) and certification and accreditation (C&A) mean? They are indeed jargons, aren’t they?

Take software development project as an example; the software must be verified against solution requirements to confirm if they are implemented correctly, while validated against stakeholder and business requirements to ensure the effectiveness.

Once the software solution is developed, tested, and delivered, it becomes part of the information system as a whole. The information system must be verified to ensure it meets the security requirements. The verification report is the objective evidence for the management to accept the residual risks and authorize it into operation.

The traditional Certification and Accreditation (C&A) process is transformed into the six-step Risk Management Framework (RMF). Please refer to the latest revision of NIST SP 800-37 for details.

Attribute-based access control (ABAC)

TCBAccessControl

Which of the following provides the most flexible access control?

A. A subject asserting unmarried
B. A subject with the Top Secret clearance
C. A subject with need-to-know
D. A subject assigned to the Admin role


Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

The recommended answer is A, A subject asserting unmarried.

This question is designed to help you understand the characteristics of the common access control mechanisms as follows:

  • A subject asserting unmarried ⇒ Attribute-based access control (ABAC)
  • A subject with the Top Secret clearance ⇒ Mandatory access control (MAC)
  • A subject with need-to-know ⇒ Discretionary access control (DAC)
  • A subject assigned to the Admin role ⇒ Role-based access control (RBAC)

Access control mechanism comprises 3 parts: authentication, authorization, and accounting. A subject implies a user or principal completes the identification process and its identity has been authenticated.

A subject’s access to objects must be authorized. ABAC, MAC, DAC, and RBAC can enforce the authorization process.

Attribute-based access control (ABAC)

An entity comes with attributes. For example, a user is an entity with attributes, such as Full Name, Marriage Status, Gender, and Aage, to name a few.

Privileges can be granted by attributes. e.g. Access to the Corporate Bonus Mileage Program, a web page, is granted to those members who are female (gender), married (marriage) and come from Taiwan (nationality).

A subject’s attributes, shaping claims or assertions, are dynamic in nature. It’s the most flexible way among the four mechanisms to implement authorization.

Mandatory access control (MAC)

MAC is based on the subject’s security clearance and the object’s classification level, or label. A security clearance is determined through a formal process. Both security clearance and object label are hard to change.

Discretionary access control (DAC)

DAC is based on the Access Control Matrix, a two-dimension matrix of subjects on the row by objects on the column. A row is a subject’s capability; a column is an object’s access control list.

The granularity of DAC is at the entity level (subject or object). ABAC is at the attribute level.

Role-based access control (RBAC)

As the name suggests, RBAS is based on roles. A role is a named collection of predefined permissions and rights; it usually maps to the organizational structure.

A user assigned a role is automatically granted the predefined permissions and rights. It reduces the administrative burden, unlike that of DAC. As the permissions and rights are predefined, or sometimes hard-coded, it’s not convenient to change them.

Notes

The concept of flexibility is not rigidly defined in the question, as the question is designed to help you understand the characteristics of the common access control mechanisms. You can evaluate flexibility in terms of granularity of criteria, convenience to change, and administrative or implementation burden.

References