Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That’s goteleport.com.

Jesse: This is the t of a trilogy of threes that covers this core foundations of good security practices and good security programs. In the first issue of Meanwhile in Security, I explained how security is a mindset, not a tool, and the importance of understanding the why or the purpose for building a security program. This drives everything you do in your organization for securing your critical assets. The why is the core reason for having a security program.

Next, I laid the foundation for the how or the principles that guide the work of your security program by exploring the people, process, and technology paradigm upon which all successful security programs are based. Using PPT, you will build a longer-lasting, more dynamic, and highly successful security program.

Following Simon Sinek’s Golden Circle model, the outer ring is the what or services offered by an organization group or individual. In implementing and maintaining a security program, the how focuses on the confidentiality, integrity, and availability of all data and services offered within the scope of your security program. This is often called the holy trinity of security, or the CIA Triad. All actions performed and tools implemented in support of the security program stem from one of these fundamental precepts of security. Let’s dig into the parts of the Triad.

Confidentiality. The first part of the Triad is confidentiality, which is about controlling data in services’ access. In their article titled “EI-ISAC Cybersecurity Spotlight–CIA Triad,” the Center for Internet Security, or CIS, defines confidentiality as quote, “Data should not be accessed or read without authorization. It ensures that only authorized parties have access.” End quote. 

I expand on this definition to include services not just data. Every organization and person has data to protect. The traditional approach to confidentiality assumes that any service that touches the data falls within the scope of confidentiality, as a means to protect against disclosure of the data that services accesses. This can lead to a focus on robust and complete data access controls without similar attention paid to services that don’t directly touch data with those controls in place. However, I consider access to and use of services within the scope of confidentiality because protecting use of resources is often as important or in some cases more important than the data access. 

This is often the case with cloud-native applications using microservices. Many modern services can take action without accessing specific data sources, especially when the data source is defined as part of the microservices invocation. For example, consider an attacker who has pilfered a file or files from your services or systems or from some other source and wants to perform analysis or some type of processing of the file or files. If you run services useful to the attacker in this scenario, the attacker may not touch your data, but they may attempt to use your services without authorization. To apply confidentiality to your security program, determine and document what data in services are sensitive and require access protection. To do this you may need to track down data and service owners. This process is closely related to the why of your security program which ultimately exists to protect your data or services.

Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the Cloud: low effort, high visibility, and detection. To learn more, visit lacework.com. That’s lacework.com.

Integrity. The second part of the Holy Trinity is integrity, which refers to keeping data intact and services functioning as expected. Anyone accessing data or a service should only have the ability to alter or remove any data or alter or repurpose a service when they are authorized for such actions. In Debbie Walkowski’s post for the F5 Labs site on July 9, 2019, “What is the CIA Triad?” she defines that integrity is about ensuring data quote, “Is correct, authentic and reliable.” End quote. 

Any authorized changes or removal of data or to services violates integrity, and are generally classified as alteration or modification attacks. Changes to some of your data can immediately call into question other data protected by the same security program and security monitoring or control tools. A type of integrity attack on software is a supply chain attack. This is an attack on any part of the process of creating, testing, and distributing software. This attack could be an alteration of the source code or have compiled binaries and their related checksums prior to distribution to end-user customers. 

A recent high-profile example is the changes to the supply chain of some SolarWind software that was then installed in thousands of their customers’ systems. You can implement integrity protections for your data by putting in place monitoring tools to detect changes to or removal of any data. You can monitor services integrity with tools and logging that indicate any unauthorized changes in running processes, and testing to ensure expected services functionality. Be sure to incorporate integrity definitions, monitoring, and controls into your security program.

Availability. The third part of the Holy Trinity is availability, which is maintaining the ability to access and use data or services. If your data is protected from unauthorized access and verified intact, it is useless if it cannot be accessed by authorized users and services. In his feature article titled “The CIA Triad Definition Components and Examples” in CSO on February 2020, Josh Fruhlinger writes that availability means quote, “Authorized users should be able to access data whenever they need to do so.” End quote. 

This applies to services as well because a service should be available to authorized users when those users need to use the service. Clearly, your services are useless if authorized users cannot access your services. There are many ways to prevent access to services, as well. For example, most of us have heard of Denial of Service or DoS, or Distributed Denial of Service, or DDoS attacks. A DoS on any service can be accomplished in numerous ways from flooding the network or system with too much traffic, stopping the service from running by crashing it or turning it off, or blocking access to the service by altering the network in some way. 

A DDoS is a method of flooding a network with traffic from multiple sources rather than from a single system. Ensure your security program incorporates availability of your data and services by documenting the means which provide access to your data and services and then implement a combination of monitoring and control systems to detect and respond to attacks on availability.

The Golden Triangle defines which organizational personnel policies and procedures and technical tools implement monitoring and controls for the Holy Trinity. These two triads are the how and the what of your security program and work together to support your security program’s why. Create or refine your security program by documenting which aspects of your program directly address all the elements of both PPT and the CIA Triad. Taking this approach will ensure your security program is both comprehensive and comprehensible to management IT staff and users, not only the security professionals and auditors. Tune in next week when I discuss applying the trilogy of threes in the cloud.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.