Applied Cryptography & Secure Systems Architecture
Course Summary
​
The Applied Cryptography (CSOL510) and Secure Systems Architecture (CSOL520) courses walked us through dense technical content that provided tremendous value to all attendees.
First, in the Applied Cryptography course, we applied many concepts through solutions delivered to scenarios related to cryptography, such as:
- The context of Cryptography
- Block Ciphers
- Hash Functions
- Public Key Infrastructure
- Security Controls through cryptography
- Pretty Good Privacy (PGP)
- Message Authentication Codes
- Implementation Issues
Secondly, the Security Architecture course offered terrific content based on the SABSA Framework. SABSA is a unique cybersecurity framework that helps organizations worldwide establish clear key performance metrics and measure performance against the cybersecurity strategy plan across the six layers of the SABSA framework.
The methodology behind the SABSA Framework was applied in a practical exercise where the attendees wore the hat of a security architect, exercised all the layers, and presented a complete project based on the business needs.
​
Course Artifacts
​
CSOL 510
​
This assessment will help the executives of the ACME organization to review all cryptography improvements for a large organization and its partners, which must comply with technical requirements from the Health Insurance Portability and Accountability Act (HIPAA).
​
CSOL 520
​
Cybersecurity is all about protecting business goals and assets. It means providing a set of business controls that are matched to business needs, which in turn are derived from an assessment and analysis of business risks. For this assignment, the main deliverables will be based on the SABSA Framework.
​
Reflections
​
There are many insights from both courses; let me start with Cryptography. Historically, people have always needed a way to exchange information and prevent others from secretly intercepting that information. Before the presence of computers, people used codes to encrypt and decrypt data. With the power of computers today, sophisticated algorithms are used not only to perform encryption to provide privacy but also to verify the authenticity of a message and whether that message has been tampered with.
Cryptography, and all the concepts and technologies behind it, are applicable in my current daily job, as I am accountable and responsible for offensive security operations for one of the Microsoft Red Teams. I am finding cryptographic code or implementation flaws in large-scale infrastructure. Cryptography is extremely important on a daily basis to our operations and customers.
​
As part of the cryptographic project, we analyzed a real customer scenario related to the health sector.
There are many incomplete, competing standards on how privacy issues are to be addressed within the healthcare setting. There are some references within the Health Insurance Portability and Accountability Act (HIPAA) that provide a starting point. Industry workgroups such as the Healthcare Information and Management Systems Society (HIMSS) provide a Privacy and Security toolkit that attempts to translate HIPAA legal statements into IT application guidelines. More interesting are the various Regional Health Information Organizations (RHIOs) that are being developed throughout the country. Therefore, in addition to the opportunity for any technology company to build platforms where healthcare information can be shared, there is the prospect of promoting common standards on how to share this information.
​
Cryptography becomes vitally important here: we need to help create both the technology and the standards for privacy so that we can help increase the security posture of any sector.
The relevance of encryption in cybersecurity is unquestionable, for both professional and illegal activities. In the same way that organizations apply cryptography, criminals will leverage the same practices. However, in the last couple of years, we have been experiencing tension in cryptography between the security of the data being protected and the security of our society. Law enforcement agencies and governments argue that strong cryptography makes their job more difficult. In contrast, security and privacy advocates say that freedom depends on the ability to keep our own data safe from intrusive eyes.
​
With regard to Secure Systems Architecture, the acronym that comes to my mind is SABSA.
SABSA is a robust framework that can assist engineers and program managers in connecting their solutions to the business needs, and it can be applied at any tech company in the world.
​
The objective of SABSA is to help secure digital transformations, and through this framework, you can:
- Modernize cybersecurity strategy to align with the organization's objectives, goals, strategies, and risk tolerance.
- Create a cybersecurity transformation plan to support the implementation of the cybersecurity strategy.
- Modernize cybersecurity architecture to align with the cybersecurity strategy.
- Perform cybersecurity transformation governance and architectural oversight.
- Provide cybersecurity guidance and insights based on experience, knowledge, and recommended practices.
- Establish a relationship with the project's or initiative's cybersecurity leadership as a cybersecurity advisor to assist with strategic cybersecurity direction.
Resources
Book References
​
Schneier, B. (1996). Applied cryptography. United States: John Wiley.
​
Aumasson, J. (2018). Serious cryptography: A practical introduction to modern encryption. San Francisco (CA): No Starch Press.
​
Kohno, T., Ferguson, N., & Schneier, B. (2010). Cryptography Engineering: Design principles and practical applications. Indianapolis, IN: Wiley Pub.
​
Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. San Francisco: Cmp Books.
​
Larson, W. (2019). An elegant puzzle: Systems of engineering management. San Francisco, CA: Stripe Press / Stripe Matter.
​
Related Links
​
- Cryptography and Privacy Research
- Cryptography Tools
- Securing Public Key Infrastructure (PKI)
- Using Cryptography
​
​