OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

New CS proposal: Secure Architecture (cloud) Cheat Sheet #1148

Closed Josh-Beck closed 8 months ago

Josh-Beck commented 1 year ago

What is the proposed Cheat Sheet about?

I propose a cheat sheet that outlines how to create and/or review a software architecture with a security mindset. This may draw from or reference the Threat Modeling, Attack Surface, and Microservices Arch Doc cheat sheets, but I believe it is distinct. This cheat sheet would discuss frequently used technologies and common pitfalls that occur with cloud architectures.

(This would be a cloud focused cheat sheet, as that is where my experience lies.)

What security issues are commonly encountered related to this area?

What is the objective of the Cheat Sheet?

The cheatsheet would likely outline the following elements (open to subtractions and additions):

  1. Attack surface/threat modeling - Briefly mention understanding the threats against the exterior of the architecture, likely link to other attack surface and threat modeling resources.
  2. Public vs private elements - Defining what should be publicly exposed, and how it should be exposed.
  3. Trust boundaries - Not zero trust. Explain how architectures should handle trust and how much trust should be given.
  4. Business risk - Likely there could be a whole separate cheat sheet on risk. Specifically for this cheat sheet, discussing how business risk plays into the rigor with which an architecture is secured.
  5. Managed vs un-managed products - Outline types of considerations when an architecture uses managed vs unmanaged cloud products (version updates, secure access)
  6. Built-in vs self-built security - Suggesting or providing awareness for products like "AWS Shield", Web Application Firewalls and similar security features which could be plug-and-play or could be extended for additional security.

What other resources exist in this area?

szh commented 1 year ago

I think this is a good idea. @mackowski @jmanico @kwwall what do you think?

@Josh-Beck I'm curious about this line:

Trust boundaries - Not zero trust. Explain how architectures should handle trust and how much trust should be given.

Why did you choose that?

Josh-Beck commented 1 year ago

@Josh-Beck I'm curious about this line:

Trust boundaries - Not zero trust. Explain how architectures should handle trust and how much trust should be given.

Why did you choose that?

Two reasons behind this statement:

First, I'd like to avoid too much mention or elaboration on Zero Trust in this cheat sheet, due to its complexity and divergence from the topic.

Second, architectures often have implicit trust of certain resources within certain boundaries. As an example, downstream elements may not validate the integrity and authenticity of a JWT token if an API Gateway layer does. Depending on risk, this can be acceptable, but trust boundaries should be made explicit to outline this trust.

Does this answer your question?
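As an added illustration of the gateway/downstream trust boundary described in the comment above (example code written for this page, not part of the issue or of any OWASP cheat sheet): the gateway verifies the client's JWT and then hands downstream a gateway-signed assertion, so a downstream service can choose between implicitly trusting a forwarded identity header and explicitly checking that the gateway actually vouched for it. The HS256-style tokens are hand-rolled with `hmac` to keep the example dependency-free, and both secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder secrets for the example; the real values would live in a secret store.
IDP_SECRET = b"identity-provider-secret-placeholder"     # signs the client-facing JWT
GATEWAY_SECRET = b"gateway-internal-secret-placeholder"  # signs the gateway's assertion

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes) -> str:
    """Produce a minimal HS256-style compact token: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))

def gateway(request: dict) -> Optional[dict]:
    """Gateway validates the client JWT, then forwards the identity plus its own attestation."""
    claims = verify(request.get("authorization", ""), IDP_SECRET)
    if claims is None:
        return None  # reject at the boundary; nothing reaches downstream
    internal = {"x-user": claims["sub"]}
    # Making the trust explicit: downstream can check this instead of believing the header.
    internal["x-gw-assert"] = sign({"sub": claims["sub"]}, GATEWAY_SECRET)
    return internal

def downstream_implicit(internal: dict) -> str:
    """Implicit trust: accepts whatever identity header arrives, wherever it came from."""
    return internal["x-user"]

def downstream_explicit(internal: dict) -> Optional[str]:
    """Explicit trust: only accepts an identity the gateway signed for."""
    attested = verify(internal.get("x-gw-assert", ""), GATEWAY_SECRET)
    if attested is None or attested.get("sub") != internal.get("x-user"):
        return None
    return attested["sub"]
```

The implicit service returns an identity for any request that reaches it directly, while the explicit one rejects anything the gateway did not attest, which is the difference the comment asks architecture reviewers to spell out.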