New Model for the risk pattern of Deployment
Old Deployment Model:
Before release 2.1, we included the threats, weaknesses and countermeasures (risk patterns) related to deployment together with the risk patterns related to development. The old procedure was as follows:
- To include a deployment element from any Public Cloud (for example, Amazon EC2) in a component, we followed these steps:
  - We went to the Architecture tab and added a new component, for example a "Web Service" component.
  - A new window appeared and we selected the "Trust Zones" tab and the answer "Public Cloud".
  - To add the risk pattern related to deployment from a public cloud, we selected the "Deployment" tab and the answer "Amazon Web Services"; a new question with the corresponding answer options then appeared.
  - We then selected "Elastic Compute Cloud - EC2" to include the risk pattern related to Amazon EC2 in the "Web Service" component.
  - We clicked "Done" to create the component.
- To include a deployment element from the Internal Server, we followed these steps:
  - We went to the Architecture tab and added a new component, for example "Adobe Flash".
  - A new window appeared and we selected the "Trust Zones" tab and the trust zone in which Adobe Flash resided. In the example below we selected "Internet".
  - Next we selected the "Deployment" tab and "Internal Server" to include the risk pattern related to the deployment of the internal server in the "Adobe Flash" component.
  - We clicked "Done" to create the component.
After concluding this process, we had the following architecture:
New Deployment Model:
Since release 2.1, the deployment risk pattern is included separately from the development risk pattern. As a result, we add more components but answer fewer questions. Follow the steps below for the new method:
- To include risk patterns from any Public Cloud (for example, Amazon EC2), we do the following:
  - Go to the Architecture tab and add a new component, for example a "Web Service" component.
  - A new window appears; go to the "Trust Zones" tab and select "Public Cloud".
  - Click the "Done" button.
  - Select a new component; in our case we select "EC2 - Elastic Compute Cloud" from the "Amazon Web Services" category.
  - Click the "Done" button.
- To include the risk pattern from the Internal Servers:
  - Go to the Architecture tab and add a new component, for example an "Adobe Flash" component.
  - A new window appears; go to the "Trust Zones" tab and select the trust zone in which the Adobe Flash component will reside. We have selected the "Internet" trust zone in the example below.
  - Click the "Done" button to include the new component.
  - Select a new component, "Internal Server", in the "On Premises Architecture" category.
  - A new window appears; select the "Trust Zones" tab and the same trust zone as for the previous component (in our case, "Internet").
  - Click the "Done" button to include the new component.
At the end of the process, we have the following architecture (with more components):
Benefits of the change
The new model and method have significant advantages, which can be summarised as follows:
- Different risk patterns can be managed, and their countermeasures implemented, by different teams, because an alternative issue tracker can be configured per component. Right-click the component and select "configure" to change the default issue tracker configuration for that individual component.
- The countermeasures are often qualitatively different for deployment and development: most deployment countermeasures concern setting the correct configuration of the environment, whereas development countermeasures usually take longer to implement because they involve code changes.
- It is easier and faster to add cloud services that belong to the same trust zone. To add more services, simply select the cloud component, select the corresponding trust zone and click "Done".