Designing Security Architecture Solutions


List Price: $65.00
Your Price: $51.29

Rating: 5 stars
Summary: ACM Computing Reviews, Meg Broderick, Aug 2002, (excerpts)
Review: (Full review on www.reviews.com)

In this book, Ramachandran has developed a very "practical handbook on security architecture," targeted at project managers, software engineers, and system architects. By guiding the reader through the steps of systems engineering, he builds an effective framework. ... The book is arranged into five parts: architecture and security, low-level architecture, mid-level architecture, high-level architecture, and business cases and security.

In the first section, the author prepares a tutorial to refresh the reader on various software methodologies ... [and on] ... the contents of a security assessment, including preparation, assessment and reporting. Through this discussion, he introduces the reader to the business realities of planning for security, both cost and time, and how to evaluate the tradeoffs. Ramachandran also gives a focused tutorial on the concepts and basic tools available.

In Part 2, Ramachandran provides practical, concrete reasons for the application of sound system development principles, without sounding preachy. His analysis of code reviews would be useful for any team leaders who want to improve their groups' deliverables. ... He continues to use the approach of theory, example, methods, challenges, and evaluation in the following chapters on cryptography, trusted code, and secure communications.

Part 3 examines mid-level architecture, including middleware, Web security, application and OS security, and database security. The key message in this section is the complexity of issues that must be handled here ... Once again, the author has provided neat descriptions of the functions and problems of the elements at this level. The author keeps the pace and language consistent throughout.

Part 4 reviews the high-level architecture ... [and] ... compares the "building" to the original security and architectural goals ... by encouraging the architect to look at security as a process, not just as a single event. Taking it a step further, he compares enterprise security architecture to a data management problem, which although a manual process, provides good payback. The book could have ended here. Instead, the author realized that payback has another dimension.

In Part 5, the author provides very graphic examples of real situations in which the absence of adequate security resulted in catastrophic outcomes. ...

In this book, Ramachandran has compiled a great deal of useful information. In a single volume, he has provided an overview of the many elements to be considered in the development and operations of systems to ensure they are secure, and the reasons he selected those elements. ...

Overall, this work provides an excellent single volume reference for the system architect, project manager, or software engineer who needs to understand where security fits into the deliverables being produced. I found it to be well written, well organized, and a good addition to my technical library.

Rating: 5 stars
Summary: Best Security Architecture I Have Seen
Review: Although there are a number of books claiming to talk about security architecture, this one really does! This book is really helpful in describing the high level concepts that security engineers should know when developing a security architecture. It is a little weak on cost-benefit analyses, but provides a good foundation for security architects. Clearly, the author has given some thought to the content and does more than tell anecdotes and describe various security technologies. I highly recommend this book to anyone designing a security architecture.

Rating: 5 stars
Summary: The Most Practical Security Design Book I've Read
Review: I am primarily a systems engineer with an emphasis on system and network security. This book provides an excellent framework and methodology for developing a security architecture from the ground up. It avoids a purely academic approach by including methods that can be applied in the real world. The book reads well and is indexed in a manner that allows it to be used as a desk reference. This is currently the best security book on my shelf. Buy this book!!!

Rating: 1 stars
Summary: not a good reference manual..or book on computer security
Review: In a course, this book was used as teaching material in a class for computer security. The read reminded me of speaking software to a hardware engineer. Since the hardware engineer is coming from another level, the experience was like talking DOWN to the reader. The author seemed to want to "impress" us with his "knowledge". Luckily, we were fortunate to have an instructor that could translate for the class. Had to use other manuals to replace what the author may have tried to relay.

Rating: 5 stars
Summary: IEEE Cipher review by Robert Bruen, May 2002
Review: There are still not enough books that cover writing secure code and designing secure systems. Fortunately, the few that are out there are generally good quality books. The range of topics for this set of books is still limited, leaving the door wide open for new, useful titles. Ramachandran has made a real contribution with this title.

Anyone who reads Bugtraq regularly is painfully aware of the almost daily barrage of security issues with software. Many of the issues have been caused by poor coding practices. Naturally, some of the holes are obscure and the discovery has been clever, but more often than not, someone was just not paying attention. If you have read Building Secure Software by Viega and McGraw and Anderson's Security Engineering, this book would be a good addition to help round out the overall approach. Code writers need to make sure that they use good practices for the code, but just as important is the architecture of whatever is being built. It is well established that security needs to be built in from the beginning, because retrofitting usually is hard and not very successful.

One is never sure whether a poor product of any kind turned out that way as a result of simply doing a lousy job or because they did not know how to do a good job. Ramachandran has significantly reduced the excuse pool for the latter. This is not a cookbook by any means, but it is thorough in its approach to security architecture. He has included the required chapter on cryptography, but fortunately, does not dwell on it. He shows how cryptography fits into the security architecture without restating the obvious, as many other books have done.

The author covers both Windows and Unix issues. The scope includes databases, web applications, CORBA and IPSEC, among other things, always with a clear introduction to each topic. Unlike many security books, he has an in-depth business case with analysis. He also has a sense of humor.

While the book is not intended to be a security book, there are plenty of security concepts presented. The concepts contain enough detail that, in spite of the intention, the reader will learn something about security. The author's approach is one of the book's strengths. Each section is well organized, with appropriate definitions, along with the relationship to the planning and design of a secure application. One generally thinks of architecture as a high level endeavor, but in order to do it right, one must scrutinize the details. Ramachandran has done it right.

Rating: 5 stars
Summary: Layered approach to multi-level security
Review: This is one of the most pragmatic, thorough books on security architectures I've read. The approach the author takes represents best practices in a number of disciplines, including architecture, software engineering, and infrastructure management. This holistic view of security architecture is not provided in total in any of the hundreds of security books I've read.

Among the reasons I like and recommend this book are: the approach starts with architectural principles and a survey of approaches based on well known models, as well as development life cycles in the real world. The chapter on security assessments shows how to determine a security posture, establish a baseline and deal with gaps. In addition, the chapters on Security Architecture Basics and Architecture Patterns will provide the foundation of a viable approach to designing a strong security architecture.

I also like the way each architectural building block is systematically covered in subsequent chapters, beginning in Part II with low-level architecture components and technical details that span code review techniques, cryptography fundamentals and related topics. Part III covers the mid-level components in detail, including middleware, web, database, application and OS security. Part IV tackles high-level security, culminating in an enterprise security architecture based on low- and mid-level components, and the process-oriented approach provided in the previous parts of the book. This book goes deep into technical details of every facet of the components, showing how they work, interrelationships, standards, and advice for how to deal with challenges and vulnerabilities.

Making the business case for security, the topic of Part V, is as thorough and detailed as the preceding technical chapters. Case studies, issues and factors, costs and underlying financial formulae are tied together to help you to craft a viable and realistic business case for proceeding with the design and implementation of a security architecture.

This book is focused, covers the entire landscape of security architecture, design and implementation, and leaves no gaps. I strongly recommend it as the workgroup reference in the standards & architecture, software engineering, project, and infrastructure domains.

Rating: 1 stars
Summary: La la la la
Review: Unless you are already an expert at security and are looking for a strictly abstract approach, save your money!! Ramachandran's ramblings go on forever, with little imparted to the reader. The best comparison I can come up with for the experience of reading this book is that it's the same as trying to learn a foreign language from a mime. If Ramachandran spent less time trying to impress us with a bibliography that goes on for pages [I don't really CARE if he has read every security book in the world; if he can't distill this information down and pass it on, the text is worthless] and more time on organizing his book [for heaven's sake, is a decent index at the back too much to ask?] then it may be usable. As it is, the only thing to do with it is level a table.



© 2004, ReviewFocus or its affiliates