May 31, 2020
If there was a popularity contest among all artifacts you might happen to unearth if you went digging for some glimpses of the architecture in your organization, the data flow diagram (DFD) would probably be the star of the High School football team, driving the red-orange Camaro with the T-tops, and dating the captain of the cheerleading squad. Because, like High School football stars, cheerleaders and Camaros in America, the DFDs are everywhere it seems.
And especially if you start talking about cybersecurity in the context of the modern, agile CI/CD delivery teams, you’re probably going to find at least traces of them rubbed out on the whiteboards of offices everywhere—even hanging around longer than the germs of COVID-19 after the place has been covered in industrial-grade disinfectant.
I get it. It seems like a really great idea to build up a layered diagram that helps people focus on the communications and connections in an ecosystem, because that’s how things really happen. Information is exchanged along those connections, each node plays its part – even the ones with the pom-poms – and, naturally, if you want to try and corrupt the nodes, a good strategy is to try and unduly influence their view of the world or drive a 40’ big-rig through the doggie door and just take over the place, leaving all the subtleties to the wanna-be script kiddies.
However, the titillating temptation of building the “one diagram to rule them all” generally fails to deliver in the long run. Sure, there are true stories how a DFD put on ice between the Mesozoic Era and today informed the security control decisions of a re-implementation of said system with more modern technologies…
…and Microsoft even has a tool to automatically build them for you, so, if Microsoft does it – not to mention makes it easy to automate – you can bet development teams out there are going to use it, whether they really know why or how, just because it’s there.
I’m not saying they can’t be useful. And I’m certainly not saying that I can’t read them…or use them…
…or even run them through the View-O-Matic to slice and dice them into something that I feel is far, far more useful in the long run from a security perspective, not to mention ending up with a better, overall architecture artifact to boot.
Meaning…the ol’ DFD racehorse has run his races, brought home the trophies, and can now spend his days chasing fillies and frolicking with the butterflies in the lush, grassy pastures of retirement.
I actually wasn’t going to go there with the June issue of the print, delivered-to-your-door Security Sanity™ newsletter when I’d started to map out how to say what I wanted to say…
…but then a couple of conversations with some of my coaching clients in the security leadership program made me think that maybe it was time to tackle this beast, because it highlights how we’re often abducted in our architecture sleep by the space aliens of complexity…
…before being returned slightly brainwashed about the most effective, efficient and easy-to-integrate tasks into a DevSec-sec-sec-secOp-op-opzzzzss delivery model.
You might not agree with me, and that’s totally fine. But you also probably won’t understand exactly what I’m talking about if you don’t manage to be subscribed in time to get the June issue. Because the time to do that is approaching more rapidly than even I would like, since I’m having to re-jig the content and structure of the issue at the last minute to cover what I want to cover.
If you haven’t already done it, and you’ve been sitting on the fence waiting for a butterfly to tickle your nose and give you the sign from the universe as to whether or not it’s worth it…
…well, it probably isn’t. Because if it’s taken you this long to figure it out, it’ll probably take you even longer to read it and try to put it into practice—which pretty-much defeats the whole point of me going to the trouble to write the things the first place.
But if you’re late to the party, and you’re only now digging this email out of your spam folder…AND you’re ready to get serious about putting the “architecture” into your security architecture practice, then you’ve still just about 8 hours or so before the deadline to subscribe in time to get the June issue.
But don’t dilly-dally around if you want in, because who knows what kinds of gremlin hiccups might happen between now and then with the interwebs, shopping carts and payment processors.
If you want in, and you haven’t yet done it, then this is the link that will lead your DFDs to a quiet and retiring – yet long and still rewarding – life on the greener, grassier side of the fence:
Andrew S. Townley
Archistry Chief Executive