Opal Cyber Resiliency Framework
merging Authority Management and Systems Security Engineering to achieve a strong Cyber Resiliency posture
Cyber resiliency is commonly thought of as the organizational resilience against cyber threats by effective implementation of security principles and practices, along with the continuity of operations.
The Opal Cyber Resiliency Framework - OCRF - provides a common language for understanding, managing and expressing high level system requirements and transforming them into low level, machine tangible objects that are highly resistant to cyber threats.
Authority Management is the practice of modeling abstract concepts such as authority and permissions into machine-tangible, enforceable objects, Authority Tokens, that can be manipulated like any other object in an information system.
These provide a lightweight, unforgeable, tamper-evident and fine-grained resource access control mechanism that allows for contextually sensitive policies, where the focus is directly on the permissions granted with regard to that resource and on the Authority that granted them.
At its heart, Authority Management heavily relies on one of the most fundamental principles in security, the Principle of Least Authority, or POLA — which is the anagram for OPAL.
It requires that only the minimum subset of permissions needed for any given action and context be provided to satisfy the requirements. This significantly reduces the risk for any given object or action.
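As an added illustration of the Authority Token idea (example code, not the OCRF's own specification or implementation), the block below models a token as an HMAC-authenticated capability: the token layout, the constructed issuer key and the attenuation rule are assumptions made for this example. Verification makes forgery and tampering detectable, and attenuation enforces POLA by letting a derived token only narrow, never widen, its parent's permissions.

```python
# Added illustration of an Authority Token as a capability. Token format,
# key handling and the attenuation rule are assumptions, not the OCRF's own.
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret held by the issuing Authority (demo value only).
AUTHORITY_KEY = b"constructed-demo-key-not-for-real-use"

def _sign(key: bytes, payload: dict) -> str:
    # Canonical JSON so identical claims always yield the same tag.
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def mint(key: bytes, resource: str, permissions: set, parent_tag: Optional[str] = None) -> dict:
    # Token = resource, the exact permission subset granted, the tag of the parent
    # it was derived from (None for a root grant) and an HMAC over all of it.
    payload = {"resource": resource, "permissions": sorted(permissions), "parent": parent_tag}
    return {**payload, "tag": _sign(key, payload)}

def verify(key: bytes, token: dict) -> bool:
    # Tamper-evident: any change to resource, permissions or parent breaks the tag.
    payload = {k: v for k, v in token.items() if k != "tag"}
    return hmac.compare_digest(_sign(key, payload), token.get("tag", ""))

def attenuate(key: bytes, parent: dict, permissions: set) -> dict:
    # POLA: a derived token may only carry a subset of the parent's permissions.
    if not verify(key, parent):
        raise ValueError("parent token failed verification")
    if not set(permissions) <= set(parent["permissions"]):
        raise ValueError("attenuated token may not exceed its parent's permissions")
    return mint(key, parent["resource"], permissions, parent_tag=parent["tag"])

def authorize(key: bytes, token: dict, resource: str, action: str) -> bool:
    # Access decision: valid tag, matching resource, action explicitly granted.
    return verify(key, token) and token["resource"] == resource and action in token["permissions"]

if __name__ == "__main__":
    root = mint(AUTHORITY_KEY, "db/orders", {"read", "write", "delete"})
    read_only = attenuate(AUTHORITY_KEY, root, {"read"})
    print("read allowed:", authorize(AUTHORITY_KEY, read_only, "db/orders", "read"))
    print("write allowed:", authorize(AUTHORITY_KEY, read_only, "db/orders", "write"))
    forged = dict(read_only, permissions=["read", "write"])  # tampered copy
    print("forged token verifies:", verify(AUTHORITY_KEY, forged))
```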
Secure networking is about enabling cooperative computing between mutually distrusting components: managing how they interconnect, preventing unauthorized endpoints, and protecting confidentiality.
Resource protection comprises the mechanisms used for protecting, controlling and managing resources — where a resource is a consumable within any managed process that needs to be protected, tracked or measured, and whose access and usage are tightly controlled by formally modeled access/quota policy objects.
The inevitability of a security breach laid the foundation for risk-based cybersecurity approaches, where systems are designed to meet the minimal viable standards deemed adequate for organizational goals.
The OCRF engages basic security principles early on in system design to form a secure foundation from the get-go, far exceeding the "adequate" security standards used today.