This is a work in progress and not a release. We're looking for volunteers. See Issues and Contribution to know how to collaborate.

Security Fundamentals

Security Specialist Operations & Strategy
Written by:
matta - The Red Guild | SEAL

🔑 Key Takeaway: Effective security operations are built on five practical fundamentals: layered protective measures, minimized access scopes, controlled information flows, system isolation, and continuous visibility — working together to secure critical assets in dynamic environments.

Relationship to Implementation Process

This document outlines the foundational security approaches that should be embedded throughout your organization's operations. They complement the practical Operational Implementation Process, which defines specific action steps:

  • These fundamentals establish enduring approaches that shape your security architecture
  • The implementation process provides a sequential workflow for security teams to follow

While these fundamentals provide the security principles that should be consistently applied across your environment, the implementation process offers a structured methodology for putting security into practice. Both elements must work in concert - these fundamentals guide your overall approach, while the implementation process provides the tactical roadmap.

For organizations just beginning their security journey, start with the Operational Implementation Process for concrete steps.

The ultimate goal is to prevent unauthorized access to systems and information that could cause operational, financial, or reputational harm if compromised.

Practical Example: Web3 Organization

Consider a Web3 project managing a DeFi protocol with a treasury of $10M in assets. Practical security fundamentals in action include:

  • Layered protection: Hardware security modules for key storage, multi-signature requirements (3-of-5) for transactions, automated monitoring for unusual patterns, and regular third-party security audits
  • Minimal access scopes: Deployment keys accessible only to specific DevOps team members, with different permission levels strictly enforced between development, staging, and production environments
  • Information flow control: Private keys for multi-signature wallets distributed among trusted team members based on role, with sensitive incident response procedures restricted to the security team
  • System isolation: Clear separation between development environments and production systems, with treasury management isolated from day-to-day operations
  • Continuous visibility: Real-time monitoring systems tracking transaction patterns, weekly security reviews, and quarterly penetration tests with findings addressed in prioritized sprints

1. Layered Protection

Implement multiple overlapping security controls so that if one mechanism fails, others will continue to protect your assets.

🔗 Related Framework: This approach is reinforced in frameworks like Infrastructure with Zero-Trust Principles and Network Security.

Practical Application

  1. Implement multiple defensive mechanisms that protect against the same risks using different methods
    • Example: Protect admin interfaces using network ACLs, MFA, time-limited access windows, and anomaly detection
  2. Deploy protection at each layer of your technology stack
    • Network layer: Firewalls, network segmentation, DDoS protection
    • Host layer: Endpoint protection, host-based IDS, secure configuration
    • Application layer: Input validation, output encoding, API security
    • Data layer: Encryption, access controls, data loss prevention
  3. Identify and eliminate single points of failure in your security architecture
    • Map defense coverage to ensure overlapping protections
    • Document security dependencies and create contingency plans
  4. Test defensive layers regularly through realistic scenarios
    • Conduct tabletop exercises focused on specific defensive failures
    • Use red team exercises to validate defense-in-depth effectiveness
  5. Maintain a continuous improvement cycle for each defensive layer
    • Review and update security controls after incidents or near-misses
    • Track industry developments to identify emerging defensive tactics

2. Minimal Access Scopes

Grant users, systems, and processes only the specific permissions they need to perform their required functions and nothing more.

🔗 Related Framework: For detailed implementation, see Identity and Access Management and Role-Based Access Control.

Practical Application

  1. Implement a structured permission model that starts with zero access
    • Default deny: Require explicit permission grants for all access
    • Document justification for each permission granted
    • Create standardized role templates for common job functions
  2. Establish automated processes for access lifecycle management
    • Onboarding: Provision minimal initial access based on role
    • Role changes: Adjust permissions when responsibilities change
    • Offboarding: Remove all access immediately upon departure
  3. Apply time-based restrictions to elevated privileges
    • Use just-in-time access for administrative functions
    • Implement automatic session termination after periods of inactivity
    • Require re-authentication for sensitive operations
  4. Conduct regular access reviews with verification
    • Quarterly: Review all privileged accounts and service accounts
    • Semi-annually: Audit all standard user accounts and group memberships
    • Use automated tools to identify inactive or excessive permissions
  5. Implement technical controls to enforce minimal access
    • Application permissions: API scopes, feature flags, entitlement checks
    • Infrastructure permissions: IAM policies, network ACLs, resource policies
    • Database permissions: Row-level security, column-level controls

3. Information Flow Control

Ensure sensitive information is only accessible to those with a legitimate need to know, with restrictions on how that information can be shared and used.

🔗 Related Framework: This approach is supported by practices in Data Protection and aspects of Privacy.

Practical Application

  1. Implement a practical data classification system with clear handling requirements
    • Public: Information approved for general distribution
    • Internal: Business information for employee use only
    • Confidential: Sensitive information requiring specific protections
    • Restricted: Critical information with strictly controlled access
  2. Define and enforce data handling procedures for each classification level
    • Storage requirements: Where information can be stored
    • Transmission rules: How information can be sent/shared
    • Processing restrictions: How information can be used
    • Retention limits: How long information should be kept
  3. Deploy technical controls to enforce information flow policies
    • Data loss prevention tools to monitor and block unauthorized sharing
    • Encryption for data at rest and in transit based on sensitivity
    • Information rights management for persistent protection
  4. Establish secure channels for different types of communication
    • High-sensitivity: End-to-end encrypted messaging with disappearing messages
    • Medium-sensitivity: Encrypted collaboration platforms with access controls
    • Low-sensitivity: Standard business communication tools
  5. Train users on practical information handling procedures
    • Provide clear guidelines with concrete examples
    • Use realistic scenarios in training materials
    • Conduct periodic verification checks

4. System Isolation

Segment systems and networks into isolated zones to contain security breaches and limit lateral movement.

Practical Application

  1. Implement network segmentation based on security requirements
    • Create security zones with consistent trust levels
    • Implement strict traffic control between zones
    • Document and regularly review allowed communication paths
  2. Establish environment separation with controlled boundaries
    • Maintain distinct development, testing, staging, and production environments
    • Implement one-way data flows from higher to lower environments
    • Control code promotion processes between environments
  3. Isolate high-value systems with enhanced protection
    • Place critical infrastructure on dedicated hardware
    • Example: Run blockchain nodes on dedicated hardware isolated from general workstations
    • Implement jump servers or privileged access workstations for administrative access
  4. Apply micro-segmentation where appropriate
    • Container isolation: Enforce pod security policies and network policies
    • Application segmentation: Implement service meshes with mutual TLS
    • Process isolation: Use containerization, virtualization, or sandboxing
  5. Monitor and enforce boundary controls
    • Implement egress filtering to control outbound connections
    • Deploy internal firewalls between segments
    • Use network monitoring to detect unauthorized communication attempts

5. Continuous Visibility

Maintain ongoing awareness of your security posture through active monitoring, testing, and continuous improvement.

🔗 Related Framework: For implementation details, see the Monitoring framework, including Guidelines and Thresholds. Also relevant is Incident Management for response to detected issues.

Practical Application

  1. Implement a multi-layered monitoring strategy
    • System monitoring: Performance, availability, and system integrity
    • Security monitoring: Threat detection, anomaly identification, and correlation
    • Compliance monitoring: Policy enforcement and regulatory requirements
    • Establish clear ownership for each monitoring domain
  2. Define actionable metrics tied to security objectives
    • Leading indicators: Metrics that help predict future issues
    • Example: Percentage of systems with current patches
    • Lagging indicators: Metrics that measure past performance
    • Example: Mean time to detect and respond to incidents
  3. Establish a regular testing cadence to validate security controls
    • Vulnerability scanning: Weekly automated scans
    • Penetration testing: Quarterly focused tests on critical systems
    • Red team exercises: Annual comprehensive assessments
  4. Implement a structured incident management process
    • Define clear incident response procedures with specific roles
    • Conduct regular tabletop exercises to practice response
    • Perform thorough post-incident reviews focused on improvement
    • Create feedback loops to security controls based on incidents
  5. Maintain an active threat intelligence program
    • Collect intelligence relevant to your specific environment
    • Analyze and contextualize threats for your organization
    • Disseminate actionable intelligence to appropriate teams
    • Use threat intelligence to drive security improvements