This part is at the recommendation level only and is not required for BRSE compliance, because these items apply to IT functions and the way they design their solutions. Most of the time, cybersecurity gets to work with systems that are already in production.
In some cases, the technology and platforms used do not support these recommendations.
These principles are for the rare case when cybersecurity is at the design table for the IT solution to be implemented.
There are tremendous security benefits in applying any of these concepts; most (if not all) have been available to the general public for quite a while. Theoretically, there is no excuse to avoid adopting these technologies and approaches.
Blue | Green deployment with two hot environments, one active and one passive.
If having two environments (green/blue) is out of the price range, then use infrastructure-as-code (IaC) with the ability to deploy into another public cloud.
In case of a massive breach of the primary one, switch to the other one after extra hardening.
Breach [threat] modeling should be done with the expected outcome being what some call attack trees: the possible breach steps. Information about the TTPs potentially used should drive the selection of security controls. This approach is suggested in the Lockheed Martin Research article [1], "A Threat-Driven Approach to Cyber Security. Methodologies, Practices and Tools to Enable a Functionally Integrated Cyber Security Organization" by Michael Muckin and Scott C. Fitch (2019).
Here is a quote from the article: "The threat actor(s) gain access to the assets via attack vectors and vulnerabilities present in the technology components that house or provide direct access to the targeted assets. Security controls are applied to the technology components with the intent to counter or mitigate the vulnerabilities and/or attack vectors used by the threat actors, thereby protecting the assets."
Adversarial techniques are used in the context of each other, in some sort of sequence like the Lockheed Martin Cyber Kill Chain (LM CKC) [2] or other breach [attack] chains | paths | trees. If we use information about adversarial TTPs while selecting security controls (aka countermeasures), it also makes sense to tune up the Defense-in-Depth model by aligning its layers with the steps of the selected breach type.
This concept is directly advised in OSFI B-13.
Quote: "3.2.4 Cyber security controls are layered. FRFIs should implement and maintain multiple layers of cyber security controls and defend against cyber security threats at every stage of the attack life cycle."
I wrote a review article about OSFI B-13, which contains links to the guidelines themselves [3].
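As an added illustration of the threat-driven approach and the kill-chain-aligned layering described above (this is example code written for this page, not code from the article, the Lockheed Martin paper or OSFI), the Python sketch below represents an attack tree as AND/OR nodes whose leaves carry a kill-chain phase and a TTP label, enumerates the possible breach paths, and reports which paths no selected control interrupts and which kill-chain layers still hold no control. The tree, step names, TTP labels and control names are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import product
# Lockheed Martin Cyber Kill Chain phases, used here as the Defense-in-Depth layers
PHASES = ["recon", "weaponization", "delivery", "exploitation", "installation", "c2", "actions"]

@dataclass
class Step:
    name: str   # breach step as it appears in the attack tree
    phase: str  # kill-chain phase the step belongs to
    ttp: str    # adversarial technique label (constructed, not ATT&CK ids)
@dataclass
class Node:
    kind: str                       # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    step: Step = None               # set for LEAF nodes only
def leaf(name, phase, ttp):
    return Node("LEAF", step=Step(name, phase, ttp))

def paths(node):
    """Enumerate every complete breach path through the tree as a list of Steps."""
    if node.kind == "LEAF":
        return [[node.step]]
    if node.kind == "OR":                # any one child suffices
        return [p for child in node.children for p in paths(child)]
    result = [[]]                        # AND: every child must succeed, in order
    for child in node.children:
        result = [a + b for a, b in product(result, paths(child))]
    return result

def evaluate(tree, controls):
    """Return the breach paths no selected control interrupts, and the controls
    layered at each kill-chain phase. controls maps a TTP to its countermeasures."""
    all_paths = paths(tree)
    uncovered = [[s.name for s in p] for p in all_paths
                 if not any(s.ttp in controls for s in p)]
    layers = {ph: sorted({c for p in all_paths for s in p if s.phase == ph
                          for c in controls.get(s.ttp, [])}) for ph in PHASES}
    return uncovered, layers

# Constructed attack tree: two ways to reach the customer database
foothold = Node("OR", [
    Node("AND", [leaf("phishing_email", "delivery", "spearphishing"),
                 leaf("macro_runs", "exploitation", "office_macro"),
                 leaf("sched_task", "installation", "scheduled_task")]),
    leaf("vpn_cred_stuffing", "exploitation", "password_spray")])
TREE = Node("AND", [foothold, leaf("https_c2", "c2", "web_c2"),
                    leaf("db_dump", "actions", "db_export")])
# Controls selected so far, keyed by the TTP each one counters (constructed)
CONTROLS = {"office_macro": ["macro_block_policy"], "scheduled_task": ["edr_persistence_alert"]}
```

Running `evaluate(TREE, CONTROLS)` shows the credential-stuffing path is not interrupted by any control and that the c2 and actions phases have no layer yet, which is exactly the gap the next control selection should close.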
Code should run in an HA environment: a breached node is taken out of the pool and a new one is automatically added.
Data and code are split so that an app node can be taken down and a new one re-spawned when malicious activity is detected.
Microservices | Containerization
Conditional access enabled at the identity provider level.
Using virtual desktops allows malware scans to run not at the VDE OS level but at the hypervisor level, by scanning the virtual disks of the VDE instances.
Corporate data never truly reaches the endpoint OS environment. How can this be achieved?
Every corporate application, all together or individually (even email, chat, and videoconferencing), should only be visually represented through a terminal such as RDP; in other words, endpoints should be virtual desktops. No communication between the endpoint and the terminal: no copy and paste, no file exchange.
But even within the virtual desktop environment, if Internet and email access are allowed, there is a risk. Thus applications should run within their own containers | sandboxes; that technology is available even in Windows 11 Enterprise.
If the endpoint is compromised at the OS level, it can be restored to the factory image without any damage to the user environment or corporate data.
Only web apps, even on the corporate intranet, through a centralized web app proxy service: no offline apps, no file exchanges, only links.
[1] Michael Muckin, Scott C. Fitch, "A Threat-Driven Approach to Cyber Security. Methodologies, Practices and Tools to Enable a Functionally Integrated Cyber Security Organization", Lockheed Martin, 2019 (Threat-Driven Approach whitepaper v3.03a, lockheedmartin.com).
[2] Lockheed Martin, Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
[3] Ivan Fedorets, "Review of OSFI B-13. CISO level overview of the Cyber…", Medium.