# Week-4 Cybersecurity Architecture

In this notebook, we explore the development of various cybersecurity architectures and threat models critical for securing modern web platforms. These architectures include MVC, Defense in Depth, Zero Trust, TOGAF, SABSA, and SSDLC, each mapped to the AWS and Azure services that implement it. Each section includes diagrams and tables to visualize concepts, enriched with educational content and references to industry standards.

**Learning Objectives:**
- Understand key cybersecurity architecture frameworks.
- Learn how to implement these architectures using cloud services.
- Explore the scientific and practical basis for securing web applications.

## Install Requirements

Before running the code, ensure the `diagrams` library is installed to generate architecture diagrams. This library allows us to visualize complex systems programmatically, aiding in educational understanding. Additionally, install `tabulate` for creating formatted tables.

In [None]:
# Install required libraries using pip
!pip install diagrams tabulate

## Build a Web Platform using MVC Architecture

The **Model-View-Controller (MVC)** architecture is a foundational design pattern in software engineering, particularly for web applications. It separates an application into three interconnected components:
- **Model**: Manages data and business logic (e.g., database interactions).
- **View**: Handles the user interface and data presentation (e.g., web pages).
- **Controller**: Processes user inputs and coordinates between the model and view (e.g., application logic).

This separation enhances security by isolating concerns, reducing the attack surface, and enabling modular security controls.

**Reference**: Gamma, E., Helm, R., Johnson, R., & Vlissides, J. (1994). *Design Patterns: Elements of Reusable Object-Oriented Software*. Addison-Wesley.

In [None]:
from diagrams import Diagram, Cluster
from diagrams.onprem.client import Users, Client
from diagrams.onprem.network import Internet, Nginx
from diagrams.programming.framework import Flask
from diagrams.onprem.database import PostgreSQL
from diagrams.aws.network import ELB
from IPython.display import Image

# Create a diagram to illustrate MVC architecture for a Flask-based web platform
with Diagram("Flask Web Platform with MVC Architecture", show=False, outformat="png", filename="flask_mvc_arch"):

    # External entities interacting with the system
    user = Users("User")  # Represents the end-user accessing the platform
    browser = Client("Browser")  # User's interface to the web application
    internet = Internet("Internet")  # Network layer connecting user to services
    lb = ELB("Load Balancer")  # Distributes incoming traffic for scalability and reliability

    # Define the MVC components within a clustered boundary
    with Cluster("Web Platform (MVC)"):
        view = browser  # Browser acts as the view, displaying data to the user
        nginx = Nginx("Nginx (Web Server)")  # Serves static content and forwards requests (Nginx icon rather than HAProxy)
        controller = Flask("Flask App (Controller)")  # Handles business logic and user inputs
        model = PostgreSQL("PostgreSQL (Model)")  # Stores and manages application data

        # Data flow within MVC: View -> Controller -> Model
        view >> nginx >> controller >> model

    # External connections: User interacts with the system via the internet and load balancer
    user >> view  # User accesses the browser
    view >> internet >> lb >> nginx  # Browser connects through the internet to the load balancer and web server

# Display the generated diagram for visualization
Image(filename="flask_mvc_arch.png")
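The security benefit of the MVC split is that each layer can carry its own control. The following added example (not code from the notebook) shows that in plain Python with the standard library: the controller validates input against an allow-list, the model only issues parameterised queries, and the view escapes everything it renders. The username policy and the in-memory SQLite table standing in for PostgreSQL are assumptions.

```python
# Added example (not from the notebook): a minimal MVC split in plain Python,
# showing where a security control lives in each layer. Uses only the
# standard library; an in-memory SQLite table stands in for PostgreSQL.
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # allow-list; assumed policy


class UserModel:
    """Model: owns data access; every query is parameterised."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, bio TEXT)")

    def add(self, name, bio):
        # Placeholders keep user data out of the SQL text (no injection).
        self.conn.execute("INSERT INTO users VALUES (?, ?)", (name, bio))

    def get(self, name):
        row = self.conn.execute(
            "SELECT name, bio FROM users WHERE name = ?", (name,)
        ).fetchone()
        return None if row is None else {"name": row[0], "bio": row[1]}


class ProfileView:
    """View: renders output; escapes untrusted fields (XSS mitigation)."""

    @staticmethod
    def render(user):
        if user is None:
            return "<p>not found</p>"
        return f"<h1>{html.escape(user['name'])}</h1><p>{html.escape(user['bio'])}</p>"


class ProfileController:
    """Controller: validates input before it reaches the model or view."""

    def __init__(self, model, view):
        self.model, self.view = model, view

    def show(self, raw_name):
        if not USERNAME_RE.match(raw_name):
            return "<p>invalid username</p>"  # reject at the trust boundary
        return self.view.render(self.model.get(raw_name))
```

A stored bio containing markup is rendered inert by the view, and a malformed username never reaches the model because the controller rejects it first.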

## Building a Web Platform on AWS

Deploying the MVC-based Flask web platform on **Amazon Web Services (AWS)** leverages cloud services for scalability and security. Key components include:
- **Public Subnet**: Hosts the view (Nginx on EC2), accessible via the internet.
- **NAT Subnet**: Hosts the controller (Flask on EC2), shielded from direct internet access.
- **Private Subnet**: Hosts the model (PostgreSQL on RDS), fully isolated for data protection.

This multi-tier architecture enhances security by segregating components and limiting exposure.

**Reference**: Amazon Web Services. (2021). *AWS Well-Architected Framework*. https://aws.amazon.com/architecture/well-architected/

In [None]:
from diagrams import Diagram, Cluster
from diagrams.aws.network import ELB, CloudFront, Route53
from diagrams.aws.compute import EC2
from diagrams.aws.database import RDS
from diagrams.aws.general import User
from diagrams.onprem.client import Client
from IPython.display import Image

# Diagram illustrating MVC deployment on AWS
with Diagram("Flask Web Platform (MVC) on AWS", show=False, outformat="png", filename="flask_mvc_aws_arch"):

    user = User("User")  # End-user accessing the platform
    browser = Client("Browser")  # User's interface

    with Cluster("AWS Cloud"):
        dns = Route53("DNS")  # Manages domain name resolution
        cdn = CloudFront("CloudFront")  # CDN for performance and DDoS protection
        lb = ELB("Application Load Balancer")  # Distributes traffic to EC2 instances

        with Cluster("VPC"):  # Virtual Private Cloud for network isolation
            with Cluster("Public Subnet"):  # Accessible from the internet
                nginx = EC2("Nginx (View)")  # Web server hosting the view layer

            with Cluster("NAT Subnet"):  # Network Address Translation subnet for controlled access
                ec2 = EC2("Flask App (Controller)")  # Application logic layer

            with Cluster("Private Subnet"):  # Isolated from direct internet access
                db = RDS("PostgreSQL (Model)")  # Database for data storage

            # Data flow: View -> Controller -> Model
            nginx >> ec2 >> db

        # External traffic flow: DNS -> CDN -> Load Balancer -> Nginx
        dns >> cdn >> lb >> nginx

    # User interaction path
    user >> browser >> dns

# Display the diagram
Image(filename="flask_mvc_aws_arch.png")

## Building a Web Platform on Azure

Similarly, the MVC-based Flask web platform can be deployed on **Microsoft Azure**, utilizing its cloud services for security and scalability. Key components include:
- **Public Subnet**: Hosts the view (Nginx on VM).
- **NAT Subnet**: Hosts the controller (Flask on VM).
- **Private Subnet**: Hosts the model (PostgreSQL on Azure Database).

This setup gives the same layered, segmented architecture as the AWS deployment above, with the Application Gateway providing the edge and WAF function that CloudFront and the ALB provide on AWS.

**Reference**: Microsoft Azure. (2021). *Azure Architecture Center*. https://docs.microsoft.com/en-us/azure/architecture/

In [None]:
from diagrams import Diagram, Cluster
from diagrams.azure.network import ApplicationGateway
from diagrams.azure.compute import VM
from diagrams.azure.database import DatabaseForPostgresqlServers
from diagrams.azure.general import Usericon
from diagrams.onprem.client import Client
from diagrams.onprem.network import Bind9
from IPython.display import Image

# Diagram illustrating MVC deployment on Azure
with Diagram("Flask Web Platform (MVC) on Azure", show=False, outformat="png", filename="flask_mvc_azure_arch"):

    user = Usericon("User")  # End-user
    browser = Client("Browser")  # User's interface

    with Cluster("Azure Cloud"):
        dns = Bind9("Azure DNS")  # DNS service (using Bind9 as a fallback representation)
        lb = ApplicationGateway("Application Gateway")  # Load balancer with WAF

        with Cluster("VNet"):  # Virtual Network for isolation
            with Cluster("Public Subnet"):
                nginx = VM("Nginx (View)")  # Web server

            with Cluster("NAT Subnet"):
                app = VM("Flask App (Controller)")  # Application logic

            with Cluster("Private Subnet"):
                db = DatabaseForPostgresqlServers("PostgreSQL (Model)")  # Database

            # Data flow
            nginx >> app >> db

        # Traffic flow
        dns >> lb >> nginx

    user >> browser >> dns

# Display the diagram
Image(filename="flask_mvc_azure_arch.png")
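The public / NAT / private split on both AWS and Azure only holds if the inbound allow rules (security groups on AWS, NSGs on Azure) enforce it. The following added example (not code from the notebook or either vendor) audits a vendor-neutral rule set against the tier policy the two deployments describe; the tier names, ports, and sample rules are constructed assumptions.

```python
# Added example (not from the notebook): an audit of inbound allow rules for
# the three-tier layout above. Rules are modelled vendor-neutrally, so the same
# check applies to AWS security groups and Azure NSGs. Tier names, ports and
# the sample rule set are constructed assumptions.
from ipaddress import ip_network

# Permitted inbound flows: tier -> {port: set of allowed sources}, where a
# source is another tier name (a group reference) or "internet".
TIER_POLICY = {
    "public": {443: {"internet"}},  # Nginx: TLS from anywhere
    "app": {8000: {"public"}},      # Flask: only from the web tier
    "data": {5432: {"app"}},        # PostgreSQL: only from the app tier
}


def classify_source(src):
    """Map a rule source to a tier name, 'internet', or 'other'."""
    if src in TIER_POLICY:
        return src
    try:
        net = ip_network(src, strict=False)
    except ValueError:
        return "other"
    return "internet" if net.prefixlen == 0 else "other"  # 0.0.0.0/0 or ::/0


def audit_rules(rules):
    """Return findings as strings; an empty list means the rules match policy."""
    findings = []
    for r in rules:
        tier, port, src = r["tier"], r["port"], r["source"]
        kind = classify_source(src)
        allowed = TIER_POLICY.get(tier, {}).get(port, set())
        if kind == "other":
            # A narrow CIDR (e.g. an admin range) is not in policy: needs review
            findings.append(f"{tier}:{port} from {src}: unclassified source, review")
        elif kind not in allowed:
            findings.append(f"{tier}:{port} from {src}: not permitted by tier policy")
    return findings


# Constructed sample: one compliant rule per tier plus two violations.
SAMPLE_RULES = [
    {"tier": "public", "port": 443, "source": "0.0.0.0/0"},
    {"tier": "app", "port": 8000, "source": "public"},
    {"tier": "data", "port": 5432, "source": "app"},
    {"tier": "data", "port": 5432, "source": "0.0.0.0/0"},  # database open to world
    {"tier": "app", "port": 22, "source": "public"},        # SSH not in policy
]
```

Running `audit_rules(SAMPLE_RULES)` reports the world-reachable database and the unplanned SSH path while passing the three rules that match the tier policy.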

## Defense in Depth

**Defense in Depth** is a cybersecurity strategy that employs multiple layers of security controls to protect assets. By implementing redundant defenses, it ensures that if one layer fails, others remain effective, enhancing overall resilience.

**Reference**: National Institute of Standards and Technology (NIST). (2018). *Framework for Improving Critical Infrastructure Cybersecurity*. https://www.nist.gov/cyberframework

In [None]:
from tabulate import tabulate

# Table comparing Defense in Depth layers across AWS and Azure
data = [
    ["User Access", "IAM policies, MFA", "Azure AD policies, MFA", "Verify user identity, enforce least privilege access"],
    ["Client Device", "Browser security, TLS", "Browser security, TLS", "Prevent client-side exploits and ensure secure transport"],
    ["Edge Protection", "WAF, CloudFront", "Application Gateway WAF", "Mitigate DDoS and external threats at the boundary"],
    ["Network", "VPC, Security Groups", "VNet, Network Security Groups", "Control traffic flow and segment network"],
    ["Application", "CodeDeploy, Inspector", "Azure DevOps, Security Center", "Secure app deployment and runtime"],
    ["Data", "RDS encryption, KMS", "Azure DB encryption, Key Vault", "Protect data at rest and in transit"]
]

headers = ["Layer", "AWS Controls", "Azure Controls", "Reason & Functionality"]

# Display the table
print(tabulate(data, headers=headers, tablefmt="fancy_grid"))

# Inline explanations:
# - User Access: Controls authentication and authorization to limit access.
# - Client Device: Secures the endpoint accessing the system.
# - Edge Protection: Mitigates external threats at the network boundary.
# - Network: Enforces segmentation and traffic rules.
# - Application: Ensures secure code and runtime environment.
# - Data: Protects sensitive information with encryption.

## Zero Trust Architecture

**Zero Trust** assumes no entity (inside or outside the network) is trusted by default. It requires continuous verification of identity, device posture, and access rights, minimizing the attack surface.

**Reference**: NIST Special Publication 800-207. (2020). *Zero Trust Architecture*. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

In [None]:
from tabulate import tabulate

# Table outlining Zero Trust pillars
zta_data = [
    ["Identity Verification", "IAM Identity Center", "Azure AD", "Ensure user authentication and least privilege access"],
    ["Device Trust", "Inspector", "Azure Security Center", "Verify and assess compute instance security posture"],
    ["Network Segmentation", "VPC, Security Groups", "VNet, NSGs", "Limit lateral movement with micro-segmentation"],
    ["Application Access", "App Gateway, WAF", "Application Gateway", "Restrict access to authorized apps only"],
    ["Data Protection", "KMS, S3 encryption", "Key Vault, Blob encryption", "Encrypt and control access to data"]
]

headers = ["ZTA Pillar", "AWS Controls", "Azure Controls", "Purpose"]

# Display the table
print(tabulate(zta_data, headers=headers, tablefmt="fancy_grid"))
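To show how the identity, device-trust and application-access pillars combine, the following added example (not code from the notebook or from NIST) implements a small policy decision point: every request is evaluated afresh against identity strength, device posture and a per-resource rule, and anything not explicitly allowed is denied. The signal names, policy table and sample requests are constructed assumptions.

```python
# Added example (not from the notebook): a small policy decision point in the
# spirit of NIST SP 800-207. Every request is evaluated against identity,
# device posture and resource policy, with default deny. The signal names,
# the policy table and the requests are constructed assumptions.
from dataclasses import dataclass
from typing import Tuple


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa: bool               # identity signal: strong authentication completed
    device_compliant: bool  # posture signal reported by the endpoint agent
    resource: str
    action: str


# Per-resource policy: qualifying roles, permitted actions, and whether the
# resource is sensitive enough to demand a compliant device.
POLICY = {
    "orders-db": {"roles": {"dba"}, "actions": {"read", "write"}, "device_required": True},
    "public-docs": {"roles": {"staff", "dba"}, "actions": {"read"}, "device_required": False},
}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason); anything not explicitly allowed is denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if not req.mfa:
        return False, "MFA required"
    if rule["device_required"] and not req.device_compliant:
        return False, "device posture not compliant"
    if req.action not in rule["actions"]:
        return False, "action not permitted"
    if not (req.roles & rule["roles"]):
        return False, "no qualifying role"
    return True, "allowed"


def evaluate_session(requests):
    """Continuous verification: re-run the decision on every request, so a
    posture change mid-session revokes access without waiting for logout."""
    return [decide(r)[0] for r in requests]
```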

## TOGAF Security Architecture

**TOGAF** (The Open Group Architecture Framework) provides a structured approach to enterprise architecture, including security. It defines domains like Business, Application, Data, and Technology Architecture, each with security considerations.

**Reference**: The Open Group. (2018). *TOGAF Version 9.2*. https://www.opengroup.org/togaf

In [None]:
from tabulate import tabulate

# Table for TOGAF domains and controls
togaf_data = [
    ["Business Architecture", "IAM Identity Center", "Azure AD", "Define roles, responsibilities, and access governance"],
    ["Application Architecture", "CodeDeploy, Inspector", "Azure DevOps, App Services", "Secure application lifecycle and runtime"],
    ["Data Architecture", "RDS, KMS", "Azure DB, Key Vault", "Ensure data integrity and confidentiality"],
    ["Technology Architecture", "VPC, Security Groups", "VNet, NSGs", "Provide secure infrastructure and network controls"]
]

headers = ["TOGAF Domain", "AWS Controls", "Azure Controls", "Purpose"]

# Display the table
print(tabulate(togaf_data, headers=headers, tablefmt="fancy_grid"))

## SABSA Security Architecture

**SABSA** (Sherwood Applied Business Security Architecture) is a framework for developing risk-driven enterprise security architectures. It aligns security with business objectives across multiple layers: Contextual, Conceptual, Logical, Physical, and Component.

**Reference**: Sherwood, J., Clark, A., & Lynas, D. (2005). *Enterprise Security Architecture: A Business-Driven Approach*. CMP Books.

In [None]:
from tabulate import tabulate

# Table for SABSA layers
sabsa_data = [
    ["Contextual Layer", "Business requirements", "Business requirements", "Align security with business goals"],
    ["Conceptual Layer", "IAM policies", "Azure AD policies", "Define security policies and principles"],
    ["Logical Layer", "VPC design, WAF", "VNet design, App Gateway", "Design logical security controls"],
    ["Physical Layer", "EC2, RDS", "VMs, Azure DB", "Implement physical infrastructure security"],
    ["Component Layer", "KMS, Security Groups", "Key Vault, NSGs", "Deploy specific security tools and configurations"]
]

headers = ["SABSA Layer", "AWS Controls", "Azure Controls", "Purpose"]

# Display the table
print(tabulate(sabsa_data, headers=headers, tablefmt="fancy_grid"))

## SSDLC / Design by Security

The **Secure Software Development Life Cycle (SSDLC)** integrates security practices into each phase of software development, from design to deployment. This proactive approach ensures security is built-in, not bolted on.

**Reference**: OWASP. (2021). *Secure Software Development Lifecycle*. https://owasp.org/www-project-secure-software-development-life-cycle/

In [None]:
from tabulate import tabulate

# Table for SSDLC phases
ssdlc_data = [
    ["Requirements", "Threat modeling", "Threat modeling", "Identify security needs and risks"],
    ["Design", "Architecture review", "Architecture review", "Plan secure design principles"],
    ["Development", "CodeCommit, Inspector", "Azure DevOps, SAST", "Write and scan secure code"],
    ["Testing", "Dynamic testing", "DAST, Security Center", "Validate security controls"],
    ["Deployment", "CodeDeploy, WAF", "App Gateway, Monitoring", "Deploy securely with runtime protection"]
]

headers = ["SSDLC Phase", "AWS Controls", "Azure Controls", "Purpose"]

# Display the table
print(tabulate(ssdlc_data, headers=headers, tablefmt="fancy_grid"))