# A Security Architect’s Decision Record
A Journey of Decision Making
:::success
Don’t rush to fix the problem.
:::
If that opening line surprised you, this series may be written exactly for you.
I used to be an engineer who specialised in firewalls.
Most of my time was spent on the front line, facing urgent requests: rushing to handle them, rushing to fix them, rushing to improve things, round after round, over and over again.
If that is you now, or was you once, then we probably share similar experiences.
After a while I sometimes asked myself a simple question: is this really what I want?
No matter how good you are at firefighting, fires will keep happening.
If we could fix things at the source, wouldn’t that reduce the fires more effectively?
This, I think, is what a security architect is for: fixing problems at the root is what this role should be thinking about.
We keep saying that security should be considered from the design stage, but how to actually do that is usually the problem.
Right now there is no shortage of people who can recite the frameworks.
What is rare is turning that theory into practice: making decisions under real constraints.
The purpose of this series is not to promote some grand idea.
Writing is simply how I clarify my own thinking and force myself to keep improving.
For now there is only an outline; I don’t yet know exactly what it will become.
Of course, everything here is my own subjective view and may not be correct. Corrections where my thinking falls short are welcome.
## First question: Why did the problem happen?
Finding the root cause is always a headache: hard to trace, complex, time-consuming, and often neglected.
Anyone who has done this kind of technical digging knows the pain, whatever your role.
But if we don’t find the root cause, how can we be sure it won’t happen again?
If you are the vendor, you may feel the client is being unreasonable.
If you are the client’s internal team, you may fear that the next incident is the one that costs you your job.
This is really a gap between the two sides: they face different pressures. It’s not about right or wrong.
We often find that after adjusting the environment for some new requirement, we hit a wall of other hidden problems, or internal pressure not to change anything at all.
In my view this is because, in enterprise environments, layered complexity (structures piled on top of older structures) is almost unavoidable.
Security products usually come after availability, and that is reasonable: while something has no value yet, why spend money protecting it?
Nothing in an enterprise is built right the first time. Your predecessors made design decisions for reasons of their time; those decisions may not be ideal, but they were at least workable.
Sometimes it feels like the old joke about code: if it works, don’t touch it.
How it works is a mystery no one wants to open.

I believe this is the norm in most organisations, and many are worse.
Past technical debt, compounded by the knowledge gaps left when old staff hand over to new, is probably a shared pain for engineers everywhere.
Of course, this article is not here to complain; complaints are cheap.
The real problem, and what we should actually be doing, is to understand the current state and then find ways to improve it, step by step.
Yes, step by step. If someone tells you it can all be done at once, I believe one of three things: it is extremely hard, it cannot actually be done, or they want to sell you something.

Once you get into cloud security you meet the term Shift Left; most people will have heard it.
If not, here is the short version.
Shift Left means considering security at the beginning of development, so that you avoid going back to deal with security only after development is finished, which drives up the total cost enormously.
Fixing a bug in design costs $1; fixing it in production costs $100.
If we apply this mindset to our own work, we should start from the design side. What we need to think about is
not solving problems, but finding them;
not firefighting, but preventing fires.
That is the real value of an architect.
## Second question: What should I actually know?
First, my own background: I started in network security, moved into cloud security, and, swept along by the times, have had no choice but to start learning AI security.
To put it bluntly: the learning never ends. Ever.
Years from now, the hype around cloud, AI, and security may fade. But if documenting my own learning lets me cross paths with you, someone who wanted to explore this field, then every word was worth writing.
As for what you need to know, you might expect me to list a long checklist of skills. In reality, an architect has to span technology, risk, and communication; what architects really need is not a checklist of tools.
:::info
It’s not about how many tools you know,
but when to use them, and when not to.
:::
## Let’s create a fictional project: Project A
Pure theory is boring.
To give the discussion something concrete to land on, later articles will refer to a fictional project, **Project A**. It is by no means a model answer, only a starting point for the conversation.
Imagine we are working on a project together: you are my manager, and I am presenting my thinking and recommendations to you. If you can, point out where my thinking falls short.
## The series begins
I think we can start from the lowest layer, and what I consider the most troublesome problem once you enter the cloud: identity.
Everyone tells you to apply least privilege. But if identity itself is not handled properly, how can least privilege ever work?
And if it can’t, then Zero Trust, the more distant goal, is even further out of reach.
We may never know whether we found the best answer.
But we will know that, in that moment, we took responsibility for the thinking and the judgement.
Including this one, the series is planned at 13 articles, with every three forming a chapter, so that we can think this through together.
On the road to improvement, and the road of writing, there are many unknowns.
But one thing I do know: neither you nor I will be satisfied with just putting out the next fire.