developing the corporate security architecture
TRANSCRIPT
Developing the Corporate Security Architecture
www.avient.caAlex WodaJuly 22, 2009
Avient Solutions Group
7/22/2009 Page 2
Avient Solutions Group is based in Markham and is a professional services firm specializing in infrastructure, architecture, applications security and project management.
WIP… “AMS” Avient Managed Solutions!
Key Points
Why do we need a Corporate security architecture?Enterprise Architecture FrameworksExamples of security architectureDesigning and Implementing a Security ArchitectureHow to assess the security architecture
Information Security Challenge
Change inInfra-structure
Changes the Nature of Risk
Change in the Nature of Work
Change inInfo-structure
Trust and Truth
Key Performance Indicators:
Revenue, Profitability, Cash flow, Value creation
Value Based Management
Privacy & Security
Business Drivers
Government Regulations and AuditsSarbanes OxleyBill C-198PIPEDA Bill C-6
Industry Security RegulationsPayment Card Industry Data Security StandardsOpen Web Application Security Project (OWASP)ISO 17799, ISO 27002
Business RelationshipsOutsourced servicesSupply chain integrationRemote access to internal systems
Technology Drivers
New Technologies and InfrastructurePurchased applicationsIntegration of systems
New information collection and storageSensitive data and encryptionData leakage
Cloud ComputingWeb based access to applicationsThird party control
Malicious code Trojans, virusesVulnerabilities in software
External attack methodsCross site scriptingBuffer overflowsMemory parsers
Information Security Stakeholders
InformationSecurity Management
Customers
Suppliers
Management Regulators
Shareholders Employees
•Network connections•Service Agreements•Continuity Planning
•Laws and Statutes•Security and Privacy•Compliance management
•Information Integrity•Confidentiality•Intellectual Propertyprotection
•Cost management
•Health and Safety•Privacy protection•Trust
•Risk Management•Trust and Safety•Investment Protection
•Privacy Protection•Trust and Safety•Safeguards
Enterprise Architecture Frameworks
TOGAF Enterprise Architecture FrameworkIntegration of security into different domainsArchitecture development method available
Zachman Enterprise Architecture Framework Set of models to represent WHAT, HOW and WHERE
Complete the design with WHO, WHEN and WHYSystematic description of business models, processes, data requirementsSet of standard artifacts to foster communication and collaborationSecurity Architecture called SABSA
Vendor Defined ArchitectureIBM Architecture Methods
Security Architecture Frameworks
TOGAF Version 9SABSA - SherwoodISO 17799 security frameworkAgile Security Strategies ISO 13335 - security practicesISO 7498-2NSA standards - Gold for Win2KCisco SAFE
TOGAF and Security
Security domain is pervasive across the other domainsAreas of focus:
AuthenticationAuthorizationAuditAssuranceAvailabilityAsset ProtectionAdministrationRisk Management
Security as part of Enterprise Architecture
Integrated with Enterprise ArchitectureBusiness architectureInformation architectureApplication architectureTechnology architectureSecurity architecture
Security participation in project teamsCreation of security analysis and design plans for each significant project
Conceptual Security Framework
1. Based on British Standard 7799: “Code of Practice for Information Security Management” and NIST
Security
Policy
Security
Organization
Physical and
Environmental
Security
Computer and
NetworkManagement
BusinessContinuityPlanning
PersonnelSecurity Asset
Classification
and Control
SystemDevelopment
andMaintenance
AccessControl
Compliance
Security
TEN KEY CONTROLS
Example of a Security Architecture ModelIBM has a model for Security Architecture. This is illustrated in the following diagram. The Security Services correspond to the logical Components within the IT Architecture. As such there is a natural linkage between the two Architectures.
Management
Objects
Mechanisms
Services
ServicesManagement
POLICY
MANAGEMENT
AUDIT
&
ALERT
MANAGEMENT
Confidentiality DataIntegrity
NonRepudiation
AccessControl
Identification&
Authentication
Management
ObjectManagement
EntityAuthentication
Access Control Lists
SecurityLabels
EncipherDecipher
MessageAuthentication
ModificationDetection
DigitalSignature
UsersGroups
PrivilegesAuditLogs
ProgramsEncryption
Keys
Passwords
SYSTEM
INTEGRITY
Based on ISO Standard 7498-2
e.g. DATA
ENTERPRISE ARCHITECTURE - A FRAMEWORK
Builder
SCOPE(CONTEXTUAL)
MODEL(CONCEPTUAL)
ENTERPRISE
Designer
SYSTEMMODEL(LOGICAL)
TECHNOLOGYMODEL(PHYSICAL)
DETAILEDREPRESEN- TATIONS(OUT-OF- CONTEXT)
Sub-Contractor
FUNCTIONINGENTERPRISE
DATA FUNCTION NETWORK
e.g. Data Definition
Ent = FieldReln = Address
e.g. Physical Data Model
Ent = Segment/Table/etc.Reln = Pointer/Key/etc.
e.g. Logical Data Model
Ent = Data EntityReln = Data Relationship
e.g. Semantic Model
Ent = Business EntityReln = Business Relationship
List of Things Importantto the Business
ENTITY = Class ofBusiness Thing
List of Processes theBusiness Performs
Function = Class ofBusiness Process
e.g. Application Architecture
I/O = User ViewsProc .= Application Function
e.g. System Design
I/O = Data Elements/SetsProc.= Computer Function
e.g. Program
I/O = Control BlockProc.= Language Stmt
e.g. FUNCTION
e.g. Business Process Model
Proc. = Business ProcessI/O = Business Resources
List of Locations in which the Business Operates
Node = Major BusinessLocation
e.g. Business Logistics System
Node = Business LocationLink = Business Linkage
e.g. Distributed System
Node = I/S Function(Processor, Storage, etc)Link = Line Characteristics
e.g. Technology Architecture
Node = Hardware/SystemSoftware
Link = Line Specifications
e.g. Network Architecture
Node = AddressesLink = Protocols
e.g. NETWORK
Architecture
Planner
Owner
Builder
ENTERPRISEMODEL
(CONCEPTUAL)
Designer
SYSTEMMODEL
(LOGICAL)
TECHNOLOGYMODEL
(PHYSICAL)
DETAILEDREPRESEN-
TATIONS (OUT-OF
CONTEXT)
Sub-Contractor
FUNCTIONING
MOTIVATIONTIMEPEOPLE
e.g. Rule Specification
End = Sub-conditionMeans = Step
e.g. Rule Design
End = ConditionMeans = Action
e.g., Business Rule Model
End = Structural AssertionMeans =Action Assertion
End = Business ObjectiveMeans = Business Strategy
List of Business Goals/Strat
Ends/Means=Major Bus. Goal/Critical Success Factor
List of Events Significant
Time = Major Business Event
e.g. Processing Structure
Cycle = Processing CycleTime = System Event
e.g. Control Structure
Cycle = Component CycleTime = Execute
e.g. Timing Definition
Cycle = Machine CycleTime = Interrupt
e.g. SCHEDULE
e.g. Master Schedule
Time = Business EventCycle = Business Cycle
List of Organizations
People = Major Organizations
e.g. Work Flow Model
People = Organization UnitWork = Work Product
e.g. Human Interface
People = RoleWork = Deliverable
e.g. Presentation Architecture
People = UserWork = Screen Formate.g. Security Architecture
People = IdentityWork = Job
e.g. ORGANIZATION
Planner
Owner
to the BusinessImportant to the Business
What How Where Who When Why
John A. Zachman, Zachman International (810) 231-0531
SCOPE(CONTEXTUAL)
Architecture
e.g. STRATEGYENTERPRISE
e.g. Business Plan
TM
Security test strategy and test plans
Integration of security components and mechanisms
Security logging, access control, security reportsBackup plans
Security interface for users and administratorsAuthentication mechanism
Network communication security mechanisms
Security components, objects and mechanisms
Database security mechanismsFile securityAudit trails and log security
Physical
Chart 4 & 5 of TRAComplete PIASelect security products
Determine level of protection required for assets, functions and data(accepted risk)
Business and system impact analysisWhen is security enforced?
Access to functions and transactionsSecurity Administration requirements
Middleware security and data transfer security requirements
Security requirements for sensitive processes (logging, access control)
Security requirements for Personal and Critical data fields(Isolation, edits, encryption)
Logical
Identification of security mechanisms and components (PKI, encryption)
Identify specific assets and functions at riskVulnerability analysis
Availability and recovery requirements Service Levels
User authentication and authorization requirementsPrivacy impact
Location and network protection requirements(firewalls, encryption)
Identify sensitive and critical Processes and resourcesRisk identification
Business Continuity ManagementIdentify data of sensitive or personal nature (Privacy, Integrity)
Conceptual
Charts 1, 2 and 3 of TRAHigh level PIA
Why are threats present? Consequences and impactCorporate Policies
Business CalendarProbability of threats occurringImportance of service (Critical?)
Stakeholders, users, external parties (Privacy, Sensitivity)
Business field operations management Interfaces to trading partners – Data collection and usage(Sensitivity)
Business driven information security management program
Identify general nature of data(personal, confidential, financial, critical)Collection Methods
Contextual
DeliverablesMotivation (why)Time (when)People (Who)Network (Where)Function (How)Data (What)Level
Zachman Based Security Architecture (SABSA)
15
Security Building Blocks
Security
Standards
Standards• Security standards make
specific mention of technologies, methodologies, implementation procedures and other details.
• It is used by the enterprise to implement the security policy.
SERVICESMECHANISMS
OBJECTS
APPLICATIONCOMMONSERVICES
NETWORK
SYSTEM Windows NTUNIX
NetworkInfrastructure
DB2
Secu
rity
Sta
ndar
d
Security
Policy
Policy• A security policy outlines an organization's
position on security issues. It must be endorsed and supported by Management.
• A good security policy can be simply stated, easily understood and in a form that can be widely communicated.
Security
Processes
Processes• Processes are created and
implemented with respect to polices and standards.
• Part of the process is an assessment of existing process to ensure business needs are still met.
ImplementationRisk Assessment
Policy
AdministrationAudit
THE SECURITY LIFECYCLE
Security Architecture Foundation Deliverables
Risk Management Templates and GuidelinesThreat risk assessment process
Privacy Management guide and formsEnterprise security architecture visionSecurity Architecture Design Document templatesTechnical security standards - BaselineProject team training programEnterprise security architecture migration plan
Security Vision
Mail, FTPInternet
Web HostingHighly Secure Zone
LDAPSecurity Service Restricted
Data
RestrictedZone SecurityCredentials
InternalUsers
FirewallVLAN
Role BasedAuthorization
Application
Internal Data
ConfidentialData
System EventLogging
ApplicationLogging
Application Application
SharedDMZ Internal
Zone
PartnerDMZ
Third PartyDMZ
PartnerDMZ
Third PartyConnections
IntegrationServices
Application
PartnerZone
ApplicationPublicData
BankingServices
Business Intelligence
OLAP
LDAPSecurity Service File
Directories
RemoteAccessDMZ
Remote AccessUsers
Risk Assessment Methods
Spans across all domains and is applied in contextFormal methods and deliverables must be usedShould be facilitated or reviewed by security expertsIndustry Standards (samples)
Operationally critical threat asset vulnerability evaluation (OCTAVE)NIST SP 800 Threat risk assessment guideNew Zealand / Australia AZ/NZS 4360 methodIRM, ALARM
Threat Risk Assessment Process
PlanningTRA
Preparation Analysis Action Plans•Scope•Boundary•Responsibility•System and dataAsset inventory•Acceptable risks•General Threats
•Identify Assets•Tangible•Intangible
•Statement of Sensitivity
•Threat AnalysisIdentify ThreatsProbability of OccurrenceConsequence
•Risk AnalysisVulnerabilitiesControlsAssessment
•Accept Risk•Improve Controls•New Controls•Manage Risk•(Avoid)•(Transfer)
Threat Risk Assessment Deliverables
Security Plan for the systemDescription of the risks and environmentComponent placement, server functions, diagramsData classification
Description of risks and key controls to be usedList of baseline security componentsIdentify new security methods or componentsSecurity testing methodsLogging and Monitoring requirements
Privacy Risks
Unauthorized disclosure of data to external partiesConstruction of data profiles
Data matching and user monitoringUnauthorized use of private dataInadequate protection and safeguardsIncorrect data used for decision purposes
Privacy Impact Assessment
Assessment of privacy risks during systems under developmentPrivacy risk assessment document to be completedIdentify and classify personal private data
Where and how is it collected?Where is it processed?Where is it stored and with what other data?Is the data disclosed to other users or systems?
Document data flow and user actionsSelect controls and establish processes
Security Architecture Benefits
Business AlignmentRisk driven selection and management of controlsParticipation during system developmentBusiness support and business enablement
Cost ManagementReusability of components and processesEfficient administration and maintenance
Ease of IntegrationScalability of solutionsTrusted solutions
Life Cycle Risk Management
Money/Risk
Time
t0t-..1/5t--1Governance
Bus. Req. Design Development OperationsImplementation
The objective is to lower the risk
Practices and technology
Design reviews
Audit
Tests and certification
Technology insertion
Information Security Operation
Information Protection Center and Information Security Operations
Security at the Systems Layer
Logical Security ArchitectureCompliance to Policies and Standards Identity managementAuthorizaton servicesMessaging securityData encryptionAudit and logging facilitiesMalicious code protectionApplication IntegrationDeliverables:
Logical Threat Risk assessmentPrivacy impact assessment
Security at the Technology Layer
Infrastructure ProtectionNetwork Perimeter security protectionNetwork SegmentationNetwork identity managementAuthorization Intrusion detectionRemote System AccessVPN and EncryptionLogging and monitoringDeliverables:
Physical Threat Risk assessmentTesting MethodsLogging and monitoring tests
Security Strategy
TechnologyNetwork protection methodsIntrusion detectionLogging and monitoringChannel level encryptionSecurity StandardsSecurity AdministrationCode protection
Security Analysis and ManagementEnterprise Architecture MethodsRisk Management MethodsPrivacy assessment methodsIdentity, authentication and authorizationMulti-layered Security architectureIncident managementGovernance, Risk and Compliance processes
Process IISecurity
Abstraction
Fragmented Integrated
Human centric
Technologycentric
Process I
Security
Diffusion
Formalization
Process IIISecurity
Security EnabledOrganizations
•Governance and Risk Management•Enterprise security models and tools•Integrated Security Management system
Isolated GroupsFragmented SecurityLack of standards
Security PoliciesOperations centricsecurity testing
Individualsartisansprofessionalsmanagers
Security Management Maturity model
Developing the Corporate Security Architecture
Define Security Principles and StandardsSecurity Policies, Principles and StandardsSecurity VisionBaseline security methods and controlsDefine Security Artefacts and templatesIntegrate with Technology and application domains
Define and document Core security tools and servicesIdentity managementLogging and MonitoringNetwork protection (firewalls and IDS)Malicious code protection
Define IT Security Governance processesParticipation in Systems development and technology procurement projectsIntegration with Project management methodsPhased approach for development of security artefacts (Risk Management Plan and securitydiagrams)Define Security testing requirementsAssess if the security methods / tools will be sustainableDefine a refresh process for the security architecture
Security Architecture Development
What architecture development methods are right for you?Can the security architecture be developed as a stand alone domain?Formal ADM (Strategic)
Formal templates and processesArchitecture Vision and DefinitionArchitecture Core Teams and Review BoardsArchitecture Foundation and reference library
Guidelines (Tactical)Just in time architectureArchitecture LITESecurity Vision and templates
Security Architecture Development Methodology
Conceptual Risk Assessment Identify Security business requirements
Description of current environment and processesHigh level Risk Assessment of business practices, data and technologyAssess applicability of government or industry regulationsRefine risk assessment and include future plansCreate conceptual risk report
Business risksTechnology risksOperational / financial risks
Decide level of project involvement
40
Security Architecture Development Methodology
Logical Risk AssessmentLogical Security Model Development
Review with project team and create logical security architecture using core componentsIdentify new security components or methodsCreate logical threat risk assessment document
Risk assessment of each component in systemSecurity methods and controls to be implemented
Assess data protection methods and privacy impactReview with Enterprise Architecture
Security Architecture Development Methodology
Physical Security Assessment Information Security Deployment and Testing
Review physical deployment diagramsValidate that security requirements are implemented
Review security methods and activitiesSystem logging and monitoringUser management Source Code validation
Define / Execute Security test strategy and planSecurity ScansVulnerability assessmentsPenetration testsDisaster Recovery Test
Update Enterprise Architecture documents Update governance risk and compliance processes
Assessing the Security Architecture
Control Objectives for IT (COBiT)Developed by ISACA as a governance framework
Plan and OrganizeAcquire and ImplementDeliver and SupportMonitor and Evaluate
Includes a guide for measuring maturityCapability Maturity Model
Must be tailored for the organizationApplied to security functions and services
Corporate Security Architecture Assessment
Review the scope of the security architectureReview target security architectureReview security policies and standardsReview security principles and visionAssess security organization and staffingIdentify Regulatory Compliance requirementsEvaluate the Risk Assessment methods in use for projects and systemsIdentify and map out the Architecture governance process for securityReview Risk issue management processAssess Security Design Plan templates and completed formsReview security management proceduresAssess Business Continuity Plan and maintenance
Step 1 - Preliminary Review of Security Architecture
Corporate Security Architecture Assessment
Validate security plans to actual implementationAssessment of security methods, technologySecurity awareness and risk management trainingAssess how security is integrated with other architecture domainsAssess Security Components
Identity managementLogging and Monitoring systems Network protectionEncryption key management processesMalicious code protection
Step 2 - Evaluate Security foundation and components
Corporate Security Architecture Assessment
Security implemented for the Technology and Application layersVulnerability Assessment methods in use Security Scan test methodsSecurity Reviews completed by third partiesSource code reviews and testingPhysical securityTechnical support accessBackup and Recovery processesNetwork security
Step 3 - Assess the Technical Security Architecture
Summary and Conclusions
New risks created by new technologies and business processesRegulatory compliance, including privacy is driving enhanced security requirementsIncrease risk of attacks from external sourcesEnterprise Architecture is growing in popularityChallenge to implement and maintainSecurity architecture is pervasive across the other domains of architecture -Business, data, technology and applicationsSecurity architecture is completed in layers
Conceptual, Logical, Technical Requires a framework of risk management methods, baseline standards and governance processComprehensive risk management plan for security, privacy and business continuity