TCI Reference Architecture v2.0
Description: cloud computing reference architecture
Business Operation Support Services (BOSS)
Data Governance
Operational Risk Management
Compliance
Security and Risk Management
Presentation Services
Information Services
Infrastructure Services
Facility Security
Asset Handling
Controlled Physical Access
Information Technology Operation & Support (ITOS)
Application Services
Service Support
Configuration Management
Problem Management
Incident Management
Change Management
Release Management
Service Delivery
Policies and Standards
Data Protection
Audit Planning
Reference Architecture Version 2.0
Guiding Principles
- Define protections that enable trust in the cloud.
- Develop cross-platform capabilities and patterns for proprietary and open-source providers.
- Facilitate trusted and efficient access, administration and resiliency for the customer/consumer.
- Provide direction to secure information that is protected by regulations.
- The Architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
- Centralize security policy, maintenance operation and oversight functions.
- Access to information must be secure yet still easy to obtain.
- Delegate or federate access control where appropriate.
- Must be easy to adopt and consume, supporting the design of security patterns.
- The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
- The Architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
High Level Use Cases
Co-Chairs: Jairo Orea, Yaron Levi, Dan Logan.
Team: Richard Austin, Frank Simorjay, Yaron Levi, Jon-Michael Brook,
Jarrod Stenberg, Ken Trant, Earle Humphreys, Vern Williams
Date: 02/25/2013
SABSA
ITIL v3
JERICHO
Independent Audits
Third-Party Audits
Internal Audits
Contact/Authority Maintenance
Information System Regulatory Mapping
Intellectual Property Protection
Data Ownership / Stewardship
Data Classification
Handling / Labeling / Security Policy
Secure Disposal of Data
Data Governance
Risk Assessments
Non-Production Data
Rules for Information Leakage Prevention
Information Leakage
Metadata
Technical Security Standards
Data/Asset Classification
Barriers
Electronic Surveillance
Physical Authentication
Security Patrols
Business Impact Analysis
TOGAF
Data
Software
Hardware
Information Technology Resiliency
Capacity Planning
Software Management
Physical Inventory
Automated Asset Discovery
Configuration Management
Emergency Changes
Planned Changes
Project Changes
Scheduling
Operational Changes
Service Provisioning
Approval Workflow
Change Review Board
Security Incident Response
Automated Ticketing
Self-Service Ticketing
Event Classification
Root Cause Analysis
Source Code Management
Trend Analysis
Problem Resolution
Testing
Build
Version Control
Availability Management
Resiliency Analysis
Capacity Planning
Service Level Management
Objectives
Internal SLAs
External SLAs
Vendor Management
OLAs
Service Dashboard
Asset Management
Service Costing
Operational Budgeting
Investment Budgeting
Charge Back
Connectivity & Delivery
Abstraction
Integration Middleware
Programming Interfaces
Knowledge Management
Presentation Modality
Presentation Platform
Service Support
Configuration Rules (Metadata)
Service Events
Service Delivery
Service Catalog
SLAs
OLAs
Contracts
Recovery Plans
Business Continuity
Domain
Container
Process or Solution
Data
Human Resources Security
Crisis Management
Background Screening
Employment Agreements
Employee Termination
Governance Risk & Compliance
Policy Management
IT Risk Management
Compliance Management
Technical Awareness and Training
InfoSec Management
Capability Mapping
Risk Portfolio Management
Risk Dashboard
Vendor Management
Audit Management
Residual Risk Management
Best Practices
Trend Analysis
Benchmarking
Job Descriptions
Roles and Responsibilities
Employee Code of Conduct
IT Operation
Resource Management
Segregation of Duties
PMO Portfolio Management
Maturity Model
Roadmap
IT Governance
Architecture Governance
Standards and Guidelines
Project Management
Clear Desk Policy
Strategy Alignment
Data Loss Prevention
Network (Data in Transit)
End-Point (Data in Use)
Server (Data at Rest)
Intellectual Property Protection
Intellectual Property
Digital Rights Management
Cryptographic Services
Threat and Vulnerability Management
Patch Management
Compliance Testing
Databases
Signature Services
PKI
Data-in-Transit Encryption (Transitory, Fixed)
Privilege Management Infrastructure
Identity Management
Domain Unique Identifier
Federated IDM
Identity Provisioning
Attribute Provisioning
Authentication Services
SAML Token
Risk Based Auth
OTP
Smart Card
Multifactor
Password Management
Authorization Services
Policy Enforcement
Policy Definition
Policy Management
Principal Data Management
Resource Data Management
XACML
Network Authentication
Biometrics
Single Sign On
Middleware Authentication
WS-Security
Privilege Usage Management
Servers
Network
Vulnerability Management
Application
Infrastructure
DB
Penetration Testing
Internal
External
Threat Management
Source Code Scanning
Risk Taxonomy
Infrastructure Protection Services
Server
Anti-Virus
HIPS / HIDS
Host Firewall
End-Point
Anti-Virus, Anti-Spam, Anti-Malware
HIPS / HIDS
Host Firewall
Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile)
Media Lockdown
Hardware Based Trusted Assets
Forensic Tools
Inventory Control
Content Filtering
Application
XML Appliance
Application Firewall
Secure Messaging
Secure Collaboration
Network
Firewall
Content Filtering
NIPS / NIDS
Link Layer Network Security
Wireless Protection
User Directory Services
Active Directory Services
LDAP Repositories
X.500 Repositories
DBMS Repositories
Registry Services
Location Services
Federated Services
Reporting Services
Dashboard
Reporting Tools
Data Mining
Business Intelligence
Virtual Directory Services
Security Monitoring
Risk Management
GRC
RA
BIA
DR & BC Plans
VRA
TVM
Availability Services
Network Services
Storage Services
Development Process
Configuration Management Database (CMDB)
Knowledge Repository
Change Logs
Meta Directory Services
Internal Infrastructure
Servers
End-Points
Virtual Infrastructure
BOSS
SaaS, PaaS, IaaS
Identity Verification
DPI
Session Events
Authorization Events
Authentication Events
Application Events
Network Events
Computer Events
Risk Assessments
Audit Findings
Data Classification
Process Ownership
HR Data (Employees & Contractors)
Business Strategy
HIPS
Database Events
ACLs
CRLs
Compliance Monitoring
NIPS Events
DLP Events
Transformation Services
NIPS Events
Privilege Usage Events
eDiscovery Events
ITOS
PMO Strategy
Problem Management
Incident Management
CMDB
Knowledge Management
Service Management
Change Management
Roadmap
Security Monitoring Services
SIEM Platform
Event Mining
Database Monitoring
Application Monitoring
End-Point Monitoring
Event Correlation
SOC Portal
Market Threat Intelligence
Counter Threat Management
Cloud Monitoring
Honey Pot
E-Mail Journaling
Managed Security Services
Knowledge Base
Branding Protection
Anti-Phishing
Legal Services
Contracts
E-Discovery
Internal Investigations
Forensic Analysis
Data Lifecycle Management
Data De-Identification
Life Cycle Management
Data Seeding
Data Tagging
Meta Data Control
e-Mail Journaling
Data Obscuring
Data Masking
eSignature (Unstructured Data)
Key Management
Symmetric Keys
Asymmetric Keys
Role Management
Keystroke/Session Logging
Privilege Usage Gateway
Password Vaulting
Resource Protection
DRP
Plan Management
Test Management
Contractors
Network Virtualization
External (VLAN)
Internal (VNIC)
Application Virtualization
Desktop Client Virtualization
Local
Remote
Session-Based
VM-Based (VDI)
Server Virtualization
Virtual Machines (Hosted Based)
Hardware-Assisted
Paravirtualization
Full
Storage Virtualization