Developing the Corporate Security Architecture
www.avient.ca
Alex Woda
July 22, 2009

Avient Solutions Group
Avient Solutions Group is based in Markham and is a professional services firm specializing in infrastructure, architecture, applications security and project management.
WIP: “AMS” Avient Managed Solutions!

Key Points
- Why do we need a Corporate security architecture?
- Enterprise Architecture Frameworks
- Examples of security architecture
- Designing and Implementing a Security Architecture
- How to assess the security architecture

Information Security Challenge
[Diagram] Privacy & Security sit among the following business pressures:
- Value Based Management, with Key Performance Indicators: Revenue, Profitability, Cash flow, Value creation
- Change in Infrastructure
- Change in the Nature of Work
- Change in Info-structure
- Trust and Truth
These changes change the Nature of Risk.

Business Drivers
- Government Regulations and Audits
  - Sarbanes Oxley
  - Bill C-198
  - PIPEDA (Bill C-6)
- Industry Security Regulations
  - Payment Card Industry Data Security Standards
  - Open Web Application Security Project (OWASP)
  - ISO 17799, ISO 27002
- Business Relationships
  - Outsourced services
  - Supply chain integration
  - Remote access to internal systems

Technology Drivers
- New Technologies and Infrastructure
  - Purchased applications
  - Integration of systems
  - New information collection and storage
  - Sensitive data and encryption
  - Data leakage
  - Cloud Computing
  - Web based access to applications
  - Third party control
- Malicious code
  - Trojans, viruses
  - Vulnerabilities in software
- External attack methods
  - Cross site scripting
  - Buffer overflows
  - Memory parsers

Information Security Stakeholders
[Diagram] Information Security Management at the centre, surrounded by the stakeholders and their concerns:
- Shareholders: Risk Management; Trust and Safety; Investment Protection
- Customers: Privacy Protection; Trust and Safety; Safeguards
- Management: Information Integrity; Confidentiality; Intellectual Property protection; Cost management
- Employees: Health and Safety; Privacy protection; Trust
- Regulators: Laws and Statutes; Security and Privacy; Compliance management
- Suppliers: Network connections; Service Agreements; Continuity Planning

Enterprise Architecture Frameworks
- TOGAF Enterprise Architecture Framework
  - Integration of security into different domains
  - Architecture development method available
- Zachman Enterprise Architecture Framework
  - Set of models to represent WHAT, HOW and WHERE
  - Complete the design with WHO, WHEN and WHY
  - Systematic description of business models, processes, data requirements
  - Set of standard artifacts to foster communication and collaboration
  - Security Architecture called SABSA
- Vendor Defined Architecture
  - IBM Architecture Methods

Security Architecture Frameworks
- TOGAF Version 9
- SABSA - Sherwood
- ISO 17799 security framework
- Agile Security Strategies
- ISO 13335 - security practices
- ISO 7498-2
- NSA standards - Gold for Win2K
- Cisco SAFE

TOGAF and Security
- Security domain is pervasive across the other domains
- Areas of [...]:
  - [...]ilability
  - Asset Protection
  - Administration
  - Risk Management

Security as part of Enterprise Architecture
- Integrated with Enterprise Architecture
  - Business architecture
  - Information architecture
  - Application architecture
  - Technology architecture
  - Security architecture
- Security participation in project teams
- Creation of security analysis and design plans for each significant project

Conceptual Security Framework
[Diagram] Ten key [...] (1). Recoverable labels: Policy; Business Continuity Planning; Physical and Environmental Security; Compliance.
(1) Based on British Standard 7799: “Code of Practice for Information Security Management” and NIST

Example of a Security Architecture Model
IBM has a model for Security Architecture, illustrated in the following diagram. The Security Services correspond to the logical Components within the IT Architecture, so there is a natural linkage between the two Architectures. Based on ISO Standard 7498-2.
[Diagram] Security Management and Audit around the security services: Authentication; Access Control; Logs; Passwords; Encryption Keys; System Integrity.

Enterprise Architecture - A Framework (John A. Zachman, Zachman International, (810) 231-0531)
[Diagram] The Zachman matrix. Columns: Data (What), Function (How), Network (Where), People (Who), Time (When), Motivation (Why). Rows, with the cell for each column:
- Scope (Contextual) / Planner:
  Data: List of Things Important to the Business (Entity = Class of Business Thing)
  Function: List of Processes the Business Performs (Function = Class of Business Process)
  Network: List of Locations in which the Business Operates (Node = Major Business Location)
  People: List of Organizations Important to the Business (People = Major Organizations)
  Time: List of Events Significant to the Business (Time = Major Business Event)
  Motivation: List of Business Goals/Strategies (Ends/Means = Major Bus. Goal/Critical Success Factor)
- Enterprise Model (Conceptual) / Owner:
  Data: e.g. Semantic Model (Ent = Business Entity, Reln = Business Relationship)
  Function: e.g. Business Process Model (Proc. = Business Process, I/O = Business Resources)
  Network: e.g. Business Logistics System (Node = Business Location, Link = Business Linkage)
  People: e.g. Work Flow Model (People = Organization Unit, Work = Work Product)
  Time: e.g. Master Schedule (Time = Business Event, Cycle = Business Cycle)
  Motivation: e.g. Business Plan (End = Business Objective, Means = Business Strategy)
- System Model (Logical) / Designer:
  Data: e.g. Logical Data Model (Ent = Data Entity, Reln = Data Relationship)
  Function: e.g. Application Architecture (Proc. = Application Function, I/O = User Views)
  Network: e.g. Distributed System Architecture (Node = I/S Function (Processor, Storage, etc.), Link = Line Characteristics)
  People: e.g. Human Interface Architecture (People = Role, Work = Deliverable)
  Time: e.g. Processing Structure (Time = System Event, Cycle = Processing Cycle)
  Motivation: e.g. Business Rule Model (End = Structural Assertion, Means = Action Assertion)
- Technology Model (Physical) / Builder:
  Data: e.g. Physical Data Model (Ent = Segment/Table/etc., Reln = Pointer/Key/etc.)
  Function: e.g. System Design (Proc. = Computer Function, I/O = Data Elements/Sets)
  Network: e.g. Technology Architecture (Node = Hardware/System Software, Link = Line Specifications)
  People: e.g. Presentation Architecture (People = User, Work = Screen Format)
  Time: e.g. Control Structure (Time = Execute, Cycle = Component Cycle)
  Motivation: e.g. Rule Design (End = Condition, Means = Action)
- Detailed Representations (Out-of-Context) / Sub-Contractor:
  Data: e.g. Data Definition (Ent = Field, Reln = Address)
  Function: e.g. Program (Proc. = Language Stmt, I/O = Control Block)
  Network: e.g. Network Architecture (Node = Addresses, Link = Protocols)
  People: e.g. Security Architecture (People = Identity, Work = Job)
  Time: e.g. Timing Definition (Time = Interrupt, Cycle = Machine Cycle)
  Motivation: e.g. Rule Specification (End = Sub-condition, Means = Step)
- Functioning Enterprise: e.g. Data; e.g. Function; e.g. Network; [...]; e.g. Schedule; [...]

Zachman Based Security Architecture (SABSA)
[Table] Columns: Level; Data (What); Function (How); Network (Where); People (Who); Time (When); Motivation (Why); Deliverables.
- Contextual
  Data: Identify general nature of data (personal, confidential, financial, critical); Collection Methods
  Function: Business driven information security management program; Business field operations management
  Network: Interfaces to trading partners - Data collection and usage (Sensitivity)
  People: Stakeholders, users, external parties (Privacy, Sensitivity)
- Conceptual (also: Business Continuity Management)
  Data: Identify data of sensitive or personal nature (Privacy, Integrity)
  Function: Identify sensitive and critical Processes and resources; Risk identification
  Network: Location and network protection requirements (firewalls, encryption)
  People: User authentication and authorization requirements; Privacy impact
- Logical
  Data: Security requirements for Personal and Critical data fields (Isolation, edits, encryption)
  Function: Security requirements for sensitive processes (logging, access control)
  Network: Middleware security and data transfer security requirements
- Physical
  Data: Database security mechanisms; File security; Audit trails and log security
  Function: Security components, objects and mechanisms
  Network: Network communication security mechanisms
Time (When), Motivation (Why) and Deliverables column entries, in extraction order:
- Why are threats present? Consequences and impact; Corporate Policies
- Charts 1, 2 and 3 of TRA; High level PIA
- Availability and recovery requirements; Service Levels
- Identify specific assets and functions at risk; Vulnerability analysis
- Identification of security mechanisms and components (PKI, encryption)
- Access to functions and [...]ness and system impact analysis
- When is security enforced?
- Determine level of protection required for assets, functions and data (accepted risk)
- Chart 4 & 5 of TRA; Complete PIA
- Select security products
- Security interface for users and administrators; Authentication mechanism
- Security logging, access control, security reports; Backup plans
- Integration of security components and mechanisms
- Security test strategy and test plans
- Business Calendar; Probability of threats occurring; Importance of service (Critical?)

Security Building [...]
[Diagram] Layers: Policy; Security Standard; Services; Mechanisms; Objects (platform examples: Windows NT, UNIX).
Policy: A security policy outlines an organization's position on security issues. It must be endorsed and supported by Management. A good security policy can be simply stated, easily understood and in a form that can be widely [...].
Standards: Security standards make specific mention of technologies, methodologies, implementation procedures and other details. They are used by the enterprise to implement the security [...].
[...] Administration
Processes: Processes are created and implemented with respect to policies and standards. Part of the process is an assessment of existing process to ensure business needs are still met.

Security Architecture Foundation Deliverables
- Risk Management Templates and Guidelines
- Threat risk assessment process
- Privacy Management guide and forms
- Enterprise security architecture vision
- Security Architecture Design Document templates
- Technical security standards - Baseline
- Project team training program
- Enterprise security architecture migration plan

Security Vision
[Diagram] Recoverable labels: Mail, FTP; Internet; Web [...]; [...]le Based Authorization; Third [...]; [...]ess Intelligence / OLAP; Remote [...]; [...]irectories; Restricted Data; System Event Logging; Restricted Zone; Security Credentials.

Risk Assessment Methods
- Spans across all domains and is applied in context
- Formal methods and deliverables must be used
- Should be facilitated or reviewed by security experts
- Industry Standards (samples)
  - Operationally critical threat asset vulnerability evaluation (OCTAVE)
  - NIST SP 800 Threat risk assessment guide
  - New Zealand / Australia AS/NZS 4360 method
  - IRM, ALARM

Threat Risk Assessment Process
[Diagram] Stages:
- Planning: Scope; Boundary; Responsibility; System and data; Asset inventory; Acceptable risks; General Threats
- TRA Preparation: Identify Assets (Tangible, Intangible); Statement of Sensitivity
- Analysis: Threat Analysis -> Identify Threats -> Probability of Occurrence -> Consequence
- Risk [...]ion Plans: Accept Risk; Improve Controls; New Controls; Manage Risk (Avoid) (Transfer)
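As an added worked example (not material from the presentation), the analysis and mitigation stages above can be carried through in Python: a constructed asset inventory with statements of sensitivity, a threat list scored as probability of occurrence times consequence, and a mapping from that score and the accepted-risk level to the treatment options named on the slide (accept risk, improve controls, new controls, manage risk by avoiding or transferring it). The ordinal scales, the treatment thresholds, and every asset and threat below are constructed for illustration; they are not a standard and not the author's scoring scheme.

```python
"""Worked threat risk assessment (TRA) scoring.

Added example; the scales, thresholds and the asset/threat inventory are
constructed for illustration and are not part of the original presentation.
"""
from dataclasses import dataclass, field

# Ordinal scales (constructed): 1 = lowest, 5 = highest.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Asset:
    """Asset inventory entry with its statement of sensitivity."""
    name: str
    tangible: bool
    sensitivity: str  # e.g. public / internal / confidential / critical


@dataclass
class Threat:
    """One identified threat against a named asset."""
    asset: str
    description: str
    probability: str  # key into PROBABILITY
    consequence: str  # key into CONSEQUENCE
    existing_controls: list = field(default_factory=list)


def risk_score(threat: Threat) -> int:
    """Risk = probability of occurrence x consequence, giving 1..25."""
    return PROBABILITY[threat.probability] * CONSEQUENCE[threat.consequence]


def treatment(score: int, accepted_risk: int) -> str:
    """Map a score to the mitigation options on the slide.

    accepted_risk is the highest score management has agreed to carry.
    The multipliers are a constructed policy, not a standard.
    """
    if score <= accepted_risk:
        return "accept risk"
    if score <= 2 * accepted_risk:
        return "improve controls"
    if score <= 4 * accepted_risk:
        return "new controls"
    return "manage risk (avoid or transfer)"


def assess(assets, threats, accepted_risk):
    """Produce the risk register: one row per threat, highest risk first."""
    inventory = {a.name: a for a in assets}
    register = []
    for t in threats:
        if t.asset not in inventory:
            raise KeyError(f"threat refers to unknown asset: {t.asset}")
        score = risk_score(t)
        register.append({
            "asset": t.asset,
            "sensitivity": inventory[t.asset].sensitivity,
            "threat": t.description,
            "score": score,
            "treatment": treatment(score, accepted_risk),
        })
    return sorted(register, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory.
ASSETS = [
    Asset("customer database", tangible=False, sensitivity="confidential"),
    Asset("public web server", tangible=True, sensitivity="public"),
    Asset("payment link to acquirer", tangible=True, sensitivity="critical"),
]
THREATS = [
    Threat("public web server", "defacement through an unpatched software vulnerability",
           "likely", "minor", ["patch cycle"]),
    Threat("customer database", "malicious code on an administrator workstation",
           "likely", "moderate", ["anti-virus"]),
    Threat("customer database", "unauthorized disclosure by an outsourced provider",
           "likely", "severe"),
    Threat("payment link to acquirer", "loss of the link (outage)",
           "unlikely", "severe", ["backup plans"]),
    Threat("public web server", "misconfigured error page reveals internal hostnames",
           "unlikely", "negligible"),
]
ACCEPTED_RISK = 4  # constructed: management accepts scores of 4 or less

if __name__ == "__main__":
    for row in assess(ASSETS, THREATS, ACCEPTED_RISK):
        print(f"{row['score']:>2}  {row['treatment']:<32} {row['asset']}: {row['threat']}")
```

The register is the input to the deliverables on the next slide: each row with a treatment other than "accept risk" needs a named control (existing or new) and a test method, and rows that land in "manage risk" are the ones to raise with the business for avoidance or transfer rather than handle purely with technology.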

Threat Risk Assessment Deliverables
- Security Plan for the system
- Description of the risks and environment
- Component placement, server functions, diagrams
- Data classification
- Description of risks and key controls to be used
- List of baseline security components
- Identify new security methods or components
- Security testing methods
- Logging and Monitoring requirements

Privacy Risks
- Unauthorized disclosure of data to external parties
- Construction of data profiles
- Data matching and user monitoring
- Unauthorized use of private data
- Inadequate protection and safeguards
- Incorrect data used for decision purposes

Privacy Impact Assessment
- Assessment of privacy risks during systems under development
- Privacy risk assessment document to be completed
- Identify and classify personal private data
  - Where and how is it collected?
  - Where is it processed?
  - Where is it stored and with what other data?
  - Is the data disclosed to other users or systems?
- Document data flow and user actions
- Select controls and establish processes
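The PIA questions above (what personal data is collected, where it is processed and stored, with what other data, and whether it is disclosed to other systems) can be answered systematically once the data flow is documented. The following Python is an added example, not material from the presentation: the field catalog, systems and flows describe a constructed online-order process, and the three review rules (disclosure to an external party, transfer of personal data without encryption, and several personal fields held together, which corresponds to the "construction of data profiles" risk on the Privacy Risks slide) are an illustrative starting point rather than a standard.

```python
"""Privacy impact assessment walk-through over a documented data flow.

Added example; the field catalog, systems, flows and review rules are
constructed for illustration and are not part of the original presentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    """One data element from the personal data inventory."""
    name: str
    personal: bool   # identifies or relates to an individual
    sensitive: bool  # e.g. financial or health data


@dataclass(frozen=True)
class System:
    """A processing or storage location; internal = under the organization's control."""
    name: str
    internal: bool
    stores: tuple = ()  # field names held at rest


@dataclass(frozen=True)
class Flow:
    """A documented movement of fields from a source to a destination."""
    source: str
    destination: str
    fields: tuple
    purpose: str
    encrypted: bool


def personal_data_map(catalog, systems, flows):
    """Per personal field: where it is collected, processed, stored and disclosed."""
    sysmap = {s.name: s for s in systems}
    result = {}
    for name, f in catalog.items():
        if not f.personal:
            continue
        entry = {"collected_at": [], "processed_at": [], "stored_at": [], "disclosed_to": []}
        for fl in flows:
            if name not in fl.fields:
                continue
            # A flow whose source is not a known system is a collection point.
            if fl.source not in sysmap:
                entry["collected_at"].append(fl.destination)
            entry["processed_at"].append(fl.destination)
            if not sysmap[fl.destination].internal:
                entry["disclosed_to"].append(fl.destination)
        entry["stored_at"] = [s.name for s in systems if name in s.stores]
        result[name] = entry
    return result


def review(catalog, systems, flows):
    """Apply the constructed PIA review rules and return findings as strings."""
    sysmap = {s.name: s for s in systems}
    findings = []
    for fl in flows:
        personal = [n for n in fl.fields if catalog[n].personal]
        if not personal:
            continue
        names = ", ".join(personal)
        if not sysmap[fl.destination].internal:
            findings.append(f"disclosure: {names} sent to external party '{fl.destination}' for {fl.purpose}")
        if not fl.encrypted:
            findings.append(f"unprotected transfer: {names} from '{fl.source}' to '{fl.destination}' without encryption")
    for s in systems:
        held = [n for n in s.stores if catalog[n].personal]
        if len(held) > 1:  # several personal fields together: a profile can be built
            tag = "profile risk (sensitive)" if any(catalog[n].sensitive for n in held) else "profile risk"
            findings.append(f"{tag}: '{s.name}' stores {', '.join(held)} together")
    return findings


# Constructed inventory for an online order process.
CATALOG = {
    "email": Field("email", personal=True, sensitive=False),
    "card_number": Field("card_number", personal=True, sensitive=True),
    "order_total": Field("order_total", personal=False, sensitive=False),
    "product_sku": Field("product_sku", personal=False, sensitive=False),
}
SYSTEMS = [
    System("web storefront", internal=True, stores=("email", "order_total", "product_sku")),
    System("order database", internal=True, stores=("email", "card_number", "order_total")),
    System("marketing analytics (third party)", internal=False, stores=("email",)),
    System("payment processor (third party)", internal=False, stores=("card_number",)),
]
FLOWS = [
    Flow("customer", "web storefront", ("email", "card_number", "product_sku"), "place order", encrypted=True),
    Flow("web storefront", "order database", ("email", "card_number", "order_total"), "fulfilment", encrypted=True),
    Flow("web storefront", "marketing analytics (third party)", ("email", "product_sku"), "campaign tracking", encrypted=False),
    Flow("order database", "payment processor (third party)", ("card_number", "order_total"), "settlement", encrypted=True),
]

if __name__ == "__main__":
    for name, where in personal_data_map(CATALOG, SYSTEMS, FLOWS).items():
        print(name, where)
    for finding in review(CATALOG, SYSTEMS, FLOWS):
        print(finding)
```

The map is the documentation the slide asks for; the findings are where control selection starts (a contract and a transfer mechanism for each disclosure, encryption on the unprotected flow, and separation or access control where personal fields are held together).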

Security Architecture Benefits
- Business Alignment
  - Risk driven selection and management of controls
  - Participation during system development
  - Business support and business enablement
- Cost Management
  - Reusability of components and processes
  - Efficient administration and maintenance
  - Ease of Integration
  - Scalability of solutions
  - Trusted solutions

Life Cycle Risk Management
[Diagram] Phases along the Time axis: Bus. Req.; Design; Development; Implementation; Operations, with Money/Risk on the vertical axis. The objective is to lower the risk. Activities: Design reviews; Audit; Tests and certification; Technology insertion; Information Protection Center and Information Security Operations; Practices and technology; Information Security Operation; Governance.

Security at the Systems Layer
- Logical Security Architecture
  - Compliance to Policies and Standards
  - Identity management
  - Authorization services
  - Messaging security
  - Data encryption
  - Audit and logging facilities
  - Malicious code protection
  - Application Integration
- Deliverables:
  - Logical Threat Risk assessment
  - Privacy impact assessment

Security at the Technology Layer
- Infrastructure Protection
  - Network Perimeter security protection
  - Network Segmentation
  - Network identity management
  - Authorization
  - Intrusion detection
  - Remote System Access
  - VPN and Encryption
  - Logging and monitoring
- Deliverables:
  - Physical Threat Risk assessment
  - Testing Methods
  - Logging and monitoring tests

Security Strategy
- Technology
  - Network protection methods
  - Intrusion detection
  - Logging and monitoring
  - Channel level encryption
  - Security Standards
  - Security Administration
  - Code protection
- Security Analysis and Management
  - Enterprise Architecture Methods
  - Risk Management Methods
  - Privacy assessment methods
  - Identity, authentication and authorization
  - Multi-layered Security architecture
  - Incident management
  - Governance, Risk and Compliance processes

Security Management Maturity model
[Diagram] Three stages, from isolated to integrated:
- Process I - Security: Human centric (Diffusion): Isolated Groups; Fragmented Security; Lack of standards
- Process II - Security: Technology centric (Abstraction): Security Policies; Operations centric security managers
- Process III - Security: Formalization (Security Enabled Organizations): Governance and Risk Management; Enterprise security models and tools; Integrated Security Management system; Integrated

Developing the Corporate Security Architecture
- Define Security Principles and Standards
  - Security Policies, Principles and Standards
  - Security Vision
  - Baseline security methods and controls
- Define Security Artefacts and templates
- Integrate with Technology and application domains
- Define and document Core security tools and services
  - Identity management
  - Logging and Monitoring
  - Network protection (firewalls and IDS)
  - Malicious code protection
- Define IT Security Governance processes
  - Participation in Systems development and technology procurement projects
  - Integration with Project management methods
  - Phased approach for development of security artefacts (Risk Management Plan and security diagrams)
- Define Security testing requirements
- Assess if the security methods / tools will be sustainable
- Define a refresh process for the security architecture

Security Architecture Development
- What architecture development methods are right for you?
- Can the security architecture be developed as a standalone domain?
- Formal ADM (Strategic)
  - Formal templates and processes
  - Architecture Vision and Definition
  - Architecture Core Teams and Review Boards
  - Architecture Foundation and reference library
- Guidelines (Tactical)
  - Just in time architecture
  - Architecture LITE
  - Security Vision and templates

Security Architecture Development Methodology
Conceptual Risk Assessment
- Identify Security business requirements
- Description of current environment and processes
- High level Risk Assessment of business practices, data and technology
- Assess applicability of government or industry regulations
- Refine risk assessment and include future plans
- Create conceptual risk report
  - Business risks
  - Technology risks
  - Operational / financial risks
- Decide level of project involvement

Security Architecture Development Methodology
Logical Risk Assessment
- Logical Security Model Development
- Review with project team and create logical security architecture using core components
- Identify new security components or methods
- Create logical threat risk assessment document
  - Risk assessment of each component in system
  - Security methods and controls to be implemented
- Assess data protection methods and privacy impact
- Review with Enterprise Architecture

Security Architecture Development Methodology
Physical Security Assessment
- Information Security Deployment and Testing
- Review physical deployment diagrams
- Validate that security requirements are implemented
- Review security methods and activities
  - System logging and monitoring
  - User management
  - Source Code validation
- Define / Execute Security test strategy and plan
  - Security Scans
  - Vulnerability assessments
  - Penetration tests
  - Disaster Recovery Test
- Update Enterprise Architecture documents
- Update governance, risk and compliance processes

Assessing the Security Architecture
- Control Objectives for IT (COBiT)
  - Developed by ISACA as a governance framework
    - Plan and Organize
    - Acquire and Implement
    - Deliver and Support
    - Monitor and Evaluate
  - Includes a guide for measuring maturity
- Capability Maturity Model
  - Must be tailored for the organization
  - Applied to security functions and services

Corporate Security Architecture Assessment
Step 1 - Preliminary Review of Security Architecture
- Review the scope of the security architecture
- Review target security architecture
- Review security policies and standards
- Review security principles and vision
- Assess security organization and staffing
- Identify Regulatory Compliance requirements
- Evaluate the Risk Assessment methods in use for projects and systems
- Identify and map out the Architecture governance process for security
- Review Risk issue management process
- Assess Security Design Plan templates and completed forms
- Review security management procedures
- Assess Business Continuity Plan and maintenance

Corporate Security Architecture Assessment
Step 2 - Evaluate Security foundation and components
- Validate security plans to actual implementation
- Assessment of security methods, technology
- Security awareness and risk management training
- Assess how security is integrated with other architecture domains
- Assess Security Components
  - Identity management
  - Logging and Monitoring systems
  - Network protection
  - Encryption key management processes
  - Malicious code protection

Corporate Security Architecture Assessment
Step 3 - Assess the Technical Security Architecture
- Security implemented for the Technology and Application layers
- Vulnerability Assessment methods in use
- Security Scan test methods
- Security Reviews completed by third parties
- Source code reviews and testing
- Physical security
- Technical support access
- Backup and Recovery processes
- Network security

Summary and Conclusions
- New risks created by new technologies and business processes
- Regulatory compliance, including privacy, is driving enhanced security requirements
- Increased risk of attacks from external sources
- Enterprise Architecture is growing in popularity
  - Challenge to implement and maintain
- Security architecture is pervasive across the other domains of architecture: Business, data, technology and applications
- Security architecture is completed in layers: Conceptual, Logical, Technical
- Requires a framework of risk management methods, baseline standards and governance process
- Comprehensive risk management plan for security, privacy and business continuity
