SlideShare une entreprise Scribd logo

Security architecture

Duncan Unwin
Duncan Unwin

This document provides an overview of how security architecture fits within enterprise architecture. It begins by noting that security architecture is a subset of enterprise architecture. It then discusses a presentation given on this topic, highlighting how security practices are often misunderstood by both IT and security professionals. The presentation explores how to better integrate security architecture with enterprise architecture frameworks and processes to ensure security priorities are properly considered throughout enterprise initiatives. It emphasizes the importance of understanding enterprise architecture, aligning security language with business needs, and using evidence-based approaches to integrate security architecture within overall enterprise architecture.

Technologie
1  sur  37
Télécharger pour lire hors ligne
Security Architecture ⊆ Enterprise Architecture An exploration of how Security Architecture fits within Enterprise Architecture Duncan Unwin Brisbane, 27th February 2013 Sponsors
Put your hand up if In your work …. — You conduct risk assessments? — You write security policies? — You developed an information security management system? — Set up a information security governance mechanism e.g. a steering committee or user group? — Design security controls for systems? A Fresh Perspective 2
Keep you hand up if… — You use a formal security architecture Hi, I’m Obi Wan and I’ll be your framework Security Architect today — Your job title includes the word ‘Architect’ — You work within the Enterprise Architecture Team — Your work is tightly integrated with the organisation’s enterprise architecture practices — Your work drives the information security teams priorities A Fresh Perspective 3
The dilemma of Information Security — Most people in your organisation do not understand your infosec risks – The Availability Heuristic (Tversky and Kahneman, 1971) —I have not been hacked so I will not be hacked —I have been hacked so I will be hacked again soon —Hacking is something that happens to others – Other cognitive biases —Security risks are hard to rate even for experts – Confusing consequences with threats —‘If my data is lost I will suffer’ is not the same as ‘someone wants to steal my data’ A Fresh Perspective 4
The dilemma of information security A Fresh Perspective 5
The dilemma of Information Security — Information Security practices are not well understood by IT The Department of NO! Wielders of arcane magic Out-of-date conspiracy theorists Compliance Droids Hackers on company payroll A Fresh Perspective 6
The dilemma of Security Architecture — Most people in Infosec do not understand Architecture – “I’m the Security Architect” “So you're writing the security policy, right?” – “We will need a TRA for the new system to get through the CAB” – “Our team lead said you’re looking after PCI” – “So are you an architect or in Security?” – “After we go live we will need you to document the firewall” A Fresh Perspective 7
The Security Guy (or Gal) in Architecture A Fresh Perspective 8
What an EA thinks of Security - an example A Fresh Perspective 9
Lets talk about Architecture….Shall we? A Fresh Perspective 10
Architecture – What is it? Enterprise architecture is the organizing logic for business processes and IT infrastructure reflecting the integration and standardization requirements of the company's operating model. The operating model is the desired state of business process integration and business process standardization for delivering goods and services to customers. - MIT Center for Information Systems Research All... must be built with due reference to durability, convenience, and beauty. Durability will be assured when foundations are carried down to the solid ground and materials wisely and liberally selected; convenience, when the arrangement of the apartments is faultless and presents no hindrance to use, and when each class of building is assigned to its suitable and appropriate exposure; and beauty, when the appearance of the work is pleasing and in good taste, and when its members are in due proportion according to correct principles of symmetry. - Vitruvius, De Achitectura (~ 15 BC), Chapter III A Fresh Perspective 11
Lots of frameworks A Fresh Perspective 12
Enterprise Architecture Frameworks — Taxonomy – Zachman — Process – TOGAF — Unified – FEA — Methodology-specific – ARIS, ArchiMate — Practice-based – Gartner Choosing between Zachman and TOGAF .. is like choosing between spinach and hammers. - Roger Sessions , 2007 A Fresh Perspective 13
Architecture – What is it? A Fresh Perspective 14
TOGAF A Fresh Perspective 15
TOGAF Business Requirements Business Governance Transition Information Applications Technology A Fresh Perspective 16
And another thing…. A Fresh Perspective 17
Security Architecture It is the common experience of many corporate organisations that information security solutions are often designed, acquired and installed on a tactical basis. The result is that the organisation builds up a mixture of technical solutions on an ad hoc basis, each independently designed and specified and with no guarantee that they will be compatible and interoperable. Security architecture is business-driven and .. describes a structured inter-relationship between the technical and procedural security solutions to support the long-term needs of the business. John Sherwood, Andrew Clark & David Lynas – SABSA.ORG A Fresh Perspective 18
Security Architecture SABSA A Fresh Perspective 19
Mid-way summary — Security Architecture is hard and often misunderstood — Security Architecture often struggle to find meaning within Enterprise Architecture for this reason — Architecture is about high-level design — Lots of frameworks – Taxonomies, Processes & Methods — TOGAF – Process to do EA with candidate taxonomy (BIAT) A Fresh Perspective 20
Explaining Information Security Architecture to Architects — What is it — Why it matters — Their role A Fresh Perspective 21
Business Requirements — Enterprise Architecture – Goals – Rules “Ask the business” – Requirements — Security Architecture – Laws and Regulations “Ask the business” – Compliance standards + – – Contracts Explicit mandates “Ask the World” – Risk-based control requirements A Fresh Perspective 22
Business Requirements — Enterprise Architecture – Capabilities – Services — Security Architecture – Attributes – Control Objectives A Fresh Perspective 23
Business Architecture — Two Common Focus – Information Security Processes and Organisation —Developing the capability to be secure —Think ITIL Security —Think ISMS – Security within general business processes —What assets to be protected? —How, who and what will protect them? —How, who and what will address incidents? —What security governance is required? A Fresh Perspective 24
Information Architecture — Enterprise Information Architecture – Subject Area Model – Conceptual Information Model – Logical Information Model – Physical Information Model — Security Architecture – Assets – Information Inventories – Information Classification – Information Usage (CRUD) A Fresh Perspective 25
Application Architecture — Application Architecture – Information Systems – Conceptual App Architecture – Software Architecture – SOA — Security Concerns – Common security services — Identity Management and Access Control — Audit & Logging — Vulnerability management — Etc… – Information flows – Threat modelling – Control design – Operational management concepts – SDLC A Fresh Perspective 26
Technology — Technology Architecture – Standards and Reference Models – Logical & physical topologies – Dependencies – Capacity and Availability — Security Architecture – Approved products / EPL – C.I.A. of design —FMEA —Design and build assurance – Configuration standards – Operational standards – Alignment with ISMS, policies & standards A Fresh Perspective 27
Transformation & Governance — Program Management Office – Program reporting and governance – Project reporting and governance – Time, Cost, Quality BUT NOT Security — Security Architect – Ensuring Security goals and requirement in the Business Case – Providing tools to measure delivery – Identifying dependencies within the program and project – Helping with prioritisation decisions – Linkage to security governance A Fresh Perspective 28
TOGAF Security Architecture SECURITY Business Requirements Business Governance Transition Information Applications Technology A Fresh Perspective 29
Doing Security Architecture well (or better)… — Understand the EA Process A Fresh Perspective 30
Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team A Fresh Perspective 31
Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language A Fresh Perspective 32
Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic A Fresh Perspective 33
Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic — Use evidence A Fresh Perspective 34
Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic — Use evidence — Be a Boundary Rider A Fresh Perspective 35
The End A Fresh Perspective 36
About Business Aspect Duncan Unwin Business Aspect assists clients with the execution of their business strategy through either large scale business transformation or through the M: 0407 032 755 addressing of smaller challenges in specific areas of the business. We focus E: dunwin@businessaspect.com.au on the business first, and then address technology needs as an enabler of required business outcomes. We have skills, experience and expertise in; business and technology strategy, architecture, risk, control, planning, design and governance. In delivering services, we address all layers of the business, including people, organisational change, process change, information management, information and communications technology (ICT) applications and technology infrastructure. We solve complex business problems through the collaborative efforts of our team of highly experienced personnel, and through the application of proven intellectual property. One of our key strengths is the diversity of the background and skills our senior consultants bring to planning initiatives involving people, process and systems. Our ability to extend from business focused domains into architecture and complex program management builds a bond of trust with our clients and fosters more effective relationships. For our clients, we serve as the interpreter between ICT and the demands of individual business units, translating business needs into ICT outcomes. We complement this with our ability to work with all parts of the organisation, therefore maximising the benefits collectively gained from ICT. Brisbane / Sydney / Canberra / Melbourne We believe the use of senior consultants for the delivery of our clients’ www.businessaspect.com.au projects is the cornerstone of our success. We also hand pick specialists T +61 7 3831 7600 from our extensive network of associates and industry partners to F +61 7 3831 7900 complement our consulting teams. We guarantee senior people with the Head Office - 588 Boundary St right balance of qualifications and real-world industry experience, and our Spring Hill Brisbane QLD 4000 delivery capability extends across Australia. A Fresh Perspective 37

Recommandé

Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
Priyanka Aash
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
Kris Kimmerle
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
Seccuris Inc.
 
Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES
Priyanka Aash
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 

Recommandé

Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
Priyanka Aash
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
Kris Kimmerle
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
Seccuris Inc.
 
Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES Cyber security maturity model- IT/ITES
Cyber security maturity model- IT/ITES
Priyanka Aash
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
Digital Bond
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
Vladimir Jirasek
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
MubashirAslam5
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
Maganathin Veeraragaloo
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
FireEye, Inc.
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
MetroStar
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
Eryk Budi Pratama
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
Brencil Kaimba
 
The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information Security
PECB
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Schneider Electric
 

Contenu connexe

Tendances

Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information Security
PECB
 

Tendances (20)

Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information Security
 

En vedette

Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Craig Martin
 
Capability Model_Data Governance
Capability Model_Data GovernanceCapability Model_Data Governance
Capability Model_Data Governance
Steve Novak
 

En vedette (7)

TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...Industrial Control System Cyber Security and the Employment of Industrial Fir...
Industrial Control System Cyber Security and the Employment of Industrial Fir...
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to audit
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
 
Capability Model_Data Governance
Capability Model_Data GovernanceCapability Model_Data Governance
Capability Model_Data Governance
 

Similaire à Security architecture

Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
Tripwire
 
What affects security program confidence? - may2014 - bill burns
What affects security program confidence? - may2014 - bill burnsWhat affects security program confidence? - may2014 - bill burns
What affects security program confidence? - may2014 - bill burns
Bill Burns
 
PCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentPCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a Punishment
Tripwire
 

Similaire à Security architecture (20)

Security For Free
Security For FreeSecurity For Free
Security For Free
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Is3 Capabilities Brief
Is3 Capabilities BriefIs3 Capabilities Brief
Is3 Capabilities Brief
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015
 
Indranil Guha - It transformation challenges & choices...
Indranil Guha - It transformation challenges & choices...Indranil Guha - It transformation challenges & choices...
Indranil Guha - It transformation challenges & choices...
 
Präsentation: Wie Energieversorger ihre IT-Systeme durch Systemhärtung absich...
Präsentation: Wie Energieversorger ihre IT-Systeme durch Systemhärtung absich...Präsentation: Wie Energieversorger ihre IT-Systeme durch Systemhärtung absich...
Präsentation: Wie Energieversorger ihre IT-Systeme durch Systemhärtung absich...
 
Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
Secure Data Center for Enterprise— Threat Management with NextGen IPS
Secure Data Center for Enterprise— Threat Management with NextGen IPSSecure Data Center for Enterprise— Threat Management with NextGen IPS
Secure Data Center for Enterprise— Threat Management with NextGen IPS
 
[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture[Round table] zeroing in on zero trust architecture
[Round table] zeroing in on zero trust architecture
 
IANS-2008
IANS-2008IANS-2008
IANS-2008
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
 
What affects security program confidence? - may2014 - bill burns
What affects security program confidence? - may2014 - bill burnsWhat affects security program confidence? - may2014 - bill burns
What affects security program confidence? - may2014 - bill burns
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY
 
PCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a PunishmentPCI: A Valuable Security Framework, Not a Punishment
PCI: A Valuable Security Framework, Not a Punishment
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Security architecture

  • 1. Security Architecture ⊆ Enterprise Architecture An exploration of how Security Architecture fits within Enterprise Architecture Duncan Unwin Brisbane, 27th February 2013 Sponsors
  • 2. Put your hand up if In your work …. — You conduct risk assessments? — You write security policies? — You developed an information security management system? — Set up a information security governance mechanism e.g. a steering committee or user group? — Design security controls for systems? A Fresh Perspective 2
  • 3. Keep you hand up if… — You use a formal security architecture Hi, I’m Obi Wan and I’ll be your framework Security Architect today — Your job title includes the word ‘Architect’ — You work within the Enterprise Architecture Team — Your work is tightly integrated with the organisation’s enterprise architecture practices — Your work drives the information security teams priorities A Fresh Perspective 3
  • 4. The dilemma of Information Security — Most people in your organisation do not understand your infosec risks – The Availability Heuristic (Tversky and Kahneman, 1971) —I have not been hacked so I will not be hacked —I have been hacked so I will be hacked again soon —Hacking is something that happens to others – Other cognitive biases —Security risks are hard to rate even for experts – Confusing consequences with threats —‘If my data is lost I will suffer’ is not the same as ‘someone wants to steal my data’ A Fresh Perspective 4
  • 5. The dilemma of information security A Fresh Perspective 5
  • 6. The dilemma of Information Security — Information Security practices are not well understood by IT The Department of NO! Wielders of arcane magic Out-of-date conspiracy theorists Compliance Droids Hackers on company payroll A Fresh Perspective 6
  • 7. The dilemma of Security Architecture — Most people in Infosec do not understand Architecture – “I’m the Security Architect” “So you're writing the security policy, right?” – “We will need a TRA for the new system to get through the CAB” – “Our team lead said you’re looking after PCI” – “So are you an architect or in Security?” – “After we go live we will need you to document the firewall” A Fresh Perspective 7
  • 8. The Security Guy (or Gal) in Architecture A Fresh Perspective 8
  • 9. What an EA thinks of Security - an example A Fresh Perspective 9
  • 10. Lets talk about Architecture….Shall we? A Fresh Perspective 10
  • 11. Architecture – What is it? Enterprise architecture is the organizing logic for business processes and IT infrastructure reflecting the integration and standardization requirements of the company's operating model. The operating model is the desired state of business process integration and business process standardization for delivering goods and services to customers. - MIT Center for Information Systems Research All... must be built with due reference to durability, convenience, and beauty. Durability will be assured when foundations are carried down to the solid ground and materials wisely and liberally selected; convenience, when the arrangement of the apartments is faultless and presents no hindrance to use, and when each class of building is assigned to its suitable and appropriate exposure; and beauty, when the appearance of the work is pleasing and in good taste, and when its members are in due proportion according to correct principles of symmetry. - Vitruvius, De Achitectura (~ 15 BC), Chapter III A Fresh Perspective 11
  • 12. Lots of frameworks A Fresh Perspective 12
  • 13. Enterprise Architecture Frameworks — Taxonomy – Zachman — Process – TOGAF — Unified – FEA — Methodology-specific – ARIS, ArchiMate — Practice-based – Gartner Choosing between Zachman and TOGAF .. is like choosing between spinach and hammers. - Roger Sessions , 2007 A Fresh Perspective 13
  • 14. Architecture – What is it? A Fresh Perspective 14
  • 16. TOGAF Business Requirements Business Governance Transition Information Applications Technology A Fresh Perspective 16
  • 17. And another thing…. A Fresh Perspective 17
  • 18. Security Architecture It is the common experience of many corporate organisations that information security solutions are often designed, acquired and installed on a tactical basis. The result is that the organisation builds up a mixture of technical solutions on an ad hoc basis, each independently designed and specified and with no guarantee that they will be compatible and interoperable. Security architecture is business-driven and .. describes a structured inter-relationship between the technical and procedural security solutions to support the long-term needs of the business. John Sherwood, Andrew Clark & David Lynas – SABSA.ORG A Fresh Perspective 18
  • 19. Security Architecture SABSA A Fresh Perspective 19
  • 20. Mid-way summary — Security Architecture is hard and often misunderstood — Security Architecture often struggle to find meaning within Enterprise Architecture for this reason — Architecture is about high-level design — Lots of frameworks – Taxonomies, Processes & Methods — TOGAF – Process to do EA with candidate taxonomy (BIAT) A Fresh Perspective 20
  • 21. Explaining Information Security Architecture to Architects — What is it — Why it matters — Their role A Fresh Perspective 21
  • 22. Business Requirements — Enterprise Architecture – Goals – Rules “Ask the business” – Requirements — Security Architecture – Laws and Regulations “Ask the business” – Compliance standards + – – Contracts Explicit mandates “Ask the World” – Risk-based control requirements A Fresh Perspective 22
  • 23. Business Requirements — Enterprise Architecture – Capabilities – Services — Security Architecture – Attributes – Control Objectives A Fresh Perspective 23
  • 24. Business Architecture — Two Common Focus – Information Security Processes and Organisation —Developing the capability to be secure —Think ITIL Security —Think ISMS – Security within general business processes —What assets to be protected? —How, who and what will protect them? —How, who and what will address incidents? —What security governance is required? A Fresh Perspective 24
  • 25. Information Architecture — Enterprise Information Architecture – Subject Area Model – Conceptual Information Model – Logical Information Model – Physical Information Model — Security Architecture – Assets – Information Inventories – Information Classification – Information Usage (CRUD) A Fresh Perspective 25
  • 26. Application Architecture — Application Architecture – Information Systems – Conceptual App Architecture – Software Architecture – SOA — Security Concerns – Common security services — Identity Management and Access Control — Audit & Logging — Vulnerability management — Etc… – Information flows – Threat modelling – Control design – Operational management concepts – SDLC A Fresh Perspective 26
  • 27. Technology — Technology Architecture – Standards and Reference Models – Logical & physical topologies – Dependencies – Capacity and Availability — Security Architecture – Approved products / EPL – C.I.A. of design —FMEA —Design and build assurance – Configuration standards – Operational standards – Alignment with ISMS, policies & standards A Fresh Perspective 27
  • 28. Transformation & Governance — Program Management Office – Program reporting and governance – Project reporting and governance – Time, Cost, Quality BUT NOT Security — Security Architect – Ensuring Security goals and requirement in the Business Case – Providing tools to measure delivery – Identifying dependencies within the program and project – Helping with prioritisation decisions – Linkage to security governance A Fresh Perspective 28
  • 29. TOGAF Security Architecture SECURITY Business Requirements Business Governance Transition Information Applications Technology A Fresh Perspective 29
  • 30. Doing Security Architecture well (or better)… — Understand the EA Process A Fresh Perspective 30
  • 31. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team A Fresh Perspective 31
  • 32. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language A Fresh Perspective 32
  • 33. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic A Fresh Perspective 33
  • 34. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic — Use evidence A Fresh Perspective 34
  • 35. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic — Use evidence — Be a Boundary Rider A Fresh Perspective 35
  • 36. The End A Fresh Perspective 36
  • 37. About Business Aspect Duncan Unwin Business Aspect assists clients with the execution of their business strategy through either large scale business transformation or through the M: 0407 032 755 addressing of smaller challenges in specific areas of the business. We focus E: dunwin@businessaspect.com.au on the business first, and then address technology needs as an enabler of required business outcomes. We have skills, experience and expertise in; business and technology strategy, architecture, risk, control, planning, design and governance. In delivering services, we address all layers of the business, including people, organisational change, process change, information management, information and communications technology (ICT) applications and technology infrastructure. We solve complex business problems through the collaborative efforts of our team of highly experienced personnel, and through the application of proven intellectual property. One of our key strengths is the diversity of the background and skills our senior consultants bring to planning initiatives involving people, process and systems. Our ability to extend from business focused domains into architecture and complex program management builds a bond of trust with our clients and fosters more effective relationships. For our clients, we serve as the interpreter between ICT and the demands of individual business units, translating business needs into ICT outcomes. We complement this with our ability to work with all parts of the organisation, therefore maximising the benefits collectively gained from ICT. Brisbane / Sydney / Canberra / Melbourne We believe the use of senior consultants for the delivery of our clients’ www.businessaspect.com.au projects is the cornerstone of our success. We also hand pick specialists T +61 7 3831 7600 from our extensive network of associates and industry partners to F +61 7 3831 7900 complement our consulting teams. We guarantee senior people with the Head Office - 588 Boundary St right balance of qualifications and real-world industry experience, and our Spring Hill Brisbane QLD 4000 delivery capability extends across Australia. A Fresh Perspective 37