T1 02 M.M.veeraragaloo
Source: http://slidepdf.com/reader/full/t1-02-mmveeraragaloo (44 pages, retrieved 8/19/2019)

Transcript of T1 02 M.M.veeraragaloo

Page 1: T1 02 M.M.veeraragaloo

Enterprise Security Architecture for Cyber Security
M.M.Veeraragaloo
5th September 2013

Page 2: T1 02 M.M.veeraragaloo


Outline

• Cyber Security Overview

• TOGAF and Sherwood Applied Business Security Architecture (SABSA)
  o Overview of SABSA
  o Integration of TOGAF and SABSA

• Enterprise Security Architecture Framework

The Open Group EA Practitioners Conference - Johannesburg 2013 2

Page 3: T1 02 M.M.veeraragaloo


Cyber Security

1. What is Cyber Security?
2. How is Cyber Security related to information security?
3. How do I protect my company from malicious attacks?

The Four Types of Security Incidents
1. Natural Disaster
2. Malicious Attack (External Source)
3. Internal Attack
4. Malfunction and Unintentional Human Error

Information security - the "preservation of confidentiality, integrity and availability of information" (ISO/IEC 27001:2005);

"Cyber Security is to be free from danger or damage caused by disruption or fall-out of ICT or abuse of ICT. The danger or the damage due to abuse, disruption or fall-out can be comprised of a limitation of the availability and reliability of the ICT, breach of the confidentiality of information stored in ICT or damage to the integrity of that information." (The National Cyber Security Strategy 2011, Dutch Ministry of Security and Justice)

Page 4: T1 02 M.M.veeraragaloo


Cyber Security in Perspective

No official position about the differences between Cyber Security and Information Security

Figure (diagram): Cyber Security placed in perspective against Risk Management (ISO/IEC 27001:2005), Information Security (ISO/IEC 2700:2009), Information Technology and Business Continuity (BS 25999-2:2007).

Source: 9 Steps to Cyber Security – The Manager’s Information Security Strategy Manual (Dejan Kosutic)

Page 5: T1 02 M.M.veeraragaloo


Cyber Security in South Africa

Source: SA-2012-cyber-threat (Wolf Pack) [2012/2013 The South African Cyber Threat Barometer]

Page 6: T1 02 M.M.veeraragaloo


TOGAF & SABSA

9/9/2013Footer Text 6

Page 7: T1 02 M.M.veeraragaloo


SABSA Overview


Page 8: T1 02 M.M.veeraragaloo


SABSA Meta Model


Page 9: T1 02 M.M.veeraragaloo


SABSA Matrix


Page 10: T1 02 M.M.veeraragaloo


SABSA Life Cycle

In the SABSA Lifecycle, the development of the contextual and conceptual layers is grouped into an activity called Strategy Planning. This is followed by an activity called Design, which embraces the design of the logical, physical, component, and service management architectures. The third activity is Implement, followed by Manage & Measure. The significance of the Manage & Measure activity is that once the system is operational, it is essential to measure actual performance against targets, to manage any deviations observed, and to feed back operational experience into the iterative architectural development process.

Page 11: T1 02 M.M.veeraragaloo


SABSA Taxonomy of ICT Business Attributes


Page 12: T1 02 M.M.veeraragaloo


SABSA Taxonomy of General Business Attributes


Page 13: T1 02 M.M.veeraragaloo


SABSA Operational Risk Model


Page 14: T1 02 M.M.veeraragaloo


SABSA integrated with TOGAF

Page 15: T1 02 M.M.veeraragaloo


A Central Role for Requirements Management

Linking the Business Requirements (Needs) to the Security Services – which TOGAF does in the "Requirements Management" Phase and SABSA does via the Business Attributes Profile. These artefacts need to be linked to ensure traceability from Business Needs to Security Services.

Page 16: T1 02 M.M.veeraragaloo


Requirements Management in TOGAF using SABSA Business Attribute Profiling

• Business Attribute Profiling: This describes the level of protection required for each business capability.

• Requirements Catalog: This stores the architecture requirements of which security requirements form an integral part. The Business Attribute Profile can form the basis for all quality requirements (including security requirements) and therefore has significant potential to fully transform the current TOGAF requirements management approach.

• Business and Information System Service Catalogs: TOGAF defines a business service catalog (in Phase B: Business Architecture) and an information system service catalog (Phase C: Information Systems Architecture). The creation of the information system services in addition to the core concept of business services is intended to allow more sophisticated modelling of the service portfolio.

• The Security Service Catalog: As defined by the SABSA Logical Layer, this will form an integral part of the TOGAF Information System Service Catalogs.

Page 17: T1 02 M.M.veeraragaloo


The Business Attribute Profile Mapped onto the TOGAF Content Meta Model

Page 18: T1 02 M.M.veeraragaloo


SABSA Life Cycle and TOGAF ADM


Page 19: T1 02 M.M.veeraragaloo


Mapping TOGAF and SABSA Abstraction Layers

Page 20: T1 02 M.M.veeraragaloo


Mapping of TOGAF to SABSA Strategy and Planning Phase

As the SABSA phases extend beyond the core phases of the TOGAF ADM, the scoping provided by the SABSA Domain Model extends beyond these core phases of TOGAF, both in terms of solution design and system and process management during the operational lifecycle.

Page 21: T1 02 M.M.veeraragaloo


Overview of Security Related Artifacts in the TOGAF ADM


Page 22: T1 02 M.M.veeraragaloo


Preliminary Phase – Security Artifacts


Page 23: T1 02 M.M.veeraragaloo


Phase A - Architecture Vision – Security Artifacts


Page 24: T1 02 M.M.veeraragaloo


Phase B – Business Architecture – Security Artifacts


Page 25: T1 02 M.M.veeraragaloo


Phase C – Information Systems Architecture – Security Artifacts


Page 26: T1 02 M.M.veeraragaloo


Phase D – Technology Architecture – Security Artifacts


Page 27: T1 02 M.M.veeraragaloo


Page 28: T1 02 M.M.veeraragaloo


Phase H – Architecture Change Management – Security Artifacts


Page 29: T1 02 M.M.veeraragaloo


Enterprise Security Architecture - Framework

Page 30: T1 02 M.M.veeraragaloo


ICT service providers must consider the whole market. Four dimensions to put in one line

Service Models: Cloud (XaaS), Hosting, Managed Service, Monitoring
Frameworks: ISO 27002, NIST, ISF
Requirements: national/intern. law; industries (SOX, PCI DSS…); customers
Service Types: Desktop, Communication, Collaboration, Computing

Service Provider

Page 31: T1 02 M.M.veeraragaloo


ICT service providers must consider the whole market. Four dimensions to put in one line

Enterprise Security Architecture
» shaping the security of ICT service provisioning «
deliver assurance to customers and provide directions for production

1) Produce Standardized Security measures for industrialized ICT production
2) Modular and Structured approach that serves all possible models and offerings
3) Hierarchy of Security Standards delivering information on each level of detail
4) Mapping Model to demonstrate fulfillment of all types of security requirements

Page 32: T1 02 M.M.veeraragaloo


From Requirements to ICT Services. Standardisation is Key

Figure (diagram): requirements flow through four steps – requirements identification, requirements consolidation, conception and integration, operations and maintenance. Inputs are Corporate Governance, Risk, & Compliance and customer requirements (Automotive, Finance, Public, …), which partially overlap. Each requirement is classified as standard, options, full custom or no-go; the result is a split between industrialized services (established platforms and processes) and customer-specific services.

Page 33: T1 02 M.M.veeraragaloo


Framework for Enterprise Security Architecture

Requirements (corporate and customer)

Framework for ESA
• Enablement (ISMS): security management process and reference model (mainly ISO 27001)
• Enforcement (Practices): controls / techniques (mainly ISO 27002); specific standards; impact analysis for non-framework requirements

Enterprise Security Architecture
• Industrialized ESA Services: processes including roles for new business, changes and operational services; technology platform; evidence (monitoring, analytics and reporting)
• Custom services (specific service and realization for a customer)

Page 34: T1 02 M.M.veeraragaloo


Framework for ESA. The Enablement Framework with ISMS activities.

Activities of the Enablement Framework

Plan
P1 Define scope and ISMS policy
P2 Define risk assessment approach
P3 Identify risks, derive control obj. & controls
P4 Approve residual risks
P5 Draw up statement of applicability (SoA)

Do
D1 Implement risk handling plan & controls
D2 Define process for monitoring the effectiveness of controls
D3 Develop security awareness
D4 Lead ISMS and steer funds
D5 Implement methods to identify / handle security incidents

Check
C1 Monitoring & review security incidents
C2 Review risk assessment approach
C3 Evaluate effectiveness of the controls implemented
C4 Perform and document ISMS audits
C5 Carry out management evaluations

Act
A1 Implement appropriate corrective and preventative controls
A2 Communicate activities & improvements
A3 Ensure improvements achieve targets
A4 Implement identified improvements in ISMS

Page 35: T1 02 M.M.veeraragaloo


Considering: Plan – Build – Run. Sales, Service, Production, (Integration).

ESA reflects three types of business: Customer Projects – Operations – Platform Preparation

Enterprise Security Architecture for ICT Services:
• New Business & Major Changes (Project Business): Bid, Transition, Transformation; Set-up for operations; Major Changes
• Operations (Daily Business): Service Delivery Management; Provide industrialized and customer specific ICT Services; Evidence
• ESA Platform: Define Offering and SDEs; Initial set-up of ESA (creation and extension); Maintenance of ESA (improvements)

Page 36: T1 02 M.M.veeraragaloo


Considering: Plan – Build – Run. Sales, Service, Production, (Integration).

Figure (matrix): the three business types are crossed with three questions:
1 What? Work areas
2 Who? Roles etc.
3 How? Standards

• New Business & Change (Project Business): Bid, Transition, Transformation; Set-up for operations; Major Changes
• Operations (Daily Business): Service Delivery Management; Provide ICT Services; Evidence
• ESA Technology Platform: Define Offering and Service Delivery Elements; Initial set-up of ESA; Maintenance

Page 37: T1 02 M.M.veeraragaloo


Cooperation: Implementation of Roles. Customer Projects, Portfolio, and Operations.

Figure (diagram): roles along the step-by-step transfer of business from Project (bid, transition, transformation) to Operations (CMO+FMO), with requirements and governance flows between the roles.
Roles shown: Security Manager; Customer; ICT SRC Manager; Security Architects and Experts (engineering); Customer Security Manager; Operations Manager; Operations Personnel; Offering Manager.

Page 38: T1 02 M.M.veeraragaloo


Considering: Plan – Build – Run. Sales, Service, Production, (Integration).

Figure (matrix): repeats the Page 36 matrix – 1 What? Work areas; 2 Who? Roles etc.; 3 How? Standards – against New Business & Change (Project Business): Bid, Transition, Transformation; Set-up for operations; Major Changes / Operations (Daily Business): Service Delivery Management; Provide ICT Services; Evidence / ESA Technology Platform: Define Offering and Service Delivery Elements; Initial set-up of ESA; Maintenance.

Page 39: T1 02 M.M.veeraragaloo


Corporate and Product Security incorporated in one Hierarchy

Refinement Pyramid of Standards (as listed on the slide):
• Corporate Security Rule Base
• Corporate Security Policy
• ICT Security Standards
• ICT Security Principles
• ICT Security Baselines

Requirements for ICT Service Provisioning ("product security")

Examples:
• Certification and Audit – ISO 27001 Certificate
• Security Measures – Detailed customer inquiry
• Security Implementation – Software settings, configuration

Page 40: T1 02 M.M.veeraragaloo


Demonstrating that Customer Requirements are met

Figure (mapping): Customer Requirements R1, R2, R3, R4, R5 are mapped onto a Set of Controls (contractual) C1 C2 C3 C4 C5 C6 C7, drawn from the Controls of ESA and its ICT Security Standards; the mapping demonstrates Suitability (Requirements are met).

Service type: Desktop, Communication, Collaboration, Computing
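The traceability chain from Page 15 (Business Needs linked via the Business Attributes Profile to Security Services) and the R1–R5 to C1–C7 suitability mapping on this page can be checked mechanically rather than by eye. The following Python is an added example, not code from the presentation, SABSA or TOGAF: the attribute names, the attribute-to-service table and the texts of R1–R5 and C1–C7 are all constructed for illustration; only the labels and the need → attribute → service → control chain come from the slides. For each requirement it reports which contractual controls realise it, flags requirements whose profiled attributes have no realising control, and lists controls that trace back to no requirement.

```python
"""Requirement-to-control traceability check (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    attributes: frozenset  # SABSA business attributes the need is profiled against


@dataclass(frozen=True)
class Control:
    cid: str
    text: str
    services: frozenset    # security services (logical layer) the control realises


# Business Attribute Profile: which security services deliver each attribute.
# Attribute and service names are constructed, not SABSA's own taxonomy.
ATTRIBUTE_TO_SERVICES = {
    "confidential":      {"encryption", "access-control"},
    "access-controlled": {"access-control", "identity-management"},
    "auditable":         {"logging-monitoring"},
    "available":         {"backup-recovery"},
    "recoverable":       {"backup-recovery", "incident-handling"},
}

# Constructed customer requirements R1..R5 (labels as on the slide, texts invented).
REQUIREMENTS = [
    Requirement("R1", "Customer data readable only by authorised staff",
                frozenset({"confidential", "access-controlled"})),
    Requirement("R2", "All administrative access is logged",
                frozenset({"auditable"})),
    Requirement("R3", "Service restored within 4 h after a major incident",
                frozenset({"available", "recoverable"})),
    Requirement("R4", "Remote users authenticate with two factors",
                frozenset({"access-controlled"})),
    Requirement("R5", "Backups are encrypted at rest",
                frozenset({"confidential", "recoverable"})),
]

# Constructed contractual controls C1..C7 taken from the ICT security standards.
CONTROLS = [
    Control("C1", "Disk and backup encryption", frozenset({"encryption"})),
    Control("C2", "Role-based access control on customer data stores", frozenset({"access-control"})),
    Control("C3", "Central directory with MFA for remote access",
            frozenset({"identity-management", "access-control"})),
    Control("C4", "Central log collection and review", frozenset({"logging-monitoring"})),
    Control("C5", "Daily backups with restore tests", frozenset({"backup-recovery"})),
    Control("C6", "Incident response procedure", frozenset({"incident-handling"})),
    Control("C7", "Physical access control to the data centre", frozenset({"physical-security"})),
]


def services_provided(controls):
    """Invert the control list: security service -> ids of the controls realising it."""
    provided = {}
    for ctrl in controls:
        for svc in ctrl.services:
            provided.setdefault(svc, set()).add(ctrl.cid)
    return provided


def trace_requirement(req, provided):
    """Follow need -> attribute -> service -> control for one requirement.

    Returns (control_ids, gaps). The requirement counts as met only if every
    service behind every profiled attribute is realised by some control; each
    gap names either an unprofiled attribute or an unrealised service.
    """
    control_ids, gaps = set(), set()
    for attr in sorted(req.attributes):
        if attr not in ATTRIBUTE_TO_SERVICES:
            gaps.add("attribute:" + attr)
            continue
        for svc in ATTRIBUTE_TO_SERVICES[attr]:
            realisers = provided.get(svc)
            if realisers:
                control_ids |= realisers
            else:
                gaps.add("service:" + svc)
    return control_ids, gaps


def coverage_report(requirements, controls):
    """Suitability check: met/unmet requirements plus controls nobody traces to."""
    provided = services_provided(controls)
    met, unmet, used = {}, {}, set()
    for req in requirements:
        ctrls, gaps = trace_requirement(req, provided)
        used |= ctrls
        entry = {"controls": sorted(ctrls), "missing": sorted(gaps)}
        (unmet if gaps else met)[req.rid] = entry
    untraced = sorted(c.cid for c in controls if c.cid not in used)
    return {"met": met, "unmet": unmet, "untraced_controls": untraced}


if __name__ == "__main__":
    report = coverage_report(REQUIREMENTS, CONTROLS)
    for rid, entry in report["met"].items():
        print(f"{rid}: met by {', '.join(entry['controls'])}")
    for rid, entry in report["unmet"].items():
        print(f"{rid}: NOT met, gaps {entry['missing']}")
    print("controls traced to no requirement:", report["untraced_controls"])
```

With the constructed data every requirement is met, and C7 is reported as traced to no requirement: in the terms of this deck that is either a control whose suitability cannot be demonstrated to the customer, or a sign that the Business Attribute Profile is incomplete (no attribute here covers physical security). Dropping C4 from the control set turns R2 into an unmet requirement with the missing service named, which is the evidence the Manage & Measure and Check activities need before a contract is signed off.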


Page 41: T1 02 M.M.veeraragaloo


Security Taxonomy.

Figure (taxonomy diagram) with the following areas:

Service Management, Evidence and Customer Relation:
• Asset and Configuration Management
• Business Continuity Management
• Security Patch Management
• Hardening, Provisioning & Maintenance
• Change and Problem Management
• Customer Communication and Security
• System Development Life-Cycle
• Systems Acquisition and Contracting
• Risk Management
• Logging, Monitoring & Security Reporting
• Incident Handling and Forensics
• Vulnerability Assessment, Mitigation Plan
• Release Mngt. and Acceptance Testing
• Certification and 3rd Party Assurance

Customer and users:
• User LAN Periphery
• Remote User Access
• User Identity Management
• Mobile Workplace Security
• Office Workplace Security

Wide Area Network Security

Data Center:
• Corporate Provider Access
• Gateway and Central Services
• Provider Identity Management
• Data Center Security
• Data Center Networks
• Computer Systems Security
• Application and AM Security
• VM and S/W Image Mngt.
• Database and Storage Security
• Operations Support Security
• Networks

Administration Network Security

Page 42: T1 02 M.M.veeraragaloo


EAS – Meta Model

Figure (diagram): the Architecture Repository ("Model World") holds standardized content and supports Stakeholder Views – queries, analysis, portfolios, etc. – of the "Real World" enterprise (applications, teams & information). Sources feeding the model: Industry Glossaries, Industry Reference Models, Application Models, Application Glossaries.

• "Meta-Model": Common Language
• "Standardized": Content, e.g. business processes, applications etc.
• "Integrated and consistent Views": Stakeholder specific views & reports

Page 43: T1 02 M.M.veeraragaloo


ICT Security Services and Solutions

• Enterprise Security Management – Architecture and Processes; Applications, Risk and Compliance; Security and Vulnerability Management.
  Business Integration: Embedding security in processes, defining goals and responsibilities, ensuring good governance and compliance.

• Identity and Access Management – Users and Identities; Smart Cards; Trust Centers.
  Business Enablement: Enabling the managed use of ICT resources and IT applications with digital identities, roles and rights.

• ICT Infrastructure Security – Workplace, Host and Storage Security; Network Security; Physical Security.
  Business Protection: Defending from hostile action: protecting networks, IT applications, data and building security.

Page 44: T1 02 M.M.veeraragaloo


If you have one last breath, use it to say...