enterprise security architecture
TRANSCRIPT
Enterprise Security Architecture
Jeff Murphy, Interim Information Security Officer
University at [email protected]
Governance
Four main functions
1. Establish accountability relationship structures
2. Resource allocation at a strategic level, priority setting, make broad funding decisions based on risk appetite
3. Conflict resolution
4. Assurance
Policy, Compliance and Audit
Key to the success of any security program
Policy: Aligns security to business culture
Compliance: Aligns security to legal environment
Audit: If you can’t measure it, you can’t manage it
Policy, Compliance and Audit
Key to the success of any security program
Removes conflicts of interest
Ok, on to the nuts and bolts
Business leadership is key to security being effective,
technology is key to security being useful
Ok, on to the nuts and bolts
“We depend more and more on computer systems that are undependable” Leslie Lamport
It’s about the data – not the device!
Security Operations
Key areas:
SLA, SDLC, DR/BC
Change Management, CMDB
Incident Management
Forensics and Investigations
Event Management
IDM
Security Operations - SDLC
SDLC – too often security is not integrated into the process.
Security is a comparatively young discipline
You must include security in the design process
Security Operations – DR/BC
DR/BC is important. Downtime is money lost, especially in the financial sector!
You must test, test, test.
Decide how much risk you can accept, and then design your infrastructure accordingly.
Security Operations – CM/CMDB
Change management is important.
It mitigates mistakes.
A CMDB is needed in order to assess change risk in today’s complex environments.
Security Operations – Incidents
Manage your incidents with a repeatable process
Rapid, practiced response is needed to reduce your exposure
Forensics must be unimpeachable
If you can’t do it internally, do it externally.
Security Is About People
In the “old days” hackers just walked into your systems
Now things are fairly well hardened and it takes persistence and effort
Thieves want low-effort high-reward
Instead of breaking in, they just ask for an invitation
Security Is About Automation
Security costs you
Rarely does it add to your bottom line
“The only reasonable answer to the challenges of compliance, security and configuration management is to automate the tasks.” SC Magazine 2010
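As an added illustration (not part of the original talk and not any vendor's product), the following Python shows the kind of automation the CM/CMDB slide and the quote above call for: a security baseline is compared against what the CMDB records for each host, and every deviation is cross-checked against change-management records so that approved exceptions are separated from unapproved drift. The baseline, the CMDB records, the change tickets and the record layout are all constructed for the example.

```python
"""Automated baseline check driven by a CMDB-style inventory.

All data below is constructed for illustration; the record layout is a
hypothetical one, not the schema of any real CMDB product.
"""
from dataclasses import dataclass

# Security baseline every host is expected to meet (constructed example).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.enabled": "yes",
    "patch.level": "2024-03",
}

# Constructed CMDB records: each configuration item with its observed settings,
# as a discovery agent or scanner would have populated them.
CMDB = {
    "web-01": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "firewall.enabled": "yes",
        "patch.level": "2024-03",
    },
    "db-01": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "firewall.enabled": "yes",
        "patch.level": "2024-02",  # patch deferred under an approved change
    },
    "vendor-jump-01": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "yes",  # no change record covers this
        "firewall.enabled": "no",              # nor this
        # patch.level was never recorded: a discovery gap, also a finding
    },
}

# Constructed change-management records: (host, setting, value) tuples that an
# approved change ticket explicitly allows to differ from the baseline.
APPROVED_DEVIATIONS = {
    ("db-01", "patch.level", "2024-02"),
}

MISSING = "<not recorded>"


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    observed: str
    approved: bool  # True when an approved change covers this deviation


def check_host(host: str, observed: dict) -> list:
    """Compare one host's recorded settings against BASELINE."""
    findings = []
    for setting, expected in BASELINE.items():
        actual = observed.get(setting, MISSING)
        if actual == expected:
            continue
        approved = (host, setting, actual) in APPROVED_DEVIATIONS
        findings.append(Finding(host, setting, expected, actual, approved))
    return findings


def audit(cmdb: dict = CMDB) -> dict:
    """Run check_host over every configuration item in the inventory."""
    return {host: check_host(host, cfg) for host, cfg in cmdb.items()}


def unapproved_drift(cmdb: dict = CMDB) -> list:
    """Deviations with no matching change record: the ones that need action."""
    return [f for findings in audit(cmdb).values()
            for f in findings if not f.approved]


def report(cmdb: dict = CMDB) -> list:
    """Human-readable lines, one per deviation, tagged APPROVED or DRIFT."""
    lines = []
    for host, findings in audit(cmdb).items():
        for f in findings:
            tag = "APPROVED" if f.approved else "DRIFT"
            lines.append(f"{tag:8} {host}: {f.setting} expected {f.expected!r}, "
                         f"observed {f.observed!r}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run as a script it prints one line per deviation; the one deviation on db-01 is reported but tagged APPROVED because a change record covers it, while the three on the vendor jump host (two weakened settings and one setting that was never inventoried) surface as DRIFT. Treating a missing CMDB attribute as a finding rather than as "compliant by default" is the caveat worth keeping: a gap in the inventory is exactly where unassessed change risk hides.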
Where Does It Fail In Practice
IT is often busy adjusting to new opportunities, and there is too much information. Security is often equated with IT, but it shouldn’t be.
Target Corp had no CSO; IT ignored vendor warnings (event management was outsourced) and didn’t understand the risk of granting third parties access to the internal network.
Security architecture was an afterthought.