enterprise security architecture
TRANSCRIPT
Enterprise Security Architecture
Arnab ChattopadhayayVice President, Engineering
Infoworks Inc.
About Me• Love to design, build and protect large scale systems• IAM, Cryptography, Consulting, Program Management and Governance• Large MNC to startup across the globe
• VP Engineering of Infoworks (a silicon valley Big Data Startup)• Prior to this, I had worked with British Telecom Research, BT Consulting, iViZ and
MetricStream
• Patent – USPTO 9,348,901• MS (Telecom Engineering), University College London
Enterprise Architecture
•A field born about 30 years ago•Initially targeted to address two problems•System complexity•Inadequate business alignment
Enterprise Architectural Methodologies
• Consortia-developed Frameworks
• ISO 19439• RM-ODP (ITU-T X.901-904)• TOGAF
• Defense Industry Framework• DoDAF• MODAF• NAF
• Open Source Frameworks• TRAK• SABSA
• Proprietary Frameworks• Zachman Frameworks• IAF (Capgemini, 1993)
• Government Framework• ESAAF• FEAF• NIST Enterprise Architecture
Model
A Brief History of Enterprise Architecture
Zachman’s first article
1987
TAFIM released
1994
Clinger-Cohen bill passed
1996 1998
TAFIM retiredFEAF 1.2 released
1999 2002
FEA replaces FEAF
TOGAF EE 8.0 released
2003 2003
FEA mostly complete
2011
TOGAF 9.1
Zachman Framework• The Zachman "Framework" is actually a taxonomy for
organizing architectural artifacts
• Two dimensions• Players in the game• Architectural Artifacts
• Players in the game: Actors
• Architectural Artifacts: the What, How, Where, When, Who and Why
Zachman Framework
Source: zachmaninternational.com
[Executive Mgmt Perspective]
[Business Mgmt Perspective]
[Architect’s Perspective]
[Engineer’s Perspective]
[Technician’s Perspective]
4 Ways Zachman helps in Architecture Dev•Every stakeholder's perspective is captured
•Completeness of every artifact•Provide strong traceability •Improve Tech-Business Alignment
What Zachman does not provide
•Step-by-step process to create new architecture
•Validating an architecture•Deciding future architecture
•It is not a Methodology
Enterprise Information Security Architecture
• Is the practice of applying comprehensive and rigorous methods for describing security of current and future systems
• Ref: Wikipedia
• Applied to people, process and technologies• Goals
• Provide structure• Enable business-to-security alignment• Enforce Top down approach• Strong traceability• Abstract complex concepts• Establish common lingua of information security
Well Known Cyber Security Frameworks
•NIST CSF
•Sherwood Applied Business Security Architecture (SABSA)
•We will discuss SABSA in details
What is SABSA
• Methodology for Building Security Architecture:• Business-driven• Risk and opportunity focused • Includes security service management
• Comprised of a number of integrated frameworks, models, methods and processes
SABSA Model
• Comprises of six layers• Based on Zachman framework/taxonomy• The Security Service Management Architecture has been
placed vertically across the other five layers• Each horizontal layer is made of a series of vertical
communication interrogatives• What (Assets)• Why (Motivation)• How (Process and Technology)• Who (People)• Where (Location)• When (Time)
©SABSA foundation, 2010
Business Driven Architecture
•Never losing site of the organisation’s goals, objectives, success factors and targets
•Contextual architecture captures and presents the full set of relevant requirements
Credible Abstraction is Key •Meaningful traceability is enabled by credible abstraction from business context to business security context
•Traceability therefore starts by delivering two slightly different sets of requirements:•Business Requirement: Business reputation•Business Driver for Security: What can security do to protect reputation
Business Attributes Profiling
•Conceptual abstraction of a real business requirement
•Standardized and re-usable set of specifications
•Provides standardized lingua
Attributes Profiling Rules & Features
• Can be tangible or intangible• Requires a meaningful name and details• Can be customized specifically for a particular organization• Requires a measurement approach and metric • Must be validated (and preferably created) by senior
management & the business stake-holders • Performance targets are basis for reporting and/or SLAs in the
SABSA Manage & Measure phase
Two-way Traceability – Drivers to Attributes
Two-way Traceability – Attributes to Drivers
Sample of Business DriversDriver ID Business Drivers
BD1Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sector
BD2
Providing support to the claims made by the Organization about its competence to carry out its intended functions
BD3
Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems
BD4Maintaining the confidence of other key parties in their relationships with the Organization
Implementation - User AttributeBusiness Attribute Business Attribute Definition Measurement Approach
Metric Type
AccessibleInformation to which the user is entitled to gain access should be easily found and accessed by that user.
Search tree depth necessary to find the information
Soft
AnonymousFor certain specialized types of service, the anonymity of the user should be protected.
Rigorous proof of system functionality Red team review
HardSoft
Consistent
The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access.
Conformance with design style guides Red team review
Soft
Protected
The exchanged information must remain confidential between exchanging parties and must remain untampered
Conformance with confidentiality and integrity policies
Hard
Features and AdvantagesFeature Advantage
Business Driven Value-assured
Risk Focused Prioritized and proportional responses
Comprehensive Scalable scope
Modular Agility – ease of implementation and management
Open Source (protected) Free use, open source global standard
Auditable Demonstrate compliance
Transparent Two-way traceability
©SABSA Foundation 2010
SABSA Lifecycle
Business View Contextual Architecture
Architect’s View Conceptual Architecture
Designer’s View Logical Architecture
Builder’s View Physical Architecture
Tradesman’s View Component Architecture
Service Manager’s View Operational Architecture
SABSA Mapping with other Security Standards
Applications
Presentation
Session
Transport
Network
Link
Physical
Applications
Presentation
Session
Transport
Network
Link
Physical
ISO 7498-1 ISO 7498-2
LogicalSecurityServices
PhysicalSecurity
Mechanisms
Contextual Architecture
Conceptual Architecture
BusinessDriven
Requirements& Strategy
SABSA Views
Logical Architecture
Physical Architecture
Component Architecture
Operational Architecture ServiceManagement
DetailedCustom
Specification
Bringing All Together
Busi
ness
Str
ateg
yGoals
Relationship
Market
Regulation
People
Materials
Finance
Production
Logistics
BAP
Risk Model
Trust Model
Secu
rity
Stra
tegy
Process Design
Policy & Legal Framework
Technical Design
Logi
cal S
ecur
ity S
ervi
ces
Confidentiality
Identification
Registration
Certification
Directories
Authentication
Authorization
Access Control
Audit TrailPh
ysic
al S
ecur
ity M
echa
nism
Encryption
Naming
Procedures
Signatures
Databases
Passwords
ACLs
Firewalls
Event Logs
Com
pone
nts
Trus
ted
Busi
ness
Ope
ratio
ns
Prod
ucts
Tool
s
SABSA Development Process
SMP Maturity Levels
Architecture Measurement Categories
• Completeness• Do we have all of the components?• Do they form an integrated system?
• Assurance• Does the system run smoothly?• Are we assured that it is properly
assembled?• Is the system fit-for-purpose?
• Compliance• Do we maintain the system?• Do we follow the architecture
roadmap• Do we comply with the rules?
• Performance
• Is the system properly tuned?• Do the components work together?• Do we operate the system correctly?
• Justification & significance• Does the system have business value?
SABSA Vitality Framework
Thank You