Cloud Security Alliance - Reference Architecture Version 1
Business Operation Support Services (BOSS)
Data Governance
Operational Risk Management
Compliance
Security and Risk Management
Presentation Services
Information Services
Infrastructure Services
Facility Security
Asset Handling
Controlled Physical Access
Information Technology Operation & Support (ITOS)
Application Services
Service Support
Configuration Management
Problem Management
Incident Management
Change Management
Release Management
Service Delivery
Policies and Standards
Data Protection
Audit Planning
Reference Architecture Version 1.1
Guiding Principles
Define protections that enable trust in the cloud.
Develop cross-platform capabilities and patterns for proprietary and open-source providers.
Will facilitate trusted and efficient access, administration and resiliency to the customer/consumer.
Provide direction to secure information that is protected by regulations.
The Architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
Centralize security policy, maintenance operation and oversight functions.
Access to information must be secure yet still easy to obtain.
Delegate or Federate access control where appropriate.
Must be easy to adopt and consume, supporting the design of security patterns.
The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
The architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
High Level Use Cases
Chief Architect: Jairo Orea
Lead Architects: Marlin Pholman, Yaron Levi, Dan Logan.
Team: David Sherr, Richard Austin, Vern Williams, Anish Mohammed, Harel Hadass, Phil Cox, Yale Li, Price Oden, Tuhin Kumar, Rajiv Mishra, Ravila White, Scott Matsumoto, Rob Wilson, Charlton Barreto, Ryan Bagnulo, Subra Kumaraswamy.
Date: 07/20/2011
Revision: 12th Review
SABSA
ITIL v3
JERICHO
Independent Audits
Third-Party Audits
Internal Audits
Contact/Authority Maintenance
Information System Regulatory Mapping
Intellectual Property Protection
Data Ownership / Stewardship
Data Classification
Handling / Labeling / Security Policy
Secure Disposal of Data
Data Governance
Risk Assessments
Non-Production Data
Rules for Information Leakage Prevention
Information Leakage Metadata
Technical Security Standards
Data/Asset Classification
Barriers
Electronic Surveillance
Physical Authentication
Security Patrols
Business Impact Analysis
TOGAF
Data
Software
Hardware
Information Technology Resiliency
Capacity Planning
Software Management
Physical Inventory
Automated Asset Discovery
Configuration Management
Emergency Changes
Planned Changes
Project Changes
Scheduling
Operational Changes
Service Provisioning
Approval Workflow
Change Review Board
Security Incident Response
Automated Ticketing
Self-Service Ticketing
Event Classification
Root Cause Analysis
Source Code Management
Trend Analysis
Problem Resolution
Testing
Build
Version Control
Availability Management
Resiliency Analysis
Capacity Planning
Service Level Management
Objectives
Internal SLAs
External SLAs
Vendor Management
OLAs
Service Dashboard
Asset Management
Service Costing
Operational Budgeting
Investment Budgeting
Charge Back
Connectivity & Delivery
Abstraction
Integration Middleware
Programming Interfaces
Knowledge Management
Presentation Modality
Presentation Platform
Service Support
Configuration Rules (Metadata)
Service Events
Service Delivery
Service Catalog
SLAs
OLAs
Contracts
Recovery Plans
Business Continuity
Domain
Container
Process or Solution Data
Human Resources Security
Crisis Management
Background Screening
Employment Agreements
Employee Termination
Governance Risk & Compliance
Policy Management
IT Risk Management
Compliance Management
Technical Awareness and Training
InfoSec Management
Capability Mapping
Risk Portfolio Management
Risk Dashboard
Vendor Management
Audit Management
Residual Risk Management
Best practices
Trend Analysis
Benchmarking
Job Descriptions
Roles and Responsibilities
Employee Code of Conduct
IT Operation
Resource Management
Segregation of Duties
PMO Portfolio Management
Maturity Model
Roadmap
IT Governance
Architecture Governance
Standards and Guidelines
Project Mgmnt
Clear Desk Policy
Strategy Alignment
Data Leakage Prevention
Network (Data in Transit)
End-Point (Data in Use)
Server (Data at Rest)
Intellectual Property Prevention
Intellectual Property
Digital Rights Management
Cryptographic Services
Threat and Vulnerability Management
Patch Management
Compliance Testing
Databases
Signature Services
PKI
Data-in-Transit Encryption (Transitory, Fixed)
Privilege Management Infrastructure
Identity Management
Domain Unique Identifier
Federated IDM
Identity Provisioning
Attribute Provisioning
Authentication Services
SAML Token
Risk Based Auth
OTP
Smart Card
Multifactor
Password Management
Authorization Services
Policy Enforcement
Policy Definition
Policy Management
Principal Data Management
Resource Data Management
XACML
Network Authentication
Biometrics
Single Sign On
Middleware Authentication
WS-Security
Privilege Usage Management
Servers
Network
Vulnerability Management
Application
Infrastructure
DB
Penetration Testing
Internal
External
Threat Management
Source Code Scanning
Risk Taxonomy
Infrastructure Protection Services
Server
Anti-Virus
HIPS /HIDS
Host Firewall
End-Point
Anti-Virus, Anti-Spam, Anti-Malware
HIPS / HIDS
Host Firewall
Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile)
Media Lockdown
Hardware Based Trusted Assets
Forensic Tools
Inventory Control
Content Filtering
Application
XML Appliance
Application Firewall
Secure Messaging
Secure Collaboration
Network
Firewall
Content Filtering
NIPS / NIDS
Link Layer Network Security
Wireless Protection
User Directory Services
Active Directory Services
LDAP Repositories
X.500 Repositories
DBMS Repositories
Registry Services
Location Services
Federated Services
Reporting Services
Dashboard
Reporting Tools
Data Mining
Business Intelligence
Virtual Directory Services
Security Monitoring
Risk Management
GRC
RA
BIA
DR & BC Plans
VRA TVM
Availability Services
Network Services
Storage Services
Development Process
Configuration Management Database (CMDB)
Knowledge Repository
Change Logs
Meta Directory Services
Internal Infrastructure
Servers
End-Points
Virtual Infrastructure
BOSS
SaaS, PaaS, IaaS
Identity Verification
DPI
Session Events
Authorization Events
Authentication Events
Application Events
Network Events
Computer Events
Risk Assessments
Audit Findings
Data Classification
Process Ownership
HR Data (Employees & Contractors)
Business Strategy
HIPS
Database Events
ACLs
CRLs
Compliance Monitoring
NIPS Events
DLP Events
Transformation Services
NIPS Events
Privilege Usage Events
eDiscovery Events
ITOS
PMO Strategy
Problem Management
Incident Management
CMDB Knowledge Management
Service Management
Change Management
Roadmap
Security Monitoring Services
SIEM Platform
Event Mining
Database Monitoring
Application Monitoring
End-Point Monitoring
Event Correlation
SOC Portal
Market Threat Intelligence
Counter Threat Management
Cloud Monitoring
HoneyPot
E-Mail Journaling
Managed Security Services
Knowledge Base
Branding Protection Anti-Phishing
Legal Services
Contracts
E-Discovery
Internal Investigations
Forensic Analysis
Data Lifecycle Management
Data De-Identification
Life Cycle Management
Data Seeding
Data Tagging
Meta Data Control
e-Mail Journaling
Data Obscuring
Data Masking
eSignature (Unstructured Data)
Key Management
Synchronous Keys
Asynchronous Keys
Role Management
Keystroke/Session Logging
Privilege Usage Gateway
Password Vaulting
Resource Protection
DRP
Plan Management
Test Management
Contractors
Network Virtualization
External (VLAN)
Internal (VNIC)
Application Virtualization
Desktop “Client” Virtualization
Local
Remote
Session-Based
VM-Based (VDI)
Server Virtualization
Virtual Machines (Hosted Based)
Hardware-Assisted
Paravirtualization
Full
Storage Virtualization <<insert Jairo’s content>
Network Address Space Virtualization
IPv4
IPv6
OS Virtualization
TPM Virtualization
Server Application Streaming
Block-Based Virtualization
Host-Based
Storage Device-Based
Network-Based
LVM
LUN
LDM
Appliance
Switched
File-Based Virtualization
Database Virtualization
Virtual Memory
Client Application Streaming
Mobile Device Virtualization
Smartcard Virtualization
Virtual Workspaces
Data Discovery
Obligation
Remediation
Exceptions
Self Assessment
Program Mgmnt
Best Practices & Regulatory correlation
Image Management
Out of the Box (OTB) AutZ
Application Performance Monitoring
Security Knowledge Lifecycle
Security Design Patterns
Real-time internetwork defense (SCAP)
Cross Cloud Security Incident Response
User Behavior & Profile Patterns
Black Listing Filtering
Self-Service Security
Code Review
Application Vulnerability Scanning
Stress and Volume Testing
Attack Patterns
Real Time Filtering
Software Quality Assurance
Security Application Framework - ACEGI
Code Samples
Risk Management Framework
Employee Awareness
Security Job Aids
Security FAQ
Orphan Incident Management
Secure Build
Compliance Monitoring
Service Discovery
OTB AutN
Mobile Devices
Desktops
Portable Devices
Smart Appliances
Medical Devices
Handwriting (ICR)
Speech Recognition (IVR)
Company Owned
Third-Party
Public Kiosk
Consumer Service Platform
Social Media Collaboration
Enterprise Service Platform
B2B B2C
B2E B2M
Search
E-Mail
P2P
e-Readers
Rules for Data Retention
Information Security Policies
Independent Risk Management
Operational Security Baselines
Job Aid Guidelines
Role Based Awareness
Business Assessment
Technical Assessment
Data-in-use Encryption (Memory)
Incident Response Legal Preparation
Key Risk Indicators
Fixed Devices
Mobile Device Management
Equipment Maintenance
Data Segregation
Input Validation
Planning
Testing
Environmental Risk Management
Physical Security
Equipment
Location
Power
Redundancy
Network Segmentation
Authoritative Time Source
White Listing
Operational Risk Committee