risk-driven and business-outcome-focused enterprise security architecture framework by ana kukec

Enterprise Security Architecture Framework: Business-outcome-focused and Risk-driven Approach. Dr Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects © 2013.

Uploaded by craig-martin, posted 20-Aug-2015. Category: Business.

TRANSCRIPT

Page 1

Enterprise Security Architecture Framework

Business-outcome-focused and Risk-driven Approach

Dr Ana Kukec, Lead Enterprise Security Consultant

Page 2

Enterprise Security Architecture Framework: Business-outcome-focused and risk-driven approach

Contents

Enterprise Security Architecture, Frameworks and Standards (page 3)
The Open Group’s view of an ESAF (page 7)
EA’s view of an ESAF (page 9)
Case Study at the University of New South Wales (page 13)
Value Proposition (page 19)

Page 3

Enterprise Security Architecture Framework

Security Architecture, Frameworks and Standards

Page 4

Security Architecture, Frameworks & Standards: Enterprise security architecture as seen by practitioners

Existing security architecture-related frameworks & standards

Enterprise security architecture is a methodology for securing an enterprise by optimising operational risks.

[Diagram: Enterprise Security Architecture spanning Security Service Management and the Business, Data, Application and Technology Architecture domains, across the Contextual, Conceptual, Logical, Physical and Component layers]

Page 5

Security Architecture, Frameworks & Standards

Many of the ESA programmes have been failing…

What are we doing wrong? → What should we be doing?

• Too much emphasis on technology → Security as an enabler of business strategy
• Silo approach to security and risk → Business risk is the key driver for security
• Siloed security organisation → Cohesive security organisation
• Silo approach to EA and ESA → Single team, common framework

Sources: [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011; [2] SABSA Blue Book, Nov 2005

[Diagram, as on page 4: Enterprise Security Architecture spanning Security Service Management and the Business, Data, Application and Technology Architecture domains, across the Contextual, Conceptual, Logical, Physical and Component layers]

Page 6

Security Architecture, Frameworks & Standards: What should we be doing?

[Diagram relating Enterprise Architecture, Enterprise Security Architecture, Business Security Management (Information Security Management, Information Systems Security, Business Continuity, Physical Security, Environmental Security), Value Management (Value Governance, Portfolio Management, Investment Management) and Risk Management]

Page 7

Enterprise Security Architecture Framework

TOGAF & Enterprise Security Architecture

Page 8

TOGAF and Enterprise Security Architecture: The Open Group identified goals for an Enterprise Security Architecture Framework

The Open Group Architecture Forum and Security Forum agree that the coverage of security and risk can be updated and improved.

The Open Group and the SABSA Institute agreed to use the TOGAF ADM as a basis for the ESA Framework.

Specific goals include [1]:

• Guidance on producing business and risk management-based security architectures.
• Guidance on developing secure architectures to support business outcomes.
• Guidance on producing architectures that enable the efficient management of security.

[1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011

Page 9

TOGAF and Enterprise Security Architecture: EA’s view: Implications of the identified goals define the cornerstones for an effective Enterprise Security Architecture Framework

Business and risk management based security architectures
• Architecture asset identification
• Architecture asset evaluation
• Architecture asset risk assessment
• Risk-driven opportunities and solutions

Secure architectures supporting the business outcomes
• Business security requirements management
• Architecture asset threat, vulnerability and risk analysis
• Architecture asset classification
• Controls determination

Efficient management of security
• Security capability-based planning
• Security architecture and management maturity monitoring

The cornerstones have been identified based on our practical experience and on best-practice industry standards and frameworks.

Cornerstones: Business security motivation; Risk-driven portfolio; Business & risk-driven security strategies, tactics & operations

Page 10

TOGAF and Enterprise Security Architecture: EA’s view: The cornerstones can be delivered through integration of existing information security management and architecture frameworks and standards

Business and risk management based security architectures
• TOGAF ADM & Content Meta-model
• ISO/IEC 31000 standards
• SABSA Risk Management Model
• COBIT 5 Balanced Scorecard Risk Management Model
• COBIT 5 Enablers: Processes, People, Services, Infrastructure and Applications

Secure architectures supporting the business outcomes
• TOGAF ADM & Content Meta-model
• COBIT 5 for Information Security
• Data security classification & information system controls standards (ISO, FIPS, NIST, Government frameworks)
• Jericho Forum Models/Whitepapers
• Application security standards
• Platform/Network security standards

Efficient management of security
• TOGAF ADM & Content Meta-model
• COBIT 5 for Information Security Enablers: Principles, Policies, Processes, People, Information, Services, Infrastructure and Applications
• O-ISM3: Information Security Management Maturity Standard
• ITIL v3 security service management
• ISO/IEC 27000 standards
• ISO/IEC 31000 standards

SABSA Business Attributes Profiling, COBIT 5 Goals Cascade & Risk IT

The challenge is in the integration of existing security architecture frameworks, information security management standards and information systems security standards.

Page 11

EA’s view: An Enterprise Security Architecture Framework as a process of iterations through the ADM tailored for enterprise security, risk and compliance

[Diagram: ADM-style cycle with the phases Business Security Architecture, Information Systems Security Architecture, Technology Security Architecture, Security Opportunities & Solutions and Security Change Management, and the iterations:
• Adopt operating model
• Manage portfolio (Business & risk management based security architectures)
• Architect/transform security practice (Efficient & effective management of security): Identify security assets, Assess security capability risks, Define security policies, producing a Security capability roadmap
• Secure BDAT architectures (Secure architectures supporting the business outcomes): Classify enterprise assets, Assess BDAT risks, Define controls, producing a Domain security architecture roadmap
Artefacts shown: Business motivation, Business security motivation, Business reference model, Service catalogue, Information systems reference model, Technology reference model, Risk profiles, Architecture roadmap, Architecture risk roadmap]

Page 12

EA’s view: ESA Content Meta-model (in addition to the TOGAF Content Meta-model)

[Diagram: entities grouped under Business Security Architecture; Security Architecture Principles, Requirements and Roadmap; and Data, Application and Technology Security Architecture. Entities shown: Motivation, Security Goal, Security Objective, Organization Actor, Security Attribute, Function, Policy, Policy Framework, Strategic Security Risk, Business Service Sensitivity, Business Service Criticality, Risk Appetite, Risk Tolerance, Risk Management, ES Motivation, ES Requirements, Information Security Principle, External Compliance Requirement, Internal Compliance Requirement, Continuity Requirement, Security Capability, Security Capability Gap, Security Classification (CIA), Security Control, Security Standard, Security Guideline, Continuity Procedure, Security Service, Information Risk, Application Risk, Technology Risk]

Page 13

Enterprise Security Architecture Framework

TOGAF-based ESAF: Case Study at the University of New South Wales

Page 14

Case Study: ESAF at University of New South Wales: The Situation

The UNSW security organisation relies on security operations, and is seeking to establish:

• An enterprise security architecture capability
• An enterprise security architecture framework

to help revise the security strategic plan and the information security plan, and to transform the security practice.

Business, IT & Enterprise Architects described their vision for the security organisation.

Page 15

Case Study: ESAF at University of New South Wales: Our Approach

TAILORED ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK

BUSINESS SECURITY MOTIVATION & BUSINESS CAPABILITY ANCHOR MODEL

CURRENT STATE ASSESSMENT
• Security capability maturity assessment
• Architecture risk assessment
• Architecture asset security classification

ASPIRATIONAL TARGET STATE
• Target security capability model with functional roles to fulfil, policies, standards, regulations
• Application security guidelines and continuity procedures

BUSINESS RISK-DRIVEN SECURITY STRATEGIES

Page 16

EA’s Enterprise Security Architecture Framework Artefacts (Samples)

• SECURITY CAPABILITY MODEL
• BUSINESS CAPABILITY MODEL WITH SECURITY CLASSIFICATION
• ARCHITECTURE RISK ROADMAP
• SECURITY CAPABILITY ROADMAP
• BUSINESS SECURITY MOTIVATION

Page 17

Case Study: ESAF at University of New South Wales: Outcomes

CHALLENGES
• Inability to communicate the value of security architecture, compliance and risks to business, services & projects
• Lack of consistency in providing security support across the SDLC
• Operational imbalance
• Organically grown information security and technology security architecture
• Low maturity of the risk management capability
• Ineffective IT audits

OUTCOMES
• Common language and framework
• Governance & management security capabilities integrated into the IT operating model
• Security classifications, internal compliance, regulatory compliance
• Better alignment to service management and projects
• Revised security strategy & informed application security portfolio management
• Revised risk management capability, disaster recovery and business continuity plans
• IT audit planning framework

Page 18

Enterprise Security Architecture Framework

TOGAF-based ESAF: Value proposition

Page 19

TOGAF-based Enterprise Security Architecture Framework: Value Proposition

COMMON LANGUAGE & FRAMEWORK
• Business, security, risk and IT
• EA and ESA
• Various security functions

STRATEGIC ALIGNMENT
• Better investment management in security
• Shift from gap-control operations to strategic initiatives

HOLISTIC APPROACH & STRATEGIC SECURITY SOLUTIONS
• Holistic approach to security solutions
• Strategic security solutions enabling business & improving customer experience (strategic or segment: cloud, BYOD, mobile, outsourcing, …)
• Reusable & scalable security building blocks

EFFICIENT MANAGEMENT OF SECURITY
• Cohesive security organisation
• Integration of standards and regulations
• Positioning within the business & IT operating model
• Clarity around security functional roles and work products
• Alignment to service management office & projects

GOVERNANCE, RISK & COMPLIANCE
• Effective IT audits
• Compliance with industry regulations
• Cost-effective operational risk management

Page 20