IBM
Presentation to Open Group | Oct 22, 2003 | Enterprise Security Architecture © 2003 IBM Corporation
Enterprise Security Architecture Concepts and Practice
2
IBM
Enterprise Security Architecture | Concepts and Practice | October 22, 2003 © 2003 IBM Corporation
Abstract
In the early 90's IBM Global Services created a Security Consultancy to respond to the business opportunity for security services for IBM customers and in support of the IBM business.
In 1999 there was an initiative in IBM to establish the security discipline within the IT Architect profession, along with related design methods and practitioner support materials.
This presentation and discussion will offer a view of security architecture and security architecture methods.
Topic Flow:
• Roles
• Methods, Models and Modeling for Security
• Elements of Enterprise Security Architecture
3
Roles in solution development projects
IT Specialists develop proof of concepts, design, develop, build, test and implement systems. IT Specialists are the hands on professionals.
The IT Architect designs solutions to client business problems through the reasoned application of information technology.
A consultant is an agent of change, who advises and facilitates through: research, data collection, data analysis, preparation and presentation of recommendations, and project design.
A project manager is the person who leads and is accountable for the success of the project.
Figure: the four roles (Specialist, Architect, Consultant, Project Manager) placed along the project timeline, with the consultant engaged earliest, then the architect, then the specialist, and mapped to the representations of architecture:
• Business representation of architecture: Stakeholder view
• System representation of architecture: Structural view, User view, Behavior view
• Physical representation of architecture: Environment view, Implementation view, Operational view
4
Security in IBM Global Professions
Security Architecture
Security Architecture involves the design of inter- and intra-enterprise security solutions to meet client business requirements in application and infrastructure areas.
Architects performing Security Architecture work must be capable of defining detailed technical requirements for security, and designing, documenting and assuring functional and operational architectures using appropriate security technology and process components, and validating that the solution meets the security requirements.
5
Methods, Models and Modeling
6
A design method requires a model and a systematic process with thoughtful constraints
Models are developed and applied in several ways:
(1) an "example" is a model with no claims of correctness;
(2) a "pattern" is a model that represents a clear and detailed archetype or prototype;
(3) an "exemplar" is a faultless standard that is the source of comparison;
(4) an "ideal" is the best possible exemplification, either real or conceptual.
Modeling is that part of the design process that creates a new form (an instance) from the initial form (a model).
It is common practice to iterate through the modeling process several times in order to consider all of the requirements, functions and constraints before achieving a balanced solution.
On a small scale, modeling can be a mental process for a single individual. Modeling expands dramatically when there are multiple designers and hundreds of diverse requirements that need to be reconciled.
What category of model is “best practice?”
7
Modeling lifecycle
Figure: lifecycle timeline running from Custom through Integrated sub-assemblies and Mass Customization to Plug-and-Play, with one characterization per stage:
• Custom: each instance of architecture is one of a kind.
• Integrated sub-assemblies: each overall architecture is one-of-a-kind, with recognizable elements.
• Mass Customization: basic tools and seasoned reference materials that lead to consistent and repeatable instances of architecture.
• Plug-and-Play: self-defining, self-configuring technologies that can be integrated using intuitive tools.
Model maturity labels along the same axis: few artifacts or reliable models; prototype models based upon artifacts; vetted patterns; archetype models; embedded function.
Technologies placed on the timeline: Security, Wireless networking, Object oriented programming, Wired networking.
8
Models for security
9
Depending upon your background, Information Technology Security may be expressed in various ways.
Information Assurance (IA)
Information Systems Security (INFOSEC)
10
Here is an alternate view that aligns knowledge and the responsibility to Application Development, Systems Operations and Network Operations organizations / departments.
Figure: three areas (Network Security, System Security, Application and Data Security) with these item groups:
• Firewalls, Encryption, Virtual Private Networks, Intrusion Detection
• Authentication, Authorization, Access Control, Callable Security Services
• Performance, Availability, Configuration, Operations
11
However security is described, an effective Information Security strategy requires a broad understanding of the business landscape…
Figure: the three areas of the previous figure (Network Security, System Security, Application and Data Security, with their item groups Firewalls / Encryption / Virtual Private Networks / Intrusion Detection, Authentication / Authorization / Access Control / Callable Security Services, Performance / Availability / Configuration / Operations) overlaid with Information Assurance (IA), Information Systems Security (INFOSEC) and the Corporate Information Security Officer perspective.
12
… and knowledge of how to apply a wide range of security-related technologies.
Figure: the same three areas (Network Security, System Security, Application and Data Security) and the Corporate Information Security Officer perspective, surrounded by technology labels: Cryptographic services, Security Protocols, Biometrics, Hardware, Operating Systems, Middleware, Services, Applications, Business Driven Integrated solutions, Perimeters, Anti-virus, Data, together with the item groups Firewalls / Encryption / Virtual Private Networks / Intrusion Detection, Authentication / Authorization / Access Control / Callable Security Services, Performance / Availability / Configuration / Operations.
This is not a model!
13
In support of IBM security practitioners, a conceptual model for Security functions has been developed from Common Criteria Security Functional Requirements.
Common Criteria Functional Requirements classes:
• Security Audit (FAU)
• Communication (FCO)
• Cryptographic support (FCS)
• User data protection (FDP)
• Identification and authentication (FIA)
• Security management (FMT)
• Privacy (FPR)
• Protection of functions (FPT)
• Resource utilization (FRU)
• TOE access (FTA)
• Trusted path/channels (FTP)
Security Subsystems
Security Audit Subsystem
Solution Integrity Subsystem
Information Flow Control Subsystem
Access Control Subsystem
Credential Subsystem
Patent Pending # 20020157015 Method for Designing Secure Solutions, IBM Systems Journal, September 2001 (see References page)
14
The model provides a bridge between multiple views of Information Systems Security and Security Management tasks of policy definition, enforcement and review.
Figure: the five Security Subsystems (Security Audit Subsystem, Solution Integrity Subsystem, Information Flow Control Subsystem, Access Control Subsystem, Credential Subsystem) placed over the earlier technology landscape: Network Security, System Security, Application and Data Security, the Corporate Information Security Officer perspective, and the technology labels Hardware, Middleware, Services, Applications, Business Driven Integrated solutions, Security Protocols, Cryptographic services, Biometrics, Operating Systems, Perimeters, Anti-virus, Data, with the item groups Firewalls / Encryption / Virtual Private Networks / Intrusion Detection, Authentication / Authorization / Access Control / Callable Security Services, Performance / Availability / Configuration / Operations.
15
When combined with thoughtful constraints, this Security system model can provide a starting point for design as well as a baseline for evaluating the completeness of a design.
Some thoughtful constraints:
1. All five subsystems exist in every design
2. All five subsystems are interdependent
3. The strength of security mechanisms and services helps determine trustworthiness of solution
4. The integration of security mechanisms and services with business processes helps determine trustworthiness of solution
5. Some security mechanisms and services may necessarily exist in "non-security" components
Output of the design process:
1. Stakeholder view
2. Structural view
3. User view
4. Behavior view
5. Environment view
6. Implementation view
7. Operational view
Security Subsystems
Security Audit Subsystem
Solution Integrity Subsystem
Information Flow Control Subsystem
Access Control Subsystem
Credential Subsystem
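The slide describes the subsystem model as a baseline for evaluating the completeness of a design. The following Python script is an added example, not code from the IBM presentation: it encodes constraint 1 (all five subsystems exist in every design) and constraint 5 (security functions may live in "non-security" components) and evaluates a constructed design description against them. The grouping of functions under subsystems is an assumption taken from the layout of the functional modeling example later in the deck; the component names and the design itself are constructed.

```python
"""Completeness check of a solution design against the five security subsystems.

Added example, not part of the IBM presentation. The subsystem/function
grouping below is an assumption read from the functional modeling example
figure; the sample design is constructed for illustration.
"""
from collections import defaultdict

# Assumed grouping of security functions under the five subsystems.
SUBSYSTEM_FUNCTIONS = {
    "Security Audit": {"collection", "correlation", "analysis", "report"},
    "Information Flow Control": {"domain boundary", "transfer protocol"},
    "Access Control": {"identification", "authentication", "authorization"},
    "Credential": {"enrollment", "credential distribution",
                   "credential validation", "credential lifecycle"},
    "Solution Integrity": {"physical and logical protections", "attachment",
                           "tests", "recovery"},
}
FUNCTION_TO_SUBSYSTEM = {f: s for s, fs in SUBSYSTEM_FUNCTIONS.items() for f in fs}


def check_design(components):
    """Evaluate a design against constraints 1 and 5.

    components: list of dicts with 'name', 'security_component' (bool) and
    'functions' (set of function names the component provides).
    """
    covered = defaultdict(set)   # subsystem -> functions some component provides
    in_nonsecurity = []          # constraint 5: functions hosted by non-security parts
    unknown = []                 # functions the model does not name
    for c in components:
        for fn in c["functions"]:
            sub = FUNCTION_TO_SUBSYSTEM.get(fn)
            if sub is None:
                unknown.append((c["name"], fn))
                continue
            covered[sub].add(fn)
            if not c["security_component"]:
                in_nonsecurity.append((c["name"], fn))
    # constraint 1: every subsystem must be represented by at least one function
    missing = [s for s in SUBSYSTEM_FUNCTIONS if s not in covered]
    uncovered = {s: sorted(fs - covered[s]) for s, fs in SUBSYSTEM_FUNCTIONS.items()}
    return {
        "complete": not missing,
        "missing_subsystems": missing,
        "uncovered_functions": uncovered,
        "functions_in_nonsecurity_components": sorted(in_nonsecurity),
        "unknown_functions": sorted(unknown),
    }


# Constructed design: a portal behind a reverse proxy, with no credential
# management at all and a load balancer whose function the model does not name.
SAMPLE_DESIGN = [
    {"name": "reverse proxy", "security_component": True,
     "functions": {"authentication", "authorization", "domain boundary"}},
    {"name": "directory service", "security_component": True,
     "functions": {"identification"}},
    {"name": "web application server", "security_component": False,
     "functions": {"collection"}},            # writes its own event log
    {"name": "backup service", "security_component": False,
     "functions": {"recovery"}},
    {"name": "load balancer", "security_component": False,
     "functions": {"health check"}},
]

if __name__ == "__main__":
    result = check_design(SAMPLE_DESIGN)
    print("complete:", result["complete"])
    print("missing subsystems:", result["missing_subsystems"])
    for sub, fns in result["uncovered_functions"].items():
        print(f"  {sub}: not yet designed -> {fns}")
    print("functions in non-security components:",
          result["functions_in_nonsecurity_components"])
    print("functions outside the model:", result["unknown_functions"])
```

Run as a script the check reports that the Credential subsystem is absent from the constructed design, lists the audit and integrity functions still undesigned, and points out which security functions the design has placed in the web server and the backup service, which is exactly the review that constraints 1 and 5 call for.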
16
Modeling for security
17
Functional modeling vs. Pattern-based modeling
Figure: the modeling lifecycle timeline again (Custom, Integrated sub-assemblies, Mass Customization, Plug-and-Play, with the same stage characterizations, model maturity labels and technologies as before), annotated with the two modeling approaches:
• Functional / Operational modeling: design traceability via documentation
• Pattern-based modeling: design traceability via certification; design by "best practice"?
18
Functional / Operational Modeling for Security
Functional: technology independent abstraction of security components (Structural view, User view, Behavior view). Example figure with the subsystems Credential, Access Control, Flow Control, Audit and Solution Integrity and these functions:
• Collection function, Correlation function, Report function, Analysis function
• Domain Boundary function, Transfer protocol
• Identification function, Authentication function, Authorization function
• Enrollment function, Credential Distribution function, Credential Validation function, Credential lifecycle function
• Physical and logical Protections, Attachment function, Tests, Recovery functions
Operational: technology related mapping of security components (Environment view, Implementation view, Operational view). Example figure with the groupings Identity Mgmt, Access Mgmt, Flow Control, Event Mgmt and Operational Resilience and these technology labels: Applications; Middleware; Business Driven Solution Packages; Digital Signature; Public Key Infrastructure; Symmetric and Asymmetric Cryptography; Directory (white pages, entitlements); Intrusion Detection; Federated Identity; Privacy; JAAS; Web Services; Security Administration and Policy Mgmt; Services (Managed Security, Emergency Response); Kerberos; RACF - SAF; Monitor (Device, Component, System); Operation practices; Service level agreements; Storage backup; Capacity plan; Failover configuration; AznAPI; VPN; Proxy; Anti-virus; Security Protocols; Firewalls; Perimeters; Domains; Testing (Ethical hack); Recovery (Disaster plan); ID / passwd; Biometrics; H/W crypto (4758, TPM, PCIA / PCIC, Tokens/smartcards).
19
Here is a sample e-Business architecture (see reference page).
Figure: Enterprise Security Architecture example, organized by subsystem (Solution Integrity, Access Control, Flow Control, Security Audit, Trusted Credential) and by zone (Uncontrolled, Controlled, Restricted, Secured) with a Controlled Zone Boundary, a Restricted Zone Boundary and a Secured Zone Boundary. Labels in the figure:
• Communities: External Community, Managed Community, Closed Community, E-Business Community
• Attachments: External Attachment, Static Attachment, Managed Attachment
• Components: SSL Gateway, Browser Application Client, Web Portal, SSO Portal, SSO Services, Secured Application Server, Secured Application Client, Service Management (Policy, Audit, Availability Management)
• Solution Integrity: Data Integrity, Software Integrity, System Integrity
• Security Audit: Event Logging, Component logging, Event Analyze, Event Alerting, Reporting
• Trusted Credential: User/system admin, Credential Storage, Authorizations, Credential Distribution, Credential Creation, Other userid / pswd, SSO, Digital Sig, User/group enrollment, User/group approval
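The functional modeling example names four audit functions (Collection, Correlation, Analysis, Report) and the sample e-Business architecture above places Event Logging, Event Analyze and Event Alerting / Reporting in the Security Audit subsystem. The following Python script is an added example, not code from the IBM presentation or the sample architecture: it runs a handful of constructed log lines from a reverse proxy and an application server through those four functions. The line format, the field names and the alert rule (a run of failed authentications followed by a success) are assumptions made for the example.

```python
"""Audit subsystem pipeline: collection -> correlation -> analysis -> report.

Added example, not part of the IBM presentation. The log format, component
names and alert threshold are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed log lines in an assumed "timestamp component event key=value..." format.
SAMPLE_LOG = """\
2003-10-22T10:00:01 reverse-proxy auth user=alice src=203.0.113.5 result=fail
2003-10-22T10:00:04 reverse-proxy auth user=alice src=203.0.113.5 result=fail
2003-10-22T10:00:07 reverse-proxy auth user=alice src=203.0.113.5 result=fail
2003-10-22T10:00:09 reverse-proxy auth user=alice src=203.0.113.5 result=ok
2003-10-22T10:00:10 app-server access user=alice src=203.0.113.5 resource=/payroll result=ok
2003-10-22T10:01:00 reverse-proxy auth user=bob src=198.51.100.7 result=fail
2003-10-22T10:01:30 reverse-proxy auth user=bob src=198.51.100.7 result=ok
this line is not in the expected format and is dropped by collection
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<component>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$"
)


def collect(text):
    """Collection: parse each well-formed line into an event dict; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "component": m["component"], "event": m["event"]}
        for token in m["rest"].split():
            if "=" in token:
                key, value = token.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def correlate(events):
    """Correlation: group events from all components by (user, source) in time order."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "user" in ev and "src" in ev:
            groups[(ev["user"], ev["src"])].append(ev)
    return dict(groups)


def analyze(groups, threshold=3):
    """Analysis: flag a run of >= threshold failed authentications followed by a success."""
    alerts = []
    for (user, src), evs in groups.items():
        streak = 0
        for ev in evs:
            if ev["event"] != "auth":
                continue
            if ev.get("result") == "fail":
                streak += 1
                continue
            if streak >= threshold:
                alerts.append({"ts": ev["ts"], "user": user, "src": src, "failures": streak})
            streak = 0
    return alerts


def report(alerts):
    """Report / alerting: one line per alert, suitable for a ticket or console."""
    if not alerts:
        return "no alerts"
    return "\n".join(
        f"ALERT {a['ts']} user={a['user']} src={a['src']} failures_before_success={a['failures']}"
        for a in alerts
    )


def run_pipeline(text, threshold=3):
    """Run all four audit functions over raw log text and return the alerts."""
    return analyze(correlate(collect(text)), threshold)


if __name__ == "__main__":
    print(report(run_pipeline(SAMPLE_LOG)))
```

Keeping the four functions separate mirrors the subsystem decomposition: collection can be replaced per log source, correlation defines the key that ties components together (here user and source address), and the alert rule lives only in analysis, so a threshold change does not touch parsing or reporting.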
20
Patterns-based modeling…a starting point for architecture
Figure: matrix of IBM Patterns for e-business* against example solutions, with cells marked Y (applies) or +/- (partially applies). Row and column labels:
• Business patterns: Self service, Collaboration, Information Aggregation, Extended Enterprise
• Integration patterns: Access Integration, Application Integration
• Composite patterns: e-Commerce, Portal, Account Access, Trading Exchange, Sell-side hub, Buy-side hub
• Examples: Web Presence, Business-to-Consumer, Business-to-Business
* http://www.ibm.com/developerworks/patterns/
21
Patterns-based modeling for Security
Figure: the same matrix extended with security patterns, cells marked Y (applies) or +/- (partially applies). Row and column labels:
• Business patterns: Self service, Collaboration, Information Aggregation, Extended Enterprise, Business System Mgmt
• Integration patterns: Access Integration, Application Integration
• Composite patterns: e-Commerce, Portal, Account Access, Trading Exchange, Sell-side hub, Buy-side hub
• Examples: Web Presence, Business-to-Consumer, Business-to-Business
• IBM Business Security Patterns**: Operational Security, High Assurance, Security Integration
* http://www.ibm.com/developerworks/patterns/
** http://www.ibm.com/security/patterns/intro.pdf (work in progress)
22
Patterns-based Modeling…
Figure: Example Business System using the "Web Presence" model, drawn twice:
• Business representation (Stakeholder view, Business behavior view): Self Service, Information Aggregation, Business System Management, Knowledge processes, Users, Aggregator, Enterprise Systems and Databases, Data
• System representation with security (Structural view, System behavior view): the same elements with Policy and Policy enforcement processes added
23
Patterns-based Modeling… Business pattern: Self-service; Application pattern: Stand-Alone Single Channel; Security Application Services: Access Mgmt with Self-service Identity Mgmt
Runtime View (example): User view, Environment view, Implementation view, Operational view
Figure: runtime view spanning Outside world, Demilitarized zone and Internal Network, separated by a Protocol firewall and a Domain firewall. Legend: Business flow, Security flow, Security integration flow, Security policy or rule. Labels in the figure:
• Outside world: User, Internet, Domain Name Server
• Demilitarized zone: Reverse proxy server (Client, Packet filter, Connection filter, Relay, encrypt), Access Mgmt Service Security
• Application domain: Web Application Server (Presentation, Application, Business application, Security application), Database, External Application domain
• Security Mgmt domain: Public Key Infrastructure, Directory Service, Identity Mgmt Service, Identity Mgmt App Service, ID mgmt app
• Application pattern 1: channel authorization
• Application pattern 1a: channel & content authorization
• Identity Mgmt Application pattern: self-service (ID mgmt, Approve)
• Security steps marked on the flows: Authenticate, Authorize, encrypt, Relay
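The runtime view distinguishes application pattern 1 (channel authorization) from pattern 1a (channel & content authorization). The following Python script is an added example, not code from the IBM presentation: it models the chain of checks a request passes through in the figure (packet filter, connection filter, authentication at the reverse proxy, channel authorization, and for pattern 1a a content authorization inside the business application) and shows a request that is admitted under pattern 1 but refused under 1a. Zone names, port numbers, users, credentials, entitlements and resources are all constructed, and the stand-in functions for the Directory Service and Access Mgmt Service are assumptions.

```python
"""Channel authorization (pattern 1) vs channel & content authorization (pattern 1a).

Added example, not part of the IBM presentation. All users, credentials,
entitlements, resources and zone names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src_zone: str            # constructed: "outside world", "demilitarized zone", "internal network"
    dst_port: int
    user: Optional[str]
    password: Optional[str]
    app: str
    resource: str
    action: str


# Constructed stand-ins for the Directory Service and Access Mgmt Service.
CREDENTIALS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}
PUBLISHED_APPS = {"hr-portal"}                     # applications the proxy relays to
APP_ENTITLEMENTS = {"alice": {"hr-portal"}, "bob": {"hr-portal"}}
RESOURCE_ACL = {                                   # (app, resource, action) -> users
    ("hr-portal", "/payroll/alice", "read"): {"alice"},
    ("hr-portal", "/payroll/bob", "read"): {"bob"},
    ("hr-portal", "/directory", "read"): {"alice", "bob"},
}


def packet_filter(req):
    """Protocol firewall: only HTTPS from outside the internal network reaches the proxy."""
    return req.dst_port == 443 or req.src_zone == "internal network"


def connection_filter(req):
    """Connection filter: the proxy only relays to applications it publishes."""
    return req.app in PUBLISHED_APPS


def authenticate(req):
    """Reverse proxy authenticates the user against the credential store."""
    return req.user is not None and CREDENTIALS.get(req.user) == req.password


def authorize_channel(req):
    """Channel authorization: may this user reach this application at all?"""
    return req.app in APP_ENTITLEMENTS.get(req.user, set())


def authorize_content(req):
    """Content authorization: may this user perform this action on this resource?"""
    return req.user in RESOURCE_ACL.get((req.app, req.resource, req.action), set())


def evaluate(req, content_authorization):
    """Run the checks in order; return (allowed, name of the first failed check)."""
    checks = [("packet_filter", packet_filter),
              ("connection_filter", connection_filter),
              ("authenticate", authenticate),
              ("authorize_channel", authorize_channel)]
    if content_authorization:
        checks.append(("authorize_content", authorize_content))
    for name, check in checks:
        if not check(req):
            return False, name
    return True, None


def pattern_1(req):
    """Application pattern 1: channel authorization only."""
    return evaluate(req, content_authorization=False)


def pattern_1a(req):
    """Application pattern 1a: channel and content authorization."""
    return evaluate(req, content_authorization=True)


if __name__ == "__main__":
    # bob is entitled to the portal but not to alice's payroll record
    bob_reads_alice = Request("outside world", 443, "bob", "s3cret-bob",
                              "hr-portal", "/payroll/alice", "read")
    print("pattern 1 :", pattern_1(bob_reads_alice))    # admitted
    print("pattern 1a:", pattern_1a(bob_reads_alice))   # refused at authorize_content
```

The point the two patterns make is visible in the last two lines: channel authorization answers only whether the user may reach the application, so every entitled user can request every resource the application serves. Once resources carry different entitlements, the content check inside the business or security application is what enforces the policy, and the proxy's decision is no longer sufficient on its own.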
24
Summary…
Architecture has multiple views.
A design method requires a model and a systematic process with thoughtful constraints.
The effective practice of security architecture is dependent upon many aspects of the design process.
More work needs to be done in the area of architecture representation and visualization.
Figure: the representations of architecture and their views, as on the Roles slide:
• Business representation of architecture: Stakeholder view
• System representation of architecture: Structural view, User view, Behavior view
• Physical representation of architecture: Environment view, Implementation view, Operational view
25
Selected Resource Links
• Common Criteria: http://www.commoncriteria.org/
• International Telecommunications Union: http://www.itu.int/home/index.html
• International Organization for Standardisation: http://www.iso.ch
• Internet Engineering Task Force: http://www.ietf.org/
• Open Group (TOGAF): http://www.opengroup.org/togaf/start.htm
• IBM Patterns for e-business: http://www.ibm.com/developerworks/patterns/
• IBM Systems Journal: Security Design Method: http://researchweb.watson.ibm.com/journal/sj/403/whitmore.html
• Enterprise Security Architecture Redbook: http://www.redbooks.ibm.com/redbooks/pdfs/sg246014.pdf