PwC CONFIDENTIAL 11
Enterprise Security Architecture
Alvin Tan, Security Architect
Creative Quest Solutions Sdn Bhd
alvint@cre8tivequest.com
Agenda
• Enterprise Security Architecture FAQs
• Incorporating Security in Enterprise Architecture
• Guidelines
• Keeping Current
Enterprise Security Architecture FAQs
• Is the current architecture supporting and adding value to the security of the organization?
• How might a security architecture be modified so that it adds more value to the organization?
• Based on what we know about what the organization wants to accomplish in the future, will the current security architecture support or hinder that?
Incorporating Security in Enterprise Architecture
• Assessment
– Basic information (servers, workstations, etc.)
– Infrastructure Security
– Application Security
– Operation Security
– People Security
– Environment
Creating Business Risk Profile
Incorporating Security in Enterprise Architecture
• Infrastructure security (internal & external)
– Perimeter (Firewalls, IDS, AntiVirus)
– Authentication (Password policies)
– Management & Monitoring (staff/vendor)
• Application security
– Application (Line of Business, High Availability, patches)
– Application Design (Password policy, Access controls)
– Data Storage & Communication (DES, 3DES, RC2, RC3, RC4, etc.)
Incorporating Security in Enterprise Architecture
• Operations (Op practices & guidelines)
– Environment (self/outsource, SLA, ACs, FWs)
– Security Policy (IT/Business, documentation, guidelines)
– Patch & Update Management (Change, Update policy)
– Backup & Recovery (logs, Firewall logs,
• People
– Requirement & Assessment (IT expertise)
– Policy & Procedures (hiring process)
– Training & Awareness (program exists, frequency)
Enterprise Security Architecture FAQs
• Having documented the organization's strategy and structure, the architecture process then flows down into the discrete information technology components such as:
– Organization charts, activities, and process flows of how the IT Organization operates
– Organization cycles, periods and timing
– Suppliers of technology hardware, software, and services
– Applications and software inventories and diagrams
– Interfaces between applications, that is, events, messages and data flows
– Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization
– Data classifications, Databases and supporting data models
– Hardware, platforms, hosting: servers, network components and security devices and where they are kept
– Local and wide area networks, Internet connectivity diagrams
Enterprise Security Architecture FAQs answered
• The organization must design and implement a process that ensures continual movement from the current state to the future state. The future state will generally be a combination of one or more of:
– Closing gaps that are present between the current organization strategy and the ability of the IT security dimensions to support it
– Closing gaps that are present between the desired future organization strategy and the ability of the security dimensions to support it
– Necessary upgrades and replacements that must be made to the IT security architecture based on supplier viability, age and performance of hardware and software, capacity issues, known or anticipated regulatory requirements, and other issues not driven explicitly by the organization's functional management.
• On a regular basis, the current state and future state are redefined to account for evolution of the architecture, changes in organizational strategy, and purely external factors such as changes in technology and customer/vendor/government requirements.
Guidelines
• Guidelines for Auditing
• Guidelines for Securing Operating Systems
• Guidelines for Monitoring Network Traffic
• Guidelines for using IDS
• Guidelines for Securing Wireless Transmissions
• Methods for Enforcing Security Policies
Guidelines for Auditing the Use of Permissions and User Rights
• Use the appropriate group to ensure adequate auditing information
• Do not audit everything
• Monitor the Audit policy to prevent a rogue administrator from turning off auditing to perform a forbidden action
• Configure the size of the security log to accommodate additional auditing information
• Audit for successes and failures depending on what is being audited
Guidelines for Securing Operating Systems
• File System
– Use NTFS on Web sites running Microsoft Windows
– Review directory permissions
– Set access control for the anonymous user account
– Store executable files in a separate directory
• User Accounts
– Choose strong passwords for all accounts including the Administrator account
– Change passwords frequently
– Review user accounts frequently
– Maintain strict account policies
– Limit membership of the Administrators group
• Services
– Run necessary services only
– Unbind unnecessary services from your Internet adapter cards
– Enable auditing
– Use encryption when administering your computer remotely
– Back up the registry and vital files often
– Run virus checks regularly
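The auditing slide says to monitor the Audit policy so that an administrator cannot switch auditing off, act, and switch it back on unnoticed, and the operating-system slide says to limit membership of the Administrators group. The following is an added example, not part of the original deck, showing how both guidelines become detection logic over Security log records. The event IDs are the standard Windows ones (4719 audit policy changed, 1102 audit log cleared, 4732/4728 member added to a local/global security group); the record layout and the sample events are constructed and simplified for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (simplified, not real
# data). In practice these come from the Security log via a forwarder or
# agent; only the fields the rules need are kept here.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-03-01T08:00:00", "subject": "CORP\\alice"},
    {"id": 4719, "time": "2024-03-01T22:10:00", "subject": "CORP\\mallory",
     "category": "Object Access", "change": "Success removed"},
    {"id": 4732, "time": "2024-03-01T22:12:00", "subject": "CORP\\mallory",
     "group": "Administrators", "member": "CORP\\svc_backup"},
    {"id": 4719, "time": "2024-03-01T22:25:00", "subject": "CORP\\mallory",
     "category": "Object Access", "change": "Success added"},
    {"id": 4732, "time": "2024-03-02T09:00:00", "subject": "CORP\\helpdesk",
     "group": "Remote Desktop Users", "member": "CORP\\bob"},
    {"id": 1102, "time": "2024-03-02T23:30:00", "subject": "CORP\\mallory"},
]

AUDIT_POLICY_CHANGED = 4719      # System audit policy was changed
AUDIT_LOG_CLEARED = 1102         # The audit log was cleared
LOCAL_GROUP_MEMBER_ADDED = 4732  # Member added to a security-enabled local group
GLOBAL_GROUP_MEMBER_ADDED = 4728 # Member added to a security-enabled global group
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_alerts(events, gap_window=timedelta(minutes=30)):
    """Return (severity, time, subject, message) tuples for the records that
    match the two guidelines: audit-policy tampering and privileged-group growth.

    A policy change is always reported. Two policy changes by the same account
    inside `gap_window` are escalated, because that is the "turn auditing off,
    act, turn it back on" pattern the slide warns about."""
    alerts = []
    last_policy_change = {}  # subject -> time of their previous 4719
    for ev in sorted(events, key=_ts):
        eid, who, when = ev["id"], ev.get("subject", "?"), _ts(ev)
        if eid == AUDIT_POLICY_CHANGED:
            alerts.append(("medium", when, who,
                           f"audit policy changed: {ev.get('category')} {ev.get('change')}"))
            previous = last_policy_change.get(who)
            if previous is not None and when - previous <= gap_window:
                alerts.append(("high", when, who,
                               f"audit policy toggled twice within {gap_window}: possible audit gap"))
            last_policy_change[who] = when
        elif eid == AUDIT_LOG_CLEARED:
            alerts.append(("high", when, who, "security log cleared"))
        elif eid in (LOCAL_GROUP_MEMBER_ADDED, GLOBAL_GROUP_MEMBER_ADDED):
            if ev.get("group") in PRIVILEGED_GROUPS:
                alerts.append(("high", when, who,
                               f"{ev['member']} added to {ev['group']}"))
    return alerts


if __name__ == "__main__":
    for severity, when, who, message in find_alerts(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M} [{severity:<6}] {who}: {message}")
```

Run against the sample, the helpdesk addition to Remote Desktop Users is ignored while every action by `CORP\mallory` is reported, and the two policy changes fifteen minutes apart produce the escalated "possible audit gap" alert. The gap rule is the practical answer to the slide's point: the forbidden action itself may never be logged, so the detection has to key on the policy change that surrounds it.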
Guidelines for Monitoring Network Traffic
• Document types of allowed network traffic
• Observe regular network traffic and look for anomalies
• Review logs and network statistics regularly
• Set triggers for common intrusions
• Use multiple IDS products
Guidelines for using IDS
• Consider using both network-based IDS and host-based IDS
• Frequently update IDS signatures
• Understand the nature of intrusions that an IDS can detect
• Distinguish between real intrusions and false positives
• Deploy an IDS on each network segment
• Use a centralized management console to manage an IDS
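The two preceding slides describe the three checks a network monitor runs: compare traffic against the documented allowed types, compare volume against an observed baseline, and set triggers for common intrusion patterns. The following is an added example, not from the original deck, that implements all three over flow records of the kind a firewall or flow collector exports. The allowed-traffic table, the baseline figures and the flow records are constructed for the example; the scan threshold of 20 distinct ports is an assumed tuning value.

```python
from collections import defaultdict

# Documented allowed traffic as (protocol, destination port). Constructed.
ALLOWED_TRAFFIC = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}

# Typical bytes sent per source per day, learned from a quiet period. Constructed.
BASELINE_BYTES = {
    "10.0.1.10": 200_000,
    "10.0.1.11": 50_000,
    "10.0.1.12": 100_000_000,
    "10.0.1.13": 10_000,
}

# Constructed flow records: (src, dst, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.1.10", "93.184.216.34", "tcp", 443, 120_000),
    ("10.0.1.10", "10.0.0.5", "udp", 53, 800),
    ("10.0.1.11", "10.0.0.5", "udp", 53, 600),
    ("10.0.1.11", "203.0.113.7", "tcp", 6667, 4_000),        # not a documented traffic type
    ("10.0.1.12", "198.51.100.9", "tcp", 443, 900_000_000),  # allowed port, abnormal volume
]
# One host touching many ports on one server: the classic port-scan trigger.
SAMPLE_FLOWS += [("10.0.1.13", "10.0.0.20", "tcp", port, 60) for port in range(1000, 1040)]


def policy_violations(flows, allowed=ALLOWED_TRAFFIC):
    """Map each source to the sorted (proto, port) pairs it used that are not
    in the documented allowed-traffic table."""
    seen = defaultdict(set)
    for src, _dst, proto, port, _size in flows:
        if (proto, port) not in allowed:
            seen[src].add((proto, port))
    return {src: sorted(pairs) for src, pairs in seen.items()}


def port_scan_triggers(flows, threshold=20):
    """Return (src, dst, distinct_ports) for every pair that reached at least
    `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for src, dst, _proto, port, _size in flows:
        ports[(src, dst)].add(port)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= threshold)


def volume_anomalies(flows, baseline=BASELINE_BYTES, factor=3):
    """Flag sources that sent more than `factor` times their baseline, and
    sources with no baseline at all (a host the quiet period never saw)."""
    totals = defaultdict(int)
    for src, _dst, _proto, _port, size in flows:
        totals[src] += size
    flagged = {}
    for src, total in totals.items():
        expected = baseline.get(src)
        if expected is None or total > factor * expected:
            flagged[src] = (total, expected)
    return flagged


if __name__ == "__main__":
    print("undocumented traffic:", policy_violations(SAMPLE_FLOWS))
    print("scan triggers:", port_scan_triggers(SAMPLE_FLOWS))
    print("volume anomalies:", volume_anomalies(SAMPLE_FLOWS))
```

The three functions deliberately report different things: the IRC-port host is a policy violation but not an anomaly by volume, the 900 MB upload is on an allowed port and only the baseline comparison catches it, and the scanning host trips both the allowed-traffic check and the scan trigger. Reviewing the three outputs together is the "distinguish between real intrusions and false positives" step from the IDS slide: a single undocumented port is a question for the asset owner, a scan plus a volume spike is an incident.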
Methods for Enforcing Security Policies
• Firewalls and proxy servers
• Group Policy
• Authorized Hardware and Software
• Accountable Employees
• Smart Cards
• Asset Monitoring
• Physical Security
• File Permissions and ACLs
• Auditing
Keeping Current
• http://attrition.org/news/
• http://www.cert.org/
• http://www.ciac.org/ciac/index.html
• www.securityfocus.com
• www.securityfocus.com/tools
• http://sectools.org/
Recommended