PwC CONFIDENTIAL 1

Enterprise Security Architecture

Alvin Tan, Security Architect

Creative Quest Solutions Sdn Bhd

[email protected]

Agenda

• Enterprise Security Architecture FAQs

• Incorporating Security in Enterprise Architecture

• Guidelines

• Keeping Current

Enterprise Security Architecture FAQs

• Is the current architecture supporting and adding value to the security of the organization?

• How might a security architecture be modified so that it adds more value to the organization?

• Based on what we know about what the organization wants to accomplish in the future, will the current security architecture support or hinder that?

Incorporating Security in Enterprise Architecture

• Assessment

– Basic information (servers, workstation etc)

– Infrastructure Security

– Application Security

– Operation Security

– People Security

– Environment

Creating Business Risk Profile

Incorporating Security in Enterprise Architecture

• Infrastructure security (int & ext)

– Perimeter (Firewalls, IDS, AntiVirus)

– Authentication (Password policies)

– Management & Monitoring (staff/vendor)

• Application security

– Application (Line of Business, High Availability, patches)

– Application Design (Password policy, Access controls)

– Data Storage & Communication (DES, 3DES, RC2, RC3, RC4, etc)

Incorporating Security in Enterprise Architecture

• Operations (Op practices & guidelines)

– Environment (self/outsource, SLA, ACs, FWs)

– Security Policy (IT/Business, documentation, guidelines)

– Patch & Update Management (Change, Update policy)

– Backup & Recovery (logs, Firewall logs, …)

• People

– Requirement & Assessment (IT expertise)

– Policy & Procedures (hiring process)

– Training & Awareness (program exist, frequency)

Enterprise Security Architecture FAQs

• Having documented the organization's strategy and structure, the architecture process then flows down into the discrete information technology components such as:

• Organization charts, activities, and process flows of how the IT Organization operates

• Organization cycles, periods and timing

• Suppliers of technology hardware, software, and services

• Applications and software inventories and diagrams

• Interfaces between applications - that is: events, messages and data flows

• Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization

• Data classifications, Databases and supporting data models

• Hardware, platforms, hosting: servers, network components and security devices and where they are kept

• Local and wide area networks, Internet connectivity diagrams

Enterprise Security Architecture FAQs answered

• The organization must design and implement a process that ensures continual movement from the current state to the future state. The future state will generally be a combination of one or more:

• Closing gaps that are present between the current organization strategy and the ability of the IT security dimensions to support it

• Closing gaps that are present between the desired future organization strategy and the ability of the security dimensions to support it

• Necessary upgrades and replacements that must be made to the IT security architecture based on supplier viability, age and performance of hardware and software, capacity issues, known or anticipated regulatory requirements, and other issues not driven explicitly by the organization's functional management.

• On a regular basis, the current state and future state are redefined to account for evolution of the architecture, changes in organizational strategy, and purely external factors such as changes in technology and customer/vendor/government requirements.

Guidelines

• Guidelines for Auditing

• Guidelines for Securing Operating Systems

• Guidelines for Monitoring Network Traffic

• Guidelines for using IDS

• Guidelines for Securing Wireless Transmissions

• Methods for Enforcing Security Policies

Guidelines for Auditing

Guidelines for Auditing the Use of Permissions and User Rights

• Use the appropriate group to ensure adequate auditing information

• Do not audit everything

• Monitor the Audit policy to prevent a rogue administrator from turning off auditing to perform a forbidden action

• Configure the size of the security log to accommodate additional auditing information

• Audit for successes and failures depending on what is being audited
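The five auditing guidelines above, carried out on one Windows host. This is an added example, not part of the original slides; it assumes an elevated Windows PowerShell 5.1 session, and the subcategory list, the audited folder `C:\Data\Finance`, the local group `FinanceUsers` and the 256 MB log size are values chosen for illustration. Event ID 4719 ("System audit policy was changed") is the standard Security-log record of an audit policy change.

```powershell
# Added example (not from the original slides): applies the auditing guidelines
# on a Windows host. Run in an elevated Windows PowerShell 5.1 session.
# Subcategories, folder, group and log size are assumed values.

# 1. Do not audit everything: a short list of subcategories, and success/failure
#    chosen per subcategory depending on what is being audited.
$AuditTargets = @(
    @{ Subcategory = 'Logon';                     Success = 'enable';  Failure = 'enable'  }  # who got in, who failed
    @{ Subcategory = 'Audit Policy Change';       Success = 'enable';  Failure = 'enable'  }  # needed for step 4
    @{ Subcategory = 'Security Group Management'; Success = 'enable';  Failure = 'enable'  }  # admin-group changes
    @{ Subcategory = 'File System';               Success = 'disable'; Failure = 'enable'  }  # failures only: successes are too noisy
)
foreach ($t in $AuditTargets) {
    & auditpol.exe /set "/subcategory:$($t.Subcategory)" "/success:$($t.Success)" "/failure:$($t.Failure)" | Out-Null
}

# 2. Audit object access through the appropriate group rather than per user:
#    a SACL on the folder that matters, scoped to the group whose failed
#    writes and deletes you want recorded.
$Folder = 'C:\Data\Finance'     # assumed
$Group  = 'FinanceUsers'        # assumed local group
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $Group, 'Write,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Size the Security log for the added volume (256 MB, assumed).
& wevtutil.exe sl Security /ms:268435456

# 4. Monitor the audit policy itself: event 4719 names the account that changed
#    it, so an administrator switching auditing off leaves a record. Review it
#    from a system that administrator does not control (e.g. forwarded logs).
function Get-AuditPolicyChange {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4719; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ChangedBy   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Subcategory = $data.SubcategoryGuid
            Changes     = $data.AuditPolicyChanges   # resource codes (e.g. %%8449); $_.Message carries the rendered text
        }
    }
}

Get-AuditPolicyChange -Hours 24 | Format-Table -AutoSize
```

Step 4 only works as a control if the 4719 events leave the host before a rogue administrator can clear the log, which is why the comment points at forwarded logs; on its own, a local query is evidence, not prevention.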

Guidelines for Securing Operating Systems

File System

• Use NTFS on Web sites running Microsoft Windows

• Review directory permissions

• Set access control for the anonymous user account

• Store executable files in a separate directory

User Accounts

• Choose strong passwords for all accounts including the Administrator account

• Change passwords frequently

• Review user accounts frequently

• Maintain strict account policies

• Limit membership of the Administrators group

Services

• Run necessary services only

• Unbind unnecessary services from your Internet adapter cards

• Enable auditing

• Use encryption when administering your computer remotely

• Back up the registry and vital files often

• Run virus checks regularly
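A read-only check of a Windows host against the File System, User Accounts and Services guidelines above. This is an added example, not code from the original slides; it assumes an elevated Windows PowerShell 5.1 session on Windows Server 2012 or later, and the web root `C:\inetpub\wwwroot`, the service allowlist and the Administrators ceiling of 3 are assumed values to be replaced with the documented build of the host.

```powershell
# Added example (not from the original slides): reports deviations from the
# securing-operating-systems guidelines. Read-only; nothing is changed.
# Web root, service allowlist and admin ceiling are assumed values.
$WebRoot         = 'C:\inetpub\wwwroot'                                   # assumed content path
$AllowedServices = @('W3SVC', 'WAS', 'EventLog', 'WinDefend', 'Dnscache',
                     'LanmanWorkstation', 'Winmgmt')                       # assumed documented allowlist
$MaxAdmins       = 3                                                       # assumed ceiling

function Test-HostHardening {
    $findings = New-Object System.Collections.Generic.List[string]

    # --- File System ---
    $drive = (Split-Path -Qualifier $WebRoot).TrimEnd(':')
    $fs = (Get-Volume -DriveLetter $drive -ErrorAction SilentlyContinue).FileSystem
    if ($fs -ne 'NTFS') { $findings.Add("Volume $drive hosting the web root is '$fs', not NTFS") }

    if (Test-Path $WebRoot) {
        # Directory permissions: broad or anonymous identities must not be able to write content
        foreach ($ace in (Get-Acl $WebRoot).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users|IUSR' -and
                $ace.FileSystemRights -match 'Write|Modify|FullControl') {
                $findings.Add("$WebRoot grants $($ace.FileSystemRights) to $($ace.IdentityReference)")
            }
        }
        # Executables belong in a separate directory, not inside the content tree
        Get-ChildItem $WebRoot -Recurse -Include *.exe, *.dll, *.bat, *.cmd -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("Executable inside web content tree: $($_.FullName)") }
    }

    # --- User Accounts ---
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    if ($admins.Count -gt $MaxAdmins) {
        $findings.Add("Administrators has $($admins.Count) members (ceiling $MaxAdmins): $($admins.Name -join ', ')")
    }
    # Accounts nobody reviewed: enabled but unused for 90 days
    Get-LocalUser | Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-90) } |
        ForEach-Object { $findings.Add("Account '$($_.Name)' is enabled but last logged on $($_.LastLogon)") }
    # Password age as reported by the local account policy
    $policy = & net.exe accounts
    if (($policy | Where-Object { $_ -match '^Maximum password age' }) -match 'Unlimited') {
        $findings.Add('Maximum password age is Unlimited; passwords are never forced to change')
    }

    # --- Services ---
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $AllowedServices } |
        ForEach-Object { $findings.Add("Running service not in the documented allowlist: $($_.Name)") }
    # Auditing enabled at all?
    $audit = & auditpol.exe /get /category:*
    if (-not ($audit -match 'Success|Failure')) { $findings.Add('No audit subcategory is enabled') }
    # Encrypted remote administration: a WinRM host should expose an HTTPS listener
    $listeners = & winrm.cmd enumerate winrm/config/listener 2>$null
    if ($listeners -and -not ($listeners -match 'Transport = HTTPS')) {
        $findings.Add('WinRM is listening but has no HTTPS listener; remote administration is not protected by TLS')
    }

    return ,$findings.ToArray()
}

$report = Test-HostHardening
if ($report.Count -eq 0) { 'No findings' } else { $report }
```

The allowlist of services is the point of the "run necessary services only" guideline: without a written list of what the host is supposed to run, the check has nothing to compare against, so the first step on a real host is to record that list from the build documentation rather than from whatever is currently running.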

Guidelines for Monitoring Network Traffic

• Document types of allowed network traffic

• Observe regular network traffic and look for anomalies

• Review logs and network statistics regularly

• Set triggers for common intrusions

• Use multiple IDS products

Guidelines for using IDS

• Consider using both network-based IDS and host-based IDS

• Frequently update IDS signatures

• Understand the nature of intrusions that an IDS can detect

• Distinguish between real intrusions and false positives

• Deploy an IDS on each network segment

• Use a centralized management console to manage an IDS
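The network-monitoring guidelines (document allowed traffic, look for anomalies, set triggers for common intrusions) and the IDS guideline on separating real intrusions from false positives, worked through on a handful of firewall log lines. This is an added example, not code from the original slides. The log lines follow the Windows Firewall log field layout but are constructed; the addresses, the allowlist and the "documented vulnerability scanner" host 10.0.9.9 are invented. The sample contains three things the triggers should react to differently: RDP from a subnet that is not documented for it, a sweep of several ports from an outside address, and the same sweep pattern from the documented scanner.

```powershell
# Added example (not from the original slides): anomaly triggers over constructed
# firewall log lines. Allowlist, hosts and scanner address are invented.

# The documented baseline of allowed traffic. Source is a wildcard pattern; '*' matches anything.
$AllowedTraffic = @(
    @{ Protocol = 'TCP'; DstIp = '10.0.2.10'; DstPort = '80';   Source = '*'        }  # public web
    @{ Protocol = 'TCP'; DstIp = '10.0.2.10'; DstPort = '443';  Source = '*'        }
    @{ Protocol = 'UDP'; DstIp = '10.0.2.5';  DstPort = '53';   Source = '10.0.*'   }  # internal DNS
    @{ Protocol = 'TCP'; DstIp = '10.0.2.10'; DstPort = '3389'; Source = '10.0.1.*' }  # RDP from admin subnet only
    @{ Protocol = '*';   DstIp = '*';         DstPort = '*';    Source = '10.0.9.9' }  # documented vulnerability scanner
)

# Constructed sample in the Windows Firewall log layout (values invented).
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-05-14 09:00:01 ALLOW TCP 10.0.1.15 10.0.2.10 51234 443 60 - - - - - - - RECEIVE
2007-05-14 09:00:02 ALLOW TCP 203.0.113.8 10.0.2.10 51235 80 60 - - - - - - - RECEIVE
2007-05-14 09:00:05 ALLOW UDP 10.0.1.20 10.0.2.5 53412 53 78 - - - - - - - RECEIVE
2007-05-14 09:01:10 DROP TCP 192.0.2.77 10.0.2.10 40001 21 60 - - - - - - - RECEIVE
2007-05-14 09:01:11 DROP TCP 192.0.2.77 10.0.2.10 40002 22 60 - - - - - - - RECEIVE
2007-05-14 09:01:12 DROP TCP 192.0.2.77 10.0.2.10 40003 23 60 - - - - - - - RECEIVE
2007-05-14 09:01:13 DROP TCP 192.0.2.77 10.0.2.10 40004 25 60 - - - - - - - RECEIVE
2007-05-14 09:01:14 DROP TCP 192.0.2.77 10.0.2.10 40005 3389 60 - - - - - - - RECEIVE
2007-05-14 09:02:00 ALLOW TCP 10.0.1.15 10.0.2.10 51300 3389 60 - - - - - - - RECEIVE
2007-05-14 09:02:20 ALLOW TCP 10.0.3.40 10.0.2.10 50100 3389 60 - - - - - - - RECEIVE
2007-05-14 09:03:00 ALLOW TCP 10.0.9.9 10.0.2.10 44000 22 60 - - - - - - - RECEIVE
2007-05-14 09:03:01 ALLOW TCP 10.0.9.9 10.0.2.10 44001 80 60 - - - - - - - RECEIVE
2007-05-14 09:03:02 ALLOW TCP 10.0.9.9 10.0.2.10 44002 443 60 - - - - - - - RECEIVE
2007-05-14 09:03:03 ALLOW TCP 10.0.9.9 10.0.2.10 44003 3389 60 - - - - - - - RECEIVE
2007-05-14 09:03:04 ALLOW TCP 10.0.9.9 10.0.2.10 44004 8080 60 - - - - - - - RECEIVE
'@

function ConvertFrom-FirewallLogLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }   # header, comment or blank line
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }             # malformed line: skip rather than guess
        [pscustomobject]@{
            Time     = [datetime]"$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            DstPort  = $f[7]
        }
    }
}

function Test-Documented {
    param($Event, $Allowed)
    foreach ($a in $Allowed) {
        if (($a.Protocol -eq '*' -or $a.Protocol -eq $Event.Protocol) -and
            ($a.DstIp    -eq '*' -or $a.DstIp    -eq $Event.DstIp) -and
            ($a.DstPort  -eq '*' -or $a.DstPort  -eq $Event.DstPort) -and
            ($Event.SrcIp -like $a.Source)) { return $true }
    }
    return $false
}

function Find-TrafficAnomalies {
    param([string[]]$Lines, $Allowed, [string[]]$KnownScanners, [int]$ScanThreshold = 5)
    $events   = @(ConvertFrom-FirewallLogLine -Lines $Lines)
    $findings = New-Object System.Collections.Generic.List[object]

    # Trigger 1: permitted traffic that the documented baseline does not cover
    foreach ($e in ($events | Where-Object Action -eq 'ALLOW')) {
        if (-not (Test-Documented -Event $e -Allowed $Allowed)) {
            $findings.Add([pscustomobject]@{ Kind = 'UndocumentedTraffic'; Source = $e.SrcIp
                Detail = "$($e.Protocol) to $($e.DstIp):$($e.DstPort) at $($e.Time.ToString('HH:mm:ss'))" })
        }
    }

    # Trigger 2: one source touching many distinct ports (allowed or dropped).
    # The documented scanner produces the same pattern, so it is labelled rather
    # than dropped: a reviewer sees it but does not chase a known false positive.
    foreach ($g in ($events | Group-Object SrcIp)) {
        $ports = @($g.Group | Select-Object -ExpandProperty DstPort -Unique)
        if ($ports.Count -ge $ScanThreshold) {
            $kind = if ($KnownScanners -contains $g.Name) { 'ExpectedScan' } else { 'PortSweep' }
            $findings.Add([pscustomobject]@{ Kind = $kind; Source = $g.Name
                Detail = "$($ports.Count) distinct ports: $($ports -join ',')" })
        }
    }
    return ,$findings.ToArray()
}

$report = Find-TrafficAnomalies -Lines ($SampleLog -split "`r?`n") -Allowed $AllowedTraffic -KnownScanners @('10.0.9.9')
$report | Format-Table -AutoSize
```

Both triggers depend on the first guideline having been done: without the written allowlist, trigger 1 has no baseline, and without the list of known scanning hosts, trigger 2 cannot tell an expected scan from a sweep, which is the false-positive problem the IDS slide warns about.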

Methods for Enforcing Security Policies

• Firewalls and proxy servers

• Group Policy

• Authorized Hardware and Software

• Accountable Employees

• Smart Cards

• Asset Monitoring

• Physical Security

• File Permissions and ACLs

• Auditing

Keeping Current

• http://attrition.org/news/

• http://www.cert.org/

• http://www.ciac.org/ciac/index.html

• www.securityfocus.com

• www.securityfocus.com/tools

• http://sectools.org/

Thank You

This presentation is for informational purposes only. IASA MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Regional IT Architect Symposium 2007

You can make a difference!