Page 1: Adaptive Enterprise Security Architecture

Adaptive Enterprise Security Architecture

John J. Czaplewski | Director of Professional Services | David Lynas Consulting, Ltd.

Page 2

David Lynas Consulting Ltd 2

We build, deploy and operate …

Complex IT Systems

21 September 2016

Page 3

Supported by …

Often Not-So-Engineered Security

Page 4

Our technical security architectures focus on ...

Confidentiality, Integrity, Availability

and are becoming better and better at adapting to a dynamic threat environment

Page 5

But our Enterprises are concerned with much more:

Page 6

We need:

a Framework and Methodology for Developing Adaptive Enterprise Security Architectures

Page 7

SABSA

An internationally recognized methodology for:

• Developing risk-driven enterprise information security and information assurance architectures

• Delivering security infrastructure solutions that support and adapt to critical business initiatives.

Page 8

SABSA

• Begins with developing an understanding of key enterprise business requirements

• Transforms them into key business drivers for security

• Engineers the real business attributes that provide the core supporting framework for an adaptive, living enterprise security architecture

• Creates a chain of traceability from “Strategy & Planning” through “Design”, “Implement” and ongoing “Manage and Measure” to ensure that the business mandate is preserved.

Page 9

An Adaptive Enterprise Security Architecture

Requires a comprehensive set of frameworks, models and methods

Page 10

An Adaptive Enterprise Security Architecture: Frames and Structures all Aspects of Enterprise Security

Page 11

An Adaptive Enterprise Security Architecture: Manages all Aspects of Enterprise Security

Page 12

An Adaptive Enterprise Security Architecture: Requires an Enterprise Security Architecture Governance Model

(Governance model diagram, reduced to its labels.)

Higher Domain Authority (Superdomain, Shareholders, Regulators)

Accountable Domain Authority, Strategy & Planning Phase:

• Develops Strategy and Plans

• Sets Goals, Objectives & Expectations

• Sets Performance Targets

• Sets Risk Appetite

• Sets Policy to Meet Objectives & Targets

Responsible Entities:

• Design: Design Processes; Design Systems; Design Staffing Model; Design Controls & Enablers

• Implement: Establish Processes; Implement Systems; Appoint & Train People; Establish Controls & Enablers

• Manage & Measure: Manage processes & operations; Manage people; Manage systems; Performance & Risk Monitoring against KPIs and KRIs

Flows shown between the parties: Consult & Report Performance (to the Higher Domain Authority); Inform of Responsibility; Report Performance & Compliance With Target; Execute Design Transition; Through-life Assurance.

Page 13

An Adaptive Enterprise Security Architecture: Defines Enterprise Security Architecture Capability Maturity Models

(Maturity model matrix, reduced to its labels: the rows are the layers Contextual, Conceptual, Logical, Physical, Component and Service Management; each layer is assessed across the six columns Assets, Motivation, Process, People, Location and Time; each cell is rated on five maturity levels.)

• 1 Unreliable

• 2 Informal

• 3 Defined

• 4 Monitored

• 5 Optimised

Page 14

An Adaptive Enterprise Security Architecture: Models Domain Roles and Responsibilities

(Domain model diagram, reduced to its labels.)

Domains shown: Super Domain; Domain A; Subdomain; External Impacted Domain (customer); Impacted Peer Domain; External Provider Domain (service provider).

Roles shown:

• Consult (C) to define policy & target

• Inform (I) policy & target to R (responsible) domains

• Inform (I*) performance to Super & Impacted domains

Page 15

An Adaptive Enterprise Security Architecture: Analyses Threats and Opportunities

(Risk Context diagram, reduced to its labels: Assets at Risk sit at the centre, with a threat side and an opportunity side.)

Threat side:

• Threats → Loss Event → Negative Outcomes

• Overall likelihood of loss: likelihood of threat materialising; likelihood of weakness exploited

• Overall loss value: asset value; negative impact value

Opportunity side:

• Opportunities → Beneficial Event → Positive Outcomes

• Overall likelihood of benefit: likelihood of opportunity materialising; likelihood of strength exploited

• Overall benefit value: asset value; positive impact value

Page 16

An Adaptive Enterprise Security Architecture: Understands and Communicates Technical Risk in Business Terms

Page 17

An Adaptive Enterprise Security Architecture: Creates Enterprise Policy Frameworks

• Contextual: Enterprise-wide Business Risk Policy

• Conceptual: Policies for Enterprise-wide Risk & Opportunity Categories (Finance Risk, Operational Risk, Environment Risk, Health & Safety Risk, Information Risk, etc.)

• Logical: Policies for Logical Domains

• Physical: Procedures for Physical Domains

• Component: Standards for Nodes, Addresses, Components

Page 18

An Adaptive Enterprise Security Architecture: Aligns and Integrates Business Requirements

(Diagram, reduced to its labels.)

Total Quality Framework: the Point of Primary Integration for any Standard Requiring Measurable Targets.

Inputs shown: Business Legislation; Process Engineering Methods; Business Governance Frameworks; Business Sector Regulation.

Page 19

An Adaptive Enterprise Security Architecture: Delivers Top-Down, End-to-End Process Security

• Contextual: Meta-Processes

• Conceptual: Strategic View of Process

• Logical: Information Flows & Transformations

• Physical: Data Flows & System Interactions

• Component: Protocols & Step Sequences

Vertical Security Consistency; Horizontal Security Consistency

Page 20

An Adaptive Enterprise Security Architecture: Derives Business-Linked Security Controls & Enablers

Page 21

An Adaptive Enterprise Security Architecture: Builds Defence/Strength-in-Depth Control & Enablement Strategies

Page 22

An Adaptive Enterprise Security Architecture: Integrates Controls Frameworks & Libraries

Technical Controls and Management Controls drawn from: PCI, SOx, HIPAA, NIST, CobiT, ISO 27002

Page 23

An Adaptive Enterprise Security Architecture: Develops Re-usable Operational Risk Management Architectures

• Attributes with performance targets & risk appetite thresholds

• Risk Assessment Ratings: Threat, Opportunity, Vulnerability, Strength, - Impact, + Impact

• Integrated Controls & Enablers Library – MTCS Modelled: Service 1, 2, 3; Mechanism 1, 2, 3; Component 1, 2, 3; Activity 1, 2, 3

Page 24

An Adaptive Enterprise Security Architecture: Incorporates Business-Linked Risk Monitoring and Reporting Dashboards

(Dashboard diagram, reduced to its labels.)

Business Requirements → Business Drivers for Security → Business Attributes

• Risk Management Attributes

• Legal / Regulatory Attributes: Access-controlled, Accountable, Assurable, Enforceable, Compliant, Admissible

Page 25

An Adaptive Enterprise Security Architecture: Ensures the Enterprise Security Architecture Lives

Page 26

An Adaptive Enterprise Security Architecture:

• Security is about mitigating threats AND enabling opportunities

• Change the security conversation to focus on delivering value to the Enterprise

• Include security at the strategy and planning table

• Develop Enterprise Security Architecture that enables the Enterprise to meet its mission, goals and objectives