View
548
Download
0
Embed Size (px)
Citation preview
PowerPoint Presentation
Enterprise Security Architecture A Business ApproachM. M. VeeraragalooMarch 2016
AgendaStrategy and PlanningRisk and OpportunityBusiness Context and RequirementsArchitectural Strategies Internet of Things / EverythingCloudBi-ModalDigitisation / DisruptorsBring Your Own Identity (BYOID)Choose Your Own Device (CYOD)
Strategy and Planning
Strategy and Planning
Does Enterprise Architecture Drive the Strategy?Source: Enterprise Architecture as a Strategy
Source: TOGAF Capability Framework
Source: FEAF
Source: Gartner
All Enterprise Architectures refer to the Strategy and how it will be driving this Strategy within the organisation4
Architecture Supports StrategyEvery morning in Africa, a Gazelle wakes up . It knows it must run faster than the fastest lion. or it will be killed.
Business View Survival StrategyWhen the sun comes up in Africa, it doesnt matter what shape you are:If you want to survive, what matters is that youd better be running!Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle . or it will die of starvation.Is it better to be a Lion or a Gazelle?
5
Strategy and PlanningSecurity in Context? Legacy of Security as a Restraint
The Business Prevention Department
Security is Complex to Define
Security Does not exist in Isolation
SECURE has no intrinsic meaningTo much emphasis on TechnologySilo Approach to Security
The Legacy of Security within the Organisation 6
Strategy and PlanningEnterprise Security Architecture?
Layered Framework
Integrated System Approach
Security meets the Needs of Business
7
Strategy and PlanningFeatureAdvantagesChairman / Board ViewBusiness-DrivenValue-AssuredProtects shareholder valueRisk FocusedPrioritised and ProportionalOptimizes shareholder risk & aligns with risk appetiteComprehensiveScalable ScopeAddresses all shareholder concernsModularAgilityEnables flexibility to meet dynamic market & economic conditionsOpen SourceFree use, StandardGuarantees perpetuity of return on investmentAuditableDemonstrates ComplianceDemonstrates compliance to regulators & external auditorsTransparentTwo Way TraceabilitySupports market transparency & disclosure
Enterprise Security Architecture Framework?
Requires a ESA that can cater for different views from a CXO perspective8
Strategy and PlanningFeatureAdvantagesCEO ViewBusiness-DrivenValue-AssuredProtects corporate reputationRisk FocusedPrioritised and ProportionalMeets corporate governance requirementsComprehensiveScalable ScopeMeets enterprise-wide requirementsModularAgilityEnables fast time to market with business solutionsOpen SourceFree use, StandardProvides assurance through industry standardAuditableDemonstrates ComplianceEnsures a smooth & successful external & regulatory audit processTransparentTwo Way TraceabilityProvides a clear view of expenditure and value returned
Enterprise Security Architecture Framework?
Strategy and PlanningFeatureAdvantagesCFO ViewBusiness-DrivenValue-AssuredEnsures efficient return on investmentRisk FocusedPrioritised and ProportionalImproves predictability & consistencyComprehensiveScalable ScopeSupports scalable, granular budgetingModularAgilityFacilitates effective management of capital & operational costsOpen SourceFree use, StandardEliminates expensive & on-going license feesAuditableDemonstrates ComplianceMinimizes cost of management time dealing with audit processesTransparentTwo Way TraceabilityEnables full audit ability for effectiveness of expenditure
Enterprise Security Architecture Framework?
Strategy and PlanningFeatureAdvantagesCOO ViewBusiness-DrivenValue-AssuredFocuses on performance managementRisk FocusedPrioritised and ProportionalEnables process improvementComprehensiveScalable ScopeProvides end-to-end process coverageModularAgilityIntegrates legacy and future environmentsOpen SourceFree use, StandardSimplifies recruitment and trainingAuditableDemonstrates ComplianceMinimises adverse effect of audit findings on performance targetsTransparentTwo Way TraceabilityMeasures efficiency & effectiveness of processes & resources
Enterprise Security Architecture Framework?
Strategy and PlanningFeatureAdvantagesCRO ViewBusiness-DrivenValue-AssuredEnables flexible fit with industry regulationsRisk FocusedPrioritised and ProportionalSupports enterprise risk & opportunity managementComprehensiveScalable ScopeEnables a fully-integrated risk management strategyModularAgilityEnables incrementally increasing maturityOpen SourceFree use, StandardProvides global acceptability for auditors & regulatorsAuditableDemonstrates ComplianceEnsures that compliance risk is effectively managedTransparentTwo Way TraceabilityDemonstrates current state, desired state of compliance levels
Enterprise Security Architecture Framework?
Strategy and PlanningFeatureAdvantagesCIO ViewBusiness-DrivenValue-AssuredEnables a digital information-age businessRisk FocusedPrioritised and ProportionalIdentifies information exploitation opportunitiesComprehensiveScalable ScopeSustains through-life information architectureModularAgilityEnables technology-neutral information management strategiesOpen SourceFree use, StandardProvides a future-proof framework for information managementAuditableDemonstrates ComplianceFacilitates smooth & successful audits of systems & processesTransparentTwo Way TraceabilityEncourages fully integrated people-process-technology solutions
Enterprise Security Architecture Framework?
Strategy and PlanningFeatureAdvantagesCISO ViewBusiness-DrivenValue-AssuredFacilitates alignment of security strategy with business goalsRisk FocusedPrioritised and ProportionalFacilitates prioritization of security and risk-control solutionsComprehensiveScalable ScopeEnsures all business security & control concerns are addressedModularAgilityEnables a project-focused approach to security developmentOpen SourceFree use, StandardProvides a sustainable framework for security integrationAuditableDemonstrates ComplianceSupports security, risk & opportunity review processesTransparentTwo Way TraceabilityProvides traceability of business-aligned security implementations
Enterprise Security Architecture Framework?
Strategy and PlanningFeatureAdvantagesCTO / Architect ViewBusiness-DrivenValue-AssuredLeverages the full power of information technologyRisk FocusedPrioritised and ProportionalManages information system riskComprehensiveScalable ScopeApplies at any project size or level of complexityModularAgilityProvides a holistic and integrated architectural approachOpen SourceFree use, StandardAvoids vendor-dependence and lock-inAuditableDemonstrates ComplianceImproves relationship and interactions with auditors & reviewersTransparentTwo Way TraceabilityVerifies justification and completeness of technical solutions
Enterprise Security Architecture Framework?
Strategy and PlanningSherwood Applied Business Security Architecture (SABSA)
SABSA META MODEL
SABSA Matrix
SABSA and TOGAF
Risk and Opportunity
Risk and OpportunityRegulatory Drivers for Operational Risk ManagementBASEL II, SOX, Corporate Governance, PCI, HIPAAISO 31000 Improved planning through provision of information for decision-makingRisk Management Strategic, operational and business imperativeRisk Analysis Measures Risk ElementsValuing assets, Identifying threats, Quantifying business impacts, Identifying vulnerabilitiesIssues with Threat-driven ApproachTechnical threats are not well understood by stakeholdersImpact-based ApproachProvides a good view of business criticalityOperational Risk SABSA ApproachBusiness enablement is achieved through excellence in operational processes, people and technical systems
Risk and Opportunity
SABSA Risk & Opportunity Model
Business Context and Requirements
Business Context and RequirementsBusiness-Driven means never losing site of the organisations goals, objectives, success factors and targets.Ensuring that the security strategy demonstrably supports, enhances and protects this.Contextual Architecture LayerFull Set of Requirements, including conflicts in Business Strategy, Risks & PrioritiesConceptual Architecture LayerResolve these conflicts by delivering an appropriate, measurable security strategyBusiness Driven Architecture
Business Context and RequirementsEach Organisations Business Needs are UniqueMeaningful traceability is enabled by credible abstraction from business context (assets, goals & objectives) to a business security contextBusiness Driven Architecture
Business Context and RequirementsAn Attribute is a conceptual abstraction of a real business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)The Attributes Profiling technique enables any unique set of business requirements to be engineered as a standardised and re-usable set of specificationsThe Attributes are modeled into a normalised language that articulates requirements and measures performance in a way that is instinctive to all stakeholdersDefining Business Attributes
Business Context and RequirementsAttributes can be tangible or intangibleEach attribute requires a meaningful name and detailed definition customised specifically for a particular organisationEach attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for securityAttributes must be validated (and preferably created) by senior management & the business stake-holders by report, interview or facilitated workshopThe performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phasePowerful requirements engineering techniquePopulates the vital missing link between business requirements and technology / process designAttributes Profiling Rules & Features
Business Context and RequirementsSample Taxonomy of Attributes
Architectural Strategies
Architectural StrategiesDefine the Business Drivers for the IndustryDriver #Business DriversBD1Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sectorBD2Providing support to the claims made by the Organization about its competence to carry out its intended functions BD3Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems BD4Maintaining the confidence of other key parties in their relationships with the OrganizationBD5Maintaining the operational capability of the Organizations systemsBD6Maintaining the continuity of service delivery, including the ability to meet the requirements of service level agreements where these existBD7Maintaining the accuracy of informationBD8Maintaining the ability to governBD9Preventing losses through financial fraud
BD33Ensuring that security services can be extended to all user locations, to all interface types and across all network types that will be used to support deliveryBD34Maximize the economic advantage of the Enterprise Security ArchitectureBD35Security services to be supported through electronic communications, without the need for physical transfer of documents or storage media.BD36System security solutions should as far as possible comply with internal and external standards and best practicesBD37The Security Architecture should be independent of any specific vendor or product, and should be capable of supporting multiple products from multiple vendorsBD38The Security Architecture must remain compatible with new technical solutions as these evolve and become available, and with new business requirements as these emerge, with a minimum of redesignBD39The Security Architecture must be able to be adapted to counter new threats and vulnerabilities as they are discovered
BD40Ensure that the required internal and external cultural shift is achieved to support the Security ArchitectureBD41Ensuring accurate information is available when neededBD42Minimise the risk of loss of key customer relationshipsBD43Minimize the risk of excessive loading on insurance premiums due to negligence on the Organizations behalf or lack of due diligence
Architectural StrategiesDefine the Business Attributes for the IndustryBusiness AttributeBusiness Attribute DefinitionSuggested Measurement ApproachMetric TypeUser AttributesAccessibleInformation to which the user is entitled to gain access should be easily found and accessed by that user.Search tree depth necessary to find the information SoftAccurateThe information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered. Acceptance testing on key data to demonstrate compliance with design rules HardAnonymousFor certain specialized types of service, the anonymity of the user should be protected. Rigorous proof of system functionality Red team reviewHardSoft
Business Attribute integrated with Measurements for the Industry
Architectural StrategiesIntegrate the Business Drivers and Business Attributes for the IndustryBusiness Attribute integrated with Measurements for the IndustryBusiness AttributeBusiness DriverBusiness Attribute DefinitionMeasurement ApproachMetric Performance TargetUser AttributesAccessible5Information to which the user is entitled to gain access should be easily found and accessed by that user.Search tree depth necessary to find the information SoftAccurate7The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered. Acceptance testing on key data to demonstrate compliance with design rules HardAnonymous4For certain specialized types of service, the anonymity of the user should be protected. Rigorous proof of system functionality Red team reviewHardSoft
Architectural Strategies
Architectural StrategiesInternet of Things / Everything
ConfidentialityIntegrityAvailibilitySafety
The IoT comprises an ecosystem that includes things, communication, applications and data analysisAs IoT use grows, ensuring IoT device authentication is crucial. A lack of authentication standards for most IoT devices has led to highly customized authentication methods in the industry. 36
Architectural Strategies
Cloud Computing
Data Sovereignty Are you allowed to store your data outside of the country what laws allow / deny this?Data Protection Data Privacy, Data Location, Data Management and Protection, Tenancy37
Architectural Strategies
Architectural Strategies
AgileSource: An Enterprise Architecture Practitioners Notes: Volume 3 Solution Level ArchitectureEnterprise Security ArchitectureBimodal
Architectural StrategiesDigitisation / DisruptorsDigital Disruptors
Source: Gartner 2015
Digital business is the creation of new business designs that not only connect people and businesses, but also connect people and businesses with things todrive revenue and efficiency. Digital business helps to eliminate barriers that now exist among industry segments, while creating new value chains andbusiness opportunities that traditional businesses cannot offer.40
Architectural StrategiesDigitisation / DisruptorsDigital Disruptors
Risk & Opportunity
Business Drivers & Business AttributesSolution GranularitySecure by Design
Maintaining effective security starts with knowing what effect you need to achieve. This means you need to start by focusing on risk. Through risk assessment and risk management practices we can identify the critical outcomes for the enterprise and transform those outcomes into security tactics.41
Architectural StrategiesBring Your Own Identity (BYOID)
Security Risk? or Business Advantage?What is the Business Value? Is it part of the Corporate Strategy? Loss of Control vs Cost
Identity and Access Management accessing anything from anywhere42
Architectural StrategiesBYODCYODEmployees appreciate using the device with which they are the most comfortable with.Requires employees to choose from a list of preapproved devices.Mobile Protection StrategyData Management on the DeviceData Backup PolicyPersonal Data vs. Business dataUser Acceptance PolicyLack of support and application consistency across all platformsIncreased threat of mobile malwareUser Awareness and TrainingPolicies Agile enough?
Business Models
Secure byDesignSecure byDesignSecure byDesignSecure byDesign
Cloud ServicesBimodal Services
Digital DisruptorsIoT
Green ITBYOD CYODBYOIDBig Data
The Journey is the Reward ~ Chinese Proverb