Posted: 05-Dec-2014 | Category: Technology | Uploaded by: aamir97
Enterprise Security Architecture
Stefan Wahe, UW - Dept of Information Technology – Security
Lockdown 2004 - Enterprise Security Architecture
Outline
• What is Enterprise Security Architecture (ESA)?
• What is NAC?
• Enterprise Security Program
• NAC’s Vision of Enterprise Security Architecture
  – Overview
  – Governance
  – Architecture
  – Operations
• Reference Links
Enterprise Security Architecture
• Enterprise security architecture provides the conceptual design of network security infrastructure, related security mechanisms, and related security policies and procedures
• Enterprise security architecture links the components of the security infrastructure into a cohesive unit
• The goal of this cohesive unit is to protect corporate information
  – Source: SANS, One Approach to Enterprise Security Architecture
What is the Network Applications Consortium?
• The Network Applications Consortium was founded in 1990
• Mission Statement: Promote member collaboration and influence the strategic direction of vendors developing virtual-enterprise application and infrastructure technologies
• Goals and Objectives: Provide members with the tools for radically improving the delivery of agile IT infrastructure in support of business objectives. In its dedication to resolving the strategic issues and objectives facing member organizations, the Consortium maintains an ongoing focus on the following strategic objectives:
  – Continually aligning the strategic initiatives of NAC with the strategic direction of members
  – Influencing the information technology industry and promoting ongoing collaboration and knowledge sharing among members, vendors, and other industry thought leaders
  – Improving application and infrastructure interoperability, integration, and manageability across the heterogeneous, virtual-enterprise computing environment
NAC Member Organizations
• University of Wisconsin
• Boeing Company
• Bechtel
• Principal Financial Group
• State Farm Insurance
• GlaxoSmithKline
• Lawrence Livermore National Laboratory
• TD Bank of Canada
• … to name a few
Enterprise Security Program
• NAC identified Enterprise Security Architecture as part of an overall Enterprise Security Program
• Program drivers are:
  – Business Opportunities
  – Business Requirements
  – Compliance
  – Threats
[Figure: the Enterprise Security Program shown in context alongside Corporate IT Governance, Enterprise Architecture, Corporate Risk Management and Physical Security]
Enterprise Security Program
• Program Management consists of:
  – Requirements
  – Risk Management
  – Strategy
  – Planning
  – Ongoing Program Assessment
  – Education & Awareness
[Figure: Enterprise Security Program component diagram with four groups: Program Management (Requirements, Risk Management, Strategy, Planning, Ongoing Program Assessment, Education & Awareness); Governance (Principles, Policies, Standards, Guidelines & Procedures, Enforcement, Ongoing Assessment); Architecture (Conceptual Framework, Conceptual Architecture, Logical Architecture, Physical Architecture, Design, Development); Operations (Incident Management, Vulnerability Management, Compliance, Administration, Deployment)]
Enterprise Security Program
• Governance consists of:
  – Principles
  – Policies
  – Standards, Guidelines and Procedures
  – Enforcement
  – Ongoing Assessment
[Figure: Enterprise Security Program component diagram (Program Management, Governance, Architecture, Operations), as on the previous slide]
Enterprise Security Program
• Architecture consists of:
  – Conceptual Framework
  – Conceptual Architecture
  – Logical Architecture
  – Physical Architecture
  – Design
  – Development
[Figure: Enterprise Security Program component diagram (Program Management, Governance, Architecture, Operations), as on the previous slide]
Enterprise Security Program
• Operations consists of:
  – Incident Management
  – Vulnerability Management
  – Compliance
  – Administration
  – Deployment
[Figure: Enterprise Security Program component diagram (Program Management, Governance, Architecture, Operations), as on the previous slide]
Enterprise Security Program
[Figure: NAC’s Enterprise Security Program model. Labels recovered from the figure, by panel: Security Drivers (Compliance, Threats, Business Opportunities, Business Requirements); Security Program Management (Requirements, Strategy, Planning, Risk Management, Education & Awareness, Ongoing Program Assessment, Gap Analysis); Security Governance (Principles, Policies, Standards, Guidelines, Procedures, Enforcement, Compliance, Audit); Security Technology Architecture (Conceptual Framework, Conceptual Architecture, Logical Architecture, Physical Architecture, Design, Development); Security Operations (Administration, Compliance, Deployment, Vulnerability Management, Incident Management, Event Management); The End User (Applications, Services)]
ESA - Overview
• In NAC’s vision of ESA there is a strong linkage between governance, technology architecture and operations.
• That linkage is provided via:
  – The policy framework, as part of the governance model
  – The policy-driven security architecture framework, which develops the technology architecture and the operations model
ESA - Governance
• Identify
  – Principles address the securing of the enterprise’s information technology assets
  – Principles provide the highest level of guidance for the security governance process itself and for technology architecture and operations
• Authorize
  – Enforcement of the guiding principles through the creation of policies
  – The control domains represent the highest-level identification of policy
• Implement
  – The authorized courses of action
  – The results are the technical standards, guidelines and procedures that govern information technology security
[Figure: governance cycle. Identify → Principles; Authorize → Policies; Implement → Standards, Guidelines and Procedures; with Enforcement and Ongoing Assessment alongside]
ESA - Governance
• Enforcement
  – Built into the technical standards and procedures
  – Requirements for separate enforcement processes may also be triggered, e.g. as a result of security-related events
• Ongoing Assessment
  – Respond to change: business models change, new technologies are developed and new legislation is passed; e.g. when business products and services are offered directly to the consumer through web-based front ends
[Figure: governance cycle (Identify, Authorize, Implement; Principles, Policies, Standards, Guidelines and Procedures; Enforcement; Ongoing Assessment), as on the previous slide]
ESA - Governance
• The Policy Framework – Principles
  – The basic identified assumptions, beliefs, theories, and values guiding the use and management of technology within an organization
  – Organization-specific business, legal and technical principles
  – The principles template includes: Security by Design, Managed Risk, Usability and Manageability, Defense in Depth, Simplicity, Resilience, Integrity and Enforced Policy
ESA - Governance
• The Policy Framework – Policy
  – Policies authorize and define a program of actions adopted by an organization to govern the use of technology in specific areas of management control
  – Policies are a security governance tool used to enforce an organization’s guiding principles, while adhering to legal and business principles for establishing and maintaining policy through standards, guidelines and procedures
ESA - Governance
• The Policy Framework – Policy
  – Policy Framework Templates
    • NIST 800-XX Policy Framework Template
      – Computer Usage Guidelines
      – Acceptable Use Policy
      – Special Access Policy
      – Special Access Guidelines Agreement
      – Computer Network Hook-up Policy
      – Escalation Procedures for Security Incidents
      – Security Incident Handling Procedures
      – Third Party Network Connections Policy
    • ISO 17799 - A Framework and Template for Policy Driven Security
    • SANS – Security Policy Project
ESA - Governance
• The Policy Framework – Standards, Guidelines and Procedures
  – Policies are implemented through technical standards, guidelines and procedures, which NAC distinguishes as follows:
    • Standards are mandatory directives
    • Guidelines are recommended best practices
    • Procedures describe how to comply with the standard or guideline
ESA - Architecture
• Conceptual Framework – generic framework for policy-based management of security services
• Conceptual Architecture – conceptual structure for management of decision making and policy enforcement across a broad set of security services
• Logical Architecture – provides more detail on the various logical components necessary to deliver each security service
• Physical Architecture – identifies specific products, showing their placement and connectivity relationships required to deliver the necessary functionality, performance and reliability
ESA - Architecture
• Design and Development
  – Range from overall process guidelines to specific guides, templates, and tools
  – Include design patterns, code samples, reusable libraries, and testing tools
  – Aimed at effective utilization of ESA and effective integration into the ESA environment
ESA – Operations
• Security Operations defines the processes required for operational support of a policy-driven security environment
  – The administration, compliance, and vulnerability management processes required to ensure that the technology as deployed conforms to policy and provides adequate protection to control the level of risk to the environment
  – The administration, event, and incident management processes required to enforce policy on the users of the environment
ESA – Operations
• Asset Management – a component and process for maintaining the inventory of hardware and software assets required to support device administration, compliance monitoring, vulnerability scanning and other aspects of security operations. Though not strictly an ESA component, it is a key dependency of security operations
• Administration – process for securing the organization’s operational digital assets against accidental or unauthorized modification or disclosure
• Compliance – process for ensuring that the deployed technology conforms to the organization’s policies, procedures and architecture
ESA – Operations
• Vulnerability Management – process for identifying high-risk infrastructure components, assessing their vulnerabilities, and taking the appropriate actions to control the level of risk to the operational environment
• Event Management – process for day-to-day management of the security-related events generated by a variety of devices across the operational environment, including security, network, storage and host devices
• Incident Management – process for responding to security-related events that indicate a violation or imminent threat of violation of security policy
Reference Links
• Corporate Governance Task Force’s Call to Action - http://www.cyberpartnership.org/InfoSecGov4_04.pdf
• ISO/IEC 17799:2000 Code of Practice for Information Security Management - http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
• Network Application Consortium’s Enterprise Security Architecture: A Framework and Template for Policy Driven Security - http://www.netapps.org
• NIST Security Self Assessment Guide - http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
• SANS Security Policy Project - http://www.sans.org/resources/policies
• Email: [email protected]