Power Point Presentation

Date posted: 05-Dec-2014

Transcript
Page 1: Power Point Presentation

Enterprise Security Architecture

Stefan Wahe, UW - Dept of Information Technology – Security

[email protected]

Page 2: Power Point Presentation

Lockdown 2004 - Enterprise Security Architecture

Enterprise Security Architecture

Outline

• What is Enterprise Security Architecture (ESA)?
• What is NAC?
• Enterprise Security Program
• NAC’s Vision of Enterprise Security Architecture
  – Overview
  – Governance
  – Architecture
  – Operations
• Reference Links

Page 3: Power Point Presentation

Enterprise Security Architecture

• Enterprise security architecture provides the conceptual design of the network security infrastructure, the related security mechanisms, and the related security policies and procedures
• Enterprise security architecture links the components of the security infrastructure into a cohesive unit
• The goal of this cohesive unit is to protect corporate information
  – SANS: One Approach to Enterprise Security Architecture

Page 4: Power Point Presentation

The Network Applications Consortium

• The Network Applications Consortium was founded in 1990
• Mission Statement: Promote member collaboration and influence the strategic direction of vendors developing virtual-enterprise application and infrastructure technologies
• Goals and Objectives: Provide members with the tools for radically improving the delivery of agile IT infrastructure in support of business objectives. In its dedication to resolving the strategic issues and objectives facing member organizations, the Consortium maintains an ongoing focus on the following strategic objectives:
  – Continually aligning the strategic initiatives of NAC with the strategic direction of members
  – Influencing the information technology industry and promoting ongoing collaboration and knowledge sharing among members, vendors, and other industry thought leaders
  – Improving application and infrastructure interoperability, integration, and manageability across the heterogeneous, virtual-enterprise computing environment

Page 5: Power Point Presentation

NAC Member Organizations

• University of Wisconsin
• Boeing Company
• Bechtel
• Principal Financial Group
• State Farm Insurance
• GlaxoSmithKline
• Lawrence Livermore National Laboratory
• TD Bank of Canada
• … to name a few

Page 6: Power Point Presentation

Enterprise Security Program

• NAC identified Enterprise Security Architecture as part of an overall Enterprise Security Program
• Program drivers are:
  – Business Opportunities
  – Business Requirements
  – Compliance
  – Threats

[Figure: the Enterprise Security Program placed in the context of Corporate IT Governance, Enterprise Architecture, Physical Security and Corporate Risk Management]

Page 7: Power Point Presentation

Enterprise Security Program

• Program Management consists of:
  – Requirements
  – Risk Management
  – Strategy
  – Planning
  – Ongoing Program Assessment
  – Education & Awareness

[Figure: Enterprise Security Program framework. Program Management: Requirements, Risk Management, Strategy, Planning, Ongoing Program Assessment, Education & Awareness. Governance: Principles, Policies, Standards, Guidelines & Procedures, Enforcement, Ongoing Assessment. Architecture: Conceptual Framework, Conceptual Architecture, Logical Architecture, Physical Architecture, Design, Development. Operations: Incident Management, Vulnerability Management, Compliance, Administration, Deployment]

Page 8: Power Point Presentation

Enterprise Security Program

• Governance consists of:
  – Principles
  – Policies
  – Standards, Guidelines and Procedures
  – Enforcement
  – Ongoing Assessment

[Figure: Enterprise Security Program framework diagram, as on Page 7]

Page 9: Power Point Presentation

Enterprise Security Program

• Architecture consists of:
  – Conceptual Framework
  – Conceptual Architecture
  – Logical Architecture
  – Physical Architecture
  – Design
  – Development

[Figure: Enterprise Security Program framework diagram, as on Page 7]

Page 10: Power Point Presentation

Enterprise Security Program

• Operations consists of:
  – Incident Management
  – Vulnerability Management
  – Compliance
  – Administration
  – Deployment

[Figure: Enterprise Security Program framework diagram, as on Page 7]

Page 11: Power Point Presentation

Enterprise Security Program

[Figure: Enterprise Security Program diagram with six areas: Security Drivers, Security Program Management, Security Governance, Security Technology Architecture, Security Operations, and The End User. Labels in the diagram: Business Requirements, Compliance, Threats, Business Opportunities, Requirements, Strategy, Planning, Risk Management, Education & Awareness, Ongoing Program Assessment, Gap Analysis, Principles, Policies, Standards, Guidelines, Procedures, Enforcement, Audit, Compliance, Conceptual Framework, Conceptual Architecture, Logical Architecture, Physical Architecture, Design, Development, Applications, Services, Administration, Deployment, Vulnerability Management, Incident Management, Event Management, End Users]

Page 12: Power Point Presentation

ESA - Overview

• In NAC’s vision of ESA there is a strong linkage between governance, technology architecture and operations.
• That linkage is provided via:
  – The policy framework, as part of the governance model
  – The policy-driven security architecture framework, which develops the technology architecture and the operations model

Page 13: Power Point Presentation

ESA - Governance

• Identify
  – Principles follow the securing of the information technology assets of the enterprise
  – Principles provide the highest level of guidance for the security governance process itself, and for technology architecture and operations
• Authorize
  – Enforcement of the guiding principles through the creation of policies
  – The control domains represent the highest-level identification of policy
• Implement
  – The authorized courses of action
  – The results are the technical standards, guidelines and procedures that govern information technology security

[Figure: governance cycle Identify (Principles) → Authorize (Policies) → Implement (Standards, Guidelines and Procedures), with Enforcement and Ongoing Assessment]

Page 14: Power Point Presentation

ESA - Governance

• Enforcement
  – Built into the technical standards and procedures
  – Separate enforcement processes are required when triggered, e.g. as a result of security-related events
• Ongoing Assessment
  – Respond to change: business models change, new technologies are developed and new legislation is passed; e.g. when business products and services are offered directly to the consumer through web-based front ends

[Figure: governance cycle Identify (Principles) → Authorize (Policies) → Implement (Standards, Guidelines and Procedures), with Enforcement and Ongoing Assessment, as on Page 13]

Page 15: Power Point Presentation

ESA - Governance

• The Policy Framework – Principles
  – The basic identified assumptions, beliefs, theories, and values guiding the use and management of technology within an organization
  – Organization-specific business, legal and technical principles
  – The Principles Template includes: Security by Design, Managed Risk, Usability and Manageability, Defense in Depth, Simplicity, Resilience, Integrity and Enforced Policy

Page 16: Power Point Presentation

ESA - Governance

• The Policy Framework – Policy
  – Policies authorize and define a program of actions adopted by an organization to govern the use of technology in specific areas of management control
  – Policies are a security governance tool used to enforce an organization’s guiding principles, while adhering to legal and business principles for establishing and maintaining policy through standards, guidelines and procedures

Page 17: Power Point Presentation

ESA - Governance

• The Policy Framework – Policy
  – Policy Framework Templates
    • NIST 800-XX Policy Framework Template
      – Computer Usage Guidelines
      – Acceptable Use Policy
      – Special Access Policy
      – Special Access Guidelines Agreement
      – Computer Network Hook-up Policy
      – Escalation Procedures for Security Incidents
      – Security Incident Handling Procedures
      – Third Party Network Connections Policy
    • ISO 17799 - A Framework and Template for Policy Driven Security
    • SANS – Security Policy Project

Page 18: Power Point Presentation

ESA - Governance

• The Policy Framework – Standards, Guidelines and Procedures
  – Policies are implemented through technical standards, guidelines and procedures, which NAC distinguishes as follows:
    • Standards are mandatory directives
    • Guidelines are recommended best practices
    • Procedures describe how to comply with the standard or guideline

Page 19: Power Point Presentation

ESA - Architecture

• Conceptual Framework – generic framework for policy-based management of security services
• Conceptual Architecture – conceptual structure for management of decision making and policy enforcement across a broad set of security services
• Logical Architecture – provides more detail on the various logical components necessary to deliver each security service
• Physical Architecture – identifies specific products, showing their placement and connectivity relationships required to deliver the necessary functionality, performance and reliability

Page 20: Power Point Presentation

ESA - Architecture

• Design and Development
  – Range from overall process guidelines to specific guides, templates, and tools
  – Include design patterns, code samples, reusable libraries, and testing tools
  – Aimed at effective utilization of ESA and effective integration into the ESA environment

Page 21: Power Point Presentation

ESA – Operations

• Security Operations defines the processes required for operational support of a policy-driven security environment
  – The administration, compliance, and vulnerability management processes required to ensure that the technology as deployed conforms to policy and provides adequate protection to control the level of risk to the environment
  – The administration, event, and incident management processes required to enforce policy on the users of the environment

Page 22: Power Point Presentation

ESA – Operations

• Asset Management – a component and process for maintaining the inventory of hardware and software assets required to support device administration, compliance monitoring, vulnerability scanning and other aspects of security operations. Though not strictly an ESA component, it is a key dependency of security operations
• Administration – process for securing the organization’s operational digital assets against accidental or unauthorized modification or disclosure
• Compliance – process for ensuring that the deployed technology conforms to the organization’s policies, procedures and architecture

Page 23: Power Point Presentation

ESA – Operations

• Vulnerability Management – process for identifying high-risk infrastructure components, assessing their vulnerabilities, and taking the appropriate actions to control the level of risk to the operational environment
• Event Management – process for day-to-day management of the security-related events generated by a variety of devices across the operational environment, including security, network, storage and host devices
• Incident Management – process for responding to security-related events that indicate a violation or imminent threat of violation of security policy
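The following is an added example and not code from the NAC deck or from the presenter; it shows in a small Python script how the operations processes of Pages 22 and 23 (asset inventory, compliance, vulnerability management, event and incident management) hang together with the governance distinction of Page 18 between mandatory standards and recommended guidelines. The asset inventory, the directives, the event lines and all field and directive names are constructed for illustration and are assumptions, not anything from the slides.

```python
"""Toy policy-driven security operations check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable

# Governance (Page 18): standards are mandatory, guidelines are recommended.
STANDARD = "standard"    # a miss is a policy violation
GUIDELINE = "guideline"  # a miss is only a finding


@dataclass
class Asset:
    """One entry of the asset inventory that operations depend on (fields assumed)."""
    host: str
    role: str
    patch_days_overdue: int
    open_services: set
    exposure: str           # "internet" or "internal"


@dataclass
class Directive:
    """A technical directive implementing a policy (names assumed)."""
    name: str
    kind: str                         # STANDARD or GUIDELINE
    check: Callable[[Asset], bool]    # True when the asset conforms


# Constructed asset inventory (Asset Management is the key dependency).
INVENTORY = [
    Asset("web-01", "web", 0, {"https"}, "internet"),
    Asset("web-02", "web", 45, {"https", "telnet"}, "internet"),
    Asset("db-01", "database", 10, {"postgres"}, "internal"),
]

# Constructed directives defining what "conforms to policy" means here.
DIRECTIVES = [
    Directive("patches-current", STANDARD, lambda a: a.patch_days_overdue <= 30),
    Directive("no-cleartext-admin", STANDARD, lambda a: "telnet" not in a.open_services),
    Directive("minimal-services", GUIDELINE, lambda a: len(a.open_services) <= 1),
]


def compliance_report(inventory, directives):
    """Compliance: for each host, the directives it fails, split by kind."""
    report = {}
    for asset in inventory:
        failed = {STANDARD: [], GUIDELINE: []}
        for d in directives:
            if not d.check(asset):
                failed[d.kind].append(d.name)
        report[asset.host] = failed
    return report


def high_risk_components(inventory, report):
    """Vulnerability Management: rank hosts by standard violations, weighting exposure."""
    def score(asset):
        violations = len(report[asset.host][STANDARD])
        return violations * (2 if asset.exposure == "internet" else 1)
    ranked = sorted(inventory, key=score, reverse=True)
    return [(a.host, score(a)) for a in ranked if score(a) > 0]


# Constructed security events, in the shape an event feed might deliver them.
EVENTS = [
    "host=web-01 src=10.0.0.5 type=auth result=success",
    "host=web-02 src=203.0.113.7 type=auth result=failure count=12",
    "host=db-01 src=10.0.0.9 type=auth result=failure count=1",
    "host=web-02 src=198.51.100.4 type=auth result=failure count=1",
]


def parse_event(line):
    """Parse a 'key=value key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def incidents(events, report, failure_threshold=10):
    """Event Management -> Incident Management: keep only events that indicate a
    violation or imminent threat of violation of policy. A burst of failures is
    escalated on its own; a single failure is escalated only when the host is
    already out of compliance with a mandatory standard."""
    out = []
    for line in events:
        ev = parse_event(line)
        failures = int(ev.get("count", 0)) if ev.get("result") == "failure" else 0
        host_violates_standard = bool(report.get(ev["host"], {}).get(STANDARD))
        if failures >= failure_threshold or (failures and host_violates_standard):
            out.append((ev["host"], ev["src"], failures))
    return out


if __name__ == "__main__":
    rep = compliance_report(INVENTORY, DIRECTIVES)
    for host, failed in rep.items():
        print(host, failed)
    print("high risk:", high_risk_components(INVENTORY, rep))
    print("incidents:", incidents(EVENTS, rep))
```

The design point is the linkage the deck describes on Page 12: the compliance state derived from governance (which directives are mandatory) feeds both the vulnerability ranking and the decision of which events become incidents, so a single failed login on a host that already violates a standard is escalated while the same event on a compliant host is only logged.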

Page 24: Power Point Presentation

Reference Links

• Corporate Governance Task Force’s Call to Action - http://www.cyberpartnership.org/InfoSecGov4_04.pdf
• ISO/IEC 17799:2000 Code of Practice for Information Security Management - http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
• Network Application Consortium’s Enterprise Security Architecture: A Framework and Template for Policy Driven Security - http://www.netapps.org
• NIST Security Self Assessment Guide - http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
• SANS Security Policy Project - http://www.sans.org/resources/policies
• Email: [email protected]