Governance of Information Security Elements in Service-Oriented Enterprise Architecture
Dr. Mehmet Yildiz, Certified Executive IT Architect, IBM Australia and New Zealand, Melbourne, Australia
I-SPAN09 – IASM
Proposed Abstract: This paper identifies and analyzes governance roles and tasks in SOA security governance at the macro level. Drawing from Information Security Management standards and frameworks on one hand and SOA considerations on the other hand, the identified governance elements are mapped to a governance structure that specifies planning and execution aspects at four organizational decision-making levels, resulting in a prescriptive model with practical relevance. This constructive study combines theoretical models and standards with the industry experience of the authors.
Mr Janne J. Korhonen, Department of Computer Science and Engineering, Helsinki University of Technology, Helsinki, Finland
Dr. Juha Mykkänen, HIS R&D Unit, University of Kuopio, Kuopio, Finland
10th International Symposium on Pervasive Systems, Algorithms, and Networks
IASM
Agenda
- Methodology
- Security governance meta-structure
- Conclusion
- Introduction & Background
Biography of Authors
• Janne J. Korhonen
• Researcher at Helsinki University of Technology
• Research areas: Enterprise Architecture and IT Governance
• Particular research interest: Agile Governance Model
• Dr Juha Mykkänen, post-doctoral researcher
• University of Kuopio, Health Information Systems R&D Unit
• Research activities: interoperability, standardization, modelling, service-oriented architectures, application integration, enterprise architecture
• Projects developing and applying SOA and integration approaches
• Dr. Mehmet Yildiz, Enterprise Architect, IBM
• Research interests: enterprise architecture, service oriented architecture, cloud computing, self-healing systems, social computing
Background on EA and SOA in Dynamic Enterprise
[Figure: relationship between Enterprise Architecture (EA), SOA and the ESB in the dynamic enterprise]
There are many vendors investing in SOA application projects. Leveraging their experience is important.
Gartner’s Magic Quadrant for Application Infrastructure for New Systematic SOA Application Projects
SOA Vendors for New Systematic Applications
Ref: Gartner’s Magic Quadrant for New Systematic Applications
Evaluation of Current Architecture Frameworks
None of the assessed frameworks fully meets the major criteria in the Regensburg study. Hence the use of a combination of frameworks is suggested.
Ref: Susanne Leist and Gregor Zellner, University of Regensburg, Institute of Information Management, Germany
Key SOA Concepts
- … a service? A repeatable business task – e.g., check customer credit; open new account
- … service orientation? A way of integrating your business as linked services and the outcomes that they bring
- … service oriented architecture (SOA)? An IT architectural style that supports service orientation
- … a composite application? A set of related & integrated services that support a business process built on an SOA
[Figure: SOA characteristics – Composable, Interoperable, Loosely Coupled, Re-Usable]
A SOA Reference Architecture Sample
[Figure: reference architecture levels – Enterprise Architecture; Ref Architecture for Service Areas; Ref Architecture for a Program; Ref Architecture for a Single Project]
Ref: IBM and Open Group
Concerns at Layer 7 - QoS
1. Increased virtualization
2. Loose coupling
3. Widespread use of XML
4. The composition of federated services
5. Heterogeneous computing infrastructures
6. Decentralized SLAs
7. The need to aggregate IT QoS metrics to produce business metrics
Ref: IBM and Open Group SOA Reference Architecture
Typical Security Architecture for an Enterprise
[Figure: security zones of a typical enterprise]
- External Uncontrolled
- Externally Controlled
- External Business Zone
- Demilitarized Zone
- Internal Zone
- Highly Secure Zone
- Special Domain
SOA Security Reference Model by IBM
Ref: IBM SOA Security Red Book, Dr. Paul Ashley et al
[Figure: governance meta-structure. Decision-making levels (rows): Strategic, Tactical, Operational, Real-Time. Sides (columns): Design, Planning and Support; Development and Execution. Phases: Strategy, Macro Design, Micro Design, Build / Construct, Run / Operate.]
[Figure: security governance elements mapped onto the meta-structure. Decision-making levels (rows): Strategic, Tactical, Operational, Real-Time. Sides (columns): Design, Planning and Support; Development and Execution.]
Security elements mapped:
- Security Policy
- Organizational Security
- Asset Classification and Control
- Access Control
- Compliance
- Personnel Security
- Physical and Environmental Security
- Business Continuity Management
- Communications and Operations Management
- System Development and Maintenance
Conclusion of paper
- The Agile Governance Model promotes clarity in the role definition and requirements management related to the key security elements in enterprise architecture and SOAs.
- The governance model, combined with suitable industry standards such as SOGP or ISO/IEC 17799, can be applied to the definition of roles and responsibilities of security governance activities in complex enterprise systems.
- Specifically, it helps in positioning the security activities at the right organizational levels and, at each level, on either the planning or execution side, so that all security requirements will be addressed adequately throughout the enterprise.