Power Point Presentation

  1. Enterprise Security Architecture
     Stefan Wahe, UW - Dept of Information Technology – Security, [email_address]
  2. Outline
     - What is Enterprise Security Architecture (ESA)?
     - What is NAC?
     - Enterprise Security Program
     - NAC’s Vision of Enterprise Security Architecture
       - Overview
       - Governance
       - Architecture
       - Operations
     - Reference Links
  3. Enterprise Security Architecture
     - Enterprise security architecture provides the conceptual design of the network security infrastructure, the related security mechanisms, and the related security policies and procedures
     - Enterprise security architecture links the components of the security infrastructure into a cohesive unit
     - The goal of this cohesive unit is to protect corporate information
       - SANS: One Approach to Enterprise Security Architecture
  4. The Network Applications Consortium?
     - The Network Applications Consortium was founded in 1990
     - Mission Statement: Promote member collaboration and influence the strategic direction of vendors developing virtual-enterprise application and infrastructure technologies
     - Goals and Objectives: Provide members with the tools for radically improving the delivery of agile IT infrastructure in support of business objectives. In its dedication to resolving the strategic issues and objectives facing member organizations, the Consortium maintains an ongoing focus on the following strategic objectives:
       - Continually aligning the strategic initiatives of NAC with the strategic direction of members
       - Influencing the information technology industry and promoting ongoing collaboration and knowledge sharing among members, vendors, and other industry thought leaders
       - Improving application and infrastructure interoperability, integration, and manageability across the heterogeneous, virtual-enterprise computing environment
  5. NAC Member Organizations
     - University of Wisconsin
     - Boeing Company
     - Bechtel
     - Principal Financial Group
     - State Farm Insurance
     - GlaxoSmithKline
     - Lawrence Livermore National Laboratory
     - TD Bank of Canada
     - … to name a few
  6. Enterprise Security Program
     - NAC identified Enterprise Security Architecture as part of an overall Enterprise Security Program
     - Program drivers are:
       - Business Opportunities
       - Business Requirements
       - Compliance
       - Threats
  7. Enterprise Security Program
     - Program Management consists of:
       - Requirements
       - Risk Management
       - Strategy
       - Planning
       - Ongoing Program Assessment
       - Education & Awareness
  8. Enterprise Security Program
     - Governance consists of:
       - Principles
       - Policies
       - Standards, Guidelines and Procedures
       - Enforcement
       - Ongoing Assessment
  9. Enterprise Security Program
     - Architecture consists of:
       - Conceptual Framework
       - Conceptual Architecture
       - Logical Architecture
       - Physical Architecture
       - Design
       - Development
  10. Enterprise Security Program
     - Operations consists of:
       - Incident Management
       - Vulnerability Management
       - Compliance
       - Administration
       - Deployment
  11. Enterprise Security Program
     (Diagram: Security Drivers, Security Program Management, Security Governance, Security Technology Architecture, Security Operations, The End User)
  12. ESA - Overview
     - In NAC’s vision of ESA there is a strong linkage between governance, technology architecture and operations.
     - That linkage is provided via:
       - The policy framework, as part of the governance model
       - The policy-driven security architecture framework, which develops the technology architecture and the operations model
  13. ESA - Governance
     - Identify
       - Principles address the securing of the enterprise’s information technology assets
       - Principles provide the highest level of guidance for the security governance process itself, as well as for technology architecture and operations
     - Authorize
       - Enforcement of the guiding principles through the creation of policies
       - The control domains represent the highest-level identification of policy
     - Implement
       - The authorized courses of action
       - The results are the technical standards, guidelines and procedures that govern information technology security
     (Diagram: Identify → Authorize → Implement; Principles, Policies, Standards, Guidelines and Procedures, Enforcement, Ongoing Assessment)
  14. ESA - Governance
     - Enforcement
       - Built into the technical standards and procedures
       - Requirements for separate enforcement processes may be triggered, e.g. as a result of security-related events
     - Ongoing Assessment
       - Respond to change – business models change, new technologies are developed and new legislation is passed; e.g. when business products and services are offered directly to the consumer through web-based front ends
     (Diagram: Identify → Authorize → Implement; Principles, Policies, Standards, Guidelines and Procedures, Enforcement, Ongoing Assessment)
  15. ESA - Governance
     - The Policy Framework – Principles
       - The basic identified assumptions, beliefs, theories, and values guiding the use and management of technology within an organization
       - Organization-specific business, legal and technical principles
       - The principles template includes: Security by Design, Managed Risk, Usability and Manageability, Defense in Depth, Simplicity, Resilience, Integrity and Enforced Policy
  16. ESA - Governance
     - The Policy Framework – Policy
       - Policies authorize and define a program of actions adopted by an organization to govern the use of technology in specific areas of management control
       - Policies are a security governance tool used to enforce an organization’s guiding principles, while adhering to legal and business principles for establishing and maintaining policy through standards, guidelines and procedures
  17. ESA - Governance
     - The Policy Framework – Policy
       - Policy Framework Templates
         - NIST 800-XX Policy Framework Template
           - Computer Usage Guidelines
           - Acceptable Use Policy
           - Special Access Policy
           - Special Access Guidelines Agreement
           - Computer Network Hook-up Policy
           - Escalation Procedures for Security Incidents
           - Security Incident Handling Procedures
           - Third Party Network Connections Policy
         - ISO 17799 - A Framework and Template for Policy Driven Security
         - SANS – Security Policy Project
  18. ESA - Governance
     - The Policy Framework – Standards, Guidelines and Procedures
       - Policies are implemented through technical standards, guidelines and procedures, which NAC distinguishes as follows:
         - Standards are mandatory directives
         - Guidelines are recommended best practices
         - Procedures describe how to comply with the standard or guideline
  19. ESA - Architecture
     - Conceptual Framework – generic framework for policy-based management of security services
     - Conceptual Architecture – conceptual structure for management of decision making and policy enforcement across a broad set of security services
     - Logical Architecture – provides more detail on the various logical components necessary to deliver each security service
     - Physical Architecture – identifies specific products, showing their placement and the connectivity relationships required to deliver the necessary functionality, performance and reliability
  20. ESA - Architecture
     - Design and Development
       - Range from overall process guidelines to specific guides, templates, and tools
       - Include design patterns, code samples, reusable libraries, and testing tools
       - Aimed at effective utilization of ESA and effective integration into the ESA environment
  21. ESA – Operations
     - Security Operations defines the processes required for operational support of a policy-driven security environment
       - The administration, compliance, and vulnerability management processes required to ensure that the technology as deployed conforms to policy and provides adequate protection to control the level of risk to the environment
       - The administration, event, and incident management processes required to enforce policy on the users of the environment
  22. ESA – Operations
     - Asset Management – a component and process for maintaining the inventory of hardware and software assets required to support device administration, compliance monitoring, vulnerability scanning and other aspects of security operations. Though not strictly an ESA component, it is a key dependency of security operations
     - Administration – process for securing the organization’s operational digital assets against accidental or unauthorized modification or disclosure
     - Compliance – process for ensuring that the deployed technology conforms to the organization’s policies, procedures and architecture
  23. ESA – Operations
     - Vulnerability Management – process for identifying high-risk infrastructure components, assessing their vulnerabilities, and taking the appropriate actions to control the level of risk to the operational environment
     - Event Management – process for day-to-day management of the security-related events generated by a variety of devices across the operational environment, including security, network, storage and host devices
     - Incident Management – process for responding to security-related events that indicate a violation or imminent threat of violation of security policy
  24. Reference Links
     - Corporate Governance Task Force’s Call to Action - http://www.cyberpartnership.org/InfoSecGov4_04.pdf
     - ISO/IEC 17799:2000 Code of Practice for Information Security Management - http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
     - Network Applications Consortium’s Enterprise Security Architecture: A Framework and Template for Policy Driven Security - http://www.netapps.org
     - NIST Security Self-Assessment Guide - http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
     - SANS Security Policy Project - http://www.sans.org/resources/policies
     - Email: Stefan.Wahe@doit.wisc.edu