Security Patterns How To Make Security Arch Easy To Consume

A challenge security professionals often face is keeping security aligned with the business strategy. Enterprise security architecture can solve that problem, but only if the rest of IT has an easy way to follow the security architecture. Security patterns are one solution to that problem.

Published in: Technology

  1. Security Patterns: How to Make Security Architecture Easy to Consume
     Enterprise Risk/Security Management Conference
     Jeff L. Johnson, CISSP, Enterprise Security Architect, ING Insurance Americas
     Minneapolis, MN, 06.10.2010
     www.ing.com
  2. Security Architecture Roadmap
     Inputs: Business Goals, Market Trends, Information Security Management (ISM)
     Output: the future state of the enterprise security program, expressed as a Capabilities Matrix and a set of Security Patterns
  3. ING Insurance Americas
     • ING: 8th largest company in the world (FORTUNE 2009 Global 500 list), Dutch origins, 107,000 employees, 40 countries
     • Insurance Americas: 10,000 employees, 29 million customers, 500+ applications, 3,000+ servers
     • 2nd largest provider of pensions, 15,000 employees
     • Retirement, Insurance, Investments (www.ing.com/us)
  4. Define - Step 3: Customers Drive Business Goals
     • Easy to use
     • Transparent
     • Compliant
  5. Define - Step 3: Market Trends
     • Competitors
     • Legal
     • Regulations
     • Technology
  6. Define - Step 3: Architecture Frameworks
     TOGAF, Zachman, SABSA, etc.
     Challenges:
     • Complex
     • Sequential process
     • Time to value
     • Resources
  7. ISM Structure
     A hierarchy: each Risk Area contains Building Blocks, each Building Block contains Components, and each Component contains Controls.
  8. Define - Step 3: Risk Areas and Building Blocks
     • User Access Security: User Access Management; Segregation of Duties; Information Access Restrictions; Identity & Access Management
     • Platform Security: OS Hardening; Network Hardening; Generic Application & DB Security; Business Application Security; Workstation & Mobile Devices Hardening
     • IT Resilience: Hardware Infrastructure Resilience; Business and Generic Application Resilience; Data Centre Resilience
     • Change Management: Change Management; Separation of Environments; System Planning & Acceptance; Security & Penetration Testing
     • Sourcing: Vendor Management; Supplier Management; Technical State Compliance
     • Security Monitoring: Security Event Monitoring; Security Incident Management
     • Foundation (underlying all risk areas): Asset Ownership; Information Asset Classification; IT Architecture; Configuration Management; Operational Procedures & Responsibilities; Compliance with ING Policies; Security Awareness
  9. Define - Step 3: Risk Area, Building Blocks and Components
     Risk area: Platform Security
     Building blocks: OS Hardening; Network Hardening; Generic Application & DB Security; Business Application Security; Workstation & Mobile Devices Hardening
     Components of Business Application Security: Critical Impact Assets; High Impact Assets; Medium Impact Assets; Low Impact Assets
  10. Building Block, Components and Controls
     Platform Security > Business Application Security > Critical Impact Assets (also High, Medium and Low Impact Assets)
     Controls overview for Critical Impact Assets (control number, control criteria, dependency on other controls):
     1. Asset Ownership (no dependency)
     2. Information Asset Classification (depends on 1)
     3. Manufacturer Supported Asset (depends on 1 and 2)
     4. OSG Documented & Approved (depends on 1 and 2)
     5. OSG Implemented (depends on 1 and 2)
     6. Application of Security Patches (depends on 1 and 2)
     7. Technical Vulnerability Management (depends on 1 and 2)
     8. Manufacturer Support Tooling (depends on 1 and 2)
     9. Security Assessment & Risk Analysis (depends on 1 and 2)
     10. Data Protection (depends on 1 and 2)
     Every technical control in this list depends on ownership and classification being in place first: a patch or data-protection control applied to an asset nobody owns or has classified cannot be shown to be effective.
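The dependency column on the controls overview is the part of the ISM structure that is easiest to get wrong in practice: a control can be "implemented" on paper while a prerequisite is missing. The following is an added example, not code from the presentation or from ING, that models the hierarchy (control criteria with prerequisites) as data, computes an implementation order that respects the dependencies, and reports which implemented controls are actually effective versus blocked by an unmet prerequisite. The control names and dependency numbers are taken from the slide; the evaluation logic and the `Control` data class are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """One control criterion from the ISM controls overview (assumed shape)."""
    number: int
    name: str
    depends_on: frozenset = frozenset()  # numbers of prerequisite controls


# Controls overview for the Critical Impact Assets component, as on the slide:
# 1 has no dependency, 2 depends on 1, controls 3-10 depend on 1 and 2.
CRITICAL_IMPACT_CONTROLS = (
    Control(1, "Asset Ownership"),
    Control(2, "Information Asset Classification", frozenset({1})),
    Control(3, "Manufacturer Supported Asset", frozenset({1, 2})),
    Control(4, "OSG Documented & Approved", frozenset({1, 2})),
    Control(5, "OSG Implemented", frozenset({1, 2})),
    Control(6, "Application of Security Patches", frozenset({1, 2})),
    Control(7, "Tech. Vulnerability Management", frozenset({1, 2})),
    Control(8, "Manufacturer Support Tooling", frozenset({1, 2})),
    Control(9, "Security Assessment & Risk Analysis", frozenset({1, 2})),
    Control(10, "Data Protection", frozenset({1, 2})),
)


def implementation_order(controls):
    """Return control numbers in an order that satisfies every dependency
    (Kahn's algorithm, lowest number first among ready controls).
    Raises ValueError on a dependency cycle or a reference to an unknown control."""
    known = {c.number for c in controls}
    for c in controls:
        unknown = c.depends_on - known
        if unknown:
            raise ValueError(f"control {c.number} depends on unknown {sorted(unknown)}")
    remaining = {c.number: set(c.depends_on) for c in controls}
    order = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among controls {sorted(remaining)}")
        for n in ready:
            order.append(n)
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


def effective_controls(controls, implemented):
    """Split the implemented control numbers into those that are effective
    (every prerequisite is itself effective, transitively) and those that are
    blocked, mapped to the set of prerequisites that are not effective.
    Walking in dependency order makes a gap propagate to everything built on it."""
    implemented = set(implemented)
    by_number = {c.number: c for c in controls}
    effective = set()
    blocked = {}
    for n in implementation_order(controls):
        if n not in implemented:
            continue
        unmet = {d for d in by_number[n].depends_on if d not in effective}
        if unmet:
            blocked[n] = unmet
        else:
            effective.add(n)
    return effective, blocked


if __name__ == "__main__":
    # Constructed scenario: patches, vendor support and data protection are in
    # place, but nobody has classified the asset (control 2 is missing).
    done, stuck = effective_controls(CRITICAL_IMPACT_CONTROLS, {1, 3, 6, 10})
    names = {c.number: c.name for c in CRITICAL_IMPACT_CONTROLS}
    print("order:", implementation_order(CRITICAL_IMPACT_CONTROLS))
    print("effective:", sorted(names[n] for n in done))
    for n, missing in sorted(stuck.items()):
        print(f"blocked: {names[n]} (needs {sorted(names[m] for m in missing)})")
```

Run as a script it prints the dependency-respecting order (1, 2, 3, ..., 10) and shows that with classification missing only Asset Ownership counts as effective; the other three implemented controls are reported as blocked on Information Asset Classification. The same structure can hold the High, Medium and Low Impact Asset components with different control sets, which is what makes a pattern "build once, use many".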
  11. Capabilities Matrix: Current State
  12. Security Architecture Roadmap (same diagram as slide 2)
  13. Security Patterns
     A security pattern is a well-understood solution to a recurring information security problem.
     Time to value:
     • Easy
     • Build once, use many
     Cookbooks are collections of related security patterns.
  14. Security Pattern Framework
     Open Security Architecture
     • Security patterns catalog
     • Based on capabilities and ISM
     • Prioritize security projects and operational needs
  15. Data Protection Security Pattern Example
     Controls:
     • Media labeling
     • Information leakage
     • Continuous monitoring
     • Use of cryptography
     • Etc.
  16. Data Protection Security Pattern Example
     • Guidance on data protection
     • Repeatable and consumable steps for end users
     • Maps to industry standards and enterprise capabilities
  17. Security Architecture Roadmap (same diagram as slide 2)
  18. References
     • Open Security Architecture, www.opensecurityarchitecture.org
     • Security Patterns, http://www.securitypatterns.org/
     • The Open Group, http://www.opengroup.org/security/gsp.htm
     • A Survey on Security Patterns, http://www.nii.ac.jp/pi/n5/5_35.pdf
     • Data Security Pattern from OSA, http://www.opensecurityarchitecture.org/cms/library/patternlandscape/259-pattern-data-security
