Enterprise Security Architecture Prentice Kinser, CISSP-ISSAP caveat emptor : This material is furnished as-is. The author makes no warranties of any kind, including, but not limited to fitness for purpose, merchantability, exclusivity, or freedom from patent, trademark, or copyright infringement. The findings, interpretations, and conclusions expressed herein are those of the author and do not necessarily reflect the views of any employers, past or present. Use of any product names, images, or trademarks in this material is not intended in any way to infringe on the rights of the trademark holder, nor is it intended to positively or negatively endorse any product or solution. Permission is granted for free usage of all or portions of this document, including derived works, provided proper acknowledgement is given.
Source: Gartner IT Security Summit, Tom Scholtz, 4-6 June 2007, Washington, D.C., “Advanced Security Architecture Practice”
Enterprise Architecture vs. Enterprise Security Architecture
Goal stated as … what?
Enterprise Security Architecture Goal = TRUST Source: Gartner IT Security Summit, Jeffrey Wheatman and Paul E. Proctor, 4-6 June 2007, Washington, D.C., “How to Conduct a Risk Assessment: A Play in Three Acts”
Begin decomposition into individual Target Architecture domains:
Access Control enables an enterprise to manage WHO has access to WHAT , it is supported with a collection of administration tools for defining the whos, the whats, and the circumstances under which access is granted or denied, and it allows the enterprise to delegate and exercise fiduciary responsibilities, such as substantiating access approvals, demonstrating access enforcement, and detecting cross-functional impacts of policy exceptions.
Access Control Target Architecture domain further decomposed into three parts:
Identity Management (the ability to centrally provision and de-provision identities and credentials through workflow and automated processes)
Example: Vetting the documentation a person uses to prove their identity, and issuing appropriately configured badges, account ID’s, and access credentials (passwords, tokens, smart cards, etc.).
Authentication (the process of validating a claimed identity)
Example: Presenting picture ID badge to security guard who validates ID badge against the presenter.
Authorization (the set of permissions afforded to an identity)
Example: Granting the person access to a building based on a predetermined policy.
Drill down into Tactical and Strategic goals, and include timeframe recommendations:
Strategic Goal: All Employees use FIPS201 compliant or compatible smart-cards:
2008: detailed design completed and modifications to policies and procedures finalized
2009: infrastructure build-out completed and new HR procedures implemented
2010: all new employees and a majority of existing employees are issued FIPS compatible identity cards
2011: rollout of FIPS compatible identity cards is complete, and rollout of FIPS compatible PACS is complete
Tactical Alternative: two-factor authentication utilizing one-time-password token technology conforming with the NIST SP800-63 standard for Level-3 Assurance (this is primarily to enable rapid elimination of single-factor authentication on platforms that are unable to support cryptographic smart-cards)
Strategic Goal: All users of enterprise resources (irrespective of employer) are tracked using a Universally Unique Identifier (UUID). Each individual person gets one and only one UUID, irrespective of the number of user ID’s, federated identities, or roles held by that individual over their lifetime.
End game: Consolidation of Identity Management Systems and Processes will occur, organically and via integration with ITIL and CMDB practices. The new Identity Management paradigm is that everyone is external .
The architecture is typically modeled at four levels or domains:
1. Business (or business process) architecture which defines the business strategy, governance, organization, and key business processes of the organization
2. Applications architecture which provides a blueprint for the individual application systems to be deployed, the interactions between the application systems, and their relationships to the core business processes of the organization
3. Data architecture which describes the structure of an organization's logical and physical data assets and the associated data management resources
4. Technical architecture or Technology architecture which describes the hardware, software and network infrastructure needed to support the deployment of core, mission-critical applications
http://www.whitehouse.gov/omb/egov/documents/FTF_Metamodel_Reference_Pilot_Final_December_2006.pdf This is the layer where policies, laws, regulations, etc. impinge via the creation of Business Requirements FEA Metamodel Strategy and Performance Layer
http://www.whitehouse.gov/omb/egov/documents/FTF_Metamodel_Reference_Pilot_Final_December_2006.pdf FEA Metamodel Strategy and Performance Layer
http://www.whitehouse.gov/omb/egov/documents/FTF_Metamodel_Reference_Pilot_Final_December_2006.pdf FEA Metamodel Business Layer (business processes in each LOB are deconstructed into sub-functions, which are responsible for executing strategic requirements enumerated in the previous layer)
http://www.whitehouse.gov/omb/egov/documents/FTF_Metamodel_Reference_Pilot_Final_December_2006.pdf FEA Metamodel Data Layer
http://www.whitehouse.gov/omb/egov/documents/FTF_Metamodel_Reference_Pilot_Final_December_2006.pdf FEA Metamodel Services and Components Layer
http://www.whitehouse.gov/omb/egov/documents/FTF_Metamodel_Reference_Pilot_Final_December_2006.pdf This is where Technology Standards impinge via use of existing (or creation of new) Services and Components FEA Metamodel Technology Layer
http://www.whitehouse.gov/omb/egov/documents/FTF_Metamodel_Reference_Pilot_Final_December_2006.pdf Policies Standards FEA - interface with Policies and Standards
“ Informal and ad-hoc EA processes . Some inventories of information for a given architecture layer may exist, but it is not linked to other layers of the architecture and is incomplete.” Federal EA Maturity Level 1: Initial http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf
Confusion regarding who to consult and who makes decisions
Federal EA Maturity Level 2: Baseline “ The agency has developed a baseline architecture . The architecture has an enterprise-wide scope and communicates a clear line of sight between EA layers.” http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf Mandates ( , etc.) Business Requirements
Federal EA Maturity Level 3: Target “ The agency has developed target architecture . Architecture elements are aligned to agency programs and lines of business . The target architecture addresses priorities and performance objectives identified in the agency’s strategic plan. Architecture has an enterprise-wide scope and communicates a clear line of sight between EA layers.” http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf
Federal EA Maturity Level 4: Integrated “ The agency has developed at least one segment architecture for a core mission line of business, business service or enterprise service . The relevant business owner has approved the segment architecture in writing. The agency’s transition strategy shows migration to the target architecture.” http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf
Federal EA Maturity Level 5: Optimized “ The agency has developed multiple segment architectures to support core mission lines of business, business services or enterprise services . The segment architectures are incorporated into the overall agency EA. The relevant business owners have approved segment architectures in writing.” http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf Enterprise Transition Strategy
Roadmap (FEAF: “Transition Plan”) Current State (FEAF: “Baseline”) Mature Enterprise Architecture Practice Desired Future State (FEAF: “Target”) Policies Standards Policies Standards Architecture Deliverables
Governance and FEA Program Management • “ Description: The agency must govern and manage the implementation and use of EA policies and processes. This includes the appointment of a Chief Architect (CA), allocation of resources and the sponsorship of EA at the executive level. The agency’s EA Program Management Office governs the development, implementation and maintenance of the EA.” • “ Rationale: Effective governance and program management assures agency compliance with EA processes and procedures and facilitates executive support.” http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf
FEA artifacts typically used to satisfy a specific maturity level: … SDLC Guide “A System Development Life Cycle (SDLC) guide describes the agency’s approved policies and methodology for software development projects. Subjects covered by an SDLC guide may include relevant industry or government standards , approved software development tools and languages, policies on reuse of existing components, and a methodology or framework for software development .” … Transition Strategy “The Transition Strategy is a critical component of an effective EA practice. It describes the overall plan for an organization to achieve its target “to-be” EA within a specified timeframe. It clearly links proposed agency investments to the target architecture . Also, the Transition Strategy helps to define logical dependencies between transition activities (programs and projects) and helps to define the relative priority of these activities (for investment purposes).” [we call this Road Mapping ] http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf
Agencies Included in the FEA Assessment Process: U.S. Army Corps of Engineers (USACE) Department of Commerce (DOC) Department of Defense (DoD) Department of Education (ED) Department of Energy (DOE) Department of Health and Human Services (HHS) Department of Homeland Security (DHS) Department of Housing and Urban Development (HUD) Department of Interior (DOI) Department of Justice (DOJ) Department of Labor (DOL) Department of State (State) and US Agency for International Development (USAID) Joint Enterprise Architecture Department of Transportation (DOT) Department of Treasury (Treasury) Department of Veterans Affairs (VA) Environmental Protection Agency (EPA) General Services Administration (GSA) National Aeronautics and Space Administration (NASA) National Science Foundation (NSF) Office of Management and Budget (OMB) Office of Personnel Management (OPM) Social Security Administration (SSA) Small Business Administration (SBA) Smithsonian Institution (Smithsonian) U.S. Department of Agriculture (USDA) (http://www.whitehouse.gov/omb/egov/documents/OMB_EA_Assessment_Framework_v22_Final.pdf)
Business Reference Model 103: Enterprise Architecture 112: Policy and Guidance Development 136: System Development 137: Lifecycle/Change Management 139: IT Infrastructure Maintenance 140: Information Security 263: System and Network Monitoring 302: Internal Risk Mgmt and Mitigation Technical Reference Model 858: Virtual Private Network 859: Legislative / Compliance 860: Authentication / Single Sign-on 862: Supporting Network Services (eg. LDAP, DNS, etc.) 863: Service Transport (https, ipsec, etc.) 867: Integrated Development Env. (IDE) 868: Software Configuration Management 869: Test Management 884: Certificates / Digital Signatures 885: Supporting Security Services (eg. s/MIME, TLS, SAML, etc.) 896: Enterprise Application Integration (BPM) 901: Service Description / Interface (SOA) Performance Reference Model 445: Security 446: Privacy 471: Availability 472: Reliability Service Component Reference Model 542: Risk Management 543: Workgroup / Groupware 582: Digital Rights Management 640: Instrumentation and Testing 641: Software Development 648: Identification and Authentication 649: Access Control 650: Cryptography 651: Digital Signature Management/PKI 652: Intrusion Prevention 653: Intrusion Detection 654: Incident Response 655: Audit Trail and Capture Analysis 656: Certification and Accreditation 657: FISMA Management and Reporting 658: Virus Protection 659: Email 673: Community Management FEA SECURITY ARCHITECTURE Organized by Federal Enterprise Architecture Layers http://www.whitehouse.gov/omb/egov/documents/FEA_CRM_v23_Final_Oct_2007.pdf
Take the time to talk to all the stakeholders – stress that your goal is to providing air-cover for them to do what they already know needs to be done, and even invite the more talented/invested of your participants to write sections of the architecture documents.
Make sure everyone understands that “security architecture” is not static. It is a cascading hierarchy of evolving models and living artifacts -- a continuous process that flexes to accommodate new business requirements and rapidly evolving threat and regulatory landscapes.
Include a vision of the “target” or “end-game”, and include intermediate steps (“roadmap”) as well. Without this, the architecture can sound “ivory tower”.
Don’t fixate on structure or format; promote action. Be opportunistic: elevate the priority of architecture deliverables that will have an immediate positive impact on key projects. Security architecture is a means to an end, not an end in itself.
Intertwine Technology and Business viewpoints (non-trivial). Onus is on Security Architect to learn business principles, terminology, etc.
Align with Enterprise Architecture (non-trivial). Onus is on Security Architect to learn enterprise architecture principles, terminology, etc.
Provide enough abstraction to reduce complicating factors (technology religious wars, organizational boundaries, etc.). Note this may just delay the inevitable political battles, but it will at least keep them at bay until buyoff can be obtained on the higher level objectives.
Include multiple options; avoid one-size-fits-all. Reference architectures must allow some leeway for choice.
Dive deep as often as possible and appropriate (strive to provide immediate value wherever feasible – see appendix)
Pictures are your friend, especially if they can be used to tell stories
Governance is your friend. Review and approval of Security Architectures allows SA to be prioritized and enforced, and helps overcome any organizational isolation of the SA function.
Time constraints prevent us from getting into:
rigorous taxonomy, ontology, nomenclature, etc. – this is important
a process that begins with pure business strategy (the process above assumes ISO/IEC 17799 is a reasonable starting point. FISMA, HIPAA, COBIT, etc. can also serve as reasonable staring points.)
metrics for measuring the maturity of a security architecture function
Humility – don’t believe your own PR. Always be open minded.