Security models for security architecture
The presentation should help security professionals create a security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrightTALK.
  • Very informative. Thanks for sharing.
  • This model is used to link the security technologies reference model and blueprints to business requirements. All security technology must support at least one information security process; otherwise it should not be deployed. By linking requirements to policies, policies to processes and processes to technologies, we can be assured that the technologies we deploy are justifiable and, at the same time, we know there should be no gaps. Information Security is a journey, not a project, and needs to be treated accordingly. The Information Security Policy is driven by business, legal and regulatory requirements, which then mandate what security processes must and should be implemented. The IT Security Policy is based on the ISF Standard of Good Practice (SoGP), which maps to major regulatory and international standards. Security processes are run by people using technology and report to the Information Security Centre, where data is correlated, normalised and made available for management decisions, at the appropriate level of detail for the audience. The effectiveness of security processes is measured by internal security metrics that are based on accepted best-practice metrics, hence Nokia's information security status can be compared with that of other companies.
  • Why an information security policy and then an IT security policy? The IT security policy is for the CIO/CTO. Architecture repository -
  • Examples of business objectives: increase market share by adopting e-commerce; increase output in factories by 20%. Examples of security processes: security controls can span more than one security process, and security processes typically cover multiple controls.
  • The areas support each other; all feed into SIEM and GRC.
  • Network firewalls – ideally application-session aware; audit the configuration. VPN gateways – linked to the IAEM platform, Network Access Control, application streaming. Network Intrusion Detection/Prevention – physical and virtual, linked to the CMDB, vulnerability data and logging. DDoS – protecting against flooding but also against application-specific DoS.

Presentation Transcript

  • SECURITY MODELS FOR IMPROVING YOUR ORGANIZATION'S DEFENCE POSTURE AND STRATEGY
    Vladimir Jirasek
    Blog: JirasekOnSecurity.com
    Bio: About.me/jirasek
    9th Nov 2011
  • About me
    • Security professional (11 years)
    • Founding member and steering group member of the Common Assurance Maturity Model, CAMM (common-assurance.com)
    • Director, CSA UK & Ireland
    • I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
  • Topics I will cover today
    • Security model for information security
    • Security policy structure
    • Security processes
    • Security technology stack
    • Security metrics for organisations
  • Security model – business drives security (diagram; only the labels are recoverable from the slide)
    • Inputs: International security standards; Laws & Regulations; Product requirements; Security threats intelligence; External security metrics
    • Actors: CEO & Board; Line Management; Information Technology Management; Security Professionals; Auditors
    • Frameworks: Governance framework; Policy framework; Process framework; Metrics framework; Compliance Program; Risk & Compliance Management; Information Security Artefacts; Security Metrics Portal
    • Layers: Information Security Policies; Information Security Processes; Information Security Metrics (Drivers, Rules, People, Measure, Inform)
    • Activities: Business objectives; Define security objectives; Define security controls; Execute security controls; Measure security controls maturity; Correction of security processes
  • Information Security Policy framework (diagram)
    • CISO – Business and Information Security objectives: Information Security Policy; Data classification policy; Employee Acceptable Use Policy
    • CIO – Security Information Technology objectives: Information Technology Security Policy
    • IT Security Architecture: IT security standards [reuse internationally accepted controls]; Technology controls and architecture repository
    • Technical Security teams: Security processes guidelines
  • Relationship between business objectives and security processes (diagram)
    • Chain: Business objectives (BO1, BO2, BO3) → Security objectives (SO1 to SO5) → Controls (C1 to C11, sourced from international standards) → Security processes (P1 to P4); business processes B1, B2 and B3 sit alongside the business objectives
    • Provides the response to "Do we have all business risks covered?" and to "Why are we doing this?"
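The two questions on this slide, and the speaker's rule that a technology supporting no security process should not be deployed, can be checked mechanically once the chain is recorded as data. The following is an added example (not from the presentation); the BO/SO/C/P identifiers mirror the slide's labels, and the technology names and all edges are constructed placeholders.

```python
"""Traceability chain: business objectives -> security objectives -> controls
-> security processes -> technologies. Added example with constructed data."""

# Constructed sample edges in the slide's naming. BO3 has no security
# objective (a coverage gap); "legacy-scanner" supports no process.
BO_TO_SO = {"BO1": ["SO1", "SO2"], "BO2": ["SO3"], "BO3": []}
SO_TO_CONTROL = {"SO1": ["C1", "C2"], "SO2": ["C3"], "SO3": ["C4"]}
CONTROL_TO_PROCESS = {"C1": ["P1"], "C2": ["P1"], "C3": ["P2"], "C4": ["P2"]}
TECH_TO_PROCESS = {"firewall": ["P1"], "waf": ["P2"], "legacy-scanner": []}


def uncovered_business_objectives(bo_to_so, so_to_control, control_to_process):
    """'Do we have all business risks covered?' A business objective counts
    as covered only if a full chain BO -> SO -> control -> process exists."""
    uncovered = []
    for bo, sos in bo_to_so.items():
        processes = [p for so in sos
                     for c in so_to_control.get(so, [])
                     for p in control_to_process.get(c, [])]
        if not processes:
            uncovered.append(bo)
    return uncovered


def unjustified_technologies(tech_to_process):
    """Speaker's rule: a technology supporting no security process is not justified."""
    return [tech for tech, procs in tech_to_process.items() if not procs]


def why_are_we_doing_this(tech, tech_to_process, control_to_process,
                          so_to_control, bo_to_so):
    """Walk the chain backwards from a technology to the business objectives it serves."""
    procs = set(tech_to_process.get(tech, []))
    controls = {c for c, ps in control_to_process.items() if procs & set(ps)}
    sos = {so for so, cs in so_to_control.items() if controls & set(cs)}
    return sorted(bo for bo, s in bo_to_so.items() if sos & set(s))


if __name__ == "__main__":
    print("uncovered:", uncovered_business_objectives(BO_TO_SO, SO_TO_CONTROL, CONTROL_TO_PROCESS))
    print("unjustified:", unjustified_technologies(TECH_TO_PROCESS))
    print("waf serves:", why_are_we_doing_this("waf", TECH_TO_PROCESS, CONTROL_TO_PROCESS,
                                               SO_TO_CONTROL, BO_TO_SO))
```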
  • Sources of security controls
    • ISO 27000 series
    • ISF Standard of Good Practice 2011
    • PCI DSS
    • NIST SP 800-53
    • CObIT 4
    • SANS 20 critical controls
  • Security technology stack
    • Layers: GRC; Information & Event Mgmt; Identity, Entitlement, Access; Data Security; Cryptography; Application Security; Host Security; Network Security; Physical Security
    • Organise security reporting around the stack
    • For each layer prepare a current state and target state analysis and a roadmap
  • Security stack::Network
    • Network firewalls
    • VPN gateways
    • Network Intrusion Detection/Prevention
    • DDoS
    • WiFi security
    • Network Access Control
    • DNS Security
    • Web, Email & IM filtering
  • Network security relationships (diagram)
    • Data security: Monitor and control data flows on network
    • Host security: Interconnect hosts on network; Control hosts on network
    • Identity and Access: Use identity; Retrieve access control
    • Application security: Monitor and control applications running on network
    • Security event management: Send security logs; Detect security incidents
    • Cryptography: Establish secure channel; Key management; Crypto offload
  • Security stack::Host
    • Configuration compliance
    • Patch management
    • Vulnerability scanning
    • Anti-malware
    • Application control
    • Location awareness
    • Device control
    • Trusted execution protection
  • Host security relationships (diagram)
    • Network security
    • Data security: Monitor and filter restricted data; Protects data at rest
    • Application security: Protect integrity of applications
    • Identity and Access domain: Use identity; Retrieve access control
    • Security event management: Send security logs; Detect security incidents
    • Cryptography domain: Key management
  • Security stack::Application
    • Code reviews/scanning – binary and source
    • Security sensors (AppSensor)
    • Web application scanning
    • Penetration testing
    • Web protection (WAF)
    • Chart: Application Security Services throughout a lifecycle – axes: Number of flaws and vulnerabilities; Cost to remediate; lifecycle stages E1, E2, E3, E4, E5, EOL; services: Binary Code Analysis, IT Security Assessment, Web Application Scanning, Web Application Protection
  • Application security relationships (diagram; no labels beyond the stack legend are recoverable)
  • Security stack::Data
    • Data classification
    • Email encryption
    • File encryption
    • Document Rights Management
    • Data Leakage protection
    • Watermarking
    • End point encryption
    • Database security
  • Data security relationships (diagram; no labels beyond the stack legend are recoverable)
  • Security stack::IAEM
    • Principal management
    • Account provisioning
    • Rights management
    • Directories
    • Single sign on and Federation
    • Authorisation
    • Role and rights auditing
    • 2nd factor authentication
  • IAEM relationships (diagram)
    • Provides authentication and authorisation services to Network security, Host security, Data security and Application security
    • Security event management: Send security logs; Detect security incidents
    • Cryptography domain: Key management
  • Security stack::Cryptography
    • Key generation
    • Key escrow
    • Host and Network HSM
    • Certificate management & PKI
  • Cryptography relationships (diagram)
    • Data security: Store encryption keys; Email certificates
    • Host security: Disk encryption
    • Identity and Access: Certificates for authentication
    • Security event management: Digital signatures of log files; Encryption of sensitive logs
    • Application security: Application signing; Encrypted and signed application communication
    • Network security: IPSec VPN; SSL VPN, SSL split tunnel
  • Security stack::SIEM
    • Collection of security relevant logs
    • Archiving – retention
    • Correlation with other data sources
    • Acting on security information
    • Ideal to use MSSP
  • SIEM relationships (diagram)
    • Security event management: Collect, analyse and react on security events
    • CMDB: Collect security configuration
    • Feeds: Identity and Access; Data security; Network security; Cryptography; Application security
  • Security metrics characteristics
    • Measurable
    • Objective
    • Quantitative (ideally)
    • Meaningful
    • With KPIs attached – know what is good and bad
    • Linked to business objectives – money speaks
  • Metrics for CIO – Policy compliance and control maturity

    Policy statement   IT Unit A   IT Unit B   IT Unit C   Overall IT
    Governance         3           3.5         2           3
    Awareness          3           4           3           3.5
    Development        N/A         2           1           1.5
    Hardening          4           N/A         2           3
    Network            N/A         N/A         3           3
    End devices        2           2           3           2

    Overall row values (column assignment is not recoverable from the slide): 3 (£3m), 2 (£10m), 3 (£13.1m), 3 (100k)

  • Metrics for CIO – Maturity of controls for business processes/services
    Invest in IT service to lower the VaR.

    IT Service       IT Maturity   VaR for Process A   VaR for Process B   VaR for Process C   VaR for IT service
    IT Service 1     2             £1m                 £2m                 £1m                 £4m
    Infrastructure   3             £1m                 £3m                 £10m                £14m
    IT Service 2     3             £0.5m               N/A                 £20m                £20.5m
    IT Service 3     4             N/A                 £100k               £500k               £600k
    Overall                        £2.5m               £5.1k               £31.5m              £39.1m
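The VaR table above can be rolled up per IT service and per business process, and read as the slide suggests to pick where maturity investment would reduce the most exposure. This is an added example, not the presentation's own material; it uses the slide's figures in £m, treats N/A cells as no exposure, and the "lowest maturity first, then highest VaR" priority rule is an assumption about how the slide is meant to be read.

```python
"""Roll up the 'Metrics for CIO' VaR table and rank IT services for investment.
Added example; figures are the slide's values in £m, N/A recorded as None."""

# (IT service, IT maturity, {business process: VaR in £m or None})
SERVICES = [
    ("IT Service 1",   2, {"A": 1.0,  "B": 2.0,  "C": 1.0}),
    ("Infrastructure", 3, {"A": 1.0,  "B": 3.0,  "C": 10.0}),
    ("IT Service 2",   3, {"A": 0.5,  "B": None, "C": 20.0}),
    ("IT Service 3",   4, {"A": None, "B": 0.1,  "C": 0.5}),
]


def var_per_service(services):
    """Row totals: exposure of each IT service across all business processes."""
    return {name: round(sum(v for v in cells.values() if v is not None), 2)
            for name, _, cells in services}


def var_per_process(services):
    """Column totals: exposure of each business process across all IT services."""
    totals = {}
    for _, _, cells in services:
        for proc, v in cells.items():
            if v is not None:
                totals[proc] = round(totals.get(proc, 0.0) + v, 2)
    return totals


def total_var(services):
    """Grand total of the table."""
    return round(sum(var_per_service(services).values()), 2)


def investment_priority(services):
    """Assumed reading of 'invest in IT service to lower the VaR': the least
    mature service first; among equal maturity, the one carrying more VaR."""
    per_service = var_per_service(services)
    ranked = sorted(services, key=lambda s: (s[1], -per_service[s[0]]))
    return [name for name, _, _ in ranked]


if __name__ == "__main__":
    print(var_per_service(SERVICES))
    print(var_per_process(SERVICES), total_var(SERVICES))
    print(investment_priority(SERVICES))
```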
  • Summary
    • Business drives security
    • Reuse good content from the information security community
    • Security policy framework – target audience, think of implementation
    • Link security metrics to policy, which is linked to business objectives
    • All-rounded security controls – good prevention against cyber threats