Information Security By Design

Information Security is becoming a focus for the entire enterprise, not just IT. The need to align business and technology is forcing IT to move Information Security from afterthought to forethought. Architects now ask how Information Security can be integrated into the broader discipline of Enterprise Architecture. This session shows how to make that integration happen. You will learn how to identify assets and define trust and threat models as part of your overall EA plan, and how Information Security is traced all the way from business architecture to the technology implementation. Participants will understand the components of an integrated EA and Information Security framework and how to ensure traceability between business goals and the IT security solutions delivered from the framework.

Key Issues:
-Understand the need to think early about Information Security
-Learn to incorporate Information Security into your EA blueprint and roadmap
-Integrate Information Security goals, objectives and capabilities with your EA view of strategy
-Integrate security policies, services and mechanisms with your EA view of solutions
-Integrate security mechanisms, standards, and guidelines into your implementations

  1. Information Security by Design. Nalneesh Gaur, CISSP, Diamond Management and Technology Consultants, April 10, 2008
  2. By the end of this course, you should be able to…
     - Understand the need to think early about Information Security
     - Learn how to align Information Security and business
     - Capture Information Security capabilities
     - Define security services and mechanisms
     - Apply an integrated Information Security EA framework to your practice
  3. Businesses are transforming to address information risks
     Management pressure points:
     - Numerous regulations and control standards
     - Distributed operations and relationships
     - Increased accountability
     - Fragmented information security organization structure
     - Increased globalization, crime and cyber terrorism
     - Heightened privacy awareness among consumers
     - Board-level visibility
     Transformational change:
     - Establishment of a Chief Information Security Office (CISO) organization and governance structures
     - Implementation of a risk-based Information Security roadmap
     - Development of risk intelligence
     - Raising awareness of the importance of information security and best practices
     - Establishment of an Information Security architecture (today's topic)
     - Implementation of controls and reporting automation
     - Purchase of cyber-insurance
  4. Information Security bridges the gap between Operational Risk and IT Security
     Operational Risk areas (the overarching framework for addressing risk): Business Process; Operations & Culture; Employee & Physical Asset; Business Continuity; Financial Reporting; Legal; Regulatory; Vendor; External.
     Information Security areas (focus on risk to information in all of the operational risk areas): Policy, Organization & Governance; Asset Management; Personnel Security; Physical Security/Access Control; Systems Development Life Cycle; Incident/Business Continuity; Communications & Operations Management; Compliance. Examples of issues addressed: financial integrity, trust, fraud, access management, intellectual property, privacy.
     IT Security (technology; focuses on information technology risks alone, in all of the Information Security areas):
     - IT Threats, e.g. viruses and spyware, hackers
     - Audits & Assessments, e.g. penetration testing, security assessments
     - Security Operations, e.g. patching applications, provisioning users/access
     - Controls, e.g. system hardening, firewalls, anti-virus
  5. To address information risks, the Enterprise Architect must align business, operational risk and technology
     The CISO/CRO and the business want to know:
     - Are our assets protected?
     - What is our exposure?
     - How do we prevent the next attack?
     - How do we comply with regulations?
     - How much does it cost?
     - Which controls do I prioritize?
     - How do we improve security?
     - How do I automate controls reporting?
     - How do I gain executive buy-in?
     Technical staff want to know:
     - How do I prioritize between IT and Security?
     - How do I integrate Security into the infrastructure?
     - How do I ensure consistency?
  6. But roadblocks often thwart alignment
     - Information Security does not engage the business
       - Technology-driven solutions "offered" to the business
       - Solutions looking for problems to solve
       - Organizational anomalies
     - Business strategy is too vague
       - Mission, vision and goals exist. Then what?
     - Complexity of the business
       - Do we plan for the whole enterprise?
     - Enterprise Architecture is considered "too complex" and "too costly"
  7. Alignment can be achieved through collaboration on a business-driven plan (suggested approach)
     - Business Architecture: the business owns it (leadership for strategy & operations, business SMEs); Infosec facilitates
     - Solution Architecture (platform independent): Infosec owns it; the business approves
     - Technical Architecture (infrastructure & processes): IT Security owns it; governed by the Business and Solution Architectures
  8. The result is a business-capability driven blueprint that integrates business strategy, operational risks and Information Security solutions
     Components of a security blueprint:
     - Business Architecture: Strategic Business Architecture (SBA) with goals, objectives and capabilities; Operational Business Architecture (OBA) with key functions, control objectives and trust model
     - Solution Architecture: security policies, privilege associations, security services
     - Technical Architecture: security mechanisms, reference architecture, security standards and guidelines
     Together these produce the security-specific blueprint and roadmap.
  9. Start by understanding the environment and security drivers
     - Understand the environment's enablers and constraints
     - Understand the security drivers: regulations, policies, business strategy, recent incidents, mergers and acquisitions
     - Determine the organization's appetite for security
       - Senior management commitment to security
       - Available resources: people, money
       - Management expectations
     - Involve the business to develop guiding principles
       - A collection of position statements used to assist decision making
       - Positions unlikely to change over the next two to three years
       - Filters for decision-making: guidelines, not hard and fast rules
  10. Engage the business by documenting and driving additional detail into the business strategy
      Strategic Business Architecture (SBA), shaped by the environment, security drivers and guiding principles:
      - Mission: a comprehensive statement covering the major functions and operations that the program addresses
      - Vision: an inspirational, forward-thinking view of what the program wants to achieve
      - Goals: the top priorities that would achieve the vision
      - Objectives: a set of realistic outcomes, tracked by performance indicators, that collectively support goal attainment
      - Capabilities: a description of how the business plans to achieve the objectives
      - Requirements: a description of what should be implemented
  11. Engage the business by documenting and developing the details of the business operations
      Operational Business Architecture (OBA):
      - Trust Model: entities, trust hierarchy, trust domains
      - Key Business Functions: level 0/1 functions, capabilities mapping, gap analysis
      - Control Objectives: information risks, likelihood and impact, control standards
      - Organization Context: stakeholders, locations
  12. Starting with the business context view, identify the organizational aspects and then the respective functions
      What it is: a top-down description of level 0 and level 1 line-of-business functions. Each level has 5-10 steps. Use it to assess any gap against the detailed processes. These functional maps serve as inputs in understanding and defining trust relationships and control objectives.
      How to do it:
      - Use IDEF-0 to develop functional maps and relationships. IDEF-0 allows simple visualization of inputs, outputs, controls and mechanisms.
      - Define best-in-class, end-to-end IDEF-0 maps and definitions for the relevant level 0 and level 1 business functions.
      Sample deliverable: Level 0/1 Functions
  13. For each function, map the SBA capabilities
      What it is: a detailed mapping of SBA business capabilities to their supporting level 1 functions. The mapping assists in identifying capability gaps.
      How to do it:
      - Use a spreadsheet to organize capabilities and then match functions to capabilities.
      - Examine the level 1 functions and identify the characteristics that enable the business capabilities (already captured from the SBA).
      Sample deliverable: Capabilities Mapping
  14. Identify gaps in capabilities by comparing the current and future capabilities
      What it is: observations, risks, implications and planned resolutions for capability gaps in functions.
      How to do it:
      - Compare the high-level functions with the current-state detailed functions.
      - Identify new capabilities and the functions required to support them.
      Sample deliverable: Gap Analysis
  15. Employ the knowledge of key functions to document and define the Trust Model; start by identifying the entities
      What it is: an entity is a subject that takes an action in a business environment. Entities can be external (e.g. vendors, partners, customers) or internal (e.g. business units, employees).
      How to do it: use the key functions and identify the subjects involved in those functions.
      Sample deliverable: Entities
  16. Once the entities are known, identify the relationships and specifics such as the information exchanged between them
      What it is: trust hierarchies are relationships and may be represented as one-way vs. two-way, transitive, external vs. internal. Business involvement in identifying the relationships is critical. The trust hierarchy allows for discrimination between relationships.
      How to do it:
      - Identify the relationships between the entities.
      - Document the type of information being exchanged across each relationship.
      Sample deliverable: Trust Hierarchy
  17. Develop trust domains by identifying common security themes
      What it is: trust domains consist of entities and relationships that share a common security theme. Trust domains are not a rigid construct; they are designed to make it easy to enforce security policies and may allow grouping of policies by domain.
      How to do it:
      - Identify the unique security characteristics of each entity and of the other entities it interacts with to exchange information.
      - Group entities that share common security themes and depict the relationships between them to form the trust domains.
      Sample deliverable: Trust Domains
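The trust-model steps on slides 15 through 17 (entities, a trust hierarchy of one-way, two-way and transitive relationships, and trust domains formed around a common security theme) can be captured as data and checked mechanically. The block below is an added example written for this page, not material from the deck; the entities, security themes and relationships in it are constructed. It groups entities into trust domains by theme, lists the relationships that cross a domain boundary (the places where a domain-specific policy has to be enforced), and walks transitive trust to show which external entities each internal entity ends up trusting, directly or through someone else.

```python
"""Trust model helper: entities, trust relationships and trust domains.

Added example for this page; the entities, themes and relationships below
are constructed for illustration and are not from the original deck.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    kind: str    # "internal" or "external"
    theme: str   # common security theme; entities sharing one form a trust domain


@dataclass(frozen=True)
class Trust:
    truster: str                # entity that extends trust
    trustee: str                # entity that is trusted
    two_way: bool = False
    transitive: bool = False    # truster also trusts whoever the trustee trusts
    information: str = ""       # what is exchanged across the relationship


# Constructed sample: three internal business units and two outside providers.
ENTITIES = [
    Entity("HR", "internal", "employee data"),
    Entity("Payroll Vendor", "external", "employee data"),
    Entity("Sales", "internal", "customer data"),
    Entity("CRM SaaS", "external", "customer data"),
    Entity("Finance", "internal", "financial reporting"),
]
TRUSTS = [
    Trust("HR", "Payroll Vendor", two_way=True, information="payroll records"),
    Trust("Finance", "HR", transitive=True, information="headcount cost feed"),
    Trust("Sales", "CRM SaaS", information="customer contacts"),
    Trust("Finance", "Sales", information="bookings"),
]


def trust_edges(trusts):
    """Expand relationships into directed (truster, trustee, transitive) edges."""
    edges = []
    for t in trusts:
        edges.append((t.truster, t.trustee, t.transitive))
        if t.two_way:
            edges.append((t.trustee, t.truster, t.transitive))
    return edges


def effective_trustees(start, trusts):
    """Everything `start` ends up trusting.

    Direct trustees always count.  The walk continues past a trustee only
    when the edge that reached it is marked transitive, so a one-hop
    relationship does not leak trust further down the chain.
    """
    edges = trust_edges(trusts)
    reached = {}                     # entity -> may the walk continue past it
    frontier = [(start, True)]
    while frontier:
        node, may_continue = frontier.pop()
        if not may_continue:
            continue
        for src, dst, transitive in edges:
            if src != node or dst == start:
                continue
            if dst not in reached or (transitive and not reached[dst]):
                reached[dst] = transitive
                frontier.append((dst, transitive))
    return set(reached)


def trust_domains(entities):
    """Group entities by shared security theme."""
    domains = defaultdict(set)
    for e in entities:
        domains[e.theme].add(e.name)
    return dict(domains)


def cross_domain_flows(entities, trusts):
    """Directed relationships whose ends lie in different domains: these are
    the points where a domain-specific policy must be enforced."""
    domain_of = {e.name: e.theme for e in entities}
    return [(src, dst, domain_of[src], domain_of[dst])
            for src, dst, _ in trust_edges(trusts)
            if domain_of[src] != domain_of[dst]]


def external_exposure(entities, trusts):
    """For each internal entity, the external entities it trusts, directly
    or through transitive trust."""
    external = {e.name for e in entities if e.kind == "external"}
    return {e.name: effective_trustees(e.name, trusts) & external
            for e in entities if e.kind == "internal"}


if __name__ == "__main__":
    for domain, members in trust_domains(ENTITIES).items():
        print(f"domain {domain!r}: {sorted(members)}")
    for src, dst, d_src, d_dst in cross_domain_flows(ENTITIES, TRUSTS):
        print(f"cross-domain: {src} ({d_src}) -> {dst} ({d_dst})")
    for name, externals in external_exposure(ENTITIES, TRUSTS).items():
        print(f"{name} trusts externals: {sorted(externals)}")
```

With the constructed data, Finance never signed anything with the payroll vendor, yet it trusts it: Finance's trust in HR is transitive, and HR exchanges payroll records with the vendor. Finance's non-transitive trust in Sales does not extend to the CRM SaaS. That difference is exactly why the slide asks the business to classify each relationship as one-way, two-way or transitive before domains and policies are drawn.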
  18. Develop Control Objectives by identifying the enterprise assets, threats and vulnerabilities
      What it is: document information risks (assets, threats and vulnerabilities) to prioritize protection measures. Use interviews to gather risk information across the business, from each interviewee's vantage point.
      How to do it:
      - Develop a model to score assets based on plausible impact.
      - Use interviews and key functions to identify assets, threats and vulnerabilities.
      - Prioritize information assets to focus on the most valuable assets.
      - Identify the vulnerabilities and threats.
      Sample deliverable: Information Risks
  19. Assess the impact and likelihood of each threat on assets to determine the greatest risks to the enterprise
      What it is: not all risks are created equal; assess the likelihood and impact of each risk. Prioritize the risks, then map capabilities to identify the capabilities that address the greatest risks first.
      How to do it:
      - Identify the impact and the likelihood of the threat exploiting the vulnerability.
      - Rank the assets, threats and vulnerabilities.
      - Focus on the greatest risks by plotting the assets, threats and vulnerabilities against likelihood and impact.
      Sample deliverable: Likelihood and Impact
  20. Prioritize information risks and, for each risk, identify control standards
      What it is: identify control standards to address the greatest risks. Control standards specify a desired end state and are platform agnostic. Control standards may be selected from ISO 27001, COBIT etc.
      How to do it:
      - Identify the control standard you wish to use.
      - For each of the prioritized risks, identify the applicable control standards.
      - Consolidate risks that yield exactly the same control objectives.
      - Identify the frequently occurring standards to determine the priority control standards.
      Sample deliverable: Control Standards
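Slides 18 through 20 describe one procedure: score each risk by likelihood and impact, rank the risks, consolidate those that yield the same control objectives, and count which control standards recur across the greatest risks. The block below is an added example for this page, not from the deck, and carries all three steps through a constructed six-entry risk register. The 1-4 ordinal scales, the register entries and the plain-language control-standard names are assumptions and placeholders; they are not real ISO 27001 or COBIT control identifiers.

```python
"""Rank information risks by likelihood x impact and derive priority control standards.

Added example for this page, not from the deck.  The 1-4 scales, the risk
register and the control-standard names are constructed placeholders (not
real ISO 27001 or COBIT control identifiers).
"""
from collections import Counter
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: frozenset      # platform-agnostic control standards that address it

    @property
    def score(self):
        """Simple ordinal product; the scales above are an assumption."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


# Constructed register, the kind of list interviews across the business produce.
RISKS = [
    Risk("customer database", "insider data theft", "excessive privileges",
         "possible", "severe", frozenset({"access control", "logging and monitoring"})),
    Risk("customer database", "external attacker", "unpatched database server",
         "likely", "severe", frozenset({"patch management", "logging and monitoring"})),
    Risk("payroll file share", "ransomware", "no offline backups",
         "possible", "major", frozenset({"backup", "patch management"})),
    Risk("laptops", "lost or stolen device", "unencrypted disk",
         "likely", "moderate", frozenset({"encryption at rest"})),
    Risk("marketing website", "defacement", "weak CMS password",
         "possible", "minor", frozenset({"access control"})),
    Risk("HR records", "insider data theft", "excessive privileges",
         "unlikely", "major", frozenset({"access control", "logging and monitoring"})),
]


def rank_risks(risks):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.asset, r.threat))


def consolidate(risks):
    """Merge risks that yield exactly the same set of control standards."""
    groups = {}
    for r in risks:
        groups.setdefault(r.controls, []).append(r)
    return groups


def priority_controls(risks, top_n):
    """Count how often each control standard recurs across the top-N risks.
    Standards that address several of the greatest risks come out first."""
    counter = Counter()
    for r in rank_risks(risks)[:top_n]:
        counter.update(r.controls)
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.score:2d}  {r.asset}: {r.threat} via {r.vulnerability}")
    for controls, group in consolidate(RISKS).items():
        if len(group) > 1:
            print(f"{len(group)} risks share controls {sorted(controls)}")
    print("priority controls:", priority_controls(RISKS, top_n=4))
```

On this register the two insider-theft risks collapse into one control objective, and across the four highest-scoring risks "logging and monitoring" and "patch management" each appear twice, so they head the priority list even though no single risk named them as its only control. Replace the placeholder names with the identifiers of whichever standard the organization adopted on slide 20 and the same counting gives the priority control standards for that catalog.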
  21. The Strategic and Operational Business Architectures provide the necessary input for the Solution Architecture
      The Business Architecture feeds the Solution Architecture (security policies, privilege model, security services), which in turn feeds the Technical Architecture (security mechanisms, reference architectures, security standards and guidelines).
      - The security policies are based on the OBA. Policies are hierarchical in nature and cross-reference other policies.
      - The privilege model defines roles and profiles within the organization.
      - The security services are a logical construct, used as a stepping stone to achieve capabilities.
      - The security mechanisms are mapped to security services; they represent different ways of implementing the services. Once security mechanisms are defined, a set of reference architectures can be built for each mechanism.
      - The reference architecture defines the organization's best practices for implementing a given security mechanism.
      - The security standards and guidelines are the platform-specific technology standards and guidelines. Standards are linked to specific security policies.
  22. Engage policy, business and application owners to develop the solution architectures
      Security policies:
      - Establish the policy catalog based on the SBA, OBA and the control objectives: local vs. global versions of policies, driven by local regulations as well as unique business needs; trust-domain-specific policies.
      - EA participates in policy development but does not own it.
      - Include clauses that can be enforced immediately or in the near term.
      Privilege model:
      - Privilege management forms the basis for any sophisticated Identity & Access Management solution.
      - Inventory existing roles and map individuals to those roles.
      - Engage business and application owners to develop an abstract construct such as "profiles"; use profiles to map organization roles.
      - The profiles can be used to grant access to assets.
      Privilege associations (diagram): individual -> roles -> profile -> privilege -> asset.
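The privilege associations on this slide chain individual, roles, profile, privilege and asset. The block below is an added example for this page, not the deck's own material; every person, role, profile and asset name in it is constructed. It resolves an individual's effective privileges through that chain, reports through which role/profile pairs a given grant was reached (what an access reviewer needs before keeping or revoking it), and runs the two inventory checks the slide's "inventory roles and map individuals" step implies: individuals mapped to no role, and profiles that no role carries.

```python
"""Privilege associations: individual -> roles -> profiles -> privileges -> assets.

Added example for this page, not from the deck.  Every person, role, profile
and asset name below is constructed.
"""

# profile -> set of (asset, privilege) pairs it grants
PROFILES = {
    "claims-adjuster": {("claims-db", "read"), ("claims-db", "write"), ("policy-db", "read")},
    "claims-auditor": {("claims-db", "read"), ("audit-log", "read")},
    "db-operator": {("claims-db", "admin"), ("policy-db", "admin")},
    "legacy-reporting": {("claims-db", "read")},   # carried by no role: should be retired
}

# organization role -> profiles it carries
ROLE_PROFILES = {
    "Adjuster": {"claims-adjuster"},
    "Senior Adjuster": {"claims-adjuster", "claims-auditor"},
    "DBA": {"db-operator"},
}

# individual -> roles from the role inventory
INDIVIDUALS = {
    "alice": {"Adjuster"},
    "bob": {"Senior Adjuster"},
    "carol": {"DBA", "Adjuster"},
    "dave": set(),            # on the payroll but mapped to no role yet
}


def effective_privileges(person, individuals=INDIVIDUALS):
    """Resolve the full chain and return the (asset, privilege) pairs the person holds."""
    grants = set()
    for role in individuals.get(person, set()):
        for profile in ROLE_PROFILES.get(role, set()):
            grants |= PROFILES[profile]
    return grants


def is_allowed(person, asset, privilege):
    """Access decision: does any role/profile chain grant this privilege on this asset?"""
    return (asset, privilege) in effective_privileges(person)


def grant_paths(person, asset, privilege, individuals=INDIVIDUALS):
    """Every (role, profile) pair through which the grant is reached; the
    answer an access reviewer needs before removing or keeping a privilege."""
    return [(role, profile)
            for role in sorted(individuals.get(person, set()))
            for profile in sorted(ROLE_PROFILES.get(role, set()))
            if (asset, privilege) in PROFILES[profile]]


def unmapped_individuals(individuals=INDIVIDUALS):
    """People with no role: they cannot be granted access through the model."""
    return sorted(p for p, roles in individuals.items() if not roles)


def orphan_profiles(profiles=PROFILES, role_profiles=ROLE_PROFILES):
    """Profiles no role carries; stale grants that bypass the role inventory."""
    in_use = set().union(*role_profiles.values())
    return sorted(set(profiles) - in_use)


if __name__ == "__main__":
    for person in INDIVIDUALS:
        print(person, sorted(effective_privileges(person)))
    print("carol reads claims-db via", grant_paths("carol", "claims-db", "read"))
    print("unmapped:", unmapped_individuals(), "orphan profiles:", orphan_profiles())
```

Keeping the grant itself on the profile, and not on the person or the role, is what makes the chain reviewable: when bob's audit access is questioned, `grant_paths` shows it comes from the claims-auditor profile attached to the Senior Adjuster role, so the fix is made once in the profile or the role mapping rather than per individual.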
  23. Identify security services and then develop their building blocks: security mechanisms
      Illustrative security services and their mechanisms:
      - Data Security in Transit: encryption, digital signatures, access control, integrity verification
      - Data Security at Rest: encryption, data transformation, data masking, access control, integrity verification
      - Platform Security: host-based intrusion protection, anti-virus, platform security updates, patch management
      - Messaging Security: anti-spam, anti-spyware, anti-malware, anti-virus, digital signatures
      Notes:
      - Security policies must be used to develop security services.
      - The security services vocabulary should suggest a solution to a problem.
      - Security services should be vetted with business and application owners to ensure they are usable.
      - Security mechanisms must be enhanced on a periodic basis to adapt to evolving risks.
      - Security mechanisms may be reused across services and form the building blocks for services.
  24. Complete the technical architecture by defining the remaining components
      - Reference architectures are built for each security mechanism and define the specifics of a vendor solution, its applicability, pros and cons. Reference architectures must be periodically updated to adapt to the evolving solutions landscape.
      - Standards are specific to a technology platform, service, device or application. Temporary exceptions to the standards must be governed through the architecture governance process.
      Diagram: each security mechanism (e.g. data masking) maps to reference architectures 1 through n.
  25. Use the Business and Solution Architectures to derive a roadmap of business capabilities
      [Roadmap chart: the Strategic Business Architecture, Operational Business Architecture and Solution Architecture feed a roadmap showing when each capability is delivered. Capabilities (01, 02, 03, 04, 05, 07, 08, 09, 12) are grouped into Theme 1, Theme 2 and Theme 3 and plotted across 1H06, 2H06, 1H07 and 2H07.]
      Business capabilities requiring Infosec and IT support
  26. Avoid some common pitfalls when building an Information Security blueprint
      - Do not start with requirements; start with capabilities
        - Requirements are good for implementation but bog down the planning process
        - Capabilities provide a manageable level of detail for prioritization and release planning
      - Recognize Information Security as a key component of Operational Risk; work towards getting the OBA right
        - Start with key functions, not processes, for developing the OBA
        - Understand what you want to protect before deciding how you want to protect it
      - Differentiate between IT security and Information Security; do not focus on technology alone
        - Hold off on tools until the reference architecture
  27. Key Takeaways
      - Understand the significance of Information Security as a business enabler by identifying the drivers and appetite for Information Security early in the planning process
      - Information Security must engage the business by developing the guiding principles, the Strategic Business Architecture (SBA) and the Operational Business Architecture (OBA)
      - Getting the security services right is the first step before developing the technical architecture artifacts
      - Develop security mechanisms and corresponding reference architectures for the highest-priority security services
  28. Thank you. Questions?