Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security architecture

Security Architecture as part of Enterprise Architecture. A talk to AISA Brisbane 27 February 2013

Security architecture

  1. 1. Security Architecture ⊆ Enterprise ArchitectureAn exploration of how Security Architecture fitswithin Enterprise ArchitectureDuncan UnwinBrisbane, 27th February 2013 Sponsors
  2. 2. Put your hand up if In your work …. — You conduct risk assessments? — You write security policies? — You developed an information security management system? — Set up a information security governance mechanism e.g. a steering committee or user group? — Design security controls for systems?A Fresh Perspective 2
  3. 3. Keep you hand up if… — You use a formal security architecture Hi, I’m Obi Wan and I’ll be your framework Security Architect today — Your job title includes the word ‘Architect’ — You work within the Enterprise Architecture Team — Your work is tightly integrated with the organisation’s enterprise architecture practices — Your work drives the information security teams prioritiesA Fresh Perspective 3
  4. 4. The dilemma of Information Security — Most people in your organisation do not understand your infosec risks – The Availability Heuristic (Tversky and Kahneman, 1971) —I have not been hacked so I will not be hacked —I have been hacked so I will be hacked again soon —Hacking is something that happens to others – Other cognitive biases —Security risks are hard to rate even for experts – Confusing consequences with threats —‘If my data is lost I will suffer’ is not the same as ‘someone wants to steal my data’A Fresh Perspective 4
  5. 5. The dilemma of information securityA Fresh Perspective 5
  6. 6. The dilemma of Information Security — Information Security practices are not well understood by IT The Department of NO! Wielders of arcane magic Out-of-date conspiracy theorists Compliance Droids Hackers on company payrollA Fresh Perspective 6
  7. 7. The dilemma of Security Architecture — Most people in Infosec do not understand Architecture – “I’m the Security Architect” “So youre writing the security policy, right?” – “We will need a TRA for the new system to get through the CAB” – “Our team lead said you’re looking after PCI” – “So are you an architect or in Security?” – “After we go live we will need you to document the firewall”A Fresh Perspective 7
  8. 8. The Security Guy (or Gal) in ArchitectureA Fresh Perspective 8
  9. 9. What an EA thinks of Security - an exampleA Fresh Perspective 9
  10. 10. Lets talk about Architecture….Shall we?A Fresh Perspective 10
  11. 11. Architecture – What is it? Enterprise architecture is the organizing logic for business processes and IT infrastructure reflecting the integration and standardization requirements of the companys operating model. The operating model is the desired state of business process integration and business process standardization for delivering goods and services to customers. - MIT Center for Information Systems Research All... must be built with due reference to durability, convenience, and beauty. Durability will be assured when foundations are carried down to the solid ground and materials wisely and liberally selected; convenience, when the arrangement of the apartments is faultless and presents no hindrance to use, and when each class of building is assigned to its suitable and appropriate exposure; and beauty, when the appearance of the work is pleasing and in good taste, and when its members are in due proportion according to correct principles of symmetry. - Vitruvius, De Achitectura (~ 15 BC), Chapter IIIA Fresh Perspective 11
  12. 12. Lots of frameworksA Fresh Perspective 12
  13. 13. Enterprise Architecture Frameworks — Taxonomy – Zachman — Process – TOGAF — Unified – FEA — Methodology-specific – ARIS, ArchiMate — Practice-based – Gartner Choosing between Zachman and TOGAF .. is like choosing between spinach and hammers. - Roger Sessions , 2007A Fresh Perspective 13
  14. 14. Architecture – What is it?A Fresh Perspective 14
  15. 15. TOGAFA Fresh Perspective 15
  16. 16. TOGAF Business Requirements Business Governance Transition Information Applications TechnologyA Fresh Perspective 16
  17. 17. And another thing….A Fresh Perspective 17
  18. 18. Security Architecture It is the common experience of many corporate organisations that information security solutions are often designed, acquired and installed on a tactical basis. The result is that the organisation builds up a mixture of technical solutions on an ad hoc basis, each independently designed and specified and with no guarantee that they will be compatible and interoperable. Security architecture is business-driven and .. describes a structured inter-relationship between the technical and procedural security solutions to support the long-term needs of the business. John Sherwood, Andrew Clark & David Lynas – SABSA.ORGA Fresh Perspective 18
  19. 19. Security Architecture SABSAA Fresh Perspective 19
  20. 20. Mid-way summary — Security Architecture is hard and often misunderstood — Security Architecture often struggle to find meaning within Enterprise Architecture for this reason — Architecture is about high-level design — Lots of frameworks – Taxonomies, Processes & Methods — TOGAF – Process to do EA with candidate taxonomy (BIAT)A Fresh Perspective 20
  21. 21. Explaining Information Security Architecture to Architects — What is it — Why it matters — Their roleA Fresh Perspective 21
  22. 22. Business Requirements — Enterprise Architecture – Goals – Rules “Ask the business” – Requirements — Security Architecture – Laws and Regulations “Ask the business” – Compliance standards + – – Contracts Explicit mandates “Ask the World” – Risk-based control requirementsA Fresh Perspective 22
  23. 23. Business Requirements — Enterprise Architecture – Capabilities – Services — Security Architecture – Attributes – Control ObjectivesA Fresh Perspective 23
  24. 24. Business Architecture — Two Common Focus – Information Security Processes and Organisation —Developing the capability to be secure —Think ITIL Security —Think ISMS – Security within general business processes —What assets to be protected? —How, who and what will protect them? —How, who and what will address incidents? —What security governance is required?A Fresh Perspective 24
  25. 25. Information Architecture — Enterprise Information Architecture – Subject Area Model – Conceptual Information Model – Logical Information Model – Physical Information Model — Security Architecture – Assets – Information Inventories – Information Classification – Information Usage (CRUD)A Fresh Perspective 25
  26. 26. Application Architecture — Application Architecture – Information Systems – Conceptual App Architecture – Software Architecture – SOA — Security Concerns – Common security services — Identity Management and Access Control — Audit & Logging — Vulnerability management — Etc… – Information flows – Threat modelling – Control design – Operational management concepts – SDLCA Fresh Perspective 26
  27. 27. Technology — Technology Architecture – Standards and Reference Models – Logical & physical topologies – Dependencies – Capacity and Availability — Security Architecture – Approved products / EPL – C.I.A. of design —FMEA —Design and build assurance – Configuration standards – Operational standards – Alignment with ISMS, policies & standardsA Fresh Perspective 27
  28. 28. Transformation & Governance — Program Management Office – Program reporting and governance – Project reporting and governance – Time, Cost, Quality BUT NOT Security — Security Architect – Ensuring Security goals and requirement in the Business Case – Providing tools to measure delivery – Identifying dependencies within the program and project – Helping with prioritisation decisions – Linkage to security governanceA Fresh Perspective 28
  29. 29. TOGAF Security Architecture SECURITY Business Requirements Business Governance Transition Information Applications TechnologyA Fresh Perspective 29
  30. 30. Doing Security Architecture well (or better)… — Understand the EA ProcessA Fresh Perspective 30
  31. 31. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the teamA Fresh Perspective 31
  32. 32. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your languageA Fresh Perspective 32
  33. 33. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmaticA Fresh Perspective 33
  34. 34. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic — Use evidenceA Fresh Perspective 34
  35. 35. Doing Security Architecture well (or better)… — Understand the EA Process — Bond with the team — Align your language — Be pragmatic — Use evidence — Be a Boundary RiderA Fresh Perspective 35
  36. 36. The EndA Fresh Perspective 36
  37. 37. About Business Aspect Duncan Unwin Business Aspect assists clients with the execution of their business strategy through either large scale business transformation or through the M: 0407 032 755 addressing of smaller challenges in specific areas of the business. We focus E: on the business first, and then address technology needs as an enabler of required business outcomes. We have skills, experience and expertise in; business and technology strategy, architecture, risk, control, planning, design and governance. In delivering services, we address all layers of the business, including people, organisational change, process change, information management, information and communications technology (ICT) applications and technology infrastructure. We solve complex business problems through the collaborative efforts of our team of highly experienced personnel, and through the application of proven intellectual property. One of our key strengths is the diversity of the background and skills our senior consultants bring to planning initiatives involving people, process and systems. Our ability to extend from business focused domains into architecture and complex program management builds a bond of trust with our clients and fosters more effective relationships. For our clients, we serve as the interpreter between ICT and the demands of individual business units, translating business needs into ICT outcomes. We complement this with our ability to work with all parts of the organisation, therefore maximising the benefits collectively gained from ICT. Brisbane / Sydney / Canberra / Melbourne We believe the use of senior consultants for the delivery of our clients’ projects is the cornerstone of our success. We also hand pick specialists T +61 7 3831 7600 from our extensive network of associates and industry partners to F +61 7 3831 7900 complement our consulting teams. We guarantee senior people with the Head Office - 588 Boundary St right balance of qualifications and real-world industry experience, and our Spring Hill Brisbane QLD 4000 delivery capability extends across Australia.A Fresh Perspective 37

    Be the first to comment

    Login to see the comments

  • oracuk

    Apr. 8, 2013
  • vvajdic

    May. 17, 2014
  • ChristianusSandjaja

    Nov. 12, 2015
  • DarrenArgyle

    Jul. 1, 2016
  • SeetaramPonugupati

    Dec. 14, 2016
  • ssuserf5faf4

    May. 13, 2017
  • mzmindbns

    Sep. 7, 2017
  • mohammadaqeel9

    Jan. 7, 2018
  • thomkozik

    May. 27, 2018
  • BhagirathSingh2

    Jun. 27, 2018
  • ash_sids

    Jul. 21, 2018
  • LineusGreyshiya

    Aug. 12, 2018
  • kinyoka

    Aug. 26, 2018
  • anton_chuvakin

    Sep. 26, 2018

Security Architecture as part of Enterprise Architecture. A talk to AISA Brisbane 27 February 2013


Total views


On Slideshare


From embeds


Number of embeds