Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security architecture

177 views

Published on

A comprehensive enterprise security architecture for IT systems: threat&risk modelling, processes, monitoring, data, governance.

Published in: Services
  • Be the first to comment

  • Be the first to like this

Security architecture

  1. 1. A security enterprise architecture for SOA George Georgovassilis
  2. 2. 2 What is SOA? - Applications expose functionality as services - Services are composable - Services implement APIs, are discoverable, consume and modify resources and have a runtime behaviour - Service APIs and resources are subject to security considerations: who is allowed to do what?
  3. 3. 3 A SOA platform - Runtime environment for deploying, configuring, monitoring and operating IT services - Operational quality - Security quality - Out of scope: build process (dependency management, pen- test, static code analysis of deployment artefacts)
  4. 4. 4 Applicable security practices - TOGAF 21.3 Guidance on Security for the Architecture Domains - ISO/IEC 17799:2005 establishing security practices - OWASP
  5. 5. 5 SOA platform aspects People & processes Business continuity Technology Services Governance
  6. 6. 6 Security aspects: business continuity - Policies must be enforceable - Cost and complexity manageable - Risk management - Contingency plans - Availability, scalability - Graceful service degradation - Low MTTR - DR class
  7. 7. 7 Security aspects: people & proccesses - HR and operational policies and processes documented, maintained - Personnel training, vetting - Monitoring access, interactions, auditing - Change management - IAM (identity, roles, ownership, channels) - ISO, security architect
  8. 8. 8 Security aspects: technology - Facility management - Certification chain for hardware, OS, middleware - Monitoring - Change management, patch management - Access control
  9. 9. 9 Security aspects: services - SDLC: deployment and configuration validation - Certification chain for dependencies, build tools - Monitoring - Change management, patch management - Access control
  10. 10. 10 Security aspects: governance - Audits, assurance - Security drills - Penetration tests - Post mortems - Actionable recommendations - Risk management
  11. 11. 11 Deliverables - Security policy, roles, asset ownership, data classification, system criticality classification - Risk/threat analysis & mitigation - Acknowledgement of laws & regulations - Operational procedures, change management, data lifecycle - Roadmap - Signoff
  12. 12. 12 management network application network Deployment context Computing hardware OS Virtualisation Container middleware Services Monitoring Fulfillment CIMDB IAM Service discovery API gateway WAF Antivirus external network Clients Clients Storage Ephemeral storage Gateway Gateway VPN 2FA Backup Management Storage
  13. 13. 13 Example: provisioning VM Requester Standard Change Issue tracking FulfillmentClient IAM Virtualization CIMDB

×