What is Enterprise Security Architecture (ESA)?
Introduction
Enterprise Security Architecture (ESA) is a specialized type of Enterprise Architecture that focuses
upon the entire scope of Security and the following Security Capabilities:
• Threat Risk Analysis (TRA) / Privacy Impact Analysis (PIA)
• Threat Modeling
• Security Controls
• Risk Assessment
• Security (Technical) Debt
• Security Governance
ESA is used for Cybersecurity, Mobile Security, Cloud Security, IoT Security, Data Centre Security and
Vendor/Supplier (3rd Party) Security.
ESA is delivered using established standards: TOGAF and ArchiMate (The Open Group) for the architecture
method and notation, Open FAIR (The Open Group) for risk quantification, and COSMIC functional size
measurement (ISO/IEC 19761, formerly COSMIC FFP) for sizing; together they are used to manage the
lifecycle of security (Strategy, Development, Implementation, Governance).
ESA is also used to help organizations create their Security Department, and/or improve their Security
Architecture and Risk Assessments.
Finally, ESA can be used to implement individual Security Capabilities, thereby allowing organizations
to focus upon those abilities that are most critical.
Enterprise Security Architecture (ESA)
This section provides a brief overview of each component of Enterprise Security Architecture (ESA):
TRA/PIA, Threat Modeling, Security Controls, Risk Assessment and Security Debt.
Please Note: the innovations developed by JVG Consulting to improve ESA are presented at the end of
this topic.
TRA/PIA
Threat Risk Analysis and Privacy Impact Analysis are used to scope the potential Threats and Risks of
all IT Assets (Apps, Data, Systems).
It consists of a high-level model of the IT Assets under review and identifies where Vulnerabilities may
exist within and across those IT Assets.
The key focus is upon the Data Flows across all IT Assets and a determination of the Asset Risk, Data
Risk and Privacy Impact for exposed Data.
In most cases, the TRA/PIA is performed at the conceptual level and is used for scoping purposes.
When stakeholders and projects need more details, they will progress to Threat Modeling. In some
cases, Threat Modeling is undertaken in lieu of TRA/PIA.
Threat Modeling
Threat Modeling is the next step in Enterprise Security Architecture, after a TRA/PIA has been
completed. It is performed at the logical and physical levels and is used to identify potential Threats to
IT Assets and Data.
There are a number of approaches to Threat Modeling that hold sway in the marketplace today:
• Data Flow Diagrams (DFD)
• Process Flow Diagrams (PFD)
• Threat Centric
• Risk Centric
The most common approach to Threat Modeling is the use of Data Flow Diagrams, which focus upon
the flow of corporate Data across IT Assets. Microsoft’s Threat Modeling Tool uses this approach,
enumerating threats per DFD element (external entity, process, data store, data flow) with the STRIDE
categories.
Process Flow Diagrams, used by commercial tools such as ThreatModeler, focus upon the processes that
operate across IT Assets. A repository of common Process Flows is available for reuse when you
perform Threat Modeling of your project or application portfolio.
Both DFDs and PFDs have their proponents, and both are typically used to analyze and design Applications.
A Threat Centric approach to Threat Modeling focuses upon potential Threats to IT Assets and Data,
and is used to document Vulnerabilities.
A Risk Centric approach to Threat Modeling focuses upon those IT Assets and Data that have the
greatest Risk if they are compromised, which in turn is used to determine the scope of the Threat
Modeling.
The biggest criticism of typical Threat Modeling is that it is focused upon Applications and not the
entire Technology Stack. Hence, potential threats at the infrastructure and platform layers are often
overlooked, thereby creating opportunities for attack.
Finally, Attack Trees and Kill Chains can also be used during Threat Modeling. In practice, however,
they tend to be applied retrospectively, after a Breach, rather than at design time.
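The following is an added example, not part of the original slides or of any JVG Consulting tool: a small Python model of the DFD approach described above, covering both the TRA/PIA scoping step and Threat Modeling. The DFD (a customer, a web portal, an application server and a customer database, split across three trust zones) is constructed for illustration. It applies the STRIDE-per-element mapping that Microsoft's Threat Modeling Tool uses (the slides do not name STRIDE; that mapping is this example's assumption), flags every data flow that crosses a trust boundary, adds a privacy-impact finding for PII that leaves its zone unencrypted (the TRA/PIA concern), and reports which layers of the Technology Stack the model never covers, which is the criticism raised above.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE-per-element: which threat classes apply to each kind of DFD element.
# Standard table from the Microsoft approach; an assumption of this example,
# not something the slides state.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external": "SR",      # external entity: Spoofing, Repudiation
    "process": "STRIDE",   # process: all six
    "store": "TRID",       # data store: Tampering, Repudiation, Info disclosure, DoS
    "flow": "TID",         # data flow: Tampering, Info disclosure, DoS
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
STACK_LAYERS = ("application", "platform", "infrastructure")


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # external | process | store
    zone: str    # trust zone; a trust boundary sits between any two zones
    layer: str   # application | platform | infrastructure


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    classification: str = "internal"  # public | internal | pii
    encrypted: bool = False


@dataclass(frozen=True)
class Finding:
    element: str
    threat: str
    note: str = ""


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Finding]:
    """STRIDE-per-element over every node and flow, plus trust-boundary and
    privacy-impact findings for flows that leave their zone."""
    by_name = {e.name: e for e in elements}
    findings: List[Finding] = []
    for e in elements:
        findings += [Finding(e.name, STRIDE_NAMES[c]) for c in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        findings += [Finding(f.name, STRIDE_NAMES[c]) for c in STRIDE_PER_ELEMENT["flow"]]
        src, dst = by_name[f.src], by_name[f.dst]
        if src.zone != dst.zone:
            findings.append(Finding(f.name, "Trust boundary crossing",
                                    f"{src.zone} -> {dst.zone}: authenticate caller, validate input"))
            if f.classification == "pii" and not f.encrypted:
                findings.append(Finding(f.name, "Privacy impact",
                                        "PII crosses a trust boundary unencrypted"))
    return findings


def missing_layers(elements: List[Element]) -> List[str]:
    """Layers of the Technology Stack with no element in the model: the gap the
    'applications only' criticism points at."""
    present = {e.layer for e in elements}
    return [layer for layer in STACK_LAYERS if layer not in present]


def build_sample_dfd() -> Tuple[List[Element], List[Flow]]:
    """Constructed toy DFD: customer -> web portal -> app server -> customer DB."""
    elements = [
        Element("Customer", "external", "internet", "application"),
        Element("WebPortal", "process", "dmz", "application"),
        Element("AppServer", "process", "internal", "application"),
        Element("CustomerDB", "store", "internal", "platform"),
    ]
    flows = [
        Flow("Login request", "Customer", "WebPortal", "pii", encrypted=True),
        Flow("Profile lookup", "WebPortal", "AppServer", "pii", encrypted=False),
        Flow("SQL query", "AppServer", "CustomerDB", "pii", encrypted=False),
    ]
    return elements, flows


if __name__ == "__main__":
    elements, flows = build_sample_dfd()
    for fnd in enumerate_threats(elements, flows):
        print(f"{fnd.element:15} {fnd.threat:25} {fnd.note}")
    print("layers not modelled:", missing_layers(elements))
```

Running it lists the per-element STRIDE threats, two trust-boundary crossings (internet to dmz, dmz to internal), one privacy-impact finding for the unencrypted profile lookup, and reports that the infrastructure layer has no element in the model at all, which is exactly the blind spot an application-only threat model produces.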
Security Controls
When most people think of security, they tend to think of specific security controls, such as Anti-Virus
software.
Security Controls exist at all layers of the Technology Stack (Infrastructure, Platform, and Application)
and Environments (Cloud, ASP, Mobile, Hybrid, Public, Private and On-Premise).
This article groups Security Controls into three (3) functional categories, each illustrated by a
common product class:
• Detection – Intrusion Detection System (IDS)
• Prevention – Intrusion Prevention System (IPS)
• Correlation and Response – Security Information and Event Management (SIEM)
Note that the control taxonomies used in standards (preventive, detective and corrective; or
administrative, technical and physical) are broader and also cover controls such as access management,
encryption, patching and hardening; IDS, IPS and SIEM are the monitoring-oriented subset discussed here.
Each layer of the Technology Stack, and the IT Assets and Data contained within it, will have its own
Intrusion Detection System (IDS). As the name implies, an IDS monitors the IT Asset (network, server,
database, application, web portal, mobile device, etc.) for suspicious activity and flags it when it
occurs. An example would be Anti-Virus software in detect-only mode: it monitors your system and reports
a Virus, but takes no action.
An Intrusion Prevention System (IPS), which also operates across the entire Technology Stack, will
automatically take action to stop an attack or suspicious activity. An example would be Anti-Virus
software that quarantines or removes a Virus found on your system. The caveat is that automated blocking
turns a false positive into an outage, so IPS rules need tighter tuning than IDS rules.
All organizations, even small businesses, should have a Security Information and Event Management
(SIEM) system or tool. The SIEM collects the logs of all IT Assets and Data throughout the entire
Technology Stack, correlates events across them and creates an Alert when suspicious activity or an
attack is found.
Newer SIEM tools ingest events as streams in near real-time, rather than periodically reading the log
files of each IT Asset.
The SIEM is the central console that manages security monitoring for an organization and is used for
Incident Response and Event Management. Splunk is an example of a SIEM; OSSEC, which is also often
cited here, is a host-based IDS whose alerts are normally forwarded to a SIEM rather than a SIEM itself.
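As an added example (not from the original slides), the following Python code runs the three roles just described over a handful of constructed sshd log lines: a per-host IDS rule, SIEM-style correlation of the same events across hosts, and an IPS-style block decision. The log lines, hostnames and IP addresses are all constructed for this example, and the thresholds (5 failures within 60 seconds) are assumptions. The point it makes is that the attacker spreads attempts over two hosts, so no single-host IDS rule fires, while the SIEM correlation across hosts does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed sshd lines from two hosts (not real logs). 203.0.113.7 spreads
# five failures over web01 and db01, then succeeds on db01; 198.51.100.4 is
# a legitimate user with one typo.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:05 db01 sshd[911]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:08 db01 sshd[911]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:12 db01 sshd[912]: Accepted password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T10:05:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:05:30 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


class Event(NamedTuple):
    ts: datetime
    host: str
    outcome: str   # "Failed" or "Accepted"
    user: str
    src_ip: str


def parse(lines: str) -> List[Event]:
    """Normalize raw log lines into events; unparseable lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["outcome"], m["user"], m["ip"]))
    return events


def host_ids_alerts(events: List[Event], threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> List[str]:
    """IDS rule with a single host's view: N failures from one IP on ONE host."""
    fails: Dict[tuple, List[datetime]] = defaultdict(list)
    for e in events:
        if e.outcome == "Failed":
            fails[(e.host, e.src_ip)].append(e.ts)
    alerts = []
    for (host, ip), stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append(f"IDS {host}: {threshold} failed logins from {ip}")
                break
    return alerts


def siem_correlate(events: List[Event], threshold: int = 5,
                   window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """SIEM correlation: failures from one IP across ALL hosts, followed by a success."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for idx, e in enumerate(evs):
            if e.outcome != "Accepted":
                continue
            recent_fails = [x for x in evs[:idx]
                            if x.outcome == "Failed" and e.ts - x.ts <= window]
            if len(recent_fails) >= threshold:
                alerts.append({"src_ip": ip, "user": e.user, "host": e.host,
                               "failures": len(recent_fails),
                               "hosts_probed": sorted({x.host for x in recent_fails})})
                break
    return alerts


def ips_block_list(correlated: List[dict]) -> Set[str]:
    """IPS decision: block the source of every correlated brute-force success."""
    return {a["src_ip"] for a in correlated}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("per-host IDS alerts:", host_ids_alerts(evs))
    siem = siem_correlate(evs)
    print("SIEM correlated alerts:", siem)
    print("IPS block list:", ips_block_list(evs and siem))
```

With the constructed input the per-host rule returns nothing (three failures on web01, two on db01), the correlation returns one alert naming both probed hosts and the account that was finally compromised, and the block list contains only the attacker's address; the legitimate user with a single failed attempt is untouched.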
Risk Assessment
The Open Group’s Factor Analysis of Information Risk (Open FAIR) defines risk as the probable frequency
and probable magnitude of future loss. Risk is derived from Loss Event Frequency (itself the product of
Threat Event Frequency and Vulnerability) and Loss Magnitude (driven by Asset Value and the Liability a
loss introduces).
To be successful at Risk Assessment, a full Taxonomy of all IT Assets, Data and Security Controls is
required so that an accurate evaluation can be performed. A missing or incomplete Taxonomy is a form of
Security (Technical) Debt, and results in higher costs to perform a Risk Assessment.
Most organizations place the emphasis upon Security Controls for their IT Assets and Data when
performing a Risk Assessment. However, what happens when a Security Control is breached and
Customer Information is stolen? A Risk Assessment that stops at the presence of Controls, without asking
what is lost when they fail, is incomplete.
A proper Risk Assessment leverages a Taxonomy of IT Assets, Data and Security Controls, and then
evaluates the Loss Magnitude and the Loss Event Frequency to determine Risk.
The (Economic) Loss Magnitude is the Value of the IT Asset affected and/or the Liability a loss
introduces to the organization; in FAIR terms it is the sum of Primary Loss (direct costs such as
response and replacement) and Secondary Loss (fines and judgments, customer response, reputation).
The Loss Event Frequency is the expected number of loss events within a specific time-frame (typically
one year). Its sub-components are Threat Event Frequency (how often an attack is attempted) and
Vulnerability (the probability that an attempt becomes a loss, which FAIR derives from the attacker's
Threat Capability measured against the Resistance Strength of the Controls in place).
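The following Python code is an added example, not part of the original slides: it carries the FAIR decomposition above through a Monte Carlo simulation, so that Risk comes out as a distribution of annualized loss rather than a single number. Vulnerability is estimated as the share of simulated contests in which Threat Capability exceeds Resistance Strength, which is how a change to the Controls changes Risk. The factor ranges for the two scenarios (a baseline, and the same scenario with stronger Resistance Strength after adding MFA) are constructed for illustration and are not real data.

```python
import random
import statistics
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# (minimum, most likely, maximum) for a triangular draw
Range = Tuple[float, float, float]


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range                  # Threat Event Frequency: attempts per year
    threat_capability: Range    # attacker capability, 0..100 percentile
    resistance_strength: Range  # control strength, 0..100 percentile
    primary_loss: Range         # direct cost per loss event (response, replacement)
    secondary_loss: Range       # indirect cost per loss event (fines, customers, reputation)


def draw(rng: random.Random, r: Range) -> float:
    """One triangular sample; note random.triangular takes (low, high, mode)."""
    low, mode, high = r
    return rng.triangular(low, high, mode)


def point_estimate(tef: float, vulnerability: float, loss_magnitude: float) -> float:
    """Single-point FAIR risk: Loss Event Frequency (TEF x Vuln) x Loss Magnitude."""
    return tef * vulnerability * loss_magnitude


def estimate_vulnerability(tcap: Range, rs: Range, samples: int, rng: random.Random) -> float:
    """Vulnerability = probability a threat event becomes a loss event, estimated as
    the share of contests where Threat Capability beats Resistance Strength."""
    wins = sum(1 for _ in range(samples) if draw(rng, tcap) > draw(rng, rs))
    return wins / samples


def simulate(s: Scenario, iterations: int = 10_000, seed: int = 7) -> Dict[str, float]:
    """Monte Carlo over the factor ranges; returns annualized loss exposure statistics."""
    rng = random.Random(seed)
    vuln = estimate_vulnerability(s.threat_capability, s.resistance_strength, iterations, rng)
    losses: List[float] = []
    for _ in range(iterations):
        tef = draw(rng, s.tef)
        loss_magnitude = draw(rng, s.primary_loss) + draw(rng, s.secondary_loss)
        losses.append(point_estimate(tef, vuln, loss_magnitude))
    losses.sort()
    return {
        "vulnerability": vuln,
        "mean": statistics.fmean(losses),
        "p50": losses[len(losses) // 2],
        "p90": losses[int(len(losses) * 0.9)],
        "max": losses[-1],
    }


# Constructed scenarios (illustrative numbers, not real data).
BASELINE = Scenario(
    name="Customer DB exfiltration via stolen admin credential",
    tef=(2, 6, 20),
    threat_capability=(40, 70, 95),
    resistance_strength=(50, 65, 80),          # password-only admin access
    primary_loss=(50_000, 150_000, 400_000),
    secondary_loss=(100_000, 500_000, 2_000_000),
)
# Same scenario after adding MFA and network restriction: only Resistance Strength changes.
HARDENED = replace(BASELINE, resistance_strength=(70, 85, 95))

if __name__ == "__main__":
    for s in (BASELINE, HARDENED):
        r = simulate(s)
        print(f"RS={s.resistance_strength}: vuln={r['vulnerability']:.2f} "
              f"mean={r['mean']:,.0f} p50={r['p50']:,.0f} p90={r['p90']:,.0f}")
```

Only the Resistance Strength range differs between the two scenarios, so the drop in the Vulnerability factor, and with it in mean and p90 annualized loss, is the quantified value of the added Control. Keeping the Asset and Data factors (TEF, Primary and Secondary Loss) in the same model is what answers the question above about what is lost when the Control fails.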
Security (Technical) Debt
Technical Debt is the Cost of missing, incomplete or inaccurate documentation, design, code /
configuration and rework of code / configuration for the entire Technology Stack of an organization.
Security Debt is the Technical Debt of Security and relates to Security Controls, Threat Models, Assets,
Data and Risk (as described above). Security Debt occurs at the project, program, portfolio, operations
and organization levels.
Unlike ordinary Technical Debt, the Cost of Security Debt is compounded by the Loss Magnitude of the
Assets and Data that are breached, or that have a high probability of being breached.
One can approach resolving Security Debt by taking a Risk-based Approach: focus upon those IT
Assets and Data that are most critical to the organization and build a Security Taxonomy for those
Resources. To further accelerate the recovery from Security Debt, use a consistent, simple method for
documenting all elements of the Security Taxonomy (Assets, Data, Controls, and Threat Models).
Innovations by JVG Consulting
Organizations that undertake Enterprise Security Architecture as described above often find the cost
prohibitive. Consequently, these organizations accumulate more Security Debt and Risk.
At JVG Consulting, we have taken the international standards used for Enterprise Security Architecture
(ESA) and have applied Lean Principles, Techniques and Tools to reduce the cost and increase the
speed of delivery for Enterprise Security Architecture (ESA).
Consequently, our re-factored and lean approach implements Enterprise Security Architecture (ESA)
using the following components:
• Threat Use Case Modeling© – TRA/PIA and Threat Modeling
• Threat Costing© – Asset Valuation and Economic Loss Magnitude
• Threat Debt© – Risk-Based Recovery of Security Debt
• Threat Risk© - Risk Assessment of Projects, Programs and Portfolios
• Threat Control© - Security Controls for IT Assets and Data
• Continuous Security© - pluggable Security Capability: Standalone or part of DevOps

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 

What is Enterprise Security Architecture (ESA)?

  • 1. What is Enterprise Security Architecture (ESA)? Introduction Enterprise Security Architecture (ESA) is a specialized type of Enterprise Architecture that focuses upon the entire scope of Security and the following Security Capabilities: • Threat Risk Analysis (TRA) / Privacy Impact Analysis (PIA) • Threat Modeling • Security Controls • Risk Assessment • Security (Technical) Debt • Security Governance ESA is used for Cybersecurity, Mobile Security, Cloud Security, IoT Security, Data Centre Security and Vendor Supplier Security (3rd Party). ESA is delivered using the international standards of: TOGAF, FAIR, Archimate, and COSMIC FFP; to manage the lifecycle of security (Strategy, Development, Implementation, Governance). ESA is also used to help organizations create their Security Department, and/or improve their Security Architecture and Risk Assessments. Finally, ESA can be used to implement individual Security Capabilities, thereby allowing organizations to focus upon those abilities that are most critical. Enterprise Security Architecture (ESA) This section provides a brief overview of each component of Enterprise Security Architecture (ESA): TRA/PIA, Threat Modeling, Security Controls, Risk Assessment and Security Debt. Please Note: the innovations developed by JVG Consulting to improve ESA are presented at the end of this topic. TRA/PIA Threat Risk Analysis and Privacy Impact Analysis are used to scope the potential Threats and Risks of all IT Assets (Apps, Data, Systems). It consists of a high-level model of the IT Assets under review and identifies where Vulnerabilities may exist within and across those IT Assets.
When stakeholders and projects need more details, they will progress to Threat Modeling. In some cases, Threat Modeling is undertaken in lieu of TRA/PIA.

Threat Modeling
Threat Modeling is the next step in Enterprise Security Architecture, after a TRA/PIA has been completed. It is performed at the logical and physical levels and is used to identify potential Threats to IT Assets and Data.

There are a number of approaches to Threat Modeling that hold sway in the marketplace today:
• Data Flow Diagrams (DFD)
• Process Flow Diagrams (PFD)
• Threat Centric
• Risk Centric

The most common approach to Threat Modeling is the use of Data Flow Diagrams, which focus upon the flow of corporate Data across IT Assets. Microsoft’s Threat Modeling Tool uses this approach.

Process Flow Diagrams, used by commercial tools like ThreatModeler, focus upon the processes that operate across IT Assets. Further, a repository of common Process Flows is available for use when you perform Threat Modeling of your project or application portfolio.

Both DFDs and PFDs have their proponents, and are typically used to analyze/design Applications.

A Threat Centric approach to Threat Modeling focuses upon potential Threats to IT Assets and Data, and is used to document Vulnerabilities.

A Risk Centric approach to Threat Modeling focuses upon those IT Assets and Data that have the greatest Risk if they are compromised, which in turn is used to determine the scope of the Threat Modeling.

The biggest criticism of typical Threat Modeling is that it is focused upon Applications and not the entire Technology Stack. Hence, potential threats at the infrastructure and platform layers are often overlooked, thereby creating opportunities for attack.

Finally, Attack Trees and Kill Chains can be used during Threat Modeling. However, their use tends to occur after a Breach.
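The following is an added example (not code from the original article, and not from Microsoft's Threat Modeling Tool or ThreatModeler) that shows, in Python, how the DFD and Risk Centric approaches above fit together: assets are tagged with a Technology Stack layer, a trust zone and a risk rating from the TRA/PIA, data flows between them are modelled, and only flows whose endpoints reach a chosen risk threshold are examined. It also reports which layers of the stack have no modelled asset at all, which is the gap the criticism above describes. All asset names, zones, ratings and the two threat checks are constructed for the example.

```python
"""DFD-style threat model with risk-centric scoping across the whole stack.

Added illustration; not code from the original article, from Microsoft's
Threat Modeling Tool or from ThreatModeler. Asset names, trust zones, risk
ratings and the two threat checks are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LAYERS = ("infrastructure", "platform", "application")


@dataclass(frozen=True)
class Asset:
    name: str
    layer: str   # one of LAYERS
    zone: str    # trust zone, e.g. "internet", "dmz", "internal"
    risk: int    # 1 (low) .. 5 (critical), taken from the TRA/PIA


@dataclass(frozen=True)
class DataFlow:
    source: str
    target: str
    data: str
    encrypted: bool
    authenticated: bool


@dataclass
class ThreatModel:
    assets: dict[str, Asset] = field(default_factory=dict)
    flows: list[DataFlow] = field(default_factory=list)

    def add_asset(self, asset: Asset) -> None:
        if asset.layer not in LAYERS:
            raise ValueError(f"unknown layer {asset.layer!r}")
        self.assets[asset.name] = asset

    def add_flow(self, flow: DataFlow) -> None:
        for name in (flow.source, flow.target):
            if name not in self.assets:
                raise KeyError(f"flow references unmodelled asset {name!r}")
        self.flows.append(flow)

    def crosses_trust_boundary(self, flow: DataFlow) -> bool:
        return self.assets[flow.source].zone != self.assets[flow.target].zone

    def candidate_threats(self, min_risk: int = 1) -> list[str]:
        """List threat candidates on flows whose endpoints reach min_risk
        (the risk-centric scoping step) and that cross a trust boundary."""
        findings = []
        for f in self.flows:
            endpoints_risk = max(self.assets[f.source].risk, self.assets[f.target].risk)
            if endpoints_risk < min_risk or not self.crosses_trust_boundary(f):
                continue
            if not f.encrypted:
                findings.append(f"{f.source}->{f.target}: {f.data} crosses a trust boundary in clear text")
            if not f.authenticated:
                findings.append(f"{f.source}->{f.target}: unauthenticated flow across a trust boundary")
        return findings

    def uncovered_layers(self) -> list[str]:
        """Layers of the Technology Stack with no modelled asset at all."""
        present = {a.layer for a in self.assets.values()}
        return [layer for layer in LAYERS if layer not in present]


def build_sample_model() -> ThreatModel:
    """Constructed application-only model: note that nothing at the
    infrastructure layer (network, hosts) was modelled."""
    tm = ThreatModel()
    tm.add_asset(Asset("browser", "application", "internet", 2))
    tm.add_asset(Asset("web_portal", "application", "dmz", 4))
    tm.add_asset(Asset("customer_db", "platform", "internal", 5))
    tm.add_asset(Asset("session_cache", "platform", "internal", 2))
    tm.add_flow(DataFlow("browser", "web_portal", "credentials", True, True))
    tm.add_flow(DataFlow("web_portal", "customer_db", "customer records", False, True))
    tm.add_flow(DataFlow("web_portal", "session_cache", "session tokens", False, False))
    return tm


if __name__ == "__main__":
    model = build_sample_model()
    for line in model.candidate_threats():
        print(line)
    print("layers not modelled:", model.uncovered_layers())
```

Raising `min_risk` narrows the review to the flows touching the most critical assets (the Risk Centric scoping), while `uncovered_layers()` is the check that stops an application-only model from passing silently.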
Security Controls
When most people think of security, they tend to think of specific security controls, such as Anti-Virus software. Security Controls exist at all layers of the Technology Stack (Infrastructure, Platform, and Application) and Environments (Cloud, ASP, Mobile, Hybrid, Public, Private and On-Premise).

There will typically be three (3) major categories for Security Controls:
• Intrusion Detection System (IDS)
• Intrusion Prevention System (IPS)
• Security Incident and Event Management (SIEM)

Each layer of the Technology Stack, and the IT Assets and Data contained within each layer, will have its own Intrusion Detection System (IDS). As the name implies, an IDS monitors the IT Asset (network, server, database, application, web portal, mobile device, etc.) for suspicious activity, which is flagged if it occurs. An example would be Anti-Virus software that monitors your system and identifies a Virus.

An Intrusion Prevention System (IPS), which also operates across the entire Technology Stack, will automatically take action to stop an attack or suspicious activity. An example would be Anti-Virus software that removes a Virus that is found on your system.

All organizations, even small businesses, should have a Security Incident and Event Management (SIEM) system or tool. The SIEM tool monitors the logs of all IT Assets and Data throughout the entire Technology Stack and will create an Alert when suspicious activity or an attack is found. Newer SIEM Tools will monitor in real-time, rather than just reading the logs of all IT Assets and Data. The SIEM Tool is the central console that manages the security for an organization and is used for Incident Response and Event Management. Examples of SIEM Tools are Splunk and OSSEC.

Risk Assessment
The Open Group’s Factor Analysis of Information Risk (FAIR) defines risk as the probable frequency and magnitude of future loss. Risk is derived from the combination of Threat Event Frequency, Vulnerability, Asset Value and Liability characteristics.

To be successful at Risk Assessment, a full Taxonomy of all IT Assets, Data and Security Controls is required so that an accurate evaluation can be performed. A missing, or incomplete, Taxonomy is known as Security (Technical) Debt, and will result in higher costs to perform a Risk Assessment.
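As an added example of the SIEM behaviour described above (not code from the original article, and not how Splunk or OSSEC implement their rules), the Python below reads log lines collected from several hosts and raises an Alert when one source address accumulates repeated failed logins across those hosts and then succeeds. A host-local IDS sees only its own lines; the value of the central SIEM console is that it can correlate across the whole Technology Stack. The log format, hostnames and addresses are constructed (the addresses come from the RFC 5737 documentation ranges).

```python
"""Toy SIEM correlation rule run over constructed log lines.

Added illustration; not code from the original article and not how Splunk or
OSSEC implement rules. The log format, hostnames and addresses (RFC 5737
documentation ranges) are made up for the example.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hosts. A host-local IDS would see only
# its own lines; the SIEM sees all of them and can correlate across hosts.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd auth=failure user=admin src=203.0.113.7
2024-03-01T10:00:03 web01 sshd auth=failure user=admin src=203.0.113.7
2024-03-01T10:00:05 db01 sshd auth=failure user=admin src=203.0.113.7
2024-03-01T10:00:06 db01 sshd auth=failure user=admin src=203.0.113.7
2024-03-01T10:00:08 web01 sshd auth=failure user=admin src=203.0.113.7
2024-03-01T10:00:09 db01 sshd auth=success user=admin src=203.0.113.7
2024-03-01T10:05:00 web02 sshd auth=failure user=alice src=198.51.100.4
2024-03-01T10:05:30 web02 sshd auth=success user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd auth=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str) -> list[dict]:
    """Turn raw lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def correlate(events: list[dict], threshold: int = 5,
              window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Alert when one source address accumulates `threshold` failed logins
    (across any hosts) within `window` and then succeeds anywhere."""
    failures = defaultdict(list)   # src -> [(ts, host), ...] inside the window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Drop failures that have aged out of the correlation window.
        recent = [(ts, host) for ts, host in failures[e["src"]] if e["ts"] - ts <= window]
        failures[e["src"]] = recent
        if e["result"] == "failure":
            recent.append((e["ts"], e["host"]))
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "failed logins followed by success",
                "src": e["src"],
                "user": e["user"],
                "success_host": e["host"],
                "failures": len(recent),
                "hosts": sorted({host for _, host in recent}),
                "ts": e["ts"].isoformat(),
            })
            failures[e["src"]] = []   # reset so one burst raises one alert
    return alerts


def detect(log_text: str = SAMPLE_LOGS, **rule_args) -> list[dict]:
    return correlate(parse(log_text), **rule_args)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

On the sample, the five failures against `admin` are split between `web01` and `db01`, so neither host on its own reaches the threshold; only the combined view raises the Alert, and the second user's single failure does not.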
Most organizations place the emphasis upon Security Controls for their IT Assets and Data when performing a Risk Assessment. However, what happens when a Security Control is breached and Customer Information is stolen? Focusing upon Security Controls alone provides an incomplete Risk Assessment.

A proper Risk Assessment leverages a Taxonomy of IT Assets, Data and Security Controls, and then evaluates the Economic Loss Magnitude and the Loss Event Frequency to determine Risk. The Economic Loss Magnitude is the Value of the IT Asset affected, and/or the Liability it introduces to an organization. The Loss Event Frequency is the probability of occurrence within a specific time-frame. There are also several sub-components of this Risk Factor that are used to determine the probability of occurrence.

Security (Technical) Debt
Technical Debt is the Cost of missing, incomplete or inaccurate documentation, design, code / configuration and rework of code / configuration for the entire Technology Stack of an organization. Security Debt is the Technical Debt of Security and relates to Security Controls, Threat Models, Assets, Data and Risk (as described above).

Security Debt occurs at the project, program, portfolio, operations and organization levels. However, the Cost of Security Debt is compounded by the Economic Loss Magnitude for the Assets and Data that are breached, or have a high probability of being breached.

One can approach resolving Security Debt by taking a Risk-based Approach: focus upon those IT Assets and Data that are most critical to the organization and build a Security Taxonomy for those Resources. To further accelerate the recovery from Security Debt, use a consistent, simple method for documenting all elements of the Security Taxonomy (Assets, Data, Controls, and Threat Models).
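The Python below is an added example (not code from the original article or from The Open Group) that ties the Risk Assessment and Security Debt sections together. It uses FAIR's top-level factoring, Loss Event Frequency = Threat Event Frequency × Vulnerability and Risk = Loss Event Frequency × Loss Magnitude, with single-point estimates in place of FAIR's calibrated ranges (a simplification assumed here). Entries in the Security Taxonomy that are missing controls, value, liability, frequency or vulnerability are reported as Security Debt, and those entries are queued for recovery by the criticality rating from the TRA/PIA, which is the Risk-based Approach described above. Asset names and figures are constructed.

```python
"""FAIR-style risk calculation over a Security Taxonomy, with Security Debt
detection.

Added illustration, not code from the original article or from The Open
Group. It uses FAIR's top-level factoring, Loss Event Frequency = Threat Event
Frequency x Vulnerability and Risk = Loss Event Frequency x Loss Magnitude,
with single-point estimates instead of FAIR's calibrated ranges (an
assumption made for brevity). Asset names and figures are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class TaxonomyEntry:
    asset: str
    data: str
    criticality: int                        # 1..5 from the TRA/PIA; drives debt recovery order
    controls: tuple[str, ...] = ()          # Security Controls protecting the asset
    asset_value: Optional[float] = None     # replacement / business value
    liability: Optional[float] = None       # regulatory and contractual exposure if breached
    tef: Optional[float] = None             # Threat Event Frequency, events per year
    vulnerability: Optional[float] = None   # P(a threat event becomes a loss event), 0..1


REQUIRED_FIELDS = ("controls", "asset_value", "liability", "tef", "vulnerability")


def security_debt(entry: TaxonomyEntry) -> list[str]:
    """Taxonomy fields that are missing: this is the entry's Security Debt."""
    missing = []
    for name in REQUIRED_FIELDS:
        value = getattr(entry, name)
        if value is None or value == ():
            missing.append(name)
    return missing


def loss_event_frequency(entry: TaxonomyEntry) -> float:
    return entry.tef * entry.vulnerability


def loss_magnitude(entry: TaxonomyEntry) -> float:
    return entry.asset_value + entry.liability


def annualized_risk(entry: TaxonomyEntry) -> Optional[float]:
    """Expected annual loss, or None when debt makes the estimate impossible."""
    if security_debt(entry):
        return None
    return loss_event_frequency(entry) * loss_magnitude(entry)


def assess(entries: list[TaxonomyEntry]):
    """Rank complete entries by risk; list debt-blocked entries by criticality."""
    ranked = sorted((e for e in entries if not security_debt(e)),
                    key=annualized_risk, reverse=True)
    blocked = sorted((e for e in entries if security_debt(e)),
                     key=lambda e: e.criticality, reverse=True)
    return ([(e.asset, annualized_risk(e)) for e in ranked],
            [(e.asset, security_debt(e)) for e in blocked])


def sample_taxonomy() -> list[TaxonomyEntry]:
    """Constructed taxonomy: two complete entries, two carrying Security Debt."""
    return [
        TaxonomyEntry("customer_db", "PII", 5, ("disk encryption", "IDS"),
                      500_000, 2_000_000, 2.0, 0.25),
        TaxonomyEntry("web_portal", "session data", 4, ("WAF", "IPS"),
                      200_000, 100_000, 8.0, 0.125),
        TaxonomyEntry("hr_share", "employee records", 3, (), 50_000, None, None, 0.5),
        TaxonomyEntry("legacy_ftp", "partner uploads", 5),
    ]


if __name__ == "__main__":
    ranked, blocked = assess(sample_taxonomy())
    for asset, risk in ranked:
        print(f"{asset}: expected annual loss {risk:,.0f}")
    for asset, debt in blocked:
        print(f"{asset}: cannot assess, Security Debt in {debt}")
```

The recovery queue puts `legacy_ftp` (criticality 5, nothing documented) ahead of `hr_share`: debt on the most critical assets is paid first, and each entry moves into the ranked list as soon as its taxonomy is complete.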
Innovations by JVG Consulting
Organizations that undertake Enterprise Security Architecture, as defined in the above-mentioned article, will find the cost to be prohibitive. Consequently, these organizations will create more Security Debt and Risk for themselves.

At JVG Consulting, we have taken the international standards used for Enterprise Security Architecture (ESA) and have applied Lean Principles, Techniques and Tools to reduce the cost and increase the speed of delivery for Enterprise Security Architecture (ESA). Consequently, our re-factored and lean approach implements Enterprise Security Architecture (ESA) using the following components:
• Threat Use Case Modeling© – TRA/PIA and Threat Modeling
• Threat Costing© – Asset Valuation and Economic Loss Magnitude
• Threat Debt© – Risk-Based Recovery of Security Debt
• Threat Risk© – Risk Assessment of Projects, Programs and Portfolios
• Threat Control© – Security Controls for IT Assets and Data
• Continuous Security© – pluggable Security Capability: Standalone or part of DevOps