Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
TOGAF 9 - Security Architecture Ver1 0



Enterprise Security Architecture for Cyber Security

Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Enterprise Security Architecture for Cyber Security

  1. 1. The South African EA Forum Signup form for The Open Group – South Africa Twitter: @EAforumSA #ogza Chat to Stuart if you are keen to present or would like to join The Open Group Follow the EA Forum on Twitter… Our upcoming events Join the forum’s subscriber list
  2. 2. Leading the development of open, vendor-neutral IT standards and certifications
  3. 3. EMMM Forum publishes a new exploration and mining capability map
  4. 4. Cyber Security is one of the major challenges facing organisations within all industries. Maganathin Veeraragaloo, Solutions Architect - Security at T-Systems, will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) with the aim of creating an overall architectural view of the organisation, mitigating cyber security risks using Enterprise Security Architecture, and maintaining a secure business environment. Maganathin Veeraragaloo is an Enterprise Security Architect with over seventeen years IT experience across various industries. He is TOGAF 8 certified and holds a BSc Honours degree in Computer Science from the University of KwaZulu Natal. Enterprise Security Architecture for Cyber Security
  5. 5. Enterprise Security Architecture for Cyber Security Maganathin Marcus Veeraragaloo 5th September 2013
  6. 6. Outline • Cyber Security • TOGAF and SABSA • Enterprise Security Architecture Framework
  7. 7. Cyber Security What is Cyber Security? How is Cyber Security related to information security? How do I protect my company from hackers? The Four Types of Security Incidents 1. Natural Disaster 2. Malicious Attack (External Source) 3. Internal Attack 4. Malfunction and Unintentional Human Error Information security - the "preservation of • confidentiality, • integrity and • availability of information" (ISO/IEC 27001:2005); "Cyber Security is to be free from danger or damage caused by disruption or fall-out of ICT or abuse of ICT. The danger or the damage due to abuse, disruption or fall-out can be comprised of a limitation of the availability and reliability of the ICT, breach of the confidentiality of information stored in ICT or damage to the integrity of that information.” (The National Cyber Security Strategy 2011, Dutch Ministry of Security and Justice)
  8. 8. Cyber Security (ISO/IEC 27000:2009) (BS 25999-2:2007). (ISO/IEC 27001:2005); Managing Risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management, or legal in nature
  9. 9. Cyber Security in South Africa Source: SA-2012-cyber-threat (Wolf Pack) [ 2012/2013 The South African Cyber Threat Barometer]
  11. 11. SABSA Meta Model
  12. 12. SABSA Matrix
  13. 13. SABSA Life Cycle In the SABSA Lifecycle, the development of the contextual and conceptual layers is grouped into an activity called Strategy & Planning. This is followed by an activity called Design, which embraces the design of the logical, physical, component, and service management architectures. The third activity is Implement, followed by Manage & Measure. The significance of the Manage & Measure activity is that once the system is operational, it is essential to measure actual performance against targets, to manage any deviations observed, and to feed back operational experience into the iterative architectural development process.
  14. 14. SABSA Business Attribute
  15. 15. SABSA Operational Risk Model
  16. 16. A Central Role for Requirements Management Linking the Business Requirements (Needs) to the Security Services – which TOGAF does in the “Requirements Management” Phase and SABSA does via the Business Attributes Profile. These Artefacts needs to be linked to ensure traceability from Business Needs to Security Services.
  17. 17. Requirements Management in TOGAF using SABSA Business Attribute Profiling Business Attribute Profiling: This describes the level of protection required for each business capability (see Business Attribute Profiling earlier in this paper). • Requirements Catalog: This stores the architecture requirements of which security requirements form an integral part. The Business Attribute Profile can form the basis for all quality requirements (including security requirements) and therefore has significant potential to fully transform the current TOGAF requirements management approach. •Business and Information System Service Catalogs: TOGAF defines a business service catalog (in Phase B: Business Architecture) and an information system service catalog (Phase C: Information Systems Architecture). The creation of the information system services in addition to the core concept of business services is intended to allow more sophisticated modelling of the service portfolio. • The Security Service Catalog: As defined by the SABSA Logical Layer, this will form an integral part of the TOGAF Information System Service Catalogs.
  18. 18. The Business Attribute Profile Mapped onto the TOGAF Content Metamodel
  19. 19. SABSA Lifecycle and TOGAF ADM
  20. 20. Mapping TOGAF and SABSA Abstraction Layers
  21. 21. Mapping of TOGAF to SABSA Strategy & Planning Phase As the SABSA phases extend beyond the core phases of the TOGAF ADM, the scoping provided by the SABSA Domain Model extends beyond these core phases of TOGAF, both in terms of solution design and system and process management during the operational lifecycle.
  22. 22. Overview of Security-Related Artifacts in the TOGAF ADM
  23. 23. Preliminary Phase – Security Artifacts
  24. 24. Phase A – Architecture Vision – Security Artifacts
  25. 25. Phase B – Business Architecture– Security Artifacts
  26. 26. Phase C – Information Systems Architecture– Security Artifacts
  27. 27. Phase D – Technology Architecture– Security Artifacts
  28. 28. Phase G – Implementation Governance– Security Artifacts
  29. 29. Phase H – Architecture Change Management– Security Artifacts
  31. 31. Service models  Cloud (XaaS)  Hosting  Managed Service  Monitoring Frameworks  ISO 27002  NIST  ISF Requirements  national/intern. law  industries  SOX, PCI DSS…  customers Service types  Desktop  Communication  Collaboration  Computing LogonLogonLogon Service Provider ICT service providers must consider the whole market. Four dimensions to put in one line.
  32. 32. ICT service providers must consider the whole market. Four elements of our “architecture”. 4) mapping model to demonstrate fulfillment of all types of security requirements 3) hierarchy of security standards delivering information on each level of detail 2) modular and structured approach that serves all possible models and offerings 1) produce standardized security measures for industrialized ICT production Enterprise Security Architecture » shaping the security of ICT service provisioning « deliver assurance to customers and provide directions for production
  33. 33. requirements identification requirements consolidation conception, integration operations, maintenance Corporate Governance, Risk, & Compliance customer requirements (Automotive, Finance, Public, …) partially overlap standard options full custom no-go industrialized services (established platforms and processes) customer-specific services From requirements to ICT services. Standardization is key.
  34. 34. Framework for Enterprise Security Architecture impact analysis for non-framework requirements Framework for ESARIS Enablement (ISMS)  security management process and reference model (mainly ISO 27001) Enforcement (Practices)  controls / techniques (mainly ISO 27002)  specific standards Requirements (corporate and customer) Enterprise Security Architecture industrialized ESA Services  processes including roles for new business, changes and operational services  technology platform  evidence (monitoring, analytics and reporting) custom services (specific service and realization for a customer)
  35. 35. Framework for ESARIS. The Enablement Framework with ISMS activities. Define scope and ISMS policy Define risk assessment approach Identify risks, derive control obj. & controls Approve residual risks Draw up statement of applicability (SoA) Implement risk handling plan & controls Define process for monitoring the effectiveness of controls Develop security awareness Monitoring & review security incidents Review risk assessment approach Implement appropriate corrective and preventative controls Communicate activities & improvements Ensure improvements achieve targets P1 P2 P3 P4 P5 D1 D2 D3 Lead ISMS and steer fundsD4 Implement methods to identify / handle security incidentsD5 C1 Evaluate effectiveness of the controls implemented C2 C3 Perform and document ISMS audits C4 Carry out management evaluations C5 Implement identified improvements in ISMS A1 A2 A3 A4 Activities of the Enablement Framework
  36. 36. Considering: plan – build – run. Sales, Service, Production, (SI).  Bid, Transition, Transformation  Set-up for operations  Major Changes New Business & Major Changes (Project Business)  Service Delivery Management  Provide industrialized and customer specific ICT Services  Evidence Operations (Daily Business)  Define Offering and SDEs  Initial set-up of ESA (creation and extension)  Maintenance of ESA (improvements) ESA Platform EnterpriseSecurityArchitecture forICTServices ESA reflects three types of business: Customer Projects – Operations – Platform Preparation
  37. 37. ESA Dimensions. How?Standards 3 Who?Rolesetc. 2  Define Offering and Service Delivery Elements  Initial set-up of ESA  Maintenance ESA Technology Platform  Bid, Transition, Transformation  Set-up for operations  Major Changes New Business & Change (Project Business)  Service Delivery Management  Provide ICT Services  Evidence Operations (Daily Business) What?Workareas 1
  38. 38. Cooperation: implementation of roles. Customer projects, portfolio, and operations. Security Manager Customer ICT SRC Manager Security Architects and Experts (engineering) Customer Security Manager Operations Manager Operations Personnel step-by-step transfer of business Project (bid, transition, transformation) Operations (CMO+FMO) requirements requirements governance Offering Manager
  39. 39. Corporate and product security incorporated in one hierarchy. Corporate Security Rule Base Corporate Security Policy ICT Security Standards ICT Security Principles ICT Security Baselines Refinement Pyramid of Standards Requirements for ICT Service Provisioning (“product security”) ISO 27001 Certificate Detailed customer inquiry Software settings, configuration Examples Certification and Audit Security Measures Security Implementation
  40. 40. Customer Requirements R1 R2 R3 R4 R5 C1 C2 C3 C4 C5 C6 C7 Set of Controls (contractual ) Requirements are met (Suitability) Controls of ESA and its ICT Security Standards Demonstrating that customer requirements are met. Service type:  Desktop  Communication  Collaboration  Computing
  41. 41. Evidenceand CustomerRelation ServiceManagement Wide Area Network Security Customer and users Data center User LAN Periphery Remote User Access User Identity Management Mobile Work- place Security Office Work- place Security Corporate Provider Access Gateway and Central Services Provider Identity Management Data Center Security Data Center Networks Computer Systems Security Application and AM Security VM and S/W Image Mngt. Database and Storage Security Operations Support Security Networks Asset and Configu- ration Management Business Continuity Management Security Patch Management Hardening, Provisio- ning & Maintenance Change and Problem Management Customer Communi- cation and Security System Development Life-Cycle Systems Acquisition and Contracting Risk Management Logging, Monitoring & Security Reporting Incident Handling and Forensics Vulnerability Assessment, Mitigation Plan Release Mngt. and Acceptance Testing Certification and 3rd Party Assurance Administration Network Security Security Taxonomy.
  42. 42. Meta Model Queries, Analysis, Portfolios, etc. Meta-Model Overview Stakeholder Views “Model World” Architecture Repository “Real World” Enterprise applications teams & information Industry Glossaries Industry Reference Models Application Models Application Glossaries “Meta-Model” Common Language “Standardized” Content, e.g. business processes, applications etc. “Integrated and consistent Views” Stakeholder specific views & reports
  43. 43. ICT Security Services and Solutions. Enterprise Security Management Identity and Access Management ICT Infrastructure Security  Architecture and Processes  Applications, Risk and Compliance  Security and Vulnerability Management  Users and Identities  Smart Cards  Trust Centers Business Enablement Enabling the managed use of ICT resources and IT applications with digital identities, roles and rights. Business Integration Embedding security in processes, defining goals and responsibilities, ensuring good governance and compliance.  Workplace, Host and Storage Security  Network Security  Physical Security Business Protection Defending from hostile action: protecting networks, IT applications, data and building security
  44. 44. Security measures. How do we adjust the appropriate security level. Risk management and business case Incidents, care and compliance: “do more!” Business and economies: “do less!” + I Experience and lessons learnt from customer projects
  45. 45. If you have one last breath use it to say...
  • short_tounge

    May. 4, 2021
  • FaheemFah

    Dec. 20, 2020
  • TahirJamil28

    Dec. 19, 2020
  • shaq123

    Dec. 17, 2020
  • NarendraSalvankar

    Jul. 31, 2020
  • amr_said77

    Jul. 22, 2020
  • RaoYrk

    May. 15, 2020
  • dcomrpc

    Mar. 9, 2020

    Jan. 14, 2020
  • DaveDhar1

    Dec. 7, 2019
  • EmilyBarr

    Oct. 18, 2019
  • psingh254

    Sep. 4, 2019
  • opexxx

    Aug. 30, 2019
  • akil2224

    Jul. 9, 2019
  • AnbunarthanarajanSel

    Jul. 6, 2019
  • JasonAboudPMP

    Apr. 30, 2019
  • 060481

    Mar. 28, 2019
  • PatMcCarthy1

    Mar. 18, 2019
  • RonnyStavem

    Dec. 11, 2018
  • samis

    Oct. 24, 2018

Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework. Download this presentation at


Total views


On Slideshare


From embeds


Number of embeds