SlideShare a Scribd company logo
1 of 75
Download to read offline
Solution Architecture And
Solution Security
Alan McSweeney
http://ie.linkedin.com/in/alanmcsweeney
https://www.amazon.com/dp/1797567616
Introduction, Purpose And Scope
• These notes describe an approach to embedding security
within the technology solution landscape
• They describe a security model that encompasses the
range of individual solution components up to the entire
solution landscape
March 8, 2022 2
Topics
• Core And Extended Solution Security Model
• Solution And Technology Risks
• Solution Zone Types and Zones
• Solution Component Types And Components
• Security Standards And Controls
• Operational Solution Entity Types And Solution Zones
• Operational Solution Entities And Security Controls
March 8, 2022 3
Proposed Core Solution Security Model
March 8, 2022 4
Solution
Component
Types
Solution
Components
Solution
Solution Zones
Solution
Zone Types
Solution
Topology
Security
Standards
And Controls
Solution Consists Of
Multiple Components
Each Solution
Component
Has A Type
Solution Exists
Within A
Topology Of
Many Solutions
Solution Components
Are Located In Solution
Zones
Each Solution
Zone Has A Type
Different Solution
Standards And
Controls Apply To
Solution Zones
Solution
Operational
Entity
Solution
Operational
Entity Type
Deployed
Solution
Consists Of
Multiple
Operational
Entities
Each Solution
Operational
Entity Has A Type
Solution Operational Entities
Are Located In Solution Zones
Security
Controls Apply
To Solution
Components
Security Controls Apply To
Solution Operational Entities
Some Solution
Components
Become
Deployed
Operational
Entities
Proposed Core Solution Security Model
• Proposed solution security model allows the security status of a
solution and its constituent delivery and operational components to
be tracked wherever those components are located
• Core solution security model is essential a static record
• Provides an integrated approach to solution security across all
solution components and across the entire organisation topology of
solutions
• Model is a balance between simplicity, ease of use, level of detail and
utility
• Allows solution security to be analysed and reported on
• Enables the solution architect to validate the security of an individual
solution
• Enables the security status of the entire solution landscape to be
assessed and recorded
March 8, 2022 5
Proposed Extended Solution Security Model
March 8, 2022 6
Solution
Component
Types
Solution
Components
Solution
Solution Zones
Solution
Zone Types
Solution
Topology
Security
Standards
And Controls
Solution Consists Of
Multiple Components
Each Solution
Component
Has A Type
Solution Exists
Within A
Topology Of
Many Solutions
Solution Components
Are Located In Solution
Zones
Each Solution
Zone Has A Type
Different Solution
Standards And
Controls Apply To
Solution Zones
Solution
Operational
Entity
Solution
Operational
Entity Type
Deployed
Solution
Consists Of
Multiple
Operational
Entities
Each Solution
Operational
Entity Has A Type
Solution Operational Entities
Are Located In Solution Zones
Security
Controls Apply
To Solution
Components
Security Controls Apply To
Solution Operational Entities
Some Solution
Components
Become
Deployed
Operational
Entities
Security Control
Activities
And Events
Security Control
Activity
Implementation
Status
Security
Control
Activity Type
Security
Control
Activities
Security
Controls Have
Activities
Security
Controls
Activities
Have A
Type
Security Controls Activities
Have An Implementation
Status
There Can Be Events Linked
To Security Controls Activities
Proposed Extended Solution Security Model
• Model can be extended to hold the activities defined for
each security control and to hold information on events
relating to security controls and activities
• Extended solution security model introduces some
dynamic data
March 8, 2022 7
What Are We Protecting Against?
• Unauthorised access to solution functionality and its data
involves some or all of:
March 8, 2022 8
• Getting the solution to do something it
should not
• Stopping the solution from working as it
should or enabling it to be bypassed
• Getting consumers of the solution to perform
actions they should not
• Gaining unauthorised access to the solution
as a solution consumer
• Getting the data held in the solution
• Damaging the solution to prevent its use
• Denying access to the solution
• Using the solution as a gateway to other
organisation solution and data assets
• Stealing data to sell
or holding for
ransom
• Collecting ransom
before application or
data restored
• Using the application
to steal money
• Causing reputational
damage
• Stealing intellectual
property
• Putting the company
out of business
With
The
Aims Of
New Technology And New Risks
March 8, 2022 9
Solution
Security
Dispersed
Operational
Solution
Landscape
New
Unfamiliar
Technologies
Error Prone
Technology
Deployment
And Operation
No Single
Pane Of
Glass Showing
Security
Status
Increasing
Number
Of Threats
Reduced
Skills
More Solution
Entry Points
Greater
Complexity
And
Fragility
New Technology And New Risks
• New solution security concerns are continually arising, adding to the
threat landscape
− New solution design, deployment and operating models
− Distributed solution components, distributed solution consumer base,
distributed access with many interfaces, integration points and data flows
− Greater involvement of third-parties and their platforms whose operational
security models and practices are being inherited
− Complexity with multiple handoffs gives rise to gaps in end-to-end view and
knowledge leading to risks
• New technologies introduce new risks, direct and indirect
− Lack of familiarity with technology increases the likelihood of exploitable
mistakes and errors
− New technology is less proven and contains more exploitable errors
− Greater range of solution entry points increases risk
− Exposure of solutions to consumers outside the organisation increases risk
− Human risk factors weaken overall security
• Solution risk and security status is becoming harder to track
March 8, 2022 10
From …
March 8, 2022 11
Solution
Central Data
Store
Solution
Central
Application
Component
Solution API
Solution
Central
Infrastructure
Solution
Hosted
Infrastructure
Solution
Internal
Consumers
Solution
External
Private
Consumers
Solution
Hosted Data
Store
Solution
Hosted
Application
Component
Solution
Hosted
Analytics
Access and
Security
Infrastructure
Central To
Hosting
Facility
Connectivity
Solution
External Public
Consumers
Solution
Mobile App
To …
• Increasing solution landscape complexity and diversity gives rise to implicit and
explicit risks
March 8, 2022 12
Solution
Central Data
Store
Solution
Central
Application
Component
Solution API
Solution
Central
Infrastructure
Solution
Hosted
Infrastructure
Solution
Internal
Consumers
Solution
External
Private
Consumers
Solution
Hosted Data
Store
Solution
Hosted
Application
Component
Solution
Hosted
Analytics
Access and
Security
Infrastructure
Central To
Hosting
Facility
Connectivity
Solution
External Public
Consumers
Solution
Mobile App
Illusion Of The Solution Cocoon
• Solutions do not always exist in
a security cocoon provided by a
range of infrastructural
components, protected from all
malicious actors and actions
that repel all attempts to
penetrate the solution
• Individual solutions must be
aware of their security
requirements and ensure they
are in place
− Take individual solution
responsibility
− Do not make any assumptions on
what security is available
− Perform due diligence on
available and operational security
infrastructure
− Identify and address solution-
specific security needs
March 8, 2022 13
Solution
And Its
Components
Illusion Of The Solution Cocoon
• Operational solution components can reside in multiple
locations subject to different sets of security infrastructure,
making the problem of solution security all the greater
March 8, 2022 14
Solution Security Is A “Wicked Problem*”
• Solution security is a wicked problem because there is no
certainly about when the problem has been resolved and a
state of security has been achieved
• The security state of a solution can just be expressed along
a subjective spectrum of better or worse rather than a
binary true or false
March 8, 2022 15
* Dilemmas in a General Theory of Planning, Horst Wittel and Melvin Webber
https://urbanpolicy.net/wp-content/uploads/2012/11/Rittel+Webber_1973_PolicySciences4-
2.pdf
Wicked Problem Characteristics And Solution
Security
March 8, 2022 16
Characteristics of Wicked Problems Application to Solution Security
There is no definite formulation of wicked problems.There is no certainly about when security has been fully achieved.
Wicked problems have no stopping rule. There is no stopping rule that states security has been fully achieved if a
defined set of activities and controls have been performed and
implemented.
Solutions to wicked problems are not true or false,
but good or bad
The security state of a solution can just be expressed along a spectrum of
better or worse rather than a binary true or false.
There is no immediate or ultimate test for solutions. The security of a solution is difficult, if not impossible, to establish.
Proving the certainty of a negative can be unachievable.
All attempts to solutions have effects that may not
be reversible.
Implementing solution security impacts the operation and use of the
solutions themselves.
Wicked problems have no clear solution, and
perhaps not even a set of possible solutions.
There is no one security solution but a combination of interrelated and
layers security components.
Every wicked problem is essentially unique. There is no one standard solution template to security.
Every wicked problem may be a symptom of
another problem.
Solution security is only a subset of wider organisation security. Lack of
security is a potential problem that has to be exploited for the problem
to become real. It is difficult for individual solutions to be secure if an
organisation security foundation and framework are not in place.
There are multiple explanations for the wicked
problem.
Solution security can be defined in many ways.
The planner (or policy-maker) has no right to be
wrong.
Failure to implement effective solution security can lead to very serious
negative consequences to getting it wrong leads to blame but getting it
right does not lead to any praise.
Solution Security Negative Outcomes
• Solution security can have negative consequences:
prevents types of access, limits availability in different
ways, restricts functionality provided, makes solution
harder to use, lengthens solution delivery times, increases
costs along the entire solution lifecycle, leads to loss of
usability, utility and rate of use
• Security requirements and standards may discourage
security, leading to bypass and circumvention actions
• Complex security arrangements may give the illusion of
security that does not exist in reality
March 8, 2022 17
Solution Inheritance Of Security Infrastructure
• Individual solutions must be able to inherit security controls, facilities and
standards from common enterprise-level controls, standards, toolsets and
frameworks.
• Individual solutions must not be forced to implement individual
infrastructural security facilities and controls
− This is wasteful of solution implementation resources, results in multiple non-
standard approaches to security and represents a security risk to the organisation
• Solution architects must be aware of the need for solution security and of
the need to have enterprise-level controls that solutions can adopt.
• The extended solution landscape potentially consists of a large number of
interacting components and entities located in different zones, each with
different security profiles, requirements and concerns
− Different security concerns and therefore controls apply to each of these
components
• Solution security is not covered by a single control
− It involves multiple overlapping sets of controls providing layers of security
March 8, 2022 18
Security Model And Inheritance Of Security Controls
• Defining a security model and set of solution zone and
operational entity controls allows the existence of and the
solution inheritance of security controls to be validated
and potential security gaps to be identified
March 8, 2022 19
Solution Architecture And Interfaces With Other IT
Architecture Disciplines
• The solution architecture discipline must work with other IT architecture disciplines,
including security architecture
• Enterprise architecture needs to embed security into the organisation’s overall IT
architecture
March 8, 2022 20
Enterprise Architecture
Information and Data Architecture
Application
Architecture
Business
Architecture
Technical
Architecture
Solution
Architecture Service
Architecture
Security
Architecture
Overall Architecture Framework Security
Standards
Service Operation
and Support
Data
Architecture
Infrastructure
Architecture
Business
Context
Business
Process,
Products
Solution Zone Types and Zones
March 8, 2022 21
Solution
Component
Types
Solution
Components
Solution
Solution Zones
Solution
Zone Types
Solution
Topology
Security
Standards
And Controls
Solution Consists Of
Multiple Components
Each Solution
Component
Has A Type
Solution Exists
Within A
Topology Of
Many Solutions
Solution Components
Are Located In Solution
Zones
Each Solution
Zone Has A Type
Different Solution
Standards And
Controls Apply To
Solution Zones
Solution
Operational
Entity
Solution
Operational
Entity Type
Deployed
Solution
Consists Of
Multiple
Operational
Entities
Each Solution
Operational
Entity Has A Type
Solution Operational Entities
Are Located In Solution Zones
Security
Controls Apply
To Solution
Components
Security Controls Apply To
Solution Operational Entities
Some Solution
Components
Become
Deployed
Operational
Entities
Solution Zones
• Solution zones are locations where groups of closely related solution
components reside
• They represent containers for solution components
• Zones are located within the wider physical solution landscape
• Each zone and the components it holds have different security
requirements
• Not all solutions will have components in all zone and not all
organisations will have all the zone types
• The solution and its constituent components can span multiple
different zones of the same type
• The zone approach is useful way of representing the entirety of a
solution, its constituent components, their connectivity, linkages and
interactions
• You will have different levels of control over different solution zones
(including no control)
March 8, 2022 22
Sample Solution Zone Types
March 8, 2022 23
Sample Solution Zone Types
March 8, 2022 24
Sample Solution Zone Types
Zone Description
Insecure External Organisation
Presentation And Access
Where publicly accessible or accessing entities reside. These entities are
regarded as insecure and/or untrusted.
Secure External Organisation
Participation and Collaboration
Outside the physical organisation boundary where entities that are provided by
or to trusted external parties reside
Secure External Organisation Access Contain entities that enable secure access or are securely accessible from
outside the organisation
Organisation Contain the entities within the organisation boundary and contains all the
locations, business units and functions within it
Central Solutions and Access Contains the solution entities and their data
Solution Zone Contains the solution entities
Data Zone Zone within the organisation where data is segregated for security
Remote Business Unit Solutions and
Access
Remotely located organisation business unit or location and the entities it
contains
Workstation Zone Zone within the organisation where users accessing data and solutions are
segregated for security
Outsourced Service Provider Solutions
and Access
Contains solutions provided by and located in facilities provided by outsourced
partners
Cloud Service Provider Solutions and
Access
Contains solutions - platform, infrastructure and service - provided by and
located in cloud service providers
Co-Located Solutions and Access Contains solutions the organisation has located in facilities provided by co-
location providers
March 8, 2022 25
Solution Component Types And Components Solution
Component
Types
Solution
Components
Solution
Solution Zones
Solution
Zone Types
Solution
Topology
Security
Standards
And Controls
Solution Consists Of
Multiple Components
Each Solution
Component
Has A Type
Solution Exists
Within A
Topology Of
Many Solutions
Solution Components
Are Located In Solution
Zones
Each Solution
Zone Has A Type
Different Solution
Standards And
Controls Apply To
Solution Zones
Solution
Operational
Entity
Solution
Operational
Entity Type
Deployed
Solution
Consists Of
Multiple
Operational
Entities
Each Solution
Operational
Entity Has A Type
Solution Operational Entities
Are Located In Solution Zones
Security
Controls Apply
To Solution
Components
Security Controls Apply To
Solution Operational Entities
Some Solution
Components
Become
Deployed
Operational
Entities
March 8, 2022 26
Solution Components
• The functional and operational design of any solution and
therefore its security will include many of these components,
including those inherited by the solution or common
components used by the solution
• When creating the end-to-end solution design the solution
architect should identify all the required solution components
• The complete solution security view should refer explicitly to
the components and their controls
• While each individual solution should be able to inherit the
security controls provided by these components, the solution
design should include explicit reference to them for
completeness and to avoid unvalidated assumptions
• There is a common and generalised set of components, many of
which are shared, within the wider solution topology that
should be considered when assessing overall solution security
March 8, 2022 27
Solution Is The Sum Of Its Components
• The solution is a window to its constituent components
• Solution consumers experience the totality of the solutions
March 8, 2022 28
Solution Components Classes
• Time-Bounded Delivery Entity Types
− Time-bounded sets of work required to get the solution fully
operational
• Enduring Operational Technology Entity Types
− Operational instrumentation and tool components required for
the solution to operate
• Enduring Process, Procedure and Structural Entity Types
− Organisation and process changes required to use the solution
optimally
March 8, 2022 29
Solution Components Classes And Types
March 8, 2022 30
Solution Components
Time-Bounded Delivery Entity
Types
Sets of Installation and
Implementation Services
Existing Data Conversions/
Migrations
New Data Loads
Parallel Runs
Enhanced Support/ Hypercare
Enduring Operational
Technology Entity Types
Changes to Existing Systems
New Custom Developed
Applications
Acquired and Customised Software
Products
System Integrations/ Data
Transfers/ Exchanges
Reporting and Analysis Facilities
Information Storage Facilities
Central, Distributed and
Communications Infrastructure
Application Hosting and
Management Services
Enduring Process, Procedure
and Structural Entity Types
Cutover/ Transfer to Production And
Support
Operational Functions and
Processes
Sets of Maintenance, Service
Management and Support Services
Changes to Existing Business
Processes
New Business Processes
Organisational Changes, Knowledge
Management
Training and Documentation
Solution With Consist Of Multiple Instances Of Solution
Component Types
March 8, 2022 31
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Component
Changes to Existing Systems
New Custom Developed
Applications
Acquired and Customised Software
Products
System Integrations/ Data
Transfers/ Exchanges
Reporting and Analysis Facilities
Sets of Installation and
Implementation Services
Information Storage Facilities
Existing Data Conversions/
Migrations
New Data Loads
Central, Distributed and
Communications Infrastructure
Cutover/ Transfer to Production And
Support
Operational Functions and
Processes
Parallel Runs
Enhanced Support/ Hypercare
Sets of Maintenance, Service
Management and Support Services
Application Hosting and
Management Services
Changes to Existing Business
Processes
New Business Processes
Organisational Changes, Knowledge
Management
Training and Documentation
Solution Topography
• Irrespective of whether the solution is hosted inside or outside the organisation, it
will still need to operate in a solution topography consisting of a number of logical
layers
• This topography is important as its implicitly or explicitly delineates borders to what
is feasible
March 8, 2022 32
Common Service Management
Processes and Standards – solution
support, service level management
Common Financial
Management Processes and
Standards – solution cost and
asset management
Common Enterprise Architecture
Standards – compliance with
organisation technology standards
and principles
Common Security and
Regulatory Compliance
Architecture – integration of
solution into overall security
standards and operations
Common Data Architecture –
integration of solution data into the
organisation data model and access
to solution data, compliance with
data regulations and standards
Business Process and
Organisation Structure –
business processes and
organisation functions that use
the solution
Extended Solution Landscape With
Integration With Other Solutions –
solution support, service level
management, integration, data
exchange
Individual Solution
Landscape – set of
components that comprise
the overall solution
Solution Topography
• Individual solutions do not exist in isolation even through
they may be acquired or implemented separately
• The organisation’s operation solution landscape consists of
many individual solutions located across many different
solution zones
March 8, 2022 33
Solution Topography
March 8, 2022 34
Extended Solution Landscape With
Integration With Other Solutions
Individual Solution Landscape
Business Process and Organisation Structure
Common Data Architecture
Common Security and Regulatory Compliance Architecture
Common Enterprise Architecture Standards
Common Financial Management Processes and Standards
Common
Service
Management
Processes
and
Standards
Security Standards And Controls Solution
Component
Types
Solution
Components
Solution
Solution Zones
Solution
Zone Types
Solution
Topology
Security
Standards
And Controls
Solution Consists Of
Multiple Components
Each Solution
Component
Has A Type
Solution Exists
Within A
Topology Of
Many Solutions
Solution Components
Are Located In Solution
Zones
Each Solution
Zone Has A Type
Different Solution
Standards And
Controls Apply To
Solution Zones
Solution
Operational
Entity
Solution
Operational
Entity Type
Deployed
Solution
Consists Of
Multiple
Operational
Entities
Each Solution
Operational
Entity Has A Type
Solution Operational Entities
Are Located In Solution Zones
Security
Controls Apply
To Solution
Components
Security Controls Apply To
Solution Operational Entities
Some Solution
Components
Become
Deployed
Operational
Entities
Operational Security Controls
• Security controls represent a set of infrastructural facilities
and associated processes designed to provide a
comprehensive and overlapping set of security protection
and defence
− Security is not achieved by one control but by layers of controls
• Security controls can be used as a checklist during solution
design prior to operational acceptance testing to ensure
that the solution and its operating environment is security
compliant
• Security controls must be realistic and achievable to assess,
implement and operate
− Complexity is the enemy of effectiveness and usefulness
March 8, 2022 36
Operational Security Controls
March 8, 2022 37
Operational Security Controls
March 8, 2022 38
Security Control Control Scope
Asset Security Design, implement and operate tools and processes to ensure the security of infrastructure and software assets through active asset inventory
management
Network Monitoring Design, implement and operate tools and processes to monitor network infrastructure, ensuring only authorised software can be installed and
run, and provide defence against security threats and attacks
Penetration Testing Design, implement and operate tools and processes to test solutions and their infrastructure to identify and resolve vulnerabilities and
weaknesses in their design, implementation and operation through the simulation of attacks
Browser Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on browser-based attacks and browser vulnerabilities
Solution Availability, Resilience,
Fault Tolerance and Recovery
Design, implement and operate infrastructure, facilities and processes to ensure the availability of the solution, resilience against component
failure and recovery in the event of failure
Access Control Management Design, implement and operate tools and processes for the creation, assignment, management and revocation of access credentials and
privileges for solution and data access to administrator, user and service accounts
Account Management Design, implement and operate tools and processes to assign and manage authorisation to credentials for service, administrator and user
accounts, including administrator accounts
Email Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on email-based attacks and email vulnerabilities
Application Solution Security Design, implement and operate tools and processes to manage the security aspects of developed, acquired or externally hosted solutions to
identify, prevent, detect and resolve security weaknesses and vulnerabilities
Malware Defence Design, implement and operate tools and processes to prevent the installation, spread, and execution of malicious applications, code or scripts
Solution Monitoring Design, implement and operate tools and processes to monitor, analyse and report on the usage of a solution and its constituent components
including resource consumption and performance
Audit Log Management Design, implement and operate tools and processes to collect, store, analyse, alert, review audit logs of solution activity events that to facilitate
the detection, understanding and recovery from an attack
Inventory and Control of Assets Design, implement and operate tools and processes to manage the infrastructure and software assets that comprise the totality of solutions in
order to actively manage those assets
Data Management, Backup and
Recovery
Design, implement and operate tools and processes to manage solution data and establish data backup and recovery including integrity of
backup data
Supplier and Service Provider
Management
Design, implement and operate tools and processes to initially assess and continually monitor the security arrangements of solution component
suppliers and service providers and the components and services they provide
Network Management Design, implement and operate tools and processes to design, implement, operate and manage the security of network infrastructure and
facilities including their vulnerability
Continuous Vulnerability
Management
Design, implement and operate tools and processes to continuously assess and track vulnerabilities on all solution components in order to
identify, response to, remediate and minimise attacks
Data Protection Design, implement and operate tools and processes to identify, classify, securely handle, manage access to, manage regulatory compliance,
appropriately retain and dispose of solution data
Operational Security Controls Activities
Operate processes and procedures to
analyse collected data to identify
potential security breaches and
vulnerabilities
Identify any potential control
breaches or deviations
Assess the potential control breaches
or deviations
Escalate as appropriate
Respond to potential control
breaches or deviations
Identify actions
Track performance of actions
Report on actions
Improve based on analysis
Detect
Identify
Respond
Establish and configure the security
control
Define and implement the
operational processes
Allocate resources and budget
Define control operation/usage data
collection framework
Define control data model
Define management and reporting
procedures
Establish
March 8, 2022 39
Security Controls Activities – Asset Security
• Breakdown of activities for the Asset Security control area
March 8, 2022 40
Establish Detect Identify Respond
• Implement tools and processes to
scan, collect, store and provide access
to infrastructure and software asset
data and their configuration
• Implement processes to identify
changes
• Implement processes to subscribe to
vulnerability updates
• Implement processes to monitor
vulnerabilities and manage updates
• Implement processes to disable assets
• Implement processes to authorise
changes to assets
• Implement infrastructure device
management including patching and
software update distribution
• Establish business function and
allocate resources to operate asset
management
• Define asset security roles and
responsibilities
• Implement reporting and information
access processes
• Operate asset security management
data collection processes
• Detect asset changes
• Analyse collected asset data to detect
potential asset security breaches
• Operate escalation processes
• Operate asset security incident
management processes
• Operate asset security problem
management processes
•
• Identify and evaluate asset security
breaches and vulnerabilities
• Create asset security breaches and
vulnerabilities handling action plans
and activity schedules including
interim and long-term actions
• Handle security breaches and
vulnerabilities
• Assign actions and activities
• Work through action plan and report
on progress
• Finalise action plan
Security Controls Activities – Network Monitoring
• Breakdown of activities for the Network Monitoring
control area
March 8, 2022 41
Establish Detect Identify Respond
• Acquire and implement tools and
processes to monitor the network
infrastructure, perform intrusion
detection, traffic filtering, anti-
malware, collect data on network
operations and use, generate alerts
and manage events
• Implement processes to handle alerts
and events and identify and manage
network issues raised
• Implement processes to subscribe to
network security updates
• Implement processes to authorise
changes to network configuration
• Establish business function and
allocate resources to operate network
monitoring
• Define network monitoring roles and
responsibilities
• Implement network monitoring
reporting and information access
processes
• Operate network monitoring alerting
and event management
• Operate network data collection
processes
• Operate escalation processes
• Operate network monitoring alerting
and event incident management
processes
• Operate network monitoring alerting
and event problem management
processes
• Manage network monitoring alerting
and event management infrastructure
and apply patches and updates
•
• Identify, evaluate and prioritise
network breaches and vulnerabilities
• Create network monitoring alerting
and event management breaches and
vulnerabilities handling action plans
and activity schedules including
interim and long-term actions
• Handle network monitoring alerting
and event management breaches and
vulnerabilities
• Assign actions and activities
• Work through action plan and report
on progress
• Finalise action plan
Security Controls Activities
• The control activities represent a general set of actions
relating to each control
• The specific detail for each control is different
March 8, 2022 42
Security Standards
• There are many security standards including:
− AICPA Trust Services Criteria -
https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/trustdataintegritytaskforce
− CIS Critical Security Controls - https://learn.cisecurity.org/cis-controls-download
− Cloud Security Alliance (CSA)Cloud Controls Matrix (CCM) -
https://cloudsecurityalliance.org/research/cloud-controls-matrix/
− Control Objectives for Information Technologies - https://www.isaca.org/resources/cobit
− COSO - https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf
− Cybersecurity Maturity Model Certification (CMMC) -
https://www.acq.osd.mil/cmmc/documentation.html
− FS.31 GSMA Baseline Security Controls - https://www.gsma.com/security/resources/fs-31-gsma-baseline-
security-controls/
− ISO 27000 Series - https://www.iso.org/isoiec-27001-information-security.html
− NIST CSF (Cyber Security Framework) - https://www.nist.gov/cyberframework
− NIST Framework for Improving Critical Infrastructure Cybersecurity -
http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
− NIST SP 1800 Series - https://csrc.nist.gov/publications/sp1800
− NIST SP 800-53, Revision 5 Controls CURRENT VERSION 5.1 -
https://csrc.nist.gov/CSRC/media/Projects/risk-management/800-53%20Downloads/800-53r5/NIST_SP-
800-53_rev5-derived-OSCAL.xlsx
− NIST: Cybersecurity Framework, 800-53, 800-171 – https://csrc.nist.gov/Projects/risk-management/sp800-
53-controls/downloads
− US FedRAMP (Federal Risk and Authorization Management Program) - https://tailored.fedramp.gov/
March 8, 2022 43
Security Standards
• Security standards exist at various levels with varying levels
of detail and complexity
− Some are very detailed with hundreds of controls
• There needs to be a balance between complexity and level
of detail and the ease of implementation, operation and
use
• There are no specific solution-oriented security standards
across all solution components types and operational
deployment patterns
March 8, 2022 44
Operational Solution Entities And Solution Zones
March 8, 2022 45
Solution
Component
Types
Solution
Components
Solution
Solution Zones
Solution
Zone Types
Solution
Topology
Security
Standards
And Controls
Solution Consists Of
Multiple Components
Each Solution
Component
Has A Type
Solution Exists
Within A
Topology Of
Many Solutions
Solution Components
Are Located In Solution
Zones
Each Solution
Zone Has A Type
Different Solution
Standards And
Controls Apply To
Solution Zones
Solution
Operational
Entity
Solution
Operational
Entity Type
Deployed
Solution
Consists Of
Multiple
Operational
Entities
Each Solution
Operational
Entity Has A Type
Solution Operational Entities
Are Located In Solution Zones
Security
Controls Apply
To Solution
Components
Security Controls Apply To
Solution Operational Entities
Some Solution
Components
Become
Deployed
Operational
Entities
Operational Solution Entities
March 8, 2022 46
Solution Components
Time-Bounded Delivery Entity
Types
Sets of Installation and
Implementation Services
Existing Data Conversions/
Migrations
New Data Loads
Parallel Runs
Enhanced Support/ Hypercare
Enduring Operational
Technology Entity Types
Changes to Existing Systems
New Custom Developed
Applications
Acquired and Customised Software
Products
System Integrations/ Data
Transfers/ Exchanges
Reporting and Analysis Facilities
Information Storage Facilities
Central, Distributed and
Communications Infrastructure
Application Hosting and
Management Services
Enduring Process, Procedure
and Structural Entity Types
Cutover/ Transfer to Production And
Support
Operational Functions and
Processes
Sets of Maintenance, Service
Management and Support Services
Changes to Existing Business
Processes
New Business Processes
Organisational Changes, Knowledge
Management
Training and Documentation
Operational Solution Entities
• The designed, deployed and operational solution
components become solution operational entities
• Solution security starts with the solution design process
• These physical entities reside in the solution zones
• As with solution component types and solution
components, there are operational entity types and
instances of those types that are the actual solution
operational entities
• Operational security controls and protection activities need
to focus on these entities – they are the main points of
solution vulnerability
March 8, 2022 47
Operational Solution Entities
March 8, 2022 48
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Operation Entity
Changes to Existing Systems
New Custom Developed
Applications
Acquired and Customised Software
Products
System Integrations/ Data
Transfers/ Exchanges
Reporting and Analysis Facilities
Sets of Installation and
Implementation Services
Information Storage Facilities
Existing Data Conversions/
Migrations
New Data Loads
Central, Distributed and
Communications Infrastructure
Cutover/ Transfer to Production And
Support
Operational Functions and
Processes
Parallel Runs
Enhanced Support/ Hypercare
Sets of Maintenance, Service
Management and Support Services
Application Hosting and
Management Services
Changes to Existing Business
Processes
New Business Processes
Organisational Changes, Knowledge
Management
Training and Documentation
Operational Solution Entity Types And Solution
Zones
March 8, 2022 49
Operational Solution Entity Types – 1
March 8, 2022 50
Operational Entity Type Description
External Data Sources Data sources outside the organisation boundary providing data to the organisation
External Public Interacting Parties Public solution consumers outside the organisation and outside the control of the organisation
External Data Telemetry Devices Devices owned by the organisation in public locations and from which solutions receive data
External Telecommand Devices Devices owned by the organisation in public locations and to which solutions send commands
External Private Interacting Parties Solution consumers external to the organisation and with whom the organisation has a relationship and who may have authenticated
access
Externally Located Employees Employees accessing organisation solutions from outside the organisation’s security boundary
Mobile Employees Employees accessing organisation solutions outside the organisation but within the organisation’s extended security boundary
Private Access Groups Interaction areas for secure collaboration with third-parties with authenticated access
Publicly Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication
Externally Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication
Data Access, Exchange and Service Gateway Facility to allow the access to organisation data and services and to enable the exchange and transfer of data
Secure Communications Access Component that provides common secure communications facilities to solutions
Identity, Access and Authentication Component providing common facilities for identity and access management and consumer authorisation and authentication
Access and Activity Logging Component that provides facilities to log resource accesses, activities and events
Anti-Virus, Malware Defence Provides protection against viruses and other malware
Network Monitoring Provides facilities to monitor network access, usage and performance
Threat Protection and Vulnerability Checking Provides protection against vulnerabilities contained in solutions and any components they use or incorporate
Business Continuity and Disaster Recovery Component that provides common secure business continuity and disaster recovery facilities to solutions
Mail Organisation email facility
Identity, Access and Authentication Component that provides common secure identity, authentication and access control facilities to solutions
Backup and Recovery Organisation data backup and recovery facility
Internally Accessible Solutions Solutions deployed on on-premises infrastructure designed to be used by internal solution consumers
Solution Structured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure
Solution Unstructured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure
Business Unit Solution Access Group Set of solution consumers located within a separately located business unit
Solution Access Groups Set of solution consumers located within the central organisation
Outsourced Service Provider Connectivity and Access Component within outsourced service provider for secure connectivity and access to outsourced solutions and data
Outsourced Service Provider Access and
Authentication
Facility within outsourced service provider for identity and access management and consumer authorisation and authentication
Operational Solution Entity Types – 2
March 8, 2022 51
Operational Entity Type Description
Hosted Shared Solutions Solutions on a shared platform hosted by within outsourced service provider
Hosted Shared Solution Data Stores Data stores for solutions on a shared platform deployed within outsourced service provider
Hosted Dedicated Solutions Solutions on a dedicated platform hosted by within outsourced service provider
Hosted Dedicated Solution Data Stores Data stores for solutions on a dedicated platform deployed within outsourced service provider
Cloud Service Provider Connectivity and Access Component within cloud service provider for secure connectivity and access to cloud-located solutions and data
Cloud Service Provider Access and Authentication Component within cloud service providing facilities for identity and access management and consumer authorisation and
authentication
Internally Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use within the organisation
Externally Accessible Infrastructure Deployed
Solutions
Solutions deployed in an IaaS pattern designed for use outside the organisation
Internally Accessible Infrastructure Deployed Solutions
Data Stores
Data stores for solutions deployed in an IaaS pattern designed for use within the organisation
Internally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use within the organisation
Externally Accessible Infrastructure Deployed
Solutions Data Stores
Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external
consumers
Externally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers
Publicly Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers
Publicly Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers
Publicly Accessible Infrastructure Deployed Solutions
Data Stores
Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers
Platform Deployed Solutions Data Stores Data stores for solutions deployed in a PaaS pattern
Externally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers
Publicly Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers
Internally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use within the organisation
Service Deployed Solutions Data Stores Data stores for solutions deployed in a SaaS pattern
Co-Location Provider Connectivity and Access Component within a co-location service provider for secure connectivity and access to co-located solutions and data
Co-Location Identity, Access and Authentication Facility within a co-location service provider for identity and access management and consumer authorisation and
authentication
Co-Located Solutions Facility within a co-location service provider for identity and access management and consumer authorisation and
authentication
Co-Located Solution Data Stores Solutions hosted by within a co-location service provider
Operational Solution Entity Types And Solution Zone
Type – 1
March 8, 2022 52
Zone Operational Entity
Insecure External Organisation Presentation
And Access
External Data Sources
External Public Interacting Parties
External Data Telemetry Devices
External Telecommand Devices
Secure External Organisation Participation and
Collaboration
External Private Interacting Parties
Externally Located Employees
Mobile Employees
Private Access Groups
Secure External Organisation Access Publicly Accessible Solutions
Externally Accessible Solutions
Data Access, Exchange and Service Gateway
Secure Communications Access
Identity, Access and Authentication
Organisation Access and Activity Logging
Anti-Virus, Malware Defence
Network Monitoring
Threat Protection and Vulnerability Checking
Business Continuity and Disaster Recovery
Central Solutions and Access Mail
Identity, Access and Authentication
Backup and Recovery
Solution Zone Internally Accessible Solutions
Data Zone Solution Structured Data Stores
Solution Unstructured Data Stores
Operational Solution Entity Types And Solution Zone
Type – 2
March 8, 2022 53
Zone Operational Entity
Outsourced Service Provider Solutions and
Access
Outsourced Service Provider Connectivity and Access
Outsourced Service Provider Access and Authentication
Hosted Shared Solutions
Hosted Shared Solution Data St3ores
Hosted Dedicated Solutions
Hosted Dedicated Solution Data Stores
Cloud Service Provider Solutions and Access Cloud Service Provider Connectivity and Access
Cloud Service Provider Access and Authentication
Internally Accessible Infrastru9cture Deployed Solutions3
Externally Accessible Infrastructure Deployed Solutions
Internally Accessible Infrastructure Deployed Solutions Data Stores
Internally Accessible Platform Deployed Solutions
Externally Accessible Infrastructure Deployed Solutions Data Stores
Externally Accessible Platform Deployed Solutions
Publicly Accessible Platform Deployed Solutions
Publicly Accessible Infrastructure Deployed Solutions
Publicly Accessible Infrastructure Deployed Solutions Data Stores
Platform Deployed Solutions Data Stores
Externally Accessible Service Deployed Solutions
Publicly Accessible Service Deployed Solutions
Internally Accessible Service Deployed Solutions
Service Deployed Solutions Data Stores
Co-Located Solutions and Access Co-Location Provider Connectivity and Access
Co-Location Identity, Access and Authentication
Co-Located Solutions
Co-Located Solution Data Stores
Operational Solution Entity Types And Security
Controls
• Security controls apply to
operational solution entity types
• Each operational entity type will
have different security control
requirements depending on what
the entity does and in what zone
it is located
March 8, 2022 54
Operational Entity
Asset
Security
Account
Management
Access Control
Management
Solution
Availability,
Resilience,
Fault
Tolerance and
Recovery
Solution
Monitoring
Inventory and
Control of
Assets
Data
Protection
Audit Log
Management
Application
Solution
Security
Browser
Protection
Email
Protection
Malware
Defense
Data
Management
and Backup
and Recovery
Network
Monitoring
Penetration
Testing
Continuous
Vulnerability
Management
Network
Management
Supplier and
Service
Provider
Management
External Data Sources External Public Interacting Parties External Data Telemetry Devices
Data sources outside the
organisation boundary
providing data to the
organisation
Public solution consumers
outside the organisation and
outside the control of the
organisation
Devices owned by the
organisation in public locations
and from which solutions
receive data
Security Controls And Operational Solution Entity
Types
March 8, 2022 55
External Telecommand Devices External Private Interacting Parties Mobile Employees
Devices owned by the
organisation in public locations
and to which solutions send
commands
Solution consumers external to
the organisation and with
whom the organisation has a
relationship and who may have
authenticated access
Employees accessing
organisation solutions from
outside the organisation’s
security boundary
Security Controls And Operational Solution Entity
Types
March 8, 2022 56
External
Telecommand
Devices
Account
Management
Access Control
Management
Inventory and
Control of
Assets
Data
Protection
Audit Log
Management
Application
Solution
Security
Malware
Defense
Data
Management
and Backup
and Recovery
Network
Monitoring
Penetration
Testing
Continuous
Vulnerability
Management
Network
Management
Private Access Groups Publicly Accessible Solutions Externally Accessible Solutions
Interaction areas for secure
collaboration with third-parties
with authenticated access
Solutions hosted on
organisation on-premises
infrastructure that are publicly
accessible without
authentication
Solutions hosted on
organisation on-premises
infrastructure that are publicly
accessible with authentication
Security Controls And Operational Solution Entity
Types
March 8, 2022 57
Data Access, Exchange and Service
Gateway
Secure Communications Access Identity, Access and Authentication
Facility to allow the access to
organisation data and services
and to enable the exchange
and transfer of data
Component that provides
common secure
communications facilities to
solutions
Component providing common
facilities for identity and access
management and consumer
authorisation and
authentication
Security Controls And Operational Solution Entity
Types
March 8, 2022 58
Access and Activity Logging Anti-Virus, Malware Defence Network Monitoring
Component that provides
facilities to log resource
accesses, activities and events
Provides protection against
viruses and other malware
Provides protection against
viruses and other malware
Security Controls And Operational Solution Entity
Types
March 8, 2022 59
Threat Protection and Vulnerability
Checking
Business Continuity and Disaster
Recovery
Mail
Provides protection against
vulnerabilities contained in
solutions and any components
they use or incorporate
Component that provides
common secure business
continuity and disaster
recovery facilities to solutions
Component that provides
common secure business
continuity and disaster
recovery facilities to solutions
Security Controls And Operational Solution Entity
Types
March 8, 2022 60
Identity, Access and Authentication Backup and Recovery Internally Accessible Solutions
Component that provides
common secure identity,
authentication and access
control facilities to solutions
Organisation data backup and
recovery facility
Solutions deployed on on-
premises infrastructure
designed to be used by internal
solution consumers
Security Controls And Operational Solution Entity
Types
March 8, 2022 61
Solution Structured Data Stores Solution Unstructured Data Stores Business Unit Solution Access Group
Database-oriented data stores
for solutions deployed on on-
premises infrastructure
Database-oriented data stores
for solutions deployed on on-
premises infrastructure
Set of solution consumers
located within a separately
located business unit
Security Controls And Operational Solution Entity
Types
March 8, 2022 62
Solution Access Groups Outsourced Service Provider
Connectivity and Access
Outsourced Service Provider Access
and Authentication
Set of solution consumers
located within the central
organisation
Component within outsourced
service provider for secure
connectivity and access to
outsourced solutions and data
Facility within outsourced
service provider for identity
and access management and
consumer authorisation and
authentication
Security Controls And Operational Solution Entity
Types
March 8, 2022 63
Hosted Shared Solutions Hosted Shared Solution Data Stores Hosted Dedicated Solutions
Solutions on a shared platform
hosted by within outsourced
service provider
Data stores for solutions on a
shared platform deployed
within outsourced service
provider
Solutions on a dedicated
platform hosted by within
outsourced service provider
Security Controls And Operational Solution Entity
Types
March 8, 2022 64
Hosted Dedicated Solution Data
Stores
Cloud Service Provider Connectivity
and Access
Cloud Service Provider Access and
Authentication
Data stores for solutions on a
dedicated platform deployed
within outsourced service
provider
Component within cloud
service provider for secure
connectivity and access to
cloud-located solutions and
data
Component within cloud
service providing facilities for
identity and access
management and consumer
authorisation and
authentication
Security Controls And Operational Solution Entity
Types
March 8, 2022 65
Internally Accessible Infrastructure
Deployed Solutions
Internally Accessible Infrastructure
Deployed Solutions Data Stores
Internally Accessible Platform
Deployed Solutions
Solutions deployed in an IaaS
pattern designed for use within
the organisation
Data stores for solutions
deployed in an IaaS pattern
designed for use within the
organisation
Data stores for solutions
deployed in an IaaS pattern
designed for use within the
organisation
Security Controls And Operational Solution Entity
Types
March 8, 2022 66
Internally Accessible Service
Deployed Solutions
Externally Accessible Infrastructure
Deployed Solutions
Externally Accessible Infrastructure
Deployed Solutions Data Stores
Solutions deployed in a SaaS
pattern designed for use within
the organisation
Solutions deployed in an IaaS
pattern designed for use
outside the organisation
Data stores for solutions
deployed in an IaaS pattern
designed for use outside the
organisation by designated
external consumers
Security Controls And Operational Solution Entity
Types
March 8, 2022 67
Externally Accessible Platform
Deployed Solutions
Externally Accessible Service
Deployed Solutions
Publicly Accessible Infrastructure
Deployed Solutions
Solutions deployed in a PaaS
pattern designed for use
outside the organisation by
designated external consumers
Solutions deployed in a SaaS
pattern designed for use
outside the organisation by
designated external consumers
Solutions deployed in a SaaS
pattern designed for use
outside the organisation by
public consumers
Security Controls And Operational Solution Entity
Types
March 8, 2022 68
Publicly Accessible Infrastructure
Deployed Solutions Data Stores
Publicly Accessible Platform
Deployed Solutions
Platform Deployed Solutions Data
Stores
Data stores for solutions
deployed in an IaaS pattern
designed for use outside the
organisation by public
consumers
Solutions deployed in a PaaS
pattern designed for use
outside the organisation by
public consumers
Data stores for solutions
deployed in a PaaS pattern
Security Controls And Operational Solution Entity
Types
March 8, 2022 69
Service Deployed Solutions Data
Stores
Co-Location Provider Connectivity
and Access
Co-Location Identity, Access and
Authentication
Data stores for solutions
deployed in a SaaS pattern
Component within a co-
location service provider for
secure connectivity and access
to co-located solutions and
data
Facility within a co-location
service provider for identity
and access management and
consumer authorisation and
authentication
Security Controls And Operational Solution Entity
Types
March 8, 2022 70
Security Controls And Operational Solution Entity
Types
March 8, 2022 71
Co-Located Solutions Co-Located Solution Data Stores
Facility within a co-location
service provider for identity
and access management and
consumer authorisation and
authentication
Solutions hosted by within a co-
location service provider
Sample Solution Security Data Model
• The sample core and extended conceptual solution security
data models described earlier can be translated into a
more tangible and usable data model
• The data model can be implemented easily
March 8, 2022 72
Sample Solution Security Data Model
March 8, 2022 73
Summary
• These notes have proposed a solution-oriented security
approach that can be applied across the entire set of solutions
that comprise the organisation solution landscape
• It describes a model for collecting, structuring and analysing
solution security across the entire organisation solution
topology
• The proposed model can be applied to solution design and
implementation process to create an inventory of required and
implemented and operational security controls across all
operation components
• It can be used as part of solution design and operation due
diligence
− Use at stage gates during solution delivery to validate solution security
March 8, 2022 74
More Information
Alan McSweeney
http://ie.linkedin.com/in/alanmcsweeney
https://www.amazon.com/dp/1797567616
8 March 2022 75

More Related Content

What's hot

Digital Transformation And Solution Architecture
Digital Transformation And Solution ArchitectureDigital Transformation And Solution Architecture
Digital Transformation And Solution Architecture
Alan McSweeney
 
Solution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionSolution Architecture and Solution Acquisition
Solution Architecture and Solution Acquisition
Alan McSweeney
 
Essentials of enterprise architecture tools
Essentials of enterprise architecture toolsEssentials of enterprise architecture tools
Essentials of enterprise architecture tools
iasaglobal
 
Solution Architecture Concept Workshop
Solution Architecture Concept WorkshopSolution Architecture Concept Workshop
Solution Architecture Concept Workshop
Alan McSweeney
 
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Alan McSweeney
 
Data Architecture for Solutions.pdf
Data Architecture for Solutions.pdfData Architecture for Solutions.pdf
Data Architecture for Solutions.pdf
Alan McSweeney
 

What's hot (20)

Structured Approach to Solution Architecture
Structured Approach to Solution ArchitectureStructured Approach to Solution Architecture
Structured Approach to Solution Architecture
 
Design Science and Solution Architecture
Design Science and Solution ArchitectureDesign Science and Solution Architecture
Design Science and Solution Architecture
 
Digital Transformation And Solution Architecture
Digital Transformation And Solution ArchitectureDigital Transformation And Solution Architecture
Digital Transformation And Solution Architecture
 
So You Think You Need A Digital Strategy
So You Think You Need A Digital StrategySo You Think You Need A Digital Strategy
So You Think You Need A Digital Strategy
 
Solution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionSolution Architecture and Solution Acquisition
Solution Architecture and Solution Acquisition
 
Maximising The Value and Benefits of Enterprise Architecture
Maximising The Value and Benefits of Enterprise ArchitectureMaximising The Value and Benefits of Enterprise Architecture
Maximising The Value and Benefits of Enterprise Architecture
 
Managed Services Overview
Managed Services OverviewManaged Services Overview
Managed Services Overview
 
Incorporating A DesignOps Approach Into Solution Architecture
Incorporating A DesignOps Approach Into Solution ArchitectureIncorporating A DesignOps Approach Into Solution Architecture
Incorporating A DesignOps Approach Into Solution Architecture
 
Enterprise Architecture vs. Data Architecture
Enterprise Architecture vs. Data ArchitectureEnterprise Architecture vs. Data Architecture
Enterprise Architecture vs. Data Architecture
 
Implementing Effective Enterprise Architecture
Implementing Effective Enterprise ArchitectureImplementing Effective Enterprise Architecture
Implementing Effective Enterprise Architecture
 
ValueFlowIT: A new IT Operating Model Emerges
ValueFlowIT: A new IT Operating Model EmergesValueFlowIT: A new IT Operating Model Emerges
ValueFlowIT: A new IT Operating Model Emerges
 
Essentials of enterprise architecture tools
Essentials of enterprise architecture toolsEssentials of enterprise architecture tools
Essentials of enterprise architecture tools
 
Azure Sentinel Jan 2021 overview deck
Azure Sentinel Jan 2021 overview deck Azure Sentinel Jan 2021 overview deck
Azure Sentinel Jan 2021 overview deck
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
 
Introduction to Enterprise architecture and the steps to perform an Enterpris...
Introduction to Enterprise architecture and the steps to perform an Enterpris...Introduction to Enterprise architecture and the steps to perform an Enterpris...
Introduction to Enterprise architecture and the steps to perform an Enterpris...
 
Solution Architecture Concept Workshop
Solution Architecture Concept WorkshopSolution Architecture Concept Workshop
Solution Architecture Concept Workshop
 
A tailored enterprise architecture maturity model
A tailored enterprise architecture maturity modelA tailored enterprise architecture maturity model
A tailored enterprise architecture maturity model
 
Enterprise Data Architecture Deliverables
Enterprise Data Architecture DeliverablesEnterprise Data Architecture Deliverables
Enterprise Data Architecture Deliverables
 
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S...
 
Data Architecture for Solutions.pdf
Data Architecture for Solutions.pdfData Architecture for Solutions.pdf
Data Architecture for Solutions.pdf
 

Similar to Solution Architecture And Solution Security

Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares theCriterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
CruzIbarra161
 
Service-Oriented Security Engineering
Service-Oriented Security EngineeringService-Oriented Security Engineering
Service-Oriented Security Engineering
Richard Veryard
 
2015 03-04 presentation1
2015 03-04 presentation12015 03-04 presentation1
2015 03-04 presentation1
ifi8106tlu
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 

Similar to Solution Architecture And Solution Security (20)

Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
 
Agile security
Agile securityAgile security
Agile security
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification Solutions
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares theCriterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
 
Service-Oriented Security Engineering
Service-Oriented Security EngineeringService-Oriented Security Engineering
Service-Oriented Security Engineering
 
2015 03-04 presentation1
2015 03-04 presentation12015 03-04 presentation1
2015 03-04 presentation1
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
How to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueHow to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValue
 
An integrated security testing framework and tool
An integrated security testing framework  and toolAn integrated security testing framework  and tool
An integrated security testing framework and tool
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 

More from Alan McSweeney

Solution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdfSolution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdf
Alan McSweeney
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Alan McSweeney
 
Solution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation SolutionsSolution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation Solutions
Alan McSweeney
 
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Alan McSweeney
 
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Alan McSweeney
 
Review of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability ModelsReview of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability Models
Alan McSweeney
 
Critical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference ArchitectureCritical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference Architecture
Alan McSweeney
 
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Alan McSweeney
 

More from Alan McSweeney (20)

Solution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdfSolution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdf
 
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
 
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
 
Solution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation SolutionsSolution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation Solutions
 
Data Profiling, Data Catalogs and Metadata Harmonisation
Data Profiling, Data Catalogs and Metadata HarmonisationData Profiling, Data Catalogs and Metadata Harmonisation
Data Profiling, Data Catalogs and Metadata Harmonisation
 
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
 
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
 
Operational Risk Management Data Validation Architecture
Operational Risk Management Data Validation ArchitectureOperational Risk Management Data Validation Architecture
Operational Risk Management Data Validation Architecture
 
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
 
Ireland 2019 and 2020 Compared - Individual Charts
Ireland   2019 and 2020 Compared - Individual ChartsIreland   2019 and 2020 Compared - Individual Charts
Ireland 2019 and 2020 Compared - Individual Charts
 
Analysis of Irish Mortality Using Public Data Sources 2014-2020
Analysis of Irish Mortality Using Public Data Sources 2014-2020Analysis of Irish Mortality Using Public Data Sources 2014-2020
Analysis of Irish Mortality Using Public Data Sources 2014-2020
 
Ireland – 2019 And 2020 Compared In Data
Ireland – 2019 And 2020 Compared In DataIreland – 2019 And 2020 Compared In Data
Ireland – 2019 And 2020 Compared In Data
 
Review of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability ModelsReview of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability Models
 
Critical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference ArchitectureCritical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference Architecture
 
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
 
Creating A Business Focussed Information Technology Strategy
Creating A Business Focussed Information Technology StrategyCreating A Business Focussed Information Technology Strategy
Creating A Business Focussed Information Technology Strategy
 
Describing the Organisation Data Landscape
Describing the Organisation Data LandscapeDescribing the Organisation Data Landscape
Describing the Organisation Data Landscape
 
Solution Architecture Centre Of Excellence
Solution Architecture Centre Of ExcellenceSolution Architecture Centre Of Excellence
Solution Architecture Centre Of Excellence
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 

Solution Architecture And Solution Security

  • 1. Solution Architecture And Solution Security Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney https://www.amazon.com/dp/1797567616
  • 2. Introduction, Purpose And Scope • These notes describe an approach to embedding security within the technology solution landscape • They describe a security model that encompasses the range of individual solution components up to the entire solution landscape March 8, 2022 2
  • 3. Topics • Core And Extended Solution Security Model • Solution And Technology Risks • Solution Zone Types and Zones • Solution Component Types And Components • Security Standards And Controls • Operational Solution Entity Types And Solution Zones • Operational Solution Entities And Security Controls March 8, 2022 3
  • 4. Proposed Core Solution Security Model March 8, 2022 4 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 5. Proposed Core Solution Security Model • Proposed solution security model allows the security status of a solution and its constituent delivery and operational components to be tracked wherever those components are located • Core solution security model is essential a static record • Provides an integrated approach to solution security across all solution components and across the entire organisation topology of solutions • Model is a balance between simplicity, ease of use, level of detail and utility • Allows solution security to be analysed and reported on • Enables the solution architect to validate the security of an individual solution • Enables the security status of the entire solution landscape to be assessed and recorded March 8, 2022 5
  • 6. Proposed Extended Solution Security Model March 8, 2022 6 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities Security Control Activities And Events Security Control Activity Implementation Status Security Control Activity Type Security Control Activities Security Controls Have Activities Security Controls Activities Have A Type Security Controls Activities Have An Implementation Status There Can Be Events Linked To Security Controls Activities
  • 7. Proposed Extended Solution Security Model • Model can be extended to hold the activities defined for each security control and to hold information on events relating to security controls and activities • Extended solution security model introduces some dynamic data March 8, 2022 7
  • 8. What Are We Protecting Against? • Unauthorised access to solution functionality and its data involves some or all of: March 8, 2022 8 • Getting the solution to do something it should not • Stopping the solution from working as it should or enabling it to be bypassed • Getting consumers of the solution to perform actions they should not • Gaining unauthorised access to the solution as a solution consumer • Getting the data held in the solution • Damaging the solution to prevent its use • Denying access to the solution • Using the solution as a gateway to other organisation solution and data assets • Stealing data to sell or holding for ransom • Collecting ransom before application or data restored • Using the application to steal money • Causing reputational damage • Stealing intellectual property • Putting the company out of business With The Aims Of
  • 9. New Technology And New Risks March 8, 2022 9 Solution Security Dispersed Operational Solution Landscape New Unfamiliar Technologies Error Prone Technology Deployment And Operation No Single Pane Of Glass Showing Security Status Increasing Number Of Threats Reduced Skills More Solution Entry Points Greater Complexity And Fragility
  • 10. New Technology And New Risks • New solution security concerns are continually arising, adding to the threat landscape − New solution design, deployment and operating models − Distributed solution components, distributed solution consumer base, distributed access with many interfaces, integration points and data flows − Greater involvement of third-parties and their platforms whose operational security models and practices are being inherited − Complexity with multiple handoffs gives rise to gaps in end-to-end view and knowledge leading to risks • New technologies introduce new risks, direct and indirect − Lack of familiarity with technology increases the likelihood of exploitable mistakes and errors − New technology is less proven and contains more exploitable errors − Greater range of solution entry points increases risk − Exposure of solutions to consumers outside the organisation increases risk − Human risk factors weaken overall security • Solution risk and security status is becoming harder to track March 8, 2022 10
  • 11. From … March 8, 2022 11 Solution Central Data Store Solution Central Application Component Solution API Solution Central Infrastructure Solution Hosted Infrastructure Solution Internal Consumers Solution External Private Consumers Solution Hosted Data Store Solution Hosted Application Component Solution Hosted Analytics Access and Security Infrastructure Central To Hosting Facility Connectivity Solution External Public Consumers Solution Mobile App
  • 12. To … • Increasing solution landscape complexity and diversity gives rise to implicit and explicit risks March 8, 2022 12 Solution Central Data Store Solution Central Application Component Solution API Solution Central Infrastructure Solution Hosted Infrastructure Solution Internal Consumers Solution External Private Consumers Solution Hosted Data Store Solution Hosted Application Component Solution Hosted Analytics Access and Security Infrastructure Central To Hosting Facility Connectivity Solution External Public Consumers Solution Mobile App
  • 13. Illusion Of The Solution Cocoon • Solutions do not always exist in a security cocoon provided by a range of infrastructural components, protected from all malicious actors and actions that repel all attempts to penetrate the solution • Individual solutions must be aware of their security requirements and ensure they are in place − Take individual solution responsibility − Do not make any assumptions on what security is available − Perform due diligence on available and operational security infrastructure − Identify and address solution- specific security needs March 8, 2022 13 Solution And Its Components
  • 14. Illusion Of The Solution Cocoon • Operational solution components can reside in multiple locations subject to different sets of security infrastructure, making the problem of solution security all the greater March 8, 2022 14
  • 15. Solution Security Is A “Wicked Problem*” • Solution security is a wicked problem because there is no certainly about when the problem has been resolved and a state of security has been achieved • The security state of a solution can just be expressed along a subjective spectrum of better or worse rather than a binary true or false March 8, 2022 15 * Dilemmas in a General Theory of Planning, Horst Wittel and Melvin Webber https://urbanpolicy.net/wp-content/uploads/2012/11/Rittel+Webber_1973_PolicySciences4- 2.pdf
  • 16. Wicked Problem Characteristics And Solution Security March 8, 2022 16 Characteristics of Wicked Problems Application to Solution Security There is no definite formulation of wicked problems.There is no certainly about when security has been fully achieved. Wicked problems have no stopping rule. There is no stopping rule that states security has been fully achieved if a defined set of activities and controls have been performed and implemented. Solutions to wicked problems are not true or false, but good or bad The security state of a solution can just be expressed along a spectrum of better or worse rather than a binary true or false. There is no immediate or ultimate test for solutions. The security of a solution is difficult, if not impossible, to establish. Proving the certainty of a negative can be unachievable. All attempts to solutions have effects that may not be reversible. Implementing solution security impacts the operation and use of the solutions themselves. Wicked problems have no clear solution, and perhaps not even a set of possible solutions. There is no one security solution but a combination of interrelated and layers security components. Every wicked problem is essentially unique. There is no one standard solution template to security. Every wicked problem may be a symptom of another problem. Solution security is only a subset of wider organisation security. Lack of security is a potential problem that has to be exploited for the problem to become real. It is difficult for individual solutions to be secure if an organisation security foundation and framework are not in place. There are multiple explanations for the wicked problem. Solution security can be defined in many ways. The planner (or policy-maker) has no right to be wrong. Failure to implement effective solution security can lead to very serious negative consequences to getting it wrong leads to blame but getting it right does not lead to any praise.
  • 17. Solution Security Negative Outcomes • Solution security can have negative consequences: prevents types of access, limits availability in different ways, restricts functionality provided, makes solution harder to use, lengthens solution delivery times, increases costs along the entire solution lifecycle, leads to loss of usability, utility and rate of use • Security requirements and standards may discourage security, leading to bypass and circumvention actions • Complex security arrangements may give the illusion of security that does not exist in reality March 8, 2022 17
  • 18. Solution Inheritance Of Security Infrastructure • Individual solutions must be able to inherit security controls, facilities and standards from common enterprise-level controls, standards, toolsets and frameworks. • Individual solutions must not be forced to implement individual infrastructural security facilities and controls − This is wasteful of solution implementation resources, results in multiple non- standard approaches to security and represents a security risk to the organisation • Solution architects must be aware of the need for solution security and of the need to have enterprise-level controls that solutions can adopt. • The extended solution landscape potentially consists of a large number of interacting components and entities located in different zones, each with different security profiles, requirements and concerns − Different security concerns and therefore controls apply to each of these components • Solution security is not covered by a single control − It involves multiple overlapping sets of controls providing layers of security March 8, 2022 18
  • 19. Security Model And Inheritance Of Security Controls • Defining a security model and set of solution zone and operational entity controls allows the existence of and the solution inheritance of security controls to be validated and potential security gaps to be identified March 8, 2022 19
  • 20. Solution Architecture And Interfaces With Other IT Architecture Disciplines • The solution architecture discipline must work with other IT architecture disciplines, including security architecture • Enterprise architecture needs to embed security into the organisation’s overall IT architecture March 8, 2022 20 Enterprise Architecture Information and Data Architecture Application Architecture Business Architecture Technical Architecture Solution Architecture Service Architecture Security Architecture Overall Architecture Framework Security Standards Service Operation and Support Data Architecture Infrastructure Architecture Business Context Business Process, Products
  • 21. Solution Zone Types and Zones March 8, 2022 21 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 22. Solution Zones • Solution zones are locations where groups of closely related solution components reside • They represent containers for solution components • Zones are located within the wider physical solution landscape • Each zone and the components it holds have different security requirements • Not all solutions will have components in all zone and not all organisations will have all the zone types • The solution and its constituent components can span multiple different zones of the same type • The zone approach is useful way of representing the entirety of a solution, its constituent components, their connectivity, linkages and interactions • You will have different levels of control over different solution zones (including no control) March 8, 2022 22
  • 23. Sample Solution Zone Types March 8, 2022 23
  • 24. Sample Solution Zone Types March 8, 2022 24
  • 25. Sample Solution Zone Types Zone Description Insecure External Organisation Presentation And Access Where publicly accessible or accessing entities reside. These entities are regarded as insecure and/or untrusted. Secure External Organisation Participation and Collaboration Outside the physical organisation boundary where entities that are provided by or to trusted external parties reside Secure External Organisation Access Contain entities that enable secure access or are securely accessible from outside the organisation Organisation Contain the entities within the organisation boundary and contains all the locations, business units and functions within it Central Solutions and Access Contains the solution entities and their data Solution Zone Contains the solution entities Data Zone Zone within the organisation where data is segregated for security Remote Business Unit Solutions and Access Remotely located organisation business unit or location and the entities it contains Workstation Zone Zone within the organisation where users accessing data and solutions are segregated for security Outsourced Service Provider Solutions and Access Contains solutions provided by and located in facilities provided by outsourced partners Cloud Service Provider Solutions and Access Contains solutions - platform, infrastructure and service - provided by and located in cloud service providers Co-Located Solutions and Access Contains solutions the organisation has located in facilities provided by co- location providers March 8, 2022 25
  • 26. Solution Component Types And Components Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities March 8, 2022 26
  • 27. Solution Components • The functional and operational design of any solution and therefore its security will include many of these components, including those inherited by the solution or common components used by the solution • When creating the end-to-end solution design the solution architect should identify all the required solution components • The complete solution security view should refer explicitly to the components and their controls • While each individual solution should be able to inherit the security controls provided by these components, the solution design should include explicit reference to them for completeness and to avoid unvalidated assumptions • There is a common and generalised set of components, many of which are shared, within the wider solution topology that should be considered when assessing overall solution security March 8, 2022 27
  • 28. Solution Is The Sum Of Its Components • The solution is a window to its constituent components • Solution consumers experience the totality of the solutions March 8, 2022 28
  • 29. Solution Components Classes • Time-Bounded Delivery Entity Types − Time-bounded sets of work required to get the solution fully operational • Enduring Operational Technology Entity Types − Operational instrumentation and tool components required for the solution to operate • Enduring Process, Procedure and Structural Entity Types − Organisation and process changes required to use the solution optimally March 8, 2022 29
  • 30. Solution Components Classes And Types March 8, 2022 30 Solution Components Time-Bounded Delivery Entity Types Sets of Installation and Implementation Services Existing Data Conversions/ Migrations New Data Loads Parallel Runs Enhanced Support/ Hypercare Enduring Operational Technology Entity Types Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Information Storage Facilities Central, Distributed and Communications Infrastructure Application Hosting and Management Services Enduring Process, Procedure and Structural Entity Types Cutover/ Transfer to Production And Support Operational Functions and Processes Sets of Maintenance, Service Management and Support Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 31. Solution With Consist Of Multiple Instances Of Solution Component Types March 8, 2022 31 Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Sets of Installation and Implementation Services Information Storage Facilities Existing Data Conversions/ Migrations New Data Loads Central, Distributed and Communications Infrastructure Cutover/ Transfer to Production And Support Operational Functions and Processes Parallel Runs Enhanced Support/ Hypercare Sets of Maintenance, Service Management and Support Services Application Hosting and Management Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 32. Solution Topography • Irrespective of whether the solution is hosted inside or outside the organisation, it will still need to operate in a solution topography consisting of a number of logical layers • This topography is important as its implicitly or explicitly delineates borders to what is feasible March 8, 2022 32 Common Service Management Processes and Standards – solution support, service level management Common Financial Management Processes and Standards – solution cost and asset management Common Enterprise Architecture Standards – compliance with organisation technology standards and principles Common Security and Regulatory Compliance Architecture – integration of solution into overall security standards and operations Common Data Architecture – integration of solution data into the organisation data model and access to solution data, compliance with data regulations and standards Business Process and Organisation Structure – business processes and organisation functions that use the solution Extended Solution Landscape With Integration With Other Solutions – solution support, service level management, integration, data exchange Individual Solution Landscape – set of components that comprise the overall solution
  • 33. Solution Topography • Individual solutions do not exist in isolation even through they may be acquired or implemented separately • The organisation’s operation solution landscape consists of many individual solutions located across many different solution zones March 8, 2022 33
  • 34. Solution Topography March 8, 2022 34 Extended Solution Landscape With Integration With Other Solutions Individual Solution Landscape Business Process and Organisation Structure Common Data Architecture Common Security and Regulatory Compliance Architecture Common Enterprise Architecture Standards Common Financial Management Processes and Standards Common Service Management Processes and Standards
  • 35. Security Standards And Controls Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 36. Operational Security Controls • Security controls represent a set of infrastructural facilities and associated processes designed to provide a comprehensive and overlapping set of security protection and defence − Security is not achieved by one control but by layers of controls • Security controls can be used as a checklist during solution design prior to operational acceptance testing to ensure that the solution and its operating environment is security compliant • Security controls must be realistic and achievable to assess, implement and operate − Complexity is the enemy of effectiveness and usefulness March 8, 2022 36
  • 38. Operational Security Controls March 8, 2022 38 Security Control Control Scope Asset Security Design, implement and operate tools and processes to ensure the security of infrastructure and software assets through active asset inventory management Network Monitoring Design, implement and operate tools and processes to monitor network infrastructure, ensuring only authorised software can be installed and run, and provide defence against security threats and attacks Penetration Testing Design, implement and operate tools and processes to test solutions and their infrastructure to identify and resolve vulnerabilities and weaknesses in their design, implementation and operation through the simulation of attacks Browser Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on browser-based attacks and browser vulnerabilities Solution Availability, Resilience, Fault Tolerance and Recovery Design, implement and operate infrastructure, facilities and processes to ensure the availability of the solution, resilience against component failure and recovery in the event of failure Access Control Management Design, implement and operate tools and processes for the creation, assignment, management and revocation of access credentials and privileges for solution and data access to administrator, user and service accounts Account Management Design, implement and operate tools and processes to assign and manage authorisation to credentials for service, administrator and user accounts, including administrator accounts Email Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on email-based attacks and email vulnerabilities Application Solution Security Design, implement and operate tools and processes to manage the security aspects of developed, acquired or externally hosted solutions to identify, prevent, detect and resolve security weaknesses and vulnerabilities Malware Defence Design, implement and operate tools and processes to prevent the installation, spread, and execution of malicious applications, code or scripts Solution Monitoring Design, implement and operate tools and processes to monitor, analyse and report on the usage of a solution and its constituent components including resource consumption and performance Audit Log Management Design, implement and operate tools and processes to collect, store, analyse, alert, review audit logs of solution activity events that to facilitate the detection, understanding and recovery from an attack Inventory and Control of Assets Design, implement and operate tools and processes to manage the infrastructure and software assets that comprise the totality of solutions in order to actively manage those assets Data Management, Backup and Recovery Design, implement and operate tools and processes to manage solution data and establish data backup and recovery including integrity of backup data Supplier and Service Provider Management Design, implement and operate tools and processes to initially assess and continually monitor the security arrangements of solution component suppliers and service providers and the components and services they provide Network Management Design, implement and operate tools and processes to design, implement, operate and manage the security of network infrastructure and facilities including their vulnerability Continuous Vulnerability Management Design, implement and operate tools and processes to continuously assess and track vulnerabilities on all solution components in order to identify, response to, remediate and minimise attacks Data Protection Design, implement and operate tools and processes to identify, classify, securely handle, manage access to, manage regulatory compliance, appropriately retain and dispose of solution data
  • 39. Operational Security Controls Activities Operate processes and procedures to analyse collected data to identify potential security breaches and vulnerabilities Identify any potential control breaches or deviations Assess the potential control breaches or deviations Escalate as appropriate Respond to potential control breaches or deviations Identify actions Track performance of actions Report on actions Improve based on analysis Detect Identify Respond Establish and configure the security control Define and implement the operational processes Allocate resources and budget Define control operation/usage data collection framework Define control data model Define management and reporting procedures Establish March 8, 2022 39
  • 40. Security Controls Activities – Asset Security • Breakdown of activities for the Asset Security control area March 8, 2022 40 Establish Detect Identify Respond • Implement tools and processes to scan, collect, store and provide access to infrastructure and software asset data and their configuration • Implement processes to identify changes • Implement processes to subscribe to vulnerability updates • Implement processes to monitor vulnerabilities and manage updates • Implement processes to disable assets • Implement processes to authorise changes to assets • Implement infrastructure device management including patching and software update distribution • Establish business function and allocate resources to operate asset management • Define asset security roles and responsibilities • Implement reporting and information access processes • Operate asset security management data collection processes • Detect asset changes • Analyse collected asset data to detect potential asset security breaches • Operate escalation processes • Operate asset security incident management processes • Operate asset security problem management processes • • Identify and evaluate asset security breaches and vulnerabilities • Create asset security breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions • Handle security breaches and vulnerabilities • Assign actions and activities • Work through action plan and report on progress • Finalise action plan
  • 41. Security Controls Activities – Network Monitoring • Breakdown of activities for the Network Monitoring control area March 8, 2022 41 Establish Detect Identify Respond • Acquire and implement tools and processes to monitor the network infrastructure, perform intrusion detection, traffic filtering, anti- malware, collect data on network operations and use, generate alerts and manage events • Implement processes to handle alerts and events and identify and manage network issues raised • Implement processes to subscribe to network security updates • Implement processes to authorise changes to network configuration • Establish business function and allocate resources to operate network monitoring • Define network monitoring roles and responsibilities • Implement network monitoring reporting and information access processes • Operate network monitoring alerting and event management • Operate network data collection processes • Operate escalation processes • Operate network monitoring alerting and event incident management processes • Operate network monitoring alerting and event problem management processes • Manage network monitoring alerting and event management infrastructure and apply patches and updates • • Identify, evaluate and prioritise network breaches and vulnerabilities • Create network monitoring alerting and event management breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions • Handle network monitoring alerting and event management breaches and vulnerabilities • Assign actions and activities • Work through action plan and report on progress • Finalise action plan
  • 42. Security Controls Activities • The control activities represent a general set of actions relating to each control • The specific detail for each control is different March 8, 2022 42
  • 43. Security Standards • There are many security standards including: − AICPA Trust Services Criteria - https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/trustdataintegritytaskforce − CIS Critical Security Controls - https://learn.cisecurity.org/cis-controls-download − Cloud Security Alliance (CSA)Cloud Controls Matrix (CCM) - https://cloudsecurityalliance.org/research/cloud-controls-matrix/ − Control Objectives for Information Technologies - https://www.isaca.org/resources/cobit − COSO - https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf − Cybersecurity Maturity Model Certification (CMMC) - https://www.acq.osd.mil/cmmc/documentation.html − FS.31 GSMA Baseline Security Controls - https://www.gsma.com/security/resources/fs-31-gsma-baseline- security-controls/ − ISO 27000 Series - https://www.iso.org/isoiec-27001-information-security.html − NIST CSF (Cyber Security Framework) - https://www.nist.gov/cyberframework − NIST Framework for Improving Critical Infrastructure Cybersecurity - http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf − NIST SP 1800 Series - https://csrc.nist.gov/publications/sp1800 − NIST SP 800-53, Revision 5 Controls CURRENT VERSION 5.1 - https://csrc.nist.gov/CSRC/media/Projects/risk-management/800-53%20Downloads/800-53r5/NIST_SP- 800-53_rev5-derived-OSCAL.xlsx − NIST: Cybersecurity Framework, 800-53, 800-171 – https://csrc.nist.gov/Projects/risk-management/sp800- 53-controls/downloads − US FedRAMP (Federal Risk and Authorization Management Program) - https://tailored.fedramp.gov/ March 8, 2022 43
  • 44. Security Standards • Security standards exist at various levels with varying levels of detail and complexity − Some are very detailed with hundreds of controls • There needs to be a balance between complexity and level of detail and the ease of implementation, operation and use • There are no specific solution-oriented security standards across all solution components types and operational deployment patterns March 8, 2022 44
  • 45. Operational Solution Entities And Solution Zones March 8, 2022 45 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 46. Operational Solution Entities March 8, 2022 46 Solution Components Time-Bounded Delivery Entity Types Sets of Installation and Implementation Services Existing Data Conversions/ Migrations New Data Loads Parallel Runs Enhanced Support/ Hypercare Enduring Operational Technology Entity Types Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Information Storage Facilities Central, Distributed and Communications Infrastructure Application Hosting and Management Services Enduring Process, Procedure and Structural Entity Types Cutover/ Transfer to Production And Support Operational Functions and Processes Sets of Maintenance, Service Management and Support Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 47. Operational Solution Entities • The designed, deployed and operational solution components become solution operational entities • Solution security starts with the solution design process • These physical entities reside in the solution zones • As with solution component types and solution components, there are operational entity types and instances of those types that are the actual solution operational entities • Operational security controls and protection activities need to focus on these entities – they are the main points of solution vulnerability March 8, 2022 47
  • 48. Operational Solution Entities March 8, 2022 48 Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Sets of Installation and Implementation Services Information Storage Facilities Existing Data Conversions/ Migrations New Data Loads Central, Distributed and Communications Infrastructure Cutover/ Transfer to Production And Support Operational Functions and Processes Parallel Runs Enhanced Support/ Hypercare Sets of Maintenance, Service Management and Support Services Application Hosting and Management Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 49. Operational Solution Entity Types And Solution Zones March 8, 2022 49
  • 50. Operational Solution Entity Types – 1 March 8, 2022 50 Operational Entity Type Description External Data Sources Data sources outside the organisation boundary providing data to the organisation External Public Interacting Parties Public solution consumers outside the organisation and outside the control of the organisation External Data Telemetry Devices Devices owned by the organisation in public locations and from which solutions receive data External Telecommand Devices Devices owned by the organisation in public locations and to which solutions send commands External Private Interacting Parties Solution consumers external to the organisation and with whom the organisation has a relationship and who may have authenticated access Externally Located Employees Employees accessing organisation solutions from outside the organisation’s security boundary Mobile Employees Employees accessing organisation solutions outside the organisation but within the organisation’s extended security boundary Private Access Groups Interaction areas for secure collaboration with third-parties with authenticated access Publicly Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication Externally Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication Data Access, Exchange and Service Gateway Facility to allow the access to organisation data and services and to enable the exchange and transfer of data Secure Communications Access Component that provides common secure communications facilities to solutions Identity, Access and Authentication Component providing common facilities for identity and access management and consumer authorisation and authentication Access and Activity Logging Component that provides facilities to log resource accesses, activities and events Anti-Virus, Malware Defence Provides protection against viruses and other malware Network Monitoring Provides facilities to monitor network access, usage and performance Threat Protection and Vulnerability Checking Provides protection against vulnerabilities contained in solutions and any components they use or incorporate Business Continuity and Disaster Recovery Component that provides common secure business continuity and disaster recovery facilities to solutions Mail Organisation email facility Identity, Access and Authentication Component that provides common secure identity, authentication and access control facilities to solutions Backup and Recovery Organisation data backup and recovery facility Internally Accessible Solutions Solutions deployed on on-premises infrastructure designed to be used by internal solution consumers Solution Structured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure Solution Unstructured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure Business Unit Solution Access Group Set of solution consumers located within a separately located business unit Solution Access Groups Set of solution consumers located within the central organisation Outsourced Service Provider Connectivity and Access Component within outsourced service provider for secure connectivity and access to outsourced solutions and data Outsourced Service Provider Access and Authentication Facility within outsourced service provider for identity and access management and consumer authorisation and authentication
  • 51. Operational Solution Entity Types – 2 March 8, 2022 51 Operational Entity Type Description Hosted Shared Solutions Solutions on a shared platform hosted by within outsourced service provider Hosted Shared Solution Data Stores Data stores for solutions on a shared platform deployed within outsourced service provider Hosted Dedicated Solutions Solutions on a dedicated platform hosted by within outsourced service provider Hosted Dedicated Solution Data Stores Data stores for solutions on a dedicated platform deployed within outsourced service provider Cloud Service Provider Connectivity and Access Component within cloud service provider for secure connectivity and access to cloud-located solutions and data Cloud Service Provider Access and Authentication Component within cloud service providing facilities for identity and access management and consumer authorisation and authentication Internally Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use within the organisation Externally Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use outside the organisation Internally Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Internally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use within the organisation Externally Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers Externally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers Publicly Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers Publicly Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Publicly Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Platform Deployed Solutions Data Stores Data stores for solutions deployed in a PaaS pattern Externally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers Publicly Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers Internally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use within the organisation Service Deployed Solutions Data Stores Data stores for solutions deployed in a SaaS pattern Co-Location Provider Connectivity and Access Component within a co-location service provider for secure connectivity and access to co-located solutions and data Co-Location Identity, Access and Authentication Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Co-Located Solutions Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Co-Located Solution Data Stores Solutions hosted by within a co-location service provider
  • 52. Operational Solution Entity Types And Solution Zone Type – 1 March 8, 2022 52 Zone Operational Entity Insecure External Organisation Presentation And Access External Data Sources External Public Interacting Parties External Data Telemetry Devices External Telecommand Devices Secure External Organisation Participation and Collaboration External Private Interacting Parties Externally Located Employees Mobile Employees Private Access Groups Secure External Organisation Access Publicly Accessible Solutions Externally Accessible Solutions Data Access, Exchange and Service Gateway Secure Communications Access Identity, Access and Authentication Organisation Access and Activity Logging Anti-Virus, Malware Defence Network Monitoring Threat Protection and Vulnerability Checking Business Continuity and Disaster Recovery Central Solutions and Access Mail Identity, Access and Authentication Backup and Recovery Solution Zone Internally Accessible Solutions Data Zone Solution Structured Data Stores Solution Unstructured Data Stores
  • 53. Operational Solution Entity Types And Solution Zone Type – 2 March 8, 2022 53 Zone Operational Entity Outsourced Service Provider Solutions and Access Outsourced Service Provider Connectivity and Access Outsourced Service Provider Access and Authentication Hosted Shared Solutions Hosted Shared Solution Data St3ores Hosted Dedicated Solutions Hosted Dedicated Solution Data Stores Cloud Service Provider Solutions and Access Cloud Service Provider Connectivity and Access Cloud Service Provider Access and Authentication Internally Accessible Infrastru9cture Deployed Solutions3 Externally Accessible Infrastructure Deployed Solutions Internally Accessible Infrastructure Deployed Solutions Data Stores Internally Accessible Platform Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Data Stores Externally Accessible Platform Deployed Solutions Publicly Accessible Platform Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Data Stores Platform Deployed Solutions Data Stores Externally Accessible Service Deployed Solutions Publicly Accessible Service Deployed Solutions Internally Accessible Service Deployed Solutions Service Deployed Solutions Data Stores Co-Located Solutions and Access Co-Location Provider Connectivity and Access Co-Location Identity, Access and Authentication Co-Located Solutions Co-Located Solution Data Stores
  • 54. Operational Solution Entity Types And Security Controls • Security controls apply to operational solution entity types • Each operational entity type will have different security control requirements depending on what the entity does and in what zone it is located March 8, 2022 54 Operational Entity Asset Security Account Management Access Control Management Solution Availability, Resilience, Fault Tolerance and Recovery Solution Monitoring Inventory and Control of Assets Data Protection Audit Log Management Application Solution Security Browser Protection Email Protection Malware Defense Data Management and Backup and Recovery Network Monitoring Penetration Testing Continuous Vulnerability Management Network Management Supplier and Service Provider Management
  • 55. External Data Sources External Public Interacting Parties External Data Telemetry Devices Data sources outside the organisation boundary providing data to the organisation Public solution consumers outside the organisation and outside the control of the organisation Devices owned by the organisation in public locations and from which solutions receive data Security Controls And Operational Solution Entity Types March 8, 2022 55
  • 56. External Telecommand Devices External Private Interacting Parties Mobile Employees Devices owned by the organisation in public locations and to which solutions send commands Solution consumers external to the organisation and with whom the organisation has a relationship and who may have authenticated access Employees accessing organisation solutions from outside the organisation’s security boundary Security Controls And Operational Solution Entity Types March 8, 2022 56 External Telecommand Devices Account Management Access Control Management Inventory and Control of Assets Data Protection Audit Log Management Application Solution Security Malware Defense Data Management and Backup and Recovery Network Monitoring Penetration Testing Continuous Vulnerability Management Network Management
  • 57. Private Access Groups Publicly Accessible Solutions Externally Accessible Solutions Interaction areas for secure collaboration with third-parties with authenticated access Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication Security Controls And Operational Solution Entity Types March 8, 2022 57
  • 58. Data Access, Exchange and Service Gateway Secure Communications Access Identity, Access and Authentication Facility to allow the access to organisation data and services and to enable the exchange and transfer of data Component that provides common secure communications facilities to solutions Component providing common facilities for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 58
  • 59. Access and Activity Logging Anti-Virus, Malware Defence Network Monitoring Component that provides facilities to log resource accesses, activities and events Provides protection against viruses and other malware Provides protection against viruses and other malware Security Controls And Operational Solution Entity Types March 8, 2022 59
  • 60. Threat Protection and Vulnerability Checking Business Continuity and Disaster Recovery Mail Provides protection against vulnerabilities contained in solutions and any components they use or incorporate Component that provides common secure business continuity and disaster recovery facilities to solutions Component that provides common secure business continuity and disaster recovery facilities to solutions Security Controls And Operational Solution Entity Types March 8, 2022 60
  • 61. Identity, Access and Authentication Backup and Recovery Internally Accessible Solutions Component that provides common secure identity, authentication and access control facilities to solutions Organisation data backup and recovery facility Solutions deployed on on- premises infrastructure designed to be used by internal solution consumers Security Controls And Operational Solution Entity Types March 8, 2022 61
  • 62. Solution Structured Data Stores Solution Unstructured Data Stores Business Unit Solution Access Group Database-oriented data stores for solutions deployed on on- premises infrastructure Database-oriented data stores for solutions deployed on on- premises infrastructure Set of solution consumers located within a separately located business unit Security Controls And Operational Solution Entity Types March 8, 2022 62
  • 63. Solution Access Groups Outsourced Service Provider Connectivity and Access Outsourced Service Provider Access and Authentication Set of solution consumers located within the central organisation Component within outsourced service provider for secure connectivity and access to outsourced solutions and data Facility within outsourced service provider for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 63
  • 64. Hosted Shared Solutions Hosted Shared Solution Data Stores Hosted Dedicated Solutions Solutions on a shared platform hosted by within outsourced service provider Data stores for solutions on a shared platform deployed within outsourced service provider Solutions on a dedicated platform hosted by within outsourced service provider Security Controls And Operational Solution Entity Types March 8, 2022 64
  • 65. Hosted Dedicated Solution Data Stores Cloud Service Provider Connectivity and Access Cloud Service Provider Access and Authentication Data stores for solutions on a dedicated platform deployed within outsourced service provider Component within cloud service provider for secure connectivity and access to cloud-located solutions and data Component within cloud service providing facilities for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 65
  • 66. Internally Accessible Infrastructure Deployed Solutions Internally Accessible Infrastructure Deployed Solutions Data Stores Internally Accessible Platform Deployed Solutions Solutions deployed in an IaaS pattern designed for use within the organisation Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Security Controls And Operational Solution Entity Types March 8, 2022 66
  • 67. Internally Accessible Service Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Data Stores Solutions deployed in a SaaS pattern designed for use within the organisation Solutions deployed in an IaaS pattern designed for use outside the organisation Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers Security Controls And Operational Solution Entity Types March 8, 2022 67
  • 68. Externally Accessible Platform Deployed Solutions Externally Accessible Service Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers Security Controls And Operational Solution Entity Types March 8, 2022 68
  • 69. Publicly Accessible Infrastructure Deployed Solutions Data Stores Publicly Accessible Platform Deployed Solutions Platform Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers Data stores for solutions deployed in a PaaS pattern Security Controls And Operational Solution Entity Types March 8, 2022 69
  • 70. Service Deployed Solutions Data Stores Co-Location Provider Connectivity and Access Co-Location Identity, Access and Authentication Data stores for solutions deployed in a SaaS pattern Component within a co- location service provider for secure connectivity and access to co-located solutions and data Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 70
  • 71. Security Controls And Operational Solution Entity Types March 8, 2022 71 Co-Located Solutions Co-Located Solution Data Stores Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Solutions hosted by within a co- location service provider
  • 72. Sample Solution Security Data Model • The sample core and extended conceptual solution security data models described earlier can be translated into a more tangible and usable data model • The data model can be implemented easily March 8, 2022 72
  • 73. Sample Solution Security Data Model March 8, 2022 73
  • 74. Summary • These notes have proposed a solution-oriented security approach that can be applied across the entire set of solutions that comprise the organisation solution landscape • It describes a model for collecting, structuring and analysing solution security across the entire organisation solution topology • The proposed model can be applied to solution design and implementation process to create an inventory of required and implemented and operational security controls across all operation components • It can be used as part of solution design and operation due diligence − Use at stage gates during solution delivery to validate solution security March 8, 2022 74