From Business Architecture to
Security Architecture
Vinayak Godse
Senior Director, Data Security Council of India
A NASSCOM®
Initiative
Sector Profile - Digital Architecture
Digital Architecture

Facets of a sector's digital architecture:
- Architecture: architectural arrangements, solution positioning, etc.
- Technology Adoption: technology map and profiling, technology sourcing, characteristics, etc.
- Infrastructure Management: management processes, standards, etc.
- Threat Modeling: sector threat perceptions, threat profiling, etc.
- Security Solution Profile: solution positioning, solution deployments, etc.
- Security Management: practices, processes and standards adoption

Business drivers feeding the digital architecture:
- Business Objectives
- Business Strategy
- Business Processes
- Regulatory Requirements
- Market Competition
- Technology & Services Options
Digital Business Architecture
BFSI – A Typical Business Architecture
Security concerns annotated on the architecture diagram (deduplicated; the slide repeats "Corporate information leakage, Customer privacy violation, Transaction security, Internal Threats" against several of the diagram's components):
- Vulnerable infrastructure
- Inadequate protection
- Increased threats/attacks
- Covert channels
- SQL injection
- Identity theft
- Data theft
- Prone to data exposure
- Insider threats
- Privacy regulations
- Unauthenticated misuse
- Malicious attacks
- Vulnerable DBs
- Data/information leakage threats
- Network security
- Data center security
- DoS and DDoS
- Protocol weaknesses
- Operations & management
- Component failures
- Corporate information leakage
- Customer privacy violation
- Transaction security
- Internal threats
- Compliance deficiency
- Web application security
- Phishing attacks
- Malicious traffic
- Virus attacks
- Online fraud
- Unauthorized access
- Session hijack
- Eavesdropping
- Information theft
- Security compromise at channel partners
- Physical security
- Access controls
- Transactional secrecy and integrity
- Customer identity integrity
- Device operation integrity
- Customer security
- Security compromise at agents
- Social engineering
- Compliance regulation and reporting
- Government & industry compliance regulations
- Unauthorized disclosure
- Confidentiality breach
Architecting For?

Threat outcomes the security architecture is built for:
- Attack
- Exposure
- Stealing
- Leakage
- Compromise
- Disruption
- Exploitation
Transaction Security: Security Options

Percentages: proportion (as reported on the slide) applying each control to the given transaction type.

Transaction              | Login ID/Password | Virtual Keyboard | Risk-based Authentication | Separate Transaction Password | OTP | Identity Grid | SMS Verification | SMS Alert
Account Login            | 89% | 67% | 11% | 28% | 11% | 11% | 17% | 28%
Checking A/C Statements  | 88% | 47% |  0% |  6% |  6% |  0% |  0% |  0%
Register Payee           | 78% | 56% |  6% | 39% | 22% |  6% | 44% | 50%
Profile change           | 88% | 56% |  6% | 31% | 13% |  6% | 19% | 38%
Money transfer to self   | 82% | 53% |  0% | 47% | 18% |  6% |  0% | 59%
Money transfer to other  | 76% | 59% |  6% | 65% | 29% |  6% | 24% | 71%
Paying utility bills     | 65% | 53% |  0% | 47% | 18% |  6% | 18% | 47%
Online purchases         | 76% | 53% |  6% | 59% | 12% | 12% | 18% | 65%
Service Requests         | 82% | 59% |  0% | 24% |  6% |  6% |  0% | 29%
Security architecture objectives:
- Protect: Defend, Deter, Limit Exposure
- Detect: Monitor
- Respond: Contain Damage, Investigate, Recover
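The table above shows the pattern a transaction-security architecture follows: every transaction starts from the login credential, and the riskier the transaction type (registering a payee, transferring to a third party, purchasing online) the more often a separate transaction password, OTP or SMS verification is layered on, with an SMS alert as an after-the-fact detective control. The following is an added example, not code from the DSCI deck, that encodes that pattern as a risk-based step-up policy. The transaction types are taken from the slide; the baseline policy per type, the risk weights, the amount thresholds and the session attributes (known device, IP country) are assumptions made for illustration.

```python
"""Risk-based step-up authentication for online-banking transactions.

Added illustration of the slide's control layering; the baseline policy,
risk weights, thresholds and session attributes are assumed, not sourced.
"""
from dataclasses import dataclass
from enum import Enum


class Control(Enum):
    LOGIN_PASSWORD = "login_id_password"
    TXN_PASSWORD = "separate_transaction_password"
    OTP = "otp"
    SMS_VERIFICATION = "sms_verification"
    SMS_ALERT = "sms_alert"  # detective: notifies the customer, not an interactive step


# Assumed baseline per transaction type, mirroring the slide's pattern:
# read-only actions rely on the login alone, money movement adds step-up.
BASELINE = {
    "checking_statements": frozenset(),
    "service_request": frozenset(),
    "profile_change": frozenset({Control.OTP}),
    "register_payee": frozenset({Control.OTP, Control.SMS_ALERT}),
    "transfer_self": frozenset({Control.TXN_PASSWORD, Control.SMS_ALERT}),
    "transfer_other": frozenset({Control.TXN_PASSWORD, Control.OTP, Control.SMS_ALERT}),
    "utility_bill": frozenset({Control.TXN_PASSWORD, Control.SMS_ALERT}),
    "online_purchase": frozenset({Control.TXN_PASSWORD, Control.OTP, Control.SMS_ALERT}),
}
MONEY_MOVEMENT = {"register_payee", "transfer_self", "transfer_other",
                  "utility_bill", "online_purchase"}
MEDIUM_VALUE = 10_000.0    # assumed thresholds, currency-agnostic
HIGH_VALUE = 100_000.0


@dataclass(frozen=True)
class Session:
    satisfied: frozenset            # Controls the user has completed in this session
    known_device: bool
    ip_country_matches_profile: bool


@dataclass(frozen=True)
class Transaction:
    kind: str
    amount: float = 0.0
    new_payee: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step_up: frozenset   # interactive controls still outstanding
    notify: bool         # send an SMS alert once the transaction completes


def risk_score(txn: Transaction, session: Session) -> int:
    """Additive risk score; the weights are illustrative assumptions."""
    score = 0
    if not session.known_device:
        score += 2
    if not session.ip_country_matches_profile:
        score += 2
    if txn.new_payee:
        score += 1
    if txn.amount >= HIGH_VALUE:
        score += 2
    elif txn.amount >= MEDIUM_VALUE:
        score += 1
    return score


def required_controls(txn: Transaction, session: Session) -> frozenset:
    """Baseline for the transaction type plus risk-driven step-up controls."""
    if txn.kind not in BASELINE:
        raise ValueError(f"unknown transaction type: {txn.kind}")
    required = {Control.LOGIN_PASSWORD} | BASELINE[txn.kind]
    score = risk_score(txn, session)
    if score >= 2 and txn.kind in MONEY_MOVEMENT:
        required.add(Control.OTP)               # possession factor for risky money movement
    if score >= 4:
        required.add(Control.SMS_VERIFICATION)  # second out-of-band confirmation
        required.add(Control.SMS_ALERT)
    return frozenset(required)


def authorize(txn: Transaction, session: Session) -> Decision:
    """Allow only when every interactive control required is already satisfied."""
    required = required_controls(txn, session)
    interactive = required - {Control.SMS_ALERT}
    missing = interactive - session.satisfied
    return Decision(allowed=not missing, step_up=missing,
                    notify=Control.SMS_ALERT in required)


if __name__ == "__main__":
    login_only = Session(frozenset({Control.LOGIN_PASSWORD}), True, True)
    print(authorize(Transaction("checking_statements"), login_only))
    risky = Session(frozenset({Control.LOGIN_PASSWORD}), False, False)
    print(authorize(Transaction("transfer_other", 250_000.0, new_payee=True), risky))
```

Two design points worth noting. Step-up is computed from the union of a per-type baseline and a risk score, so a control already in the baseline (OTP for a profile change) is not demanded twice when the risk score also calls for it. The SMS alert is kept out of the interactive set: it maps to the Detect objective, not Protect, so it never blocks the transaction but is always raised when the policy requires it.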