INFOSECFORCE
BILL ROSS
Application Security
15 Sept 2008
“Balancing security controls to business requirements”
“The Invisible Person …. The Information Security Architect”
“We are in a CYBER War and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight and win and lose in this battle. Every year thousands of articles and conferences across the globe address this challenge and when one reads the literature and attends the meetings, one gleans that a core weapon is missing in the discussion:
• Cohesive risk and business based information security architecture
• Systematically and strategically planned and executed
• An Information Security Architect with a “Ninja war fighting spirit””
INFOSECFORCE 2012
“Will the real Information Security Architect step out of the shadows and reveal him/her self so we all know who and what we are?”
Critical Reason for ISA Excellence
Searching for YETI?
The Invisible Person: The Security Architect
• Two years ago, wrote paper “The Invisible Person …. The Security Architecture”
• Concerned about the wide degree of interpretations of what a Security Architect is
• Posted on “ONLY” two LinkedIn sites
• Amazing response …. Over 600 global requests for the paper in two years
Two Reasons Why?
Background
Egregious data breaches this year
Which should not be on this list?
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Source: http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf
Will anything stop them?
“Cyber Security’s Maginot Line”
“Sample: 1216 organizations, 63 countries, 20 industries, 67 Billion spent on security”
Did the Security Architecture Fail?
• The Information Security Community (ISC) does not yet have a consistent and recognized universal definition of what an ISA is, BUT we are gaining on it.
• Limited recognition in IT standard frameworks (EA, TOGAF, DoDAF, Zachman) for what an ISA should accomplish.
• Security community ISA standards (SABSA, OSA, ISC2, Huxham)
• As such, wide-ranging and variable job descriptions covering every aspect of Information Security roles and responsibilities.
• Given the lack of an ISA standard, the Security Architect sometimes struggles in the role, because what he/she thinks he/she should do is not what the company thinks it hired him/her for.
SOURCE: http://securityarchitecture.com/docs/Security_Management_Frameworks.pdf
ISA Operational report
Current indicators
Note about Enterprise Architecture
The ISA brief objectives
• Background:
  • Invisible person thought piece written 8/12/2014 … posted on ONLY two blogs … almost 600 global requests.
• Purpose:
  • Discuss the definition and roles of an information security architect (ISA)
  • Is there a problem?
  • Examine possible industry ISA interpretations
  • Review information security models
  • System Security Architecture Implementation Models
• Expected outcome:
  • Enhanced awareness of an ISA’s roles and responsibilities
  • More writings and better certifications and definitions
  • More securely built applications and infrastructure
Not the “Big Bang Theory”
Personal ISA experience
Have built Security Architectures/plans/road maps, designed strategies, hired Security Architects and mentored them …. I am a self-taught architect …. Just like to build things.
• Enthralled by TAFIM in the 1990’s
• Built the Tactical Collection Framework for Central American Wars
• Integrated the Air Force Special Ops and regular USAF Intelligence architectures
• Baselined the technical architecture for the global Army Materiel Command
• For CSC, managed deploying JP Morgan’s first global security architecture
• Built the security technical road map for the Federal Reserve IT
• Appointed someone as the Federal Reserve’s first security architect
• Hired the security architect for the Northrop VITA contract
• Hired by AXA Tech as the Security Architect
• Defined strategy for the Information Risk Architecture Framework (IRAF)
• Security Architect for AIG at United Guaranty Corporation
• Wrote “The Invisible Person …. the Security Architect”
• Sherwood Applied Business Security Architecture Trained
• SAIC Information Assurance Architect
• INFOSECFORCE LLC Security Process Architect
• Architecture has its origins in the building of towns and cities, and everyone understands this sense of the word, so it makes sense to begin by examining the meaning of ‘architecture’ in this traditional context.
• Architecture is a set of rules and conventions by which we create buildings that serve the purposes for which we intend them, both functionally and aesthetically.
• Architecture is founded upon an understanding of the requirements that it must fulfil.
• These needs are expressed in terms of function, aesthetics, culture, government policies and civil priorities.
• Architecture is also both driven and constrained by a number of specific factors.
The Origins of Architecture
Man’s primordial need to scream build
IT Architect
IT Enterprise Architecture Evolution
• Relentless attacks hurting INFOSEC reputation
• Focus on frameworks like NIST and PCI versus architecting and engineering
• Enterprise Architecture, TOGAF and ISO 27001 just now integrating SABSA
• Multiple IT and then Security Architecture frameworks …. Overwhelming
• Various interpretations of what an Information Security Architect is
• Scant references in the trades to the importance of integrating security
• SABSA and ISC2 certs exist but need Engineering equivalents
• SABSA the closest thing to an ISA champion (like early ITIL, mostly offshore)
• No true professional organization like “The Global Information Security Architect Association (GISAA)”
• Forthcoming and relentless Cyber Attacks
ISA conundrum
Working on to good ……………
JDs exemplify organizational ISA Soul Searching
1. Extremely technical in one or two security technologies such as Firewalls or intrusion detection devices.
2. Extremely technical on all aspects of security but cannot connect the architecture to business requirements and the overall strategy. Could install a HIDS or even a firewall but the person did not design a strategy on how these systems could operationally and tactically integrate as part of the intrusion detection framework.
3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process.
4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan.
5. Calling the security director or security manager the security architect
Various ISA job descriptions
Rating scale: Great | High | Medium | Low
- Extremely technical in one or two technologies like firewalls: X
- Extremely technical in all things security technology but no business acumen: X
- Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process: X
- Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan: X
- Calling the security director or security manager the security architect: X
- 10 years experience in information security: X
- SABSA, TOGAF, OSA, Zachman trained and certified: X
- Highly experienced in one of these frameworks: NIST, SANS, ISO 27001, COBIT, Cyber Security Framework, PCI, FTI, FISMA, DIACAP, RMF: X
- ITIL, CISSP, GIAC, EE, DISA: X
Likelihood of succeeding as an ISA
Optimum ISA Job Description
“An information security architect should have at least 10 years’ experience in information security and at one point in his/her career should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms, should have managed acquisition efforts, identity access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment that is aligned with the core business processes, be they financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands how security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business-savvy professional with a Ninja spirit.”
Who ya gonna call?
SANS think
“Can you build a Defense in Depth architecture without an architect?”
“Of course, you are not going to get very far with an architectural approach to Defense in Depth without an architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is.
The concept is, however, starting to mature.
(ISC)2 organization has created an ISSAP (Information Systems Security Architecture Professional) certification[2].
SABSA organization has three levels of certifications for Security Architects: Foundation, Practitioner, and Master.
There are job opportunities for positions labeled as "Security Architects," although many times they sound more like engineers than architects.
Though specific knowledge about systems and networks is important, an architect should have the ability to assemble and disassemble pieces of knowledge to/from a whole.”
Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board
ISA Certification syllabuses
SABSA
• Define enterprise security architecture, its role, objectives and benefits
• Describe the SABSA model, architecture matrix, service management matrix and terminology
• Describe SABSA principles, framework, approach and lifecycle
• Use business goals and objectives to engineer information security requirements
• Create a business attributes taxonomy
• Apply key architectural defence-in-depth concepts
• Explain security engineering principles, methods and techniques
• Use an architected approach to design an integrated compliance framework
• Describe and design appropriate policy architecture
• Define security architecture value proposition
• Use SABSA to create an holistic framework to align and integrate standards
SABSA (cont.)
• Describe roles, responsibilities, decision-making and organisational structure
• Explain the integration of SABSA into a service management environment
• Define Security Services
• Describe the placement of security services within ICT Infrastructure
• Create a SABSA Trust Model
• Describe and model security associations intra-domain and inter-domain
• Explain temporal factors in security and sequence security services
• Determine an appropriate start-up approach for SABSA Architecture
• Apply SABSA Foundation level competencies to the benefit of your organisation
(ISC)² ISSAP
• Access Control Systems and Methodology
• Communications & Network Security
• Cryptography
• Security Architecture Analysis
• Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
• Physical Security Considerations
NOTE: ISSAP capitalizes on CISSP training
Two prime ISA Certifications
The GARTNER View is EA Focused
Enterprise Security Architecture
• Information security solutions often designed, acquired and installed on a tactical basis.
• No strategic dimension
• Organization builds up a mixture of technical solutions on an ad hoc basis
• No guarantee that they will be compatible and inter-operable.
• Solution is to base decisions on business requirements, including:
  • The need for cost reduction
  • Modularity
  • Scalability
  • Ease of component re-use
  • Operability
  • Usability
  • Inter-operability both internally and externally
  • Integration with the enterprise IT architecture and its legacy systems.
Ad hoc, not integrated, not planned and costly
Security is business
Source: http://www.intigrow.com/enterprise-security-architecture-design.html
Being a Successful Information Security Architect
“Unless the security architecture can address a wide range of operational requirements and provide real business support and business enablement, rather than just focusing upon ‘security’, then it is likely that it will fail to deliver what the business expects and needs.”
• Common phenomenon throughout the information systems industry
• Being a successful security architect means thinking in business terms at all times
• You always need to have in mind the questions: Why are you doing this? What are you trying to achieve in business terms here? Otherwise you will lose the thread and finish up making all the classic mistakes.
• Many do not understand strategic architecture, and think that it is all to do with technology.
• Buy-in and sponsorship from senior management
• Enterprise architecture cannot be achieved unless the most senior decision-makers are on your side.
• Creating this environment of acceptance and support is probably one of the most difficult tasks that you will face in the early stages of your work.
Source: SABSA
WHAT’S IT GONNA TAKE?
ISA Situation
• Onslaught of cyber attacks costing millions in damages and loss of consumer trust
• Numerous interpretations of ISA limit organizational success in ISA
• While improving, need more global awareness of the essential importance of “Building Security In”
• SABSA and ISSAP good but not good enough
• Standards like NIST and PCI good but not nearly good enough
Action Plan
• Bring the ISA out of the Shadows or redefine what an ISA is
• Industry and government ISA punctuation greatly needed
• Need to create an ISO or IEEE level standard
• Make it an engineering science as is an EE degree
• Trades like SC, CISO, Information Week and companies like RSA, Symantec, Verizon need to champion ISA
• Somehow, someway create GISAA
ISA conundrum summary
The eloquent designs
The IT and Security “Architecture” Designs …… thinking and planning
Source: http://antifan-real.deviantart.com/art/Grand-Universe-17189369
SABSA Eloquent design
SABSA Eloquent design matrix
ISA Landscape by OSA
Source: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/315-sp-026-pci-full
PCI OSA Pattern
Server OSA Pattern
TOGAF development process
Source: http://www.opengroup.org/subjectareas/enterprise/togaf
Huxham Security Framework
INFOSECFORCE baseline
MAKING IT REAL ….yikes
Implementing a framework or enterprise improvements
COBIT
ISO 27001
PCI
NIST RMF
OPRA
HIPAA
UCF SOX
NIST CSF
Security Engineering & Architecture
SANS Top 20
Implementation tool and designs
Keeping it simple
• System security plan that defines risk, architecture and controls
• Control framework of your choosing such as NIST CSF, PCI, etc.
• Plan, Build, Deploy, and Operate Project Plan
• INFOSECFORCE risk management analysis (process and technology gaps)
• SABSA framework sheet establishing overall situational awareness
• OSA patterns
• High level engineering design
• Detailed engineering design
• Excruciatingly detailed test plans
• Implementation plan
• Policy, process and procedures
• Certification and accreditation
• Continuous control monitoring plan
• Production security
Enterprise Security Architecture Asynchronous Planning
• Information security solutions are often designed, acquired and installed on a tactical basis.
• “A requirement is identified, a specification is developed and a solution is sought to meet that situation.”
• Strategic dimension not considered
• Mixture of technical solutions on an ad hoc basis, each independently designed and specified and with no guarantee that they will be compatible and inter-operable.
• No analysis of the long-term costs, especially the operational costs which make up a large proportion of the total cost of ownership; no strategy that can be identifiably said to support the goals of the business.
Fundamental Enterprise Security Architecture Planning Issue
Source: SABSA
• Development of an enterprise security architecture which is business-driven
• A structured inter-relationship between the technical and procedural solutions to support the long-term needs of the business.
• Must provide a rational framework within which decisions can be made based on an understanding of the business requirements, including:
  • The need for cost reduction
  • Modularity
  • Scalability
  • Ease of component re-use
  • Operability
  • Usability
  • Inter-operability both internally and externally
  • Integration with the enterprise IT architecture and its legacy systems.
Enterprise Security Architecture Planning Solution
Security Architecture Planning is the missing piece of the puzzle
Source: SABSA
Security Architecture Approach
Holistic Approach
Mistake: believing that building security into information systems is simply a matter of referring to a checklist of technical and procedural controls and applying the appropriate security measures on the list.
Car example
A car is a good example of a complex system. It has many sub-systems, which in turn have sub-systems, and eventually a very large number of components. Designing and building a car needs a ‘systems-engineering’ approach.
Architecture system approach
• Do you understand the requirements?
• Do you have a design philosophy?
• Do you have all of the components?
• Do these components work together?
• Do they form an integrated system?
• Does the system run smoothly?
• Are you assured that it is properly assembled?
• Is the system properly tuned?
• Do you operate the system correctly?
• Do you maintain the system?
Are PCI, NIST, SANS Top 20, DIACAP architectures?
Architect/Engineer/Implement?
Implementing a framework or a system
PLAN | BUILD | DEPLOY | OPERATE
PLAN (Define):
- Feasibility
- Business case
- Initial risk assessment
- Requirements
- Security CIA
- Charter
- System type
- System security plan
- Baseline
BUILD (Define):
- EA Architecture plan
- System risk level
- Applicable security control requirements
- High level design
- Detailed design
- Functional design
DEPLOY (Define):
- Test, test, test
- Acceptance
- Procedure
- Process
- CONOPS
- Certify and attest
OPERATE (Define):
- Vulnerability mgt
- Pen test mgt
- Continuous logging and monitoring
- Compliance plan PCI/SOX
- Patch mgt
- Security CIA
- Change mgt
- Incident response
SLCMP and the SDLC … “The Dance”
SDLC steps (PLAN → BUILD → DEPLOY → OPERATE):
1. Statement of need for new business process, application or technology
2. Functional requirements document designed
3. Design and technical architecture developed
4. Code development
5. 1st phase prod testing
6. QA
7. Pre prod / Prod / Post Prod
INFOSEC activities along the way:
• INFOSEC participation in feasibility analyses, no documentation required
• Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done.
• Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted.
• INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments.
• Integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager.
• First phase application security testing. Once code begins solidifying, use soft tools such as AppScan or SPI Dynamics for high level testing. Feed findings back to developers for code correction.
• Second phase app security testing using a formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect Security has expertise in this area.
• Third phase app security test which follows the phase one testing process. Used as final verification that code is stable from an INFOSEC perspective.
• Create final risk acceptance document
• Application and infrastructure penetration testing
• Server cert
• 2nd phase prod testing
• Ongoing pen tests, vulnerability assessments, risk management
** Security certification and accreditation should be finalized
The ISA does not exist after all
• ISA not an architect after all
• Engineer defining and implementing security requirements
• Implementing the security components of an enterprise architect solution
• Integrated and symbiotic with the enterprise architecture
• Security processes that run on the infrastructure and something the business enterprise cannot do without
• It is a senior engineer that guides the construction and implementation of the security components
Paradigm shift (ed)
Conclusion
We are at war. A Security Architect can define strategies to defeat the aggressors. The ISC needs to standardize its doctrine and strategy to define the ISC view concerning what an ISA is; once that is defined, it will be easier to define what a Security Architect is and should do to protect vital business data assets. Not only will this protect your data and business, you will implement optimized solutions for investment utilization. Organizations need to hire the right people for ISA jobs and stop confusing the Senior Security Engineer with the roles and responsibilities of an Information Security Architect. While they are complementary in nature, the roles are different. Smart Security Architects should always include brilliant security and infrastructure engineers in developing their business’ holistic and comprehensive ISA.
I am confident that if an organization uses the simple framework I described above, its Security Architect will create an outstanding ISA and ISA road map.
Summary
By including security requirements in the EA process and security professionals in the EA team, enterprises can ensure that security requirements are incorporated into priority investments and solutions. Enterprise-level security awareness and support for the security team can improve as well.
Controls are services: when to use SOAP, when to encrypt
BACKUPS
Framework for Improving Critical Infrastructure Cybersecurity
The framework throws a bone at the notion of improving security by discussing gap analysis, but how to do that is well understood and documented elsewhere. The real value here is a means to both justify and compel private sector spending in a commercially competitive environment to fill the security gaps.
http://www.darkreading.com/vulnerabilities---threats/baby-teeth-in-infrastructure-cyber-security-framework/d/d-id/1204437
SDLC/PLCMP Deliverables
Initiate
- Data security categorization
- Security plan
- Preliminary risk assessment
Design and develop
- Risk assessment
- Functional requirements analyses
- Assurance requirements
- Control selection
- Security architecture
- Functional and vulnerability test plan
- First phase testing
- Additional planning assignments
Implement
- Security control integration
- Second phase app security testing
- Third phase app security testing
- Security certification
- Security accreditation
- Final risk acceptance document
Production
- Threat management
- Configuration management and control
- Continuous monitoring
- Incident response plan
REF: NIST 800-53
SLCMP Deliverables
Initiate
- Data security categorization
- Preliminary risk assessment
- Security plan
Develop
- Risk assessment
- Functional requirements analyses
- Assurance requirements
- Control selection
- Security architecture
- Functional and vulnerability test plan
- First phase testing
- Additional planning assignments
Implement
- Security control integration
- Second phase app security testing
- Third phase app security testing
- Security certification
- Security accreditation
Production
- Threat management
- Configuration management and control
- Continuous monitoring
- Incident response plan

Security architecture analyses brief, 21 April 2015

  • 1.
    IINFOSECFORCENFOSECFORCE 1BILL ROSS Application Security BILLROSS 15 Sept 2008 IINFOSECFORCENFOSECFORCE ““ Balancing security controls to business requirements “Balancing security controls to business requirements “ ““ The Invisible Person …. TheThe Invisible Person …. The Information Security Architect “Information Security Architect “
  • 2.
    IINFOSECFORCENFOSECFORCE “ We arein a CYBER War and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight and win and lose in this battle. Every year thousands of articles and conferences across the globe address this challenge and when one reads the literature and attends the meetings, one gleans that a core weapon is missing in the discussion:  Cohesive risk and business based information security architecture  Systematically and strategically planned and executed  An Information Security Architect with a “Ninja war fighting spirit” INFOSECFORCE 2012 “ Will the real Information Security Architect step out of the shadows and reveal him/her self so we all know who and what we are? “ Critical Reason for ISA ExcellenceCritical Reason for ISA Excellence
  • 3.
    IINFOSECFORCENFOSECFORCE Searching for YETI?Searching for YETI ? The Invisible Person The Security Architect
  • 4.
    IINFOSECFORCENFOSECFORCE  Two yearsago, wrote paper “ The Invisible Person …. The Security Architecture “  Concerned about the wide degree of interpretations of what a Security Architect is?  Posted on “ONLY” two LinkedIn sites  Amazing response …. Over 600 global requests for the paper in two years Two Reasons Why ? BackgroundBackground
  • 5.
    IINFOSECFORCENFOSECFORCE Egregious data breachesthis yearEgregious data breaches this year Which should not be on this list?Which should not be on this list? Source http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 6.
    IINFOSECFORCENFOSECFORCE Source: http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf Will anythingstop them ?Will anything stop them ? “ Cyber Security’s Maginot Line “ “Sample : 1216 organizations, 63 countries, 20 industries, 67 Billion spent on security” Did the Security Architecture Fail ?
  • 7.
    IINFOSECFORCENFOSECFORCE  The InformationSecurity Community (ISC) does not yet have a consistent and recognized universal definition defining what an ISA is BUT we are gaining on it.  Limited recognition in IT standard frameworks for what an ISA should accomplish. (EA, TOGAF, DoDAF, Zackman)  Security community standards ISA (SABSA, OSA, ISC2, Huxman )  As such, wide ranging and variable job descriptions covering every aspect of Information Security roles and responsibilities.  Given the lack of an ISA standard, the Security Architect sometimes struggles in his role as what he/she thinks he/she should do is not what the company thinks they hired him for. SOURCE: http://securityarchitecture.com/docs/Security_Management_Frameworks.pdf ISA Operational reportISA Operational report Current indicators Note about Enterprise Architecture
  • 8.
    IINFOSECFORCENFOSECFORCE The ISA briefobjectivesThe ISA brief objectives  Background:  Invisible person thought piece written 8/12/2014 … posted on ONLY two blogs … almost 600 global requests.  Purpose:  Discuss definition and roles of an information security architect (ISA)?  Is there a problem ?  Examine possible industry ISA interpretations ?  Review information security models ?  System Security Architecture Implementation Models ?  Expected outcome:  Enhanced awareness of the an ISA roles and responsibilities  More writings and better certifications and definitions  More securely built applications and infrastructure Not the “ Big Bang Theory “
  • 9.
    IINFOSECFORCENFOSECFORCE Personal ISA experiencePersonalISA experience Have built Security Architectures/plans/road maps, designed strategies, hired Security Architects and mentored them …. I am a self taught architect …. Just like to build things. Enthralled by TAFIM in the 1990’s Built the Tactical Collection Framework for Central American Wars Integrated the Air Force Special Ops and regular USAF Intelligence architectures Base lined the technical architecture for the global Army Material Command For CSC, managed deploying JP Morgan’s first global security architecture Built the security technical road map for the Federal Reserve IT Appointed someone as the Federal Reserve’s first security architect Hired the security architect for the Northrop VITA contract Hired by AXA Tech as the Security Architect Defined strategy for the Information Risk Architecture Framework (IRAF) Security Architect for AIG at United Guaranty Corporation Wrote “ The Invisible Person …. the Security Architect “ Sherwood Applied Business Security Architecture Trained SAIC Information Assurance Architect INFOSECFORCE llc Security Process Architect
  • 10.
    IINFOSECFORCENFOSECFORCE  Architecture hasits origins in the building of towns and cities, and everyone understands this sense of the word, so it makes sense to begin by examining the meaning of ‘architecture’ in this traditional context.  Architecture is a set of rules and conventions by which we create buildings that serve the purposes for which we intend them, both functionally and aesthetically. ‘  Architecture is founded upon an understanding of the requirements that it must fulfil.  These needs are expressed in terms of function, aesthetics, culture, government policies and civil priorities.  Architecture is also both driven and constrained by a number of specific factors. The Origins of ArchitectureThe Origins of Architecture Man’s primordial need to scream build IT Architect IT Enterprise Architecture Evolution
  • 11.
ISA conundrum
- Relentless attacks hurting INFOSEC reputation
- Focus on frameworks like NIST and PCI versus architecting and engineering
- Enterprise Architecture, TOGAF and ISO 27001 just now integrating SABSA
- Multiple IT and then Security Architecture frameworks …. Overwhelming
- Various interpretations of what an Information Security Architect is
- Scant references in the trades of the importance of integrating security
- SABSA and ISC2 certs but need Engineering equivalents
- SABSA the closest thing to ISA champion (like early ITIL mostly offshore)
- No true professional organization like “ The Global Information Security Architect Association (GISAA) “
- Forthcoming and relentless Cyber Attacks
Working on to good ……………
  • 12.
Various ISA job descriptions
JDs exemplify organizational ISA soul searching
1. Extremely technical in one or two security technologies such as firewalls or intrusion detection devices.
2. Extremely technical on all aspects of security but cannot connect the architecture to business requirements and the overall strategy. Could install a HIDS or even a firewall, but the person did not design a strategy on how these systems could operationally and tactically integrate as part of the intrusion detection framework.
3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process.
4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan.
5. Calling the security director or security manager the security architect.
  • 13.
Likelihood of succeeding as an ISA
(Matrix on the slide rates each profile below as Great, High, Medium or Low; the rating marks are only in the original graphic.)
- Extremely technical in one or two technologies like firewalls
- Extremely technical in all things security technology but no business acumen
- Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process
- Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan
- Calling the security director or security manager the security architect
- 10 years experience in information security
- SABSA, TOGAF, OSA, Brackman trained and certified
- Highly experienced in one of these frameworks: NIST, SANS, ISO 27001, COBIT, Cyber Security Framework, PCI, FTI, FISMA, DIACAP, RMF
- ITIL, CISSP, GIAC, EE, DISA
  • 14.
Optimum ISA Job Description
” An information security architect should have at least 10 years experience in information security and at one point in his/her career should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms, have managed acquisition efforts, identity access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment that is aligned with the core business processes, be they financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands how security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business savvy professional with a Ninja spirit. “
Who ya gonna call ?
  • 15.
SANS think
“Can you build a Defense in Depth architecture without an architect ? “
“ Of course, you are not going to get very far with an architectural approach to Defense in Depth without an architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is. The concept is, however, starting to mature. (ISC)2 organization has created an ISSAP (Information Systems Security Architecture Professional) certification[2]. SABSA organization has three levels of certifications for Security Architects: Foundation, Practitioner, and Master. There are job opportunities for positions labeled as "Security Architects," although many times they sound more like engineers than architects. Though specific knowledge about systems and networks is important, an architect should have the ability to assemble and disassemble pieces of knowledge to/from a whole. “
Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board
  • 16.
ISA Certification syllabuses
Two prime ISA Certifications

SABSA
- Define enterprise security architecture, its role, objectives and benefits
- Describe the SABSA model, architecture matrix, service management matrix and terminology
- Describe SABSA principles, framework, approach and lifecycle
- Use business goals and objectives to engineer information security requirements
- Create a business attributes taxonomy
- Apply key architectural defence-in-depth concepts
- Explain security engineering principles, methods and techniques
- Use an architected approach to design an integrated compliance framework
- Describe and design appropriate policy architecture
- Define security architecture value proposition
- Use SABSA to create a holistic framework to align and integrate standards
- Describe roles, responsibilities, decision-making and organisational structure
- Explain the integration of SABSA into a service management environment
- Define Security Services
- Describe the placement of security services within ICT Infrastructure
- Create a SABSA Trust Model
- Describe and model security associations intra-domain and inter-domain
- Explain temporal factors in security and sequence security services
- Determine an appropriate start-up approach for SABSA Architecture
- Apply SABSA Foundation level competencies to the benefit of your organisation

ISC2 ISSAP
- Access Control Systems and Methodology
- Communications & Network Security
- Cryptography
- Security Architecture Analysis
- Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
- Physical Security Considerations
NOTE: ISSAP capitalizes on CISSP training
  • 17.
The GARTNER View is EA Focused
  • 18.
Enterprise Security Architecture
- Information security solutions often designed, acquired and installed on a tactical basis.
- No strategic dimension.
- Organization builds up a mixture of technical solutions on an ad hoc basis.
- No guarantee that they will be compatible and inter-operable.
- Solution is to base decisions on business requirements, including:
  - The need for cost reduction
  - Modularity
  - Scalability
  - Ease of component re-use
  - Operability
  - Usability
  - Inter-operability both internally and externally
  - Integration with the enterprise IT architecture and its legacy systems.
Ad hoc, not integrated, not planned and costly
Security is business
Source: http://www.intigrow.com/enterprise-security-architecture-design.html
  • 19.
Being a Successful Information Security Architect
WHAT’S IT GONNA TAKE ?
“ Unless the security architecture can address a wide range of operational requirements and provide real business support and business enablement, rather than just focusing upon ‘security’, then it is likely that it will fail to deliver what the business expects and needs. “
- Common phenomenon throughout the information systems industry.
- Being a successful security architect means thinking in business terms at all times.
- You always need to have in mind the questions: Why are you doing this? What are you trying to achieve in business terms here? Otherwise you will lose the thread and finish up making all the classic mistakes.
- Many do not understand strategic architecture, and think that it is all to do with technology.
- Buy-in and sponsorship from senior management.
- Enterprise architecture cannot be achieved unless the most senior decision-makers are on your side.
- Creating this environment of acceptance and support is probably one of the most difficult tasks that you will face in the early stages of your work.
Source: SABSA
  • 20.
ISA conundrum summary
ISA Situation
- Onslaught of cyber attacks costing millions in damages and loss of consumer trust
- Numerous interpretations of ISA limit organizational success in ISA
- While improving, need more global awareness of the essential importance of “Building Security In”
- SABSA and ISSAP good but not good enough
- Standards like NIST and PCI good but not nearly good enough
Action Plan
- Bring the ISA out of the Shadows or redefine what an ISA is
- Industry and government ISA punctuation greatly needed
- Need to create an ISO or IEEE level standard
- Make it an engineering science as is an EE degree
- Trades like SC, CISO, Information Week and companies like RSA, Symantec, Verizon need to champion ISA
- Somehow, someway create GISAA
  • 21.
The eloquent designs
The IT and Security “Architecture” Designs …… thinking and planning
Source: http://antifan-real.deviantart.com/art/Grand-Universe-17189369
  • 22.
  • 23.
SABSA Eloquent design matrix
  • 24.
  • 25.
  • 26.
  • 27.
TOGAF development process
Source: http://www.opengroup.org/subjectareas/enterprise/togaf
  • 28.
  • 29.
  • 30.
MAKING IT REAL …. yikes
  • 31.
Implementing a framework or enterprise improvements
Frameworks shown on the slide:
- COBIT
- ISO 27001
- PCI
- NIST RMF
- OPRA
- HIPAA
- UCF
- SOX
- NIST CSF
- Security Engineering & Architecture
- SANS Top 20
  • 32.
Implementation tool and designs
Keeping it simple
- System security plan that defines risk, architecture and controls
- Control framework of your choosing such as NIST CSF, PCI, etc.
- Plan, Build, Deploy, and Operate project plan
- INFOSECFORCE risk management analysis (process and technology gaps)
- SABSA framework sheet establishing overall situational awareness
- OSA patterns
- High level engineering design
- Detailed engineering design
- Excruciatingly detailed test plans
- Implementation plan
- Policy, process and procedures
- Certification and accreditation
- Continuous control monitoring plan
- Production security
  • 33.
Fundamental Enterprise Security Architecture Planning Issue
Enterprise Security Architecture: Asynchronous Planning
- Information security solutions are often designed, acquired and installed on a tactical basis.
- A requirement is identified, a specification is developed and a solution is sought to meet that situation.
- Strategic dimension not considered.
- Mixture of technical solutions on an ad hoc basis, each independently designed and specified and with no guarantee that they will be compatible and inter-operable.
- No analysis of the long-term costs, especially the operational costs which make up a large proportion of the total cost of ownership; no strategy that can be identifiably said to support the goals of the business.
Source: SABSA
  • 34.
Enterprise Security Architecture Planning Solution
Security Architecture Planning is the missing piece of the puzzle
- Development of an enterprise security architecture which is business-driven.
- A structured inter-relationship between the technical and procedural solutions to support the long-term needs of the business.
- Must provide a rational framework within which decisions can be made based on an understanding of the business requirements, including:
  - The need for cost reduction
  - Modularity
  - Scalability
  - Ease of component re-use
  - Operability
  - Usability
  - Inter-operability both internally and externally
  - Integration with the enterprise IT architecture and its legacy systems.
Source: SABSA
  • 35.
Security Architecture Approach
Holistic Approach
The mistake is believing that building security into information systems is simply a matter of referring to a checklist of technical and procedural controls and applying the appropriate security measures on the list.
Car example
A car is a good example of a complex system. It has many sub-systems, which in turn have sub-systems, and eventually a very large number of components. Designing and building a car needs a ‘systems-engineering’ approach.
Architecture system approach
- Do you understand the requirements?
- Do you have a design philosophy?
- Do you have all of the components?
- Do these components work together?
- Do they form an integrated system?
- Does the system run smoothly?
- Are you assured that it is properly assembled?
- Is the system properly tuned?
- Do you operate the system correctly?
- Do you maintain the system?
Are PCI, NIST, SANS Top 20, DIACAP architectures ?
  • 36.
Architect/Engineer/Implement?
Implementing a framework or a system
PLAN (Define):
- Feasibility
- Business case
- Initial risk assessment
- Requirements
- Security CIA
- Charter
- System type
- System security plan
- Baseline
BUILD (Define):
- EA Architecture plan
- System risk level
- Applicable security control requirements
- High level design
- Detailed design
- Functional design
DEPLOY (Define):
- Test, test, test
- Acceptance
- Procedure
- Process
- CONOPS
- Certify and attest
OPERATE (Define):
- Vulnerability mgt
- Pen Test mgt
- Continuous logging and monitoring
- Compliance plan PCI/SOX
- Patch mgt
- Security CIA
- Change mgt
- Incident response
  • 37.
SLCMP and the SDLC … “The Dance”
(Flow diagram: SDLC stages across PLAN, BUILD, DEPLOY (Pre prod, Prod, Post Prod) and OPERATE, with the INFOSEC activities attached to each stage, in sequence.)
1. Statement of need for new business process, application or technology
   - INFOSEC participation in feasibility analyses, no documentation required.
   - Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done.
2. Functional requirements document designed
   - Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted.
3. Design and technical architecture developed
   - INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments.
   - Integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager.
4. Code development
   - First phase application security testing. Once code begins solidifying, use soft tools such as AppScan or Spi Dynamics for high level testing. Feedback findings to developers for code correction.
5. 1st phase prod testing / QA
   - Second phase app security testing using formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect Security has expertise in this area.
6. Pre prod
   - Third phase app security test which follows phase one testing process. Used as final verification that code is stable from INFOSEC perspective.
   - Create final risk acceptance document.
   - Application and infrastructure penetration testing.
   - Server cert.
   - 2nd phase prod testing.
7. Prod / Post Prod (OPERATE)
   - Ongoing pen tests, vulnerability assessments, risk management.
* Security certification and accreditation should be finalized
  • 38.
The ISA does not exist after all
ISA Paradigm shift (ed)
- ISA not an architect after all
- Engineer defining and implementing security requirements
- Implementing the security components of an enterprise architecture solution
- Integrated and symbiotic with the enterprise architecture
- Security processes that run on the infrastructure and something the business enterprise cannot do without
- It is a senior engineer that guides the construction and implementation of the security components
  • 39.
Conclusion
We are at war. A Security Architect can define strategies to defeat the aggressors. The ISC needs to standardize its doctrine and strategy to define the ISC view concerning what an ISA is and, once defined, it will be easier to define what a Security Architect is and should do to protect vital business data assets. Not only will this protect your data and business, you will implement optimized solutions for investment utilization. Organizations need to hire the right people for ISA jobs and stop confusing the Senior Security Engineers with the roles and responsibilities of an Information Security Architect. While they are complementary in nature, the roles are different. Smart Security Architects always should include brilliant security and infrastructure engineers in developing their business’ holistic and comprehensive ISA. I am confident that if an organization uses the simple framework I described above, its Security Architect will create an outstanding ISA and ISA road map.
  • 40.
Summary
By including security requirements in the EA process and security professionals in the EA team, enterprises can ensure that security requirements are incorporated into priority investments and solutions. Enterprise-level security awareness and support for the security team can improve as well.
Controls are services, when to use SOAP, when to encrypt
  • 41.
  • 42.
Framework for Improving Critical Infrastructure Cybersecurity
The framework throws a bone at the notion of improving security by discussing gap analysis, but how to do that is well understood and documented elsewhere. The real value here is a means to both justify and compel private sector spending in a commercially competitive environment to fill the security gaps.
http://www.darkreading.com/vulnerabilities---threats/baby-teeth-in-infrastructure-cyber-security-framework/d/d-id/1204437
  • 43.
SDLC/PLCMP Deliverables
Initiate
- Data security categorization
- Security Plan
- Preliminary risk assessment
Design and develop
- Risk assessment
- Functional requirements analyses
- Assurance requirements
- Control selection
- Security architecture
- Functional and vulnerability test plan
- First phase testing
- Additional planning assignments
Implement
- Security control integration
- Second phase app security testing
- Third phase app security testing
- Security certification
- Security accreditation
- Final risk acceptance document
Production
- Threat management
- Configuration management and control
- Continuous monitoring
- Incident response plan
REF: NIST 800-53
  • 44.
SLCMP Deliverables
Initiate
- Data security categorization
- Preliminary risk assessment
- Security plan
Develop
- Risk assessment
- Functional requirements analyses
- Assurance requirements
- Control selection
- Security architecture
- Functional and vulnerability test plan
- First phase testing
- Additional planning assignments
Implement
- Security control integration
- Second phase app security testing
- Third phase app security testing
- Security certification
- Security accreditation
Production
- Threat management
- Configuration management and control
- Continuous monitoring
- Incident response plan