The role of security architecture in managing information risk in large scale retail enterprises
Presentation for London School Of Economics
by Vladimir Jirasek
28th January 2009
Disclaimer

The information included in this presentation represents personal opinions of the presenter and not Tesco plc.
Today we will cover...


• What information security architecture is
• Value of security for business
• Practical examples from a retail
  organisation
• And finally your questions ...
Real story
• On-line bank
• Telecommunication company
• Government
(Information) Architecture is ...

• Activity to oversee building of business processes in a controlled way
• Covers people, processes, information, technology
• Supports the organisation to manage business risks
Business benefits
• Measuring and prioritising business
  risks
• Adding value to the core product
• Empowering customers
• Protecting relationship and leveraging
  trust
• Information Security as a business
  enabler
Business enabler?
• Enable the business to provide services to customers or partners in a secure way
• Utilise new technologies
  • Internet (1.0, 2.0, …)
  • Outsourcing of IT operations
  • Remote access for B2B
  • Digital media delivery
• Improving customer services
Architecture principles

• Start with business requirements
• Progress to Information Architecture
• Deliver with technology and processes

Source: Wikipedia
Magic triangle

[Figure: triangle with Security, Cost and Usability at its corners]

Magic triangle - Importance of objectives - Military
[Figure: the same triangle, weighted for a military organisation]

Magic triangle - Importance of objectives - Bank
[Figure: the same triangle, weighted for a bank]

Magic triangle - Importance of objectives - Retail
[Figure: the same triangle, weighted for a retailer]
What we protect

[Figure: Assets at the centre, surrounded by Classification, Threats, Vulnerabilities, Compliance, Technology and People]
Risk of risk management

• Risk can be calculated as:
  • Asset value
  • Impact of threat exploiting vulnerability
  • Likelihood of event

Problems:
• asset business value
• likelihood
LEVEL OF HARM

Levels: A = Extremely serious harm, B = Very serious harm, C = Serious harm, D = Minor harm, E = No significant harm

Nature of harm                 Appropriate measure            A                B                C                         D                  E
-----------------------------  -----------------------------  ---------------  ---------------  ------------------------  -----------------  ----------------
Financial loss                 Loss of sales, orders or       £10+ million     £1-10 million    £100 thousand-£1 million  £10-100 thousand   £0-10 thousand
(loss of sales, orders or      contracts
contracts, unforeseen costs,
legal liabilities, fraud)
                               Loss of tangible assets (eg    £10+ million     £1-10 million    £100 thousand-£1 million  £10-100 thousand   £0-10 thousand
                               fraud, theft of money, lost
                               interest)
                               Penalties/legal liabilities    £10+ million     £1-10 million    £100 thousand-£1 million  £10-100 thousand   £0-10 thousand
                               (eg breach of legal,
                               regulatory or contractual
                               obligations)
                               Depressed share price (eg      25%+             11% to 25%       6% to 10%                 1% to 5%           Less than 1%
                               sudden loss of share value)
Degraded performance           Key targets under-achieved     10%+             5% to 10%        1% to 5%                  Less than 1%       No impact
(failure to achieve targets,   by:
loss of productivity)          Number of staff-hours wasted:  10,000+          1,000 to 10,000  500 to 1,000              100 to 500         0 to 100
Loss of management control     Key records not up-to-date     1 month+ delay,  1 to 4 weeks     Few days delay,           Few hours delay,   Little delay, no
(over key financial, health    or accurate:                   all entries      delay, many      some wrong                a few wrong        wrong entries
or safety risks)                                              unreliable       wrong entries    entries                   entries
                               Impaired decision making       Severe loss of   Serious loss of  Significant loss          Moderate loss      Minor loss of
                                                              control          control          of control                of control         control
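As an added worked example (not from the slides), the harm bands of the table above and the three risk factors of the previous slide (asset value, impact, likelihood) applied to a few constructed retail scenarios; the 1-5 likelihood scale, the harm-level scores and the risk appetite threshold are assumptions of this example, not something the deck defines.

```python
from dataclasses import dataclass

LEVELS = "ABCDE"                              # harm levels from the slide table, A worst
HARM_SCORE = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1}   # assumed numeric weights

# Lower bounds for levels A..D, taken from the "appropriate measure" rows of
# the table; anything below the D bound (or a zero impact) is level E.
BANDS = {
    "financial_gbp": (10_000_000, 1_000_000, 100_000, 10_000),  # sales, assets, penalties
    "share_price_pct": (25, 11, 6, 1),                          # depressed share price
    "targets_missed_pct": (10, 5, 1, 0),                        # "less than 1%" is D, no impact is E
    "staff_hours": (10_000, 1_000, 500, 100),                   # staff-hours wasted
}


def harm_level(measure: str, value: float) -> str:
    """Map a quantified loss (asset value times impact) to the table's level A-E."""
    if value < 0:
        raise ValueError("loss must be non-negative")
    for level, lower in zip(LEVELS, BANDS[measure]):
        if value >= lower and value > 0:
            return level
    return "E"


@dataclass
class Scenario:
    name: str
    measure: str       # key into BANDS
    value: float       # impact of the threat exploiting the vulnerability
    likelihood: int    # 1 (rare) .. 5 (almost certain); assumed scale


@dataclass
class Rating:
    name: str
    level: str
    score: int
    above_appetite: bool


def rate(s: Scenario, appetite: int) -> Rating:
    """Risk score = harm weight x likelihood; flag it if it exceeds the appetite."""
    if not 1 <= s.likelihood <= 5:
        raise ValueError("likelihood must be 1..5")
    level = harm_level(s.measure, s.value)
    score = HARM_SCORE[level] * s.likelihood
    return Rating(s.name, level, score, score > appetite)


def prioritise(scenarios: list[Scenario], appetite: int = 9) -> list[Rating]:
    """Highest risk first; 'appetite' is the assumed acceptable-risk ceiling."""
    return sorted((rate(s, appetite) for s in scenarios), key=lambda r: -r.score)


SCENARIOS = [  # constructed sample input, not real figures
    Scenario("Card data breach, PCI penalties", "financial_gbp", 2_500_000, 2),
    Scenario("Till system outage", "staff_hours", 1_200, 4),
    Scenario("Press leak depresses share price", "share_price_pct", 3, 2),
    Scenario("Reporting delay misses key target", "targets_missed_pct", 0.5, 5),
    Scenario("Small-value till fraud", "financial_gbp", 4_000, 5),
]

if __name__ == "__main__":
    for r in prioritise(SCENARIOS):
        flag = "ABOVE APPETITE" if r.above_appetite else "accept"
        print(f"{r.score:>2} level {r.level}  {r.name:<36} {flag}")
```

Note how a frequent, minor event (the missed target) outranks the rarer but more expensive breach; that is the "likelihood" problem the slide flags, and why the likelihood estimate deserves as much scrutiny as the asset value.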
Soft shell is bad...
• Relying on outer
  defences

• We have firewall -
  we must be secure!

• Insiders? What
  insiders?

• Mostly technology
  oriented
Replaced by an onion

• Inside threats are as bad as outside?
• Data should protect itself - carry security information
• Compliance and best practice frameworks
How we do it

Business drivers -> Enterprise policy framework -> IT security architecture
Business driven architecture

Business drivers
  External
  • Laws and regulations (DPA, FSA, PCI)
  • Best practices (ISO, CobiT, ISF, TOGAF, SABSA)
  • Technical standards (NIST, SANS, CIS)
  Internal
  • Strategy
  • Cost
  • Usability
  • Security

Enterprise policy framework
  Policies
  • Information security strategy
  • Information security policy and governance
  • Risk management policy
  • Data protection policy
  • End user policy
  • IT Security policy
  Standards
  • Configuration and hardening standards

IT security architecture
  Enterprise level
  • Security domain principles
  • Access control
  • Vulnerability management
  • Risk management
  • Operational security
  Solution architecture
  • Authentication
  • Logging and monitoring
  • PKI
  • other detailed SAs
Measure value added

• ROI or ROSI (why confuse?)
• KPIs used to measure value of security controls
Topics for discussion

1. Is security a business enabler or prevention in your organisation?
2. Issues with measuring ROI on security.
Contact

Vladimir Jirasek
vladimir@jirasek.eu
LinkedIn

Editor's Notes

  • #3 Talk about myself, the way IT security evolved from pure technical to business enabler.
  • #4 Value - why do it (risk management), how to measure the value.
  • #5 Online bank: security important; customers were able to see other customers' accounts. The bank stopped the site quickly and started a proper security review.
    Telco: in denial over a compromised system; press coverage -> investigation and new data security controls in place. Constant denial did the company no good. The press was all over the company, the CEO admitted the problem later and a data protection programme started.
  • #8 Building a framework of repeatable processes that address business risks and enable business objectives.
  • #9 Mention politics.
    This building needed proper architecture, but the architects needed good knowledge of technologies to design something that will actually stand on its own. The difference from information security architecture is that this building was designed with the help of computers.
  • #10 By properly doing risk management the company understands the issues and can invest money where it is needed and add value - talk about risk management (there is a detailed slide later), control objectives; control objectives = enablement objectives. Consider brakes on a car - the car can go faster with good brakes!
    Adding value - air-plane manuals now available over the Internet as an on-line service. Important to assure CIA of the service.
    Empowering - customers will select the supplier with good customer service and information systems. Example: utility companies (gas and electricity is a commodity, customer service is the differentiating factor).
    Trust - trusted third party is an important concept; technical systems can leverage trust already built.
    Enabler - (next slide)
  • #11 New business opportunities with Internet, B2B, IM. Case - one bank's failure affected another bank's launch of an Internet service (PR damage).
    Outsourcing can hugely reduce costs but increase security risks.
  • #12 Business - business requirements: what, who, which, where, when (AS SOON AS POSSIBLE).
    This drives information architecture that cares about data, integration with other systems and applications.
    This drives technology, systems, networks and operations.
  • #13 Every project will have three objectives and these affect each other. Cost includes money, time and resources (people). Cost and usability are usually the driving force behind business projects.
    Security is most of the time an afterthought. Or is it? Let's look at different organisations.
  • #14 Important to understand that although usability will be of small importance, in terms of cost the project may spend more money on usability than a bank or retailer.
  • #15 Banks do have legal obligations and can be fined heavily by the FSA. Example is Natwest - fined £1.4m for losing an encrypted laptop, for breach of company processes, as the laptop contained customer data and the investigation started 3 weeks after the incident.
    Usability is important for eBank systems (compare Barclays and HSBC).
  • #16 Retailers have small margins and the cost of any project is rather important. Discussion about usability vs security.
  • #17 Classification - types of (public to confidential), why classify.
    Threats - what it is, examples.
    Vulnerabilities - what it is, examples.
    Compliance - different legislation (DPA, PCI DSS).
    Technology - fast moving IT; usability and productivity is sometimes more important than security.
    People - weakest link in any security architecture; can become the strongest if properly engaged: "make it personal".
  • #28 Discuss risk management, ways to deal with risks (insure, ignore, fix, partial fix).
    Risk appetite (acceptable risk).
  • #32 Jericho forum.
  • #33 Show how policy and IT architecture is driven by business drivers.
  • #34 Best practices - ISO, CobiT, ISF, SABSA - tell major components and ideas.