SlideShare a Scribd company logo
The South African EA Forum
Twitter: @EAforumSA
#ogza
Follow the EA Forum
on Twitter…
http://opengroup.co.za/ea-forum
Our upcoming
events
The EA Forum is a networking event sponsored by The Open Group in South
Africa. It started in 2004 and is hosted every second month or so, with events
in Durban, Johannesburg and Cape Town. At the EA Forum, industry leaders
share their experiences and knowledge of architecture and related topics.
Real-world case studies highlight how business problems are solved using the
discipline and practice of architecture. The event is also an opportunity for the
architecture community members to network and collaborate.
For more information or to submit your presentation topics please contact
Stuart Macgregor
Subscribe to our
EA FORUM
DATABASE
Leading the development of open, vendor-neutral IT standards
and certifications
http://opengroup.co.za
http://opengroup.org/
Security-by-Design in Enterprise Architecture
Prof. Dr. Ernest Ketcha Ngassam / Ngoie Wandelewe / Frans Sauermann
The strategic importance of Information Security for organisations is gaining momentum. The current surge in cyber threats is
compelling organisations to invest in information security to protect their assets. Rushing to protect assets often comes with the
expense of excessive technology adoption without a valid strategic foundation. Enterprise Security Architecture is geared to
address these issues, but is frequently misaligned with Enterprise Architecture.
At this month’s EA Forum, we will explore avenues for the adoption and enforcement of Security-By-Design in the Enterprise
Architecture value-chain so as position Risk, Security and IT as true business enablers.
Prof. Dr. Ernest Ketcha Ngassam is the General Manager: Information Security Architecture and Technical Excellence at MTN Group. He is also Professor
Extraordinaire of Computer Science at the School of Computing, UNISA, and holds a PhD in Computer Science from the University of Pretoria.
Ngoie Wandelewe is the Solutions/Enterprise Architect - Strategy & Business Development where he designed the Technology and Strategy Road map.
He is reviewing current system security measures and recommending and implementing enhancements to the Architectural design to be used across 22
countries
Frans Sauermann is the Senior Manager: Information Systems Security Architecture at MTN Group. He holds 25 certifications related to information
security architecture from The Open Group, SABSA, ISACA, ISC^2, AXELOS, PMI, Cloud security alliance and others. He has over 14 years of experience in
information security, 10 of which were spent with MTN.
What we will be going through
Day 2
• Introduction
o Enterprise Architecture
o Enterprise Security Architecture
o Security by Design
o Stakeholder (CIO, CISO)
• Problem Statement
o EA Limitation
o ESA Limitation
o Stakeholder Conflict
• Security By Design – ESA
o EA, ESA, SRA & SSA
o EA Metamodel & Practice
o End goal of ESA & Practice
• Conclusion
1
2
3
4
Pick one:
A. Do whole talk first then questions
B. Questions while on discussion point
C. Jump between discussion points
until time runs out
D. Corner me after the talk
By all means, differing opinions and
backgrounds make us learn from each
other
Enterprise Architecture (EA)
Enterprise Security Architecture (ESA)
Security by Design (SbD)
Introducing EA,ESA, SbD - Definition
▪ Formal and structured way of viewing
and defining enterprise
▪ Aligns business vision with IT
▪ Builds transformative capabilities from
people, processes, technology, and
information
Enterprise Architecture (EA)
▪ Provides guidelines as services, models
and standards to achieve the overall
enterprise security strategy
▪ Translates business vision and strategy
into effective enterprise security
Enterprise Security Architecture (ESA)
1
OpenFAIR
1 Introducing EA,ESA, SbD - Definition
▪ Formalize infrastructure design and automate security controls to
enable building security into every part of IT
▪ Improving capability to develop secure products
▪ Enabling security capabilities - instead of auditing security into a
system
▪ Includes build and operations phases
Security by Design (SbD)
Problem Statement
CIO & CISO Conflicting Goals?
CISO
▪ Information systems and digital
management focus.
▪ Supports business with
technology solutions.
▪ Helps businesses modernize
legacy solutions/processes
▪ Positions IT as an enabler within
the organization
▪ Typically ensures EA is practiced
within the organization
CIO
▪ Information security risk and
compliance focus.
▪ Supports business with frameworks to
properly govern, evaluate, and
respond to risks.
▪ Partially takes ownership of security
toolset
▪ Position Security capabilities as a
business enabler
2
Traditional EA
▪ Metamodel has no Risk and Security elements and relationships
▪ Solution architects consider risk and security as non-functional
requirements
▪ Risk and security teams involved in projects post-solution design
▪ Understanding risks and the assets exposed to risks
▪ Choosing correct risk assessment methods and management
processes
▪ Integrating Security and Risk Management into the EA practice
▪ Generating appropriate views for demonstrating Compliance
▪ Vulnerabilities and threats landscape
▪ Design patterns, mechanisms and services used to mitigate risk
and implement controls
▪ Defining a complete implementation and change roadmap at
enterprise level
Business Architecture
IS (Application, Info & Data)
Architecture
Technology Architecture
2
Missing information security aspects
?
Traditional Security Architecture
Contextual
Conceptual
Logical
Physical
Component
Security
2
▪ Typically independent approach from EA
▪ Security architecture document typically the last document deliverable post data, application,
and technology architectures
▪ Frequently, security aspects of a system are analyzed and designed separately
Confidentiality
Integrity
Availability
Key role updates2
▪ Ensure full integration of Security and Risk in the Architecture Value Chain
▪ Integrate new changes in the EA repository.
▪ Update changes in metamodel relationships and concepts
▪ Ensures security and risk support business strategy and objectives.
▪ Embeds Security Design Patterns into the solution in collaboration with the
Security Solution Architect if necessary
▪ Sign off Solution Design and UAT
Enterprise Architect
▪ Capture security requirements
▪ Update risk, threats, vulnerability catalogues and relationships in EA repository
▪ Define and populate Security Design Patterns in architecture repository
▪ Vet IT Solution Architectures from a Security perspective
▪ Use Solution Risk Assessment for new design patterns
▪ Co-signatory on Solution Design UAT
Solution Architect
Security Solution Architect
How to align to business Risk?
How do we keep business and security aligned?
How do we minimize security gaps and
remediations costs?
How do we embed security in the wider business?
What strategy can be used to develop security
architecture as part of the enterprise architecture
?
How do we ensure security support the business ?
?
Questions to be addressed2
Security by Design
Risk-Based metamodeling: First try x 113
Business Attribute
profile
Security
Objective
Security
Category
Security Sub-
category
Security Domain
Security Service
Security Sub-
Service
Security Control
Risk
Asset
Threat
Vulnerability
Security Incident
Exploits
Causes
Treats
Reduces
Is targeted by
Exposes
Security
Requirement
Is quantified by
Is Attached to
Domain Owner
Is part of
Is part of
Is responsible for
Threat AgentRisk Owner
Is responsible for
Originates from
Wants to abuse
Is qualified by
Is part of
Is part of
Security Solution
Negative Business
Impact
Produces
Complies with
Decreases
Can lead to
Asset Class
StandardPolicy
Regulation
Reduces
Threat Domain
Threat Category
Qualifies
Is qualified by
Defines
Complies with
Security Mechanism
Security Component
(tool, technology,
product)
Is qualified by
Is implemented by
✓ Business Driven
Architecture
✓ Bi-Directional
Traceability
✓ Context sensitive
control compliance
✓ Multi-domain policy
architecture
✓ Impact and cost
traceability
✓ Planning and change
Management
✓ Efficiency
✓ Multiple viewpoints
… but does not live in a vacuum3
3 The outcome: ESA Metamodel - Security/Risk
Future dreams: Archimate alignment3
Enterprise Architecture
[Enterprise Security
Architecture]
Security
Solution
Architectures
Information
Security
Reference
Architecture
▪ Blueprint of reference for Solution Architects
▪ Includes policies, controls, procedure and guidelines
▪ Enforce the use of Design Patterns
▪ Vetted and approved as part of the established
governance framework
▪ Business and Risk-Driven approach
▪ Traceability for completeness & Justification
▪ Reusability of patterns, solutions and technologies
▪ Business value & cost to support/enable a strategy
▪ Understand business requirements and risks
▪ Articulate security requirements: Core and Generic
▪ Make use of patterns from Reference Architecture
▪ Vet design, implementation & acceptance testing
3 Security by Design – ESA, SRA, SSA
End Goal in EA & ESA: Capabilities enablement
Enterprise Security
Inter-operability Availability
Confidentiality
Compliant Integrity
Profitability
3
Value-assured
Prioritized & proportional responses
Scalable scope
Agility - ease of implementation & management
Free use, open source, global standard
Demonstrates compliance
Two-way traceability
Seamless alignment to TOGAF, ITIL, ISO27000, NIST,
CobIT, etc…
EA in Practice : ADM phases3
Strategy
Requirement
Solution/Pattern
Product/Service
Technology
Bidirectional
traceability
Security
SABSA Approach Step by Step3
Business
Driver
Business
Attribute
Threat
Analysis
Impact
Analysis
Control
Objective
Security
Service
Identify
Business
Drivers
Prioritize
Drivers
Translate
drivers into
security
attributes
Conform to
the SABSA
Framework
Perform
threat
analysis
Identify
actual
threats to
the
business
attributes
Use
quantitative
or qualitative
methods to
define
impact
realization of
the threat on
the identified
business
objectives
Define
Control
objectives to
mitigate
identified
threats to
acceptable
level
Define
Control
objectives to
mitigate
identified
threats to
acceptable
level
Putting it all together: SbD in EA3
Putting it all together: SbD in EA3
Security is driven by business requirements rather
than technical consideration
Directly traceable to business objectives
Cost Effective
Meet legal, regulatory and policy compliance
requirement by design
Alignment of business risk and organizations risk
appetite
2
3
1
5
4
Risk
Cost
Usability
Conclusion
Risk
Cost
Usability
▪ Blueprint of reference for Solution Architects
▪ Includes policies, controls, procedure and guidelines
▪ Meet compliance and align with risk appetite
▪ Driven by organization business requirement
▪ Business and Risk-Driven approach
▪ Traceability for completeness & Justification
▪ Provide structured framework for compliance purpose
▪ Create foundation for assessment of security ROI
▪ Eliminate redundant controls
▪ Reduce Ad hoc implementation
▪ Provides agreed security requirement
▪ Tracible security requirement to business requirement
4 Security by Design – Benefits
EA & ESA: Reference architecture compliance4
Solution Design process
initiated by business
Solution Design presented to
Design Authority for approval
Design Authority select
relevant architecture under
governance
Design Authority checks high
level conformance, either
“approve” or refers back for
“revision” by solution team
Checks
A
B
D
C
Thank you
Bonus round?
Risk assessment methods
OpenFAIR
NIST800-30
EA Metamodeling: an example
Business Strategy
Risk and Security
Strategy
Security
Requirement
Regulation, Policy and
Standard
Business
Requirement
Threat and
Vulnerabilities
Security
Mechanism
Security tool,
component,
technology
Security
Service
Technology Infrastructure
Vision
Business Process
Business Risk
Security
Controls
Data, Information and Application
Security
Solution
Business
Information
System
Technology
Planning
Security
Mechanism
Security tool,
component,
technology
Security
Solution
Strategy
Requirement
Solution/Pattern
Product/Service
Technology
Bidirectional traceability
Vision
Business Process
Business
Information
System
Technology
Planning
BP
Patterns XX Brand protectorBP RFP
Strategy
Requirement
Solution/Pattern
Product/Service
Technology
Bidirectional traceabilityIncrease
Reputation
Build new
offerings
Protect
brand
Brand
Policy
More Advert
fora
Aggressive
marketing
Check forum
using brand
Usage of
brand for
fraud
Scan all fora
with Logo
Detect, report
malicious usage
of brand
Malicious
usage of
brand
Unauthorized
access to
customer
Data
Brand
Protection
Software
Advert App
Server
Marketing
App Server
Advert
App
Marketing
App
Scan fora
with brand
Brand
detection
scanner
EA Metamodeling: Views &
Business attributes
Preliminaries for Integration: Some Key security
Concepts
Security Service
• A fundamental logical building block for constructing security solution architectures
• Creating a repository of standardised security services is part of an enterprise security
architecture, providing security architects with a library of security service definitions
for use ‘off-the-shelf’ when synthesising solution security architectures.
Security Mechanism
• A security mechanism is a type of technology or process that
can deliver a security service.
• Different mechanisms may be used to provide the same
service, depending on the actual context.
• Some services may be sub-services of higher-level services.
• Service: Access Control; sub-service: Authentication;
Mechanism: ID and password.
Security Sub-service
References
1. Kurpjuweit, S. and Winter, R., 2009. Concern-oriented business architecture engineering.
In Proceedings of
2. the 2009 ACM symposium on Applied Computing (SAC '09), pp. 265-272.
3. Kvale, S. and Brinkmann, S., 2009. InterViews: Learning the Craft of Qualitative Research
4. Interviewing.2nd ed.SAGE publications.
5. Langenberg, K. and Wegmann, A., 2004. Enterprise Architecture: What Aspects is Current
Research
6. https://whatis.techtarget.com/definition/security-by-design
7. https://www.owasp.org/index.php/Security_by_Design_Principles
8. Amer, H.S. and Hamilton, J.A., 2008. Understanding Security Architecture. Proceedings of
the 2008 Spring simulation multiconference (SpringSim ’08),pp. 335-342

More Related Content

What's hot

SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
Maganathin Veeraragaloo
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0
Maganathin Veeraragaloo
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
SABSA overview
SABSA overviewSABSA overview
SABSA overview
SABSAcourses
 
SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0
Maganathin Veeraragaloo
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0
Maganathin Veeraragaloo
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
Priyanka Aash
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Craig Martin
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
MubashirAslam5
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
Priyanka Aash
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 context
David Sweigert
 
Security architecture
Security architectureSecurity architecture
Security architecture
Duncan Unwin
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security Architecture
SABSAcourses
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
Life Cycle Engineering
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
Sameer Paradia
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
Seccuris Inc.
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSA
Maganathin Veeraragaloo
 
Business value of Enterprise Security Architecture
Business value of Enterprise Security Architecture Business value of Enterprise Security Architecture
Business value of Enterprise Security Architecture
Ajay Kumar Uppal
 

What's hot (20)

SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0SABSA Implementation(Part VI)_ver1-0
SABSA Implementation(Part VI)_ver1-0
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0SABSA Implementation(Part V)_ver1-0
SABSA Implementation(Part V)_ver1-0
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
 
SABSA overview
SABSA overviewSABSA overview
SABSA overview
 
SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0SABSA Implementation(Part II)_ver1-0
SABSA Implementation(Part II)_ver1-0
 
SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0SABSA Implementation(Part I)_ver1-0
SABSA Implementation(Part I)_ver1-0
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 context
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security Architecture
 
Cybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy WorkshopCybersecurity Risk Management Framework Strategy Workshop
Cybersecurity Risk Management Framework Strategy Workshop
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSA
 
Business value of Enterprise Security Architecture
Business value of Enterprise Security Architecture Business value of Enterprise Security Architecture
Business value of Enterprise Security Architecture
 

Similar to Security-by-Design in Enterprise Architecture

Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
angelohammond
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
 
Visualizing BI technical cyber risks. Enterprise Risk and Security
Visualizing BI technical cyber risks. Enterprise Risk and SecurityVisualizing BI technical cyber risks. Enterprise Risk and Security
Visualizing BI technical cyber risks. Enterprise Risk and Security
BiZZdesign
 
IT Information Security Management Principles, 28 February - 02 March 2016 Du...
IT Information Security Management Principles, 28 February - 02 March 2016 Du...IT Information Security Management Principles, 28 February - 02 March 2016 Du...
IT Information Security Management Principles, 28 February - 02 March 2016 Du...
360 BSI
 
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAEIT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
360 BSI
 
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAEIT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
360 BSI
 
Enterprise Architecture: An enabler of organizational agility
Enterprise Architecture: An enabler of organizational agility Enterprise Architecture: An enabler of organizational agility
Enterprise Architecture: An enabler of organizational agility
PECB
 
CV_Anil K Dubey V1.1
CV_Anil K Dubey V1.1CV_Anil K Dubey V1.1
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
Secure Data Center for Enterprise— Threat Management with NextGen IPS
Secure Data Center for Enterprise— Threat Management with NextGen IPSSecure Data Center for Enterprise— Threat Management with NextGen IPS
Secure Data Center for Enterprise— Threat Management with NextGen IPS
Cisco Russia
 
OT Security Architecture & Resilience: Designing for Security Success
OT Security Architecture & Resilience:  Designing for Security SuccessOT Security Architecture & Resilience:  Designing for Security Success
OT Security Architecture & Resilience: Designing for Security Success
accenture
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons Learned
Michael King
 
Security Incidents
Security IncidentsSecurity Incidents
Security Incidents
belsis
 
Irfan Ur Rehman
Irfan Ur RehmanIrfan Ur Rehman
Irfan Ur Rehman
Irfan Ur Rehman
 
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
360 BSI
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
360 BSI
 
NUS-ISS Digital Architecture Information Session
NUS-ISS Digital Architecture Information SessionNUS-ISS Digital Architecture Information Session
NUS-ISS Digital Architecture Information Session
engtsze
 
Enterprise Architecture - Information Security
Enterprise Architecture - Information SecurityEnterprise Architecture - Information Security
Enterprise Architecture - Information Security
Ajay Kumar Uppal
 

Similar to Security-by-Design in Enterprise Architecture (20)

Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Visualizing BI technical cyber risks. Enterprise Risk and Security
Visualizing BI technical cyber risks. Enterprise Risk and SecurityVisualizing BI technical cyber risks. Enterprise Risk and Security
Visualizing BI technical cyber risks. Enterprise Risk and Security
 
IT Information Security Management Principles, 28 February - 02 March 2016 Du...
IT Information Security Management Principles, 28 February - 02 March 2016 Du...IT Information Security Management Principles, 28 February - 02 March 2016 Du...
IT Information Security Management Principles, 28 February - 02 March 2016 Du...
 
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAEIT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
IT Information Security Management Principles, 23 - 26 November 2015 Dubai UAE
 
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAEIT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
IT Information Security Management Principles, 15 - 18 May 2016 Dubai UAE
 
Enterprise Architecture: An enabler of organizational agility
Enterprise Architecture: An enabler of organizational agility Enterprise Architecture: An enabler of organizational agility
Enterprise Architecture: An enabler of organizational agility
 
CV_Anil K Dubey V1.1
CV_Anil K Dubey V1.1CV_Anil K Dubey V1.1
CV_Anil K Dubey V1.1
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
Secure Data Center for Enterprise— Threat Management with NextGen IPS
Secure Data Center for Enterprise— Threat Management with NextGen IPSSecure Data Center for Enterprise— Threat Management with NextGen IPS
Secure Data Center for Enterprise— Threat Management with NextGen IPS
 
OT Security Architecture & Resilience: Designing for Security Success
OT Security Architecture & Resilience:  Designing for Security SuccessOT Security Architecture & Resilience:  Designing for Security Success
OT Security Architecture & Resilience: Designing for Security Success
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons Learned
 
Security Incidents
Security IncidentsSecurity Incidents
Security Incidents
 
Irfan Ur Rehman
Irfan Ur RehmanIrfan Ur Rehman
Irfan Ur Rehman
 
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
Cybersecurity Management: Preventing Data Breaches in the Age of Big Data, 25...
 
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAEIT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
IT Security Architecture & Leadership, 03 - 06 March 2019 Dubai, UAE
 
NUS-ISS Digital Architecture Information Session
NUS-ISS Digital Architecture Information SessionNUS-ISS Digital Architecture Information Session
NUS-ISS Digital Architecture Information Session
 
Enterprise Architecture - Information Security
Enterprise Architecture - Information SecurityEnterprise Architecture - Information Security
Enterprise Architecture - Information Security
 

More from The Open Group SA

Debunking Technology Trend Myths
Debunking Technology Trend MythsDebunking Technology Trend Myths
Debunking Technology Trend Myths
The Open Group SA
 
An architects framework for navigating complexity
An architects framework for navigating complexityAn architects framework for navigating complexity
An architects framework for navigating complexity
The Open Group SA
 
A toolbox of modern management practices for a Digital World and the role EA ...
A toolbox of modern management practices for a Digital World and the role EA ...A toolbox of modern management practices for a Digital World and the role EA ...
A toolbox of modern management practices for a Digital World and the role EA ...
The Open Group SA
 
Architecting solutions for the cloud
Architecting solutions for the cloudArchitecting solutions for the cloud
Architecting solutions for the cloud
The Open Group SA
 
Approaches to business architecture
Approaches to business architectureApproaches to business architecture
Approaches to business architecture
The Open Group SA
 
ArchiMate® 3.0 - Trick or Treat?
ArchiMate® 3.0 - Trick or Treat?ArchiMate® 3.0 - Trick or Treat?
ArchiMate® 3.0 - Trick or Treat?
The Open Group SA
 
Technological Trends in a Disruptive Age
Technological Trends in a Disruptive AgeTechnological Trends in a Disruptive Age
Technological Trends in a Disruptive Age
The Open Group SA
 
Global Implications for Business Process and EA
Global Implications for Business Process and EAGlobal Implications for Business Process and EA
Global Implications for Business Process and EA
The Open Group SA
 
IT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of ITIT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of IT
The Open Group SA
 
Corporate Governance of ICT in the Public Sector
Corporate Governance of ICT in the Public SectorCorporate Governance of ICT in the Public Sector
Corporate Governance of ICT in the Public Sector
The Open Group SA
 
The open group profession framework
The open group profession frameworkThe open group profession framework
The open group profession framework
The Open Group SA
 
Frameworks of the IBM Systems Journal
Frameworks of the IBM Systems JournalFrameworks of the IBM Systems Journal
Frameworks of the IBM Systems Journal
The Open Group SA
 
You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...
You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...
You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...
The Open Group SA
 
Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...
Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...
Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...
The Open Group SA
 
GWEA Framework Yields Success at Ekurhuleni Metropolitan Municipality
GWEA Framework Yields Success at Ekurhuleni Metropolitan MunicipalityGWEA Framework Yields Success at Ekurhuleni Metropolitan Municipality
GWEA Framework Yields Success at Ekurhuleni Metropolitan Municipality
The Open Group SA
 
Business-Driven EA at Eskom
Business-Driven EA at EskomBusiness-Driven EA at Eskom
Business-Driven EA at Eskom
The Open Group SA
 
EXPLORATION AND MINING (EM) BUSINESS REFERENCE MODEL
EXPLORATION AND MINING (EM) BUSINESS REFERENCE MODELEXPLORATION AND MINING (EM) BUSINESS REFERENCE MODEL
EXPLORATION AND MINING (EM) BUSINESS REFERENCE MODEL
The Open Group SA
 
EMMMV - Caging the Gorilla
EMMMV - Caging the GorillaEMMMV - Caging the Gorilla
EMMMV - Caging the Gorilla
The Open Group SA
 
The linchpin between Corporate Governance and IT Governance
The linchpin between Corporate Governance and IT GovernanceThe linchpin between Corporate Governance and IT Governance
The linchpin between Corporate Governance and IT Governance
The Open Group SA
 
Mapping vendor solutions to EMMM capability map
Mapping vendor solutions to EMMM capability mapMapping vendor solutions to EMMM capability map
Mapping vendor solutions to EMMM capability map
The Open Group SA
 

More from The Open Group SA (20)

Debunking Technology Trend Myths
Debunking Technology Trend MythsDebunking Technology Trend Myths
Debunking Technology Trend Myths
 
An architects framework for navigating complexity
An architects framework for navigating complexityAn architects framework for navigating complexity
An architects framework for navigating complexity
 
A toolbox of modern management practices for a Digital World and the role EA ...
A toolbox of modern management practices for a Digital World and the role EA ...A toolbox of modern management practices for a Digital World and the role EA ...
A toolbox of modern management practices for a Digital World and the role EA ...
 
Architecting solutions for the cloud
Architecting solutions for the cloudArchitecting solutions for the cloud
Architecting solutions for the cloud
 
Approaches to business architecture
Approaches to business architectureApproaches to business architecture
Approaches to business architecture
 
ArchiMate® 3.0 - Trick or Treat?
ArchiMate® 3.0 - Trick or Treat?ArchiMate® 3.0 - Trick or Treat?
ArchiMate® 3.0 - Trick or Treat?
 
Technological Trends in a Disruptive Age
Technological Trends in a Disruptive AgeTechnological Trends in a Disruptive Age
Technological Trends in a Disruptive Age
 
Global Implications for Business Process and EA
Global Implications for Business Process and EAGlobal Implications for Business Process and EA
Global Implications for Business Process and EA
 
IT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of ITIT4IT™ - Managing the Business of IT
IT4IT™ - Managing the Business of IT
 
Corporate Governance of ICT in the Public Sector
Corporate Governance of ICT in the Public SectorCorporate Governance of ICT in the Public Sector
Corporate Governance of ICT in the Public Sector
 
The open group profession framework
The open group profession frameworkThe open group profession framework
The open group profession framework
 
Frameworks of the IBM Systems Journal
Frameworks of the IBM Systems JournalFrameworks of the IBM Systems Journal
Frameworks of the IBM Systems Journal
 
You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...
You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...
You can lead a horse to water… (Managing the Human Aspects of Change in EA Im...
 
Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...
Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...
Enterprise Architecture - The Linchpin between Corporate Governance & IT Gove...
 
GWEA Framework Yields Success at Ekurhuleni Metropolitan Municipality
GWEA Framework Yields Success at Ekurhuleni Metropolitan MunicipalityGWEA Framework Yields Success at Ekurhuleni Metropolitan Municipality
GWEA Framework Yields Success at Ekurhuleni Metropolitan Municipality
 
Business-Driven EA at Eskom
Business-Driven EA at EskomBusiness-Driven EA at Eskom
Business-Driven EA at Eskom
 
EXPLORATION AND MINING (EM) BUSINESS REFERENCE MODEL
EXPLORATION AND MINING (EM) BUSINESS REFERENCE MODELEXPLORATION AND MINING (EM) BUSINESS REFERENCE MODEL
EXPLORATION AND MINING (EM) BUSINESS REFERENCE MODEL
 
EMMMV - Caging the Gorilla
EMMMV - Caging the GorillaEMMMV - Caging the Gorilla
EMMMV - Caging the Gorilla
 
The linchpin between Corporate Governance and IT Governance
The linchpin between Corporate Governance and IT GovernanceThe linchpin between Corporate Governance and IT Governance
The linchpin between Corporate Governance and IT Governance
 
Mapping vendor solutions to EMMM capability map
Mapping vendor solutions to EMMM capability mapMapping vendor solutions to EMMM capability map
Mapping vendor solutions to EMMM capability map
 

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 

Security-by-Design in Enterprise Architecture

  • 1. The South African EA Forum Twitter: @EAforumSA #ogza Follow the EA Forum on Twitter… http://opengroup.co.za/ea-forum Our upcoming events The EA Forum is a networking event sponsored by The Open Group in South Africa. It started in 2004 and is hosted every second month or so, with events in Durban, Johannesburg and Cape Town. At the EA Forum, industry leaders share their experiences and knowledge of architecture and related topics. Real-world case studies highlight how business problems are solved using the discipline and practice of architecture. The event is also an opportunity for the architecture community members to network and collaborate. For more information or to submit your presentation topics please contact Stuart Macgregor Subscribe to our EA FORUM DATABASE
  • 2. Leading the development of open, vendor-neutral IT standards and certifications http://opengroup.co.za http://opengroup.org/
  • 3.
  • 4. Security-by-Design in Enterprise Architecture Prof. Dr. Ernest Ketcha Ngassam / Ngoie Wandelewe / Frans Sauermann The strategic importance of Information Security for organisations is gaining momentum. The current surge in cyber threats is compelling organisations to invest in information security to protect their assets. Rushing to protect assets often comes with the expense of excessive technology adoption without a valid strategic foundation. Enterprise Security Architecture is geared to address these issues, but is frequently misaligned with Enterprise Architecture. At this month’s EA Forum, we will explore avenues for the adoption and enforcement of Security-By-Design in the Enterprise Architecture value-chain so as position Risk, Security and IT as true business enablers. Prof. Dr. Ernest Ketcha Ngassam is the General Manager: Information Security Architecture and Technical Excellence at MTN Group. He is also Professor Extraordinaire of Computer Science at the School of Computing, UNISA, and holds a PhD in Computer Science from the University of Pretoria. Ngoie Wandelewe is the Solutions/Enterprise Architect - Strategy & Business Development where he designed the Technology and Strategy Road map. He is reviewing current system security measures and recommending and implementing enhancements to the Architectural design to be used across 22 countries Frans Sauermann is the Senior Manager: Information Systems Security Architecture at MTN Group. He holds 25 certifications related to information security architecture from The Open Group, SABSA, ISACA, ISC^2, AXELOS, PMI, Cloud security alliance and others. He has over 14 years of experience in information security, 10 of which were spent with MTN.
  • 5. What we will be going through Day 2 • Introduction o Enterprise Architecture o Enterprise Security Architecture o Security by Design o Stakeholder (CIO, CISO) • Problem Statement o EA Limitation o ESA Limitation o Stakeholder Conflict • Security By Design – ESA o EA, ESA, SRA & SSA o EA Metamodel & Practice o End goal of ESA & Practice • Conclusion 1 2 3 4 Pick one: A. Do whole talk first then questions B. Questions while on discussion point C. Jump between discussion points until time runs out D. Corner me after the talk By all means, differing opinions and backgrounds make us learn from each other
  • 6. Enterprise Architecture (EA) Enterprise Security Architecture (ESA) Security by Design (SbD)
  • 7. Introducing EA,ESA, SbD - Definition ▪ Formal and structured way of viewing and defining enterprise ▪ Aligns business vision with IT ▪ Builds transformative capabilities from people, processes, technology, and information Enterprise Architecture (EA) ▪ Provides guidelines as services, models and standards to achieve the overall enterprise security strategy ▪ Translates business vision and strategy into effective enterprise security Enterprise Security Architecture (ESA) 1 OpenFAIR
  • 8. 1 Introducing EA,ESA, SbD - Definition ▪ Formalize infrastructure design and automate security controls to enable building security into every part of IT ▪ Improving capability to develop secure products ▪ Enabling security capabilities - instead of auditing security into a system ▪ Includes build and operations phases Security by Design (SbD)
  • 10. CIO & CISO Conflicting Goals? CISO ▪ Information systems and digital management focus. ▪ Supports business with technology solutions. ▪ Helps businesses modernize legacy solutions/processes ▪ Positions IT as an enabler within the organization ▪ Typically ensures EA is practiced within the organization CIO ▪ Information security risk and compliance focus. ▪ Supports business with frameworks to properly govern, evaluate, and respond to risks. ▪ Partially takes ownership of security toolset ▪ Position Security capabilities as a business enabler 2
  • 11. Traditional EA ▪ Metamodel has no Risk and Security elements and relationships ▪ Solution architects consider risk and security as non-functional requirements ▪ Risk and security teams involved in projects post-solution design ▪ Understanding risks and the assets exposed to risks ▪ Choosing correct risk assessment methods and management processes ▪ Integrating Security and Risk Management into the EA practice ▪ Generating appropriate views for demonstrating Compliance ▪ Vulnerabilities and threats landscape ▪ Design patterns, mechanisms and services used to mitigate risk and implement controls ▪ Defining a complete implementation and change roadmap at enterprise level Business Architecture IS (Application, Info & Data) Architecture Technology Architecture 2 Missing information security aspects ?
  • 12. Traditional Security Architecture Contextual Conceptual Logical Physical Component Security 2 ▪ Typically independent approach from EA ▪ Security architecture document typically the last document deliverable post data, application, and technology architectures ▪ Frequently, security aspects of a system are analyzed and designed separately Confidentiality Integrity Availability
  • 13. Key role updates2 ▪ Ensure full integration of Security and Risk in the Architecture Value Chain ▪ Integrate new changes in the EA repository. ▪ Update changes in metamodel relationships and concepts ▪ Ensures security and risk support business strategy and objectives. ▪ Embeds Security Design Patterns into the solution in collaboration with the Security Solution Architect if necessary ▪ Sign off Solution Design and UAT Enterprise Architect ▪ Capture security requirements ▪ Update risk, threats, vulnerability catalogues and relationships in EA repository ▪ Define and populate Security Design Patterns in architecture repository ▪ Vet IT Solution Architectures from a Security perspective ▪ Use Solution Risk Assessment for new design patterns ▪ Co-signatory on Solution Design UAT Solution Architect Security Solution Architect
  • 14. How to align to business Risk? How do we keep business and security aligned? How do we minimize security gaps and remediations costs? How do we embed security in the wider business? What strategy can be used to develop security architecture as part of the enterprise architecture ? How do we ensure security support the business ? ? Questions to be addressed2
  • 16. Risk-Based metamodeling: First try x 113 Business Attribute profile Security Objective Security Category Security Sub- category Security Domain Security Service Security Sub- Service Security Control Risk Asset Threat Vulnerability Security Incident Exploits Causes Treats Reduces Is targeted by Exposes Security Requirement Is quantified by Is Attached to Domain Owner Is part of Is part of Is responsible for Threat AgentRisk Owner Is responsible for Originates from Wants to abuse Is qualified by Is part of Is part of Security Solution Negative Business Impact Produces Complies with Decreases Can lead to Asset Class StandardPolicy Regulation Reduces Threat Domain Threat Category Qualifies Is qualified by Defines Complies with Security Mechanism Security Component (tool, technology, product) Is qualified by Is implemented by ✓ Business Driven Architecture ✓ Bi-Directional Traceability ✓ Context sensitive control compliance ✓ Multi-domain policy architecture ✓ Impact and cost traceability ✓ Planning and change Management ✓ Efficiency ✓ Multiple viewpoints
  • 17. … but does not live in a vacuum3
  • 18. 3 The outcome: ESA Metamodel - Security/Risk
  • 20. Enterprise Architecture [Enterprise Security Architecture] Security Solution Architectures Information Security Reference Architecture ▪ Blueprint of reference for Solution Architects ▪ Includes policies, controls, procedure and guidelines ▪ Enforce the use of Design Patterns ▪ Vetted and approved as part of the established governance framework ▪ Business and Risk-Driven approach ▪ Traceability for completeness & Justification ▪ Reusability of patterns, solutions and technologies ▪ Business value & cost to support/enable a strategy ▪ Understand business requirements and risks ▪ Articulate security requirements: Core and Generic ▪ Make use of patterns from Reference Architecture ▪ Vet design, implementation & acceptance testing 3 Security by Design – ESA, SRA, SSA
  • 21. End Goal in EA & ESA: Capabilities enablement Enterprise Security Inter-operability Availability Confidentiality Compliant Integrity Profitability 3 Value-assured Prioritized & proportional responses Scalable scope Agility - ease of implementation & management Free use, open source, global standard Demonstrates compliance Two-way traceability Seamless alignment to TOGAF, ITIL, ISO27000, NIST, CobIT, etc…
  • 22. EA in Practice : ADM phases3 Strategy Requirement Solution/Pattern Product/Service Technology Bidirectional traceability Security
  • 23. SABSA Approach Step by Step3 Business Driver Business Attribute Threat Analysis Impact Analysis Control Objective Security Service Identify Business Drivers Prioritize Drivers Translate drivers into security attributes Conform to the SABSA Framework Perform threat analysis Identify actual threats to the business attributes Use quantitative or qualitative methods to define impact realization of the threat on the identified business objectives Define Control objectives to mitigate identified threats to acceptable level Define Control objectives to mitigate identified threats to acceptable level
  • 24. Putting it all together: SbD in EA3
  • 25. Putting it all together: SbD in EA3 Security is driven by business requirements rather than technical consideration Directly traceable to business objectives Cost Effective Meet legal, regulatory and policy compliance requirement by design Alignment of business risk and organizations risk appetite 2 3 1 5 4 Risk Cost Usability
  • 27. Risk Cost Usability ▪ Blueprint of reference for Solution Architects ▪ Includes policies, controls, procedure and guidelines ▪ Meet compliance and align with risk appetite ▪ Driven by organization business requirement ▪ Business and Risk-Driven approach ▪ Traceability for completeness & Justification ▪ Provide structured framework for compliance purpose ▪ Create foundation for assessment of security ROI ▪ Eliminate redundant controls ▪ Reduce Ad hoc implementation ▪ Provides agreed security requirement ▪ Tracible security requirement to business requirement 4 Security by Design – Benefits
  • 28. EA & ESA: Reference architecture compliance4 Solution Design process initiated by business Solution Design presented to Design Authority for approval Design Authority select relevant architecture under governance Design Authority checks high level conformance, either “approve” or refers back for “revision” by solution team Checks A B D C
  • 32. EA Metamodeling: an example Business Strategy Risk and Security Strategy Security Requirement Regulation, Policy and Standard Business Requirement Threat and Vulnerabilities Security Mechanism Security tool, component, technology Security Service Technology Infrastructure Vision Business Process Business Risk Security Controls Data, Information and Application Security Solution Business Information System Technology Planning Security Mechanism Security tool, component, technology Security Solution Strategy Requirement Solution/Pattern Product/Service Technology Bidirectional traceability
  • 33. Vision Business Process Business Information System Technology Planning BP Patterns XX Brand protectorBP RFP Strategy Requirement Solution/Pattern Product/Service Technology Bidirectional traceabilityIncrease Reputation Build new offerings Protect brand Brand Policy More Advert fora Aggressive marketing Check forum using brand Usage of brand for fraud Scan all fora with Logo Detect, report malicious usage of brand Malicious usage of brand Unauthorized access to customer Data Brand Protection Software Advert App Server Marketing App Server Advert App Marketing App Scan fora with brand Brand detection scanner EA Metamodeling: Views & Business attributes
  • 34. Preliminaries for Integration: Some Key security Concepts Security Service • A fundamental logical building block for constructing security solution architectures • Creating a repository of standardised security services is part of an enterprise security architecture, providing security architects with a library of security service definitions for use ‘off-the-shelf’ when synthesising solution security architectures. Security Mechanism • A security mechanism is a type of technology or process that can deliver a security service. • Different mechanisms may be used to provide the same service, depending on the actual context. • Some services may be sub-services of higher-level services. • Service: Access Control; sub-service: Authentication; Mechanism: ID and password. Security Sub-service
  • 35. References 1. Kurpjuweit, S. and Winter, R., 2009. Concern-oriented business architecture engineering. In Proceedings of 2. the 2009 ACM symposium on Applied Computing (SAC '09), pp. 265-272. 3. Kvale, S. and Brinkmann, S., 2009. InterViews: Learning the Craft of Qualitative Research 4. Interviewing.2nd ed.SAGE publications. 5. Langenberg, K. and Wegmann, A., 2004. Enterprise Architecture: What Aspects is Current Research 6. https://whatis.techtarget.com/definition/security-by-design 7. https://www.owasp.org/index.php/Security_by_Design_Principles 8. Amer, H.S. and Hamilton, J.A., 2008. Understanding Security Architecture. Proceedings of the 2008 Spring simulation multiconference (SpringSim ’08),pp. 335-342