Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Business Information Systems

Introduction to Security Architecture

advertisement 
INTRODUCTION TO
SECURITY ARCHITECTURE
Andy Wood
Enterprise Security Architect
andy@securingtheenterprise.com
•
Types of Security Architecture
•
What is Security Architecture?
•
Why do Security Architecture?
•
What is SABSA?
•
What is the SABSA Framework?
•
SABSA Models
•
SABSA in the Real World
•
Integration to other Frameworks
•
Training & Certification
AGENDA
Two types of Security Architecture:
•
•
Enterprise Security Architecture (ESA)
•
Part of EA function.
•
Development of security Models and Frameworks for business to
operate under.
•
Drives security holistically through every part of the business.
•
Ensures security supports business strategy and objectives.
Solution Security Architecture (SSA)
•
Project / Programme Scope
•
Capture security requirements for project/programme
•
Ensure integration with enterprise models
TYPES OF SECURITY ARCHITECTURE
Problem solutioning with a focus on Security
•
Ensuring security requirements are identified and met.
•
Ensuring controls & enablers are proportionate to risk & opportunity.
•
Ensuring security services are managed through its lifecycle.
Security Architecture is a business supporting function
•
Must be maintained.
•
Must evolve to changes in threat landscape and business strategy.
WHAT IS SECURITY ARCHITECTURE?
To support the business deliver its objectives in a risk and
opportunity managed way
1.
Need to understand the risks and opportunities
2.
Need to implement controls and enablers to support (1)
3.
Need to deliver service management to support (2)
Prevent introduction of unknown risk.
WHY DO SECURITY ARCHITECTURE?
“Methodology for developing business-driven, risk and opportunity focused security architecture,
and for delivering security solutions that traceably support the business requirements.” (SABSA)
Sherwood Applied Business Security Architecture (SABSA)
•
John Sherwood, David Lynas and Andrew Clark
•
Started in mid-1995 following consultancy engagements
•
No framework at the time (or since) to deliver ESA properly
•
De facto framework used today globally in different markets and sectors
including government and defence.
•
Builds upon “missing components” from other frameworks
•
•
Doesn’t re-invent – i.e. implementation isn’t in SABSA – use PRINCE2
Open Source & protected by SABSA Institute
WHAT IS SABSA?
SABSA Institute
•
Formed 2012/13 to protect the framework
•
Will ensure framework evolves and matures
•
•
Will provide resource to develop and market next versions
Manages the chartered architect exam
WHAT IS SABSA?
SABSA FRAMEWORK
SABSA MODEL FOR SECURITY
ARCHITECTURE
SABSA MATRIX
Many models available for direct use, or can be customised.
These include:
•
Attribute profiling
•
Risk & Opportunity Model
•
Multi-Tiered Control Strategy
•
Assurance Framework
•
Maturity Model
•
Governance Model
•
Vitality Model
•
Domain & Trust Model
•
Policy Model
•
Lifecycle Model, etc…
FRAMEWORKS AND MODELS
•
Most powerful tool in SABSA
•
To be introduced in future TOGAF version
•
Conceptual abstraction of real business requirement.
•
Standardised and re-usable.
•
Provides 2-way traceability.
•
Defines monitoring & reporting.
•
Starting Taxonomy available
ATTRIBUTE PROFILING
STANDARD ATTRIBUTE
TAXONOMY
•
•
Defence in depth applies layering of controls to reduce risk
•
are the layers providing the right type of controls?
•
is it cost effective?
•
does it meet BRs?
Multi-Tiered Control Strategy
•
•
controls architected to function
•
Deter, Prevent, Contain, Detect, Track, Recover and Assure
•
Provides cost effectiveness by preventing over investment
Traceability of controls back to BRs
•
•
Provides justification
Provides assurance around controls
MULTI-TIERED CONTROL STRATEGY
(MTCS)
MTCS MODEL
MTCS
ENHANCED
•
Green Field Architecture
•
•
Clean and simple
Brown Field Architecture
•
Muddy waters
•
Unknown current state
•
Heavy emphasis on strategy
SABSA IN THE REAL WORLD
•
Flexible and adaptive framework
•
Aligns with others such as
•
TOGAF
•
ITIL
•
COBIT
•
ISO27001
•
SOX
•
PCI-DSS
•
And any other…
INTEGRATION WITH FRAMEWORKS
•
Three levels
•
Foundation (SCF) [4,500]
•
•
One official specialised course + 2 essay questions.
Master (SCM) [8]
•
•
Official foundation course + 2 multiple choice exams (96Q’s / 75%+) in 2 hours.
Practitioner (SCP) [400] (able to apply)
•
•
(knowledge of)
(able to redevelop)
Two official specialist courses + 10,000 word thesis.
Four specialisms
•
Security Architecture Design & Development
•
Risk Management & Governance
•
Business Continuity & Crisis Management
•
Security Operations & Service Management
TRAINING & CERTIFICATION
Related documents
Chapter 2
Chapter 2
Securing the IT Spring - Information Security Group
Securing the IT Spring - Information Security Group
IM4DC Operations Overview - International Mining for Development
IM4DC Operations Overview - International Mining for Development
WASP Periodic Table of Vulnerabilities
WASP Periodic Table of Vulnerabilities
Human testing of mobile apps - Better Software Testing Blog
Human testing of mobile apps - Better Software Testing Blog
business reporting management services
business reporting management services
fireproof - Christ In Culture
fireproof - Christ In Culture
Consulting Skills and Frameworks - M
Consulting Skills and Frameworks - M
Sahlin-Farm-Lot-9-Briefing
Sahlin-Farm-Lot-9-Briefing
People performance and principles - our co - Co
People performance and principles - our co - Co
The Legend of Robin Hood
The Legend of Robin Hood
The Merry Adventures of Robin Hood
The Merry Adventures of Robin Hood
Download
advertisement