Chapter 3: Enterprise Security Using Zachman Framework
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
April 13, 2015 DRAFT

What is Security Architecture? Why Do We Need It?
• Architecture is the design of a complex structure that enables change and reuse
  – An office building blueprint
  – A PeopleSoft solution architecture
  – An enterprise architecture
• Enterprise architecture is the architecture of an enterprise, e.g.
  – The Ohio State University
  – The State Department
• The goal of strategy and enterprise architecture is enterprise agility, i.e. what is needed for competitiveness and success

Enterprises are Very Complex and Changing
• Imagine a complex building: the US Capitol
  – Its blueprints capture bricks, mortar, plumbing, electrical, HVAC
• Imagine an enterprise, such as the US Congress
  – Its enterprise architecture includes the building blueprints... plus:
  – The people, the furniture, the computers, electronics, and constant change
• Incorporating cybersecurity requirements in the enterprise change process assures that changes result in secure systems and a secure enterprise

The Zachman Framework for Enterprise Architecture
• The "Periodic Table" of Enterprise Architecture
• Invented by John A. Zachman in the mid 1980s
• Used by over 3000 large enterprises to gain self-understanding and agility

Primitive Models versus Composite Models
• A primitive model resides within only one cell
• A primitive model can exhaustively answer one of the six fundamental interrogatives (questions): What, How, Where, When, Who, Why. For example:
  – What are all of the roles in the enterprise? (Who?)
  – What are all of the processes in the enterprise? (How?)
• A composite model crosses between columns, e.g. a Role x Process matrix

How do Architecture Frameworks Help Us with Cyber Security?
• NIST Special Publication 800-39 defines the role of Risk Executive
  – The risk executive is in charge of business continuity and disaster recovery, among other risks
• To do continuity and DR, an exhaustive list of enterprise processes is required, i.e. what we populate Zachman Framework column 2 (How?) with
  – The risk executive needs a blueprint of the organization (the enterprise architecture) to know whether or not to approve changes
• If you conduct changes without a blueprint, catastrophe is likely, e.g. the building collapses

Everyone Has Their Own Specifications
• Zachman rows represent the full range of specification perspectives:
  – Executive
  – Business Management
  – Architect
  – Engineer
  – Technician
  – The Enterprise
• Examples of common cybersecurity specifications: System Security Plan, Plan of Actions and Milestones, Accreditation Letter

The Goldmine is in Row 2
• Row 2 is the Business Management perspective
  – Business managers control investment decisions for the enterprise, i.e. the money
• Row 2 models are hierarchies
  – All of the primitives are categorized in the hierarchy
  – Closeness in the hierarchy implies similarity
  – A deep hierarchy represents a detailed understanding of each set of primitives

Frameworks for Row 3
• Row 3 contains models from the Architect's perspective
• Architects do not specify every detail; that is what engineers do in Row 4
  – Architects specify the architecturally significant constraints, i.e. critical success factors
• Example Row 3 frameworks:
  – Defense industry: DoDAF, MODAF
  – Solution architectures: TOGAF, IEEE 1471, ISO/IEC 42010
  – Telecom and finance: RM-ODP

Architectural Problem Solving Patterns
• Business Question Analysis
• Document Mining
• Hierarchy Formation
• Enterprise Workshop
• Nominal Group Technique
• Minipatterns for Problem Solving Meetings

Business Question Analysis
• Determines the appropriate metamodel for an enterprise architecture
  – "Metamodel" means what kinds of entities and relationships we will model
• Starts with questions from business owners
  – Proceeds with selection of primitives (columns) from the Zachman Framework
  – The business questions drive the relationships that will be modeled, i.e. using matrices across columns

Document Mining
• Extracts primitives from enterprise documentation, i.e. populates row 1
• Document mining can be exhaustive, i.e. capture all the primitive entities in a column
• Document mining is preferable to interviewing because:
  – Documents usually represent a consensus of two or more people
  – 1:1 interviews represent only one opinion on a certain day in a certain life

Hierarchy Formation
• Hierarchy formation populates row 2 of the Zachman Framework
• A hierarchy is created using a cards-on-the-wall exercise and group discussion
  – Non-experts can perform this task
  – Experts are used in an Enterprise Workshop to confirm and perfect the results
• Hierarchies help us understand the primitives and find commonality

Enterprise Workshop
• Document Mining and Hierarchy Formation can be conducted by non-expert teams
  – The non-experts draft a 70% solution: imperfect, but much better than a blank page
• Business owners and experts are called into the Enterprise Workshop to take the 70% solution to 100%, in terms of accuracy and completeness

Nominal Group Technique
• NGT is a classic idea creation technique, i.e. a powerful form of brainstorming
  – It very quickly generates results without substantial time wasted in discussing digressions
• NGT involves:
  – Silent writing: formulating ideas quickly in a large group working in parallel
  – Group notes: recording the ideas on a flip chart so that everyone can be a heads-up active participant
  – Group definitions: information sharing to define the ideas
  – Straw poll: prioritizing the ideas by casting multiple informal votes

Minipatterns for Problem Solving Meetings
• Get Organized
• Breakouts
• Flipcharts
• Time Management
• Groundrules
• Idea Parking Lot
• Other Problem Solving Catalogs

Review: Chapter Summary
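The primitive-versus-composite distinction and the risk executive's blueprint check from the slides above, as an added Python example that is not part of the lecture materials or the book. The roles (Who? column), processes (How? column) and their Role x Process assignments are constructed sample data, and the approval rule in review_change (every process a change touches must be in the process primitive and must have at least one assigned role) is an assumption for illustration, not a rule the slides state.

```python
"""Primitive and composite Zachman models as plain data structures.

Added example, not from the lecture slides. All roles, processes and
assignments below are constructed sample data; the approval rule in
review_change is an assumed illustration of the risk executive's check.
"""
from dataclasses import dataclass, field

# Primitive model, column "Who?": the exhaustive list of roles (constructed).
ROLES = ["Risk Executive", "Payroll Clerk", "Network Admin", "Help Desk"]

# Primitive model, column "How?": the exhaustive list of enterprise processes
# (constructed). Continuity/DR planning needs this list to be complete.
PROCESSES = ["Run Payroll", "Patch Servers", "Reset Passwords", "Restore Backups"]


@dataclass
class RoleProcessMatrix:
    """Composite model: a Role x Process matrix crossing two Zachman columns."""
    roles: list
    processes: list
    cells: set = field(default_factory=set)  # (role, process) pairs

    def assign(self, role, process):
        # A composite model may only relate entities that the primitive
        # models already enumerate, so reject anything outside them.
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        if process not in self.processes:
            raise ValueError(f"unknown process: {process}")
        self.cells.add((role, process))

    def roles_for(self, process):
        return sorted(r for r, p in self.cells if p == process)

    def processes_for(self, role):
        return sorted(p for r, p in self.cells if r == role)

    def orphan_processes(self):
        """Processes with no role: a continuity gap nobody would run in a DR event."""
        return [p for p in self.processes if not self.roles_for(p)]


def review_change(matrix, affected_processes):
    """Risk-executive check of a proposed change against the blueprint.

    Returns (approve, report). Assumed rule: every process the change touches
    must exist in the process primitive and must have at least one role.
    """
    report = {"unknown": [], "unowned": [], "impacted_roles": set()}
    for p in affected_processes:
        if p not in matrix.processes:
            report["unknown"].append(p)   # change refers to something the blueprint lacks
            continue
        owners = matrix.roles_for(p)
        if not owners:
            report["unowned"].append(p)   # nobody is responsible for this process
        report["impacted_roles"].update(owners)
    approve = not report["unknown"] and not report["unowned"]
    return approve, report


def build_sample_matrix():
    """Constructed sample matrix; "Restore Backups" is deliberately unassigned."""
    m = RoleProcessMatrix(ROLES, PROCESSES)
    m.assign("Payroll Clerk", "Run Payroll")
    m.assign("Network Admin", "Patch Servers")
    m.assign("Help Desk", "Reset Passwords")
    m.assign("Network Admin", "Reset Passwords")
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("orphan processes:", m.orphan_processes())
    ok, rep = review_change(m, ["Patch Servers", "Restore Backups"])
    print("approve:", ok, rep)
```

The two lists are the primitives: each answers one interrogative exhaustively and lives in one cell. The matrix is the composite, and it is only as trustworthy as the primitives it crosses, which is why assign refuses names the primitives do not contain. The review function shows why the risk executive wants the column 2 list complete before approving changes: a process with no role in the matrix is exactly the kind of gap that surfaces as an unrecoverable process during disaster recovery.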