Security Patterns: How to Make Security Architecture Easy to Consume
Enterprise Risk/Security Management Conference

Jeff L. Johnson, CISSP
Enterprise Security Architect, Insurance Americas
Minneapolis, MN – 06.10.2010
www.ing.com
Security Architecture Roadmap

Inputs:
• Business Goals
• Market Trends
• Information Security Management
• Capabilities Matrix
• Security Patterns

Output: the Security Architecture Roadmap – the future state of the enterprise security program, driven by the Business Goals.
ING Insurance Americas

ING Group:
• 8th largest company in the world (1)
• Dutch origins
• 107,000 employees
• 40 countries

ING Insurance Americas:
• 10,000 employees
• 29 million customers
• 500+ applications
• 3,000+ servers

• 2nd largest provider of pensions
• 15,000 employees

(1) FORTUNE 2009 Global 500 List

Retirement - Insurance - Investments    www.ing.com/us
Define - Step 3
Customers Drive Business Goals

Easy to Use – Transparent – Compliant
Define - Step 3
Market Trends

Competitors – Legal – Regulations – Technology
Define - Step 3
Architecture Frameworks

TOGAF, Zachman, SABSA, etc.

Challenges
• Complex
• Sequential process
• Time to value
• Resources
ISM Structure

A Risk Area contains Building Blocks; a Building Block contains Components; a Component contains Controls:

Risk Area
  → Building Block
      → Component
          → Control
Define - Step 3
Risk Areas and Building Blocks

User Access:
• User Access Management
• Segregation of Duties
• Info. Access Restrictions
• Identity & Access Management

Platform Security:
• OS Hardening
• Network Hardening
• Generic App. & DB Security
• Business App. Security
• Workstation & Mob. Devices Hardening

IT Resilience:
• Hardware Infrastructure Resilience
• Business and Generic Application Resilience
• Data Centre Resilience

Change Management:
• Change Management
• Separation of Environments
• System Plan. & Acceptance

Sourcing:
• Vendor Management
• Supplier Management

Security Monitoring:
• Security Event Monitoring
• Security Incident Management
• Technical State Compliance
• Security & Penetration Testing

Foundation (underlying all risk areas):
• Asset Ownership
• Information Asset Classification
• IT-Architecture
• Configuration Management
• Op. Procedures & Responsibilities
• Compliance with ING Policies
• Security Awareness
Define - Step 3
Risk Area, Building Blocks and Components

Risk Area: Platform Security

Building Blocks:
• OS Hardening
• Network Hardening
• Generic App. & DB Security
• Business App. Security
• Workstation & Mob. Devices Hardening

Components of the Business Applications Security building block, by asset impact:
• Critical Impact Assets
• High Impact Assets
• Medium Impact Assets
• Low Impact Assets
Building Block, Components and Controls

Building Block: Business Applications Security
Components: Critical Impact Assets, High Impact Assets, Medium Impact Assets, Low Impact Assets

Platform Security Controls overview (Critical Impact Assets)

No   Control criteria                       Dependency
1    Asset Ownership                        –
2    Information Asset Classification       1
3    Manufacturer Supported Asset           1+2
4    OSG Documented & Approved              1+2
5    OSG Implemented                        1+2
6    Application of Security Patches        1+2
7    Tech. Vulnerability Management         1+2
8    Manufacturer Support Tooling           1+2
9    Security Assessment & Risk Analysis    1+2
10   Data Protection                        1+2
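The dependency column of that table is what makes the controls consumable as a checklist: a control such as "Application of Security Patches" is meaningless until the asset has an owner and a classification. The following is an added example, not code from the slide deck or from ING: it models the ISM hierarchy for this one building block and uses the table's dependency numbers to (a) derive an order in which the controls can be implemented, (b) report which implemented controls are missing their prerequisites, and (c) list the controls that can be tackled next. The control numbers, names and dependencies are taken from the slide; the asset name and its implemented-control set are constructed sample data.

```python
"""Added example (not from the slide deck): checking control dependencies
from the 'Platform Security Controls overview' table.

Hierarchy: Risk Area 'Platform Security' -> Building Block 'Business
Applications Security' -> Component 'Critical Impact Assets' -> Controls.
"""
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class Control:
    number: int
    criteria: str
    depends_on: frozenset = frozenset()  # control numbers that must exist first


# Control numbers, names and dependencies copied from the slide's table.
PLATFORM_SECURITY_CONTROLS = {
    1: Control(1, "Asset Ownership"),
    2: Control(2, "Information Asset Classification", frozenset({1})),
    3: Control(3, "Manufacturer Supported Asset", frozenset({1, 2})),
    4: Control(4, "OSG Documented & Approved", frozenset({1, 2})),
    5: Control(5, "OSG Implemented", frozenset({1, 2})),
    6: Control(6, "Application of Security Patches", frozenset({1, 2})),
    7: Control(7, "Tech. Vulnerability Management", frozenset({1, 2})),
    8: Control(8, "Manufacturer Support Tooling", frozenset({1, 2})),
    9: Control(9, "Security Assessment & Risk Analysis", frozenset({1, 2})),
    10: Control(10, "Data Protection", frozenset({1, 2})),
}


def implementation_order(controls):
    """Control numbers ordered so that no control precedes its prerequisites.
    A cyclic dependency table raises graphlib.CycleError."""
    graph = {c.number: set(c.depends_on) for c in controls.values()}
    return list(TopologicalSorter(graph).static_order())


def unmet_dependencies(controls, implemented):
    """For each implemented control, the prerequisites that are NOT implemented.
    Returns {control_number: [missing prerequisites]}; empty dict when clean."""
    implemented = set(implemented)
    gaps = {}
    for n in sorted(implemented):
        missing = sorted(controls[n].depends_on - implemented)
        if missing:
            gaps[n] = missing
    return gaps


def next_controls(controls, implemented):
    """Controls not yet implemented whose prerequisites are all satisfied."""
    implemented = set(implemented)
    return sorted(n for n, c in controls.items()
                  if n not in implemented and c.depends_on <= implemented)


if __name__ == "__main__":
    # Constructed sample: a critical-impact asset that has an owner, is on a
    # supported platform and is patched, but was never classified (control 2).
    asset = {"name": "sample-critical-app", "implemented": {1, 3, 6}}

    print("Implementation order:", implementation_order(PLATFORM_SECURITY_CONTROLS))
    gaps = unmet_dependencies(PLATFORM_SECURITY_CONTROLS, asset["implemented"])
    for n, missing in gaps.items():
        names = ", ".join(PLATFORM_SECURITY_CONTROLS[m].criteria for m in missing)
        print(f"{asset['name']}: control {n} relies on missing control(s): {names}")
    print("Ready to implement next:",
          next_controls(PLATFORM_SECURITY_CONTROLS, asset["implemented"]))
```

The check is deliberately strict about the dependency column: patching and vendor support on an unclassified asset are reported as gaps, because the table says classification is a prerequisite for every control from 3 onward, not an optional extra.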
Capabilities Matrix

Current State
Security Architecture Roadmap (section divider; the roadmap diagram is repeated here)
Security Patterns

A Security Pattern is a well-understood solution to a recurring information security problem.

Time to Value ∗ Easy ∗ Build Once, Use Many

Cookbooks are a collection of related security patterns.
Security Pattern Framework

Open Security Architecture

• Security Patterns Catalog
• Based on Capabilities and ISM
• Prioritize – security projects and operational needs
Data Protection Security Pattern Example

Controls
• Media Labeling
• Information Leakage
• Continuous Monitoring
• Use of Cryptography
• Etc.
Data Protection Security Pattern Example

• Guidance on data protection
• Repeatable and consumable steps for end users
• Maps to industry standards and enterprise capabilities
Security Architecture Roadmap (closing slide; the roadmap diagram is repeated here)
References

• Open Security Architecture
  www.opensecurityarchitecture.org
• Security Patterns
  http://www.securitypatterns.org/
• The Open Group
  http://www.opengroup.org/security/gsp.htm
• A Survey on Security Patterns
  http://www.nii.ac.jp/pi/n5/5_35.pdf
• Data Security Pattern from OSA
  http://www.opensecurityarchitecture.org/cms/library/patternlandscape/259-pattern-data-security
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Security Patterns How To Make Security Arch Easy To Consume

  • 1. Security Patterns: How to Make Security Architecture Easy to Consume. Enterprise Risk/Security Management Conference. Jeff L. Johnson, CISSP, Enterprise Security Architect, Insurance Americas. Minneapolis, MN – 06.10.2010. www.ing.com
  • 2. Security Architecture Roadmap. Inputs: Business Goals, Market Trends, Information Security Management, Capabilities Matrix, Security Patterns. Output: the Security Architecture Roadmap, the future state of the enterprise security program.
  • 3. ING Insurance Americas. 8th Largest Co. in the World¹; Dutch Origins; 107,000 employees; 40 countries. 10,000 Employees; 29 mil Customers; 500+ Applications; 3,000+ Servers. 2nd largest provider of Pensions; 15,000 Employees. ¹ FORTUNE 2009 Global 500 List. Retirement - Insurance - Investments. www.ing.com/us
  • 4. Define - Step 3: Customers Drive Business Goals. Easy to Use – Transparent – Compliant.
  • 5. Define - Step 3: Market Trends. Competitors, Legal, Regulations, Technology.
  • 6. Define - Step 3: Architecture Frameworks. TOGAF, Zachman, SABSA, etc. Challenges: Complex; Sequential Process; Time to Value; Resources.
  • 7. ISM Structure: Risk Area → Building Block → Component → Control.
  • 8. Define - Step 3: Risk Areas and Building Blocks.
    - User Access Security: User Access; Segregation of Duties; Info. Access Restrictions; Identity & Access Management
    - Platform Security: OS Hardening; Network Hardening; Generic App. & DB Security; Business App. Security; Workstation & Mob. Devices Hardening
    - IT Resilience: Hardware Infrastructure Resilience; Business and Generic Application Resilience; Data Centre Resilience
    - Change Management: Change Management; Separation of Environments; System Plan. & Acceptance; Security & Penetration Testing
    - Sourcing: Vendor Management; Supplier Management
    - Security Monitoring: Security Event Management & Monitoring; Security Incident Management; Technical State Compliance
    - Foundation: Asset Ownership; Information Asset Classification; IT-Architecture; Configuration Management; Op. Procedures & Responsibilities; Compliance with ING Policies; Security Awareness
  • 9. Define - Step 3: Risk Area, Building Blocks and Components. Risk Area: Platform Security. Building Blocks: OS Hardening; Network Hardening; Generic App. & DB Security; Business App. Security; Workstation & Mob. Devices Hardening. Components of Business Applications Security: Critical Impact Assets; High Impact Assets; Medium Impact Assets; Low Impact Assets.
  • 10. Building Block, Components and Controls. Platform Security → Business Applications Security → Critical Impact Assets (other components: High Impact Assets, Medium Impact Assets, Low Impact Assets). Controls overview for Critical Impact Assets:

    | No | Control criteria                    | Dependency |
    |----|-------------------------------------|------------|
    | 1  | Asset Ownership                     |            |
    | 2  | Information Asset Classification    | 1          |
    | 3  | Manufacturer Supported Asset        | 1+2        |
    | 4  | OSG Documented & Approved           | 1+2        |
    | 5  | OSG Implemented                     | 1+2        |
    | 6  | Application of Security Patches     | 1+2        |
    | 7  | Tech. Vulnerability Management      | 1+2        |
    | 8  | Manufacturer Support Tooling        | 1+2        |
    | 9  | Security Assessment & Risk Analysis | 1+2        |
    | 10 | Data Protection                     | 1+2        |

  • 11. Capabilities Matrix: Current State.
  • 12. Security Architecture Roadmap (section marker, same as slide 2). Inputs: Business Goals, Market Trends, Information Security Management, Capabilities Matrix, Security Patterns. Output: the Security Architecture Roadmap, the future state of the enterprise security program.
  • 13. Security Patterns. A Security Pattern is a well-understood solution to a recurring information security problem. Time to Value: Easy; Build Once, Use Many. Cookbooks are a collection of related security patterns.
  • 14. Security Pattern Framework: Open Security Architecture. Security Patterns Catalog; Based on Capabilities and ISM; Prioritize security projects and operational needs.
  • 15. Data Protection Security Pattern Example. Controls: Media Labeling; Information Leakage; Continuous Monitoring; Use of Cryptography; Etc.
  • 16. Data Protection Security Pattern Example. Guidance on data protection; Repeatable and Consumable steps for end users; Maps to industry standards and enterprise capabilities.
  • 17. Security Architecture Roadmap (section marker, same as slide 2). Inputs: Business Goals, Market Trends, Information Security Management, Capabilities Matrix, Security Patterns. Output: the Security Architecture Roadmap, the future state of the enterprise security program.
  • 18. References.
    - Open Security Architecture: www.opensecurityarchitecture.org
    - Security Patterns: http://www.securitypatterns.org/
    - The Open Group: http://www.opengroup.org/security/gsp.htm
    - A Survey on Security Patterns: http://www.nii.ac.jp/pi/n5/5_35.pdf
    - Data Security Pattern from OSA: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/259-pattern-data-security