A challenge security professionals often face is ensuring that security is aligned with the business strategy. Enterprise Security Architecture can solve that problem, but to do so you need a way to make it easy for the rest of IT to follow the security architecture. Security Patterns are one solution to that problem.
Security Patterns: How To Make Security Architecture Easy To Consume
1. Security Patterns: How to Make Security Architecture Easy to Consume
Enterprise Risk/Security Management Conference
Jeff L. Johnson, CISSP
Enterprise Security Architect, ING Insurance Americas
Minneapolis, MN – 06.10.2010
www.ing.com
2. Security Architecture Roadmap
Diagram elements (layout lost in extraction): Business Goals; Market Trends; Information Security Management; Security Architecture; Roadmap (the future state of the enterprise security program); Capabilities Matrix; Security Patterns.
3. ING Insurance Americas
• 8th largest company in the world¹
• Dutch origins
• 107,000 employees
• 40 countries
• 10,000 employees
• 29 million customers
• 500+ applications
• 3,000+ servers
• 2nd largest provider of pensions
• 15,000 employees
¹ FORTUNE 2009 Global 500 list
Retirement – Insurance – Investments
www.ing.com/us
4. Define - Step 3
Customers Drive Business Goals
Easy to Use – Transparent – Compliant
6. Define - Step 3
Architecture Frameworks
TOGAF, Zachman, SABSA, etc.
Challenges
• Complex
• Sequential Process
• Time to Value
• Resources
7. ISM Structure
Hierarchy (diagram, layout lost in extraction): Risk Area > Building Block > Component > Control. Each risk area groups building blocks, each building block groups components, and each component carries its own set of controls.
8. Define - Step 3
Risk Areas and Building Blocks
• User Access Management: User Access Management; Segregation of Duties; Info. Access Restrictions; Identity & Access Management
• Platform Security: OS Hardening; Network Hardening; Generic App. & DB Security; Business App. Security; Workstation & Mob. Devices Hardening
• IT Resilience: Hardware Infrastructure Resilience; Business and Generic Application Resilience; Data Centre Resilience
• Change Management: Change Management; Separation of Environments; System Plan. & Acceptance
• Sourcing: Vendor Management; Supplier Management
• Security Monitoring: Security Event Monitoring; Security Incident Management; Technical State Compliance; Security & Penetration Testing
• Foundation (underlying all risk areas): Asset Ownership; Information Asset Classification; IT-Architecture; Configuration Management; Op. Procedures & Responsibilities; Compliance with ING Policies; Security Awareness
9. Define - Step 3
Risk Area, Building Blocks and Components
Risk Area: Platform Security
Building Blocks: OS Hardening; Network Hardening; Generic App. & DB Security; Business App. Security; Workstation & Mob. Devices Hardening
Components of Business Applications Security: Critical Impact Assets; High Impact Assets; Medium Impact Assets; Low Impact Assets
10. Building Block, Components and Controls
Building Block: Business Applications Security
Components: Critical Impact Assets (shown below); High Impact Assets; Medium Impact Assets; Low Impact Assets
Platform Security Controls overview (component: Critical Impact Assets)
No  Control criteria                      Dependency
1   Asset Ownership                       (none)
2   Information Asset Classification      1
3   Manufacturer Supported Asset          1+2
4   OSG Documented & Approved             1+2
5   OSG Implemented                       1+2
6   Application of Security Patches       1+2
7   Tech. Vulnerability Management        1+2
8   Manufacturer Support Tooling          1+2
9   Security Assessment & Risk Analysis   1+2
10  Data Protection                       1+2
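As an added example, not from the deck, the controls overview above modelled as a consumable checklist with a dependency-aware gap check. Control numbers, names and the Dependency column are taken from the slide; reading a dependency as a prerequisite that must itself be in place, and the implemented-control sets passed in, are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    number: int
    name: str
    depends_on: frozenset  # control numbers that must be effective first


# Slide 10 table: control 2 depends on 1; controls 3..10 depend on 1 and 2.
PLATFORM_SECURITY = (
    Control(1, "Asset Ownership", frozenset()),
    Control(2, "Information Asset Classification", frozenset({1})),
    Control(3, "Manufacturer Supported Asset", frozenset({1, 2})),
    Control(4, "OSG Documented & Approved", frozenset({1, 2})),
    Control(5, "OSG Implemented", frozenset({1, 2})),
    Control(6, "Application of Security Patches", frozenset({1, 2})),
    Control(7, "Tech. Vulnerability Management", frozenset({1, 2})),
    Control(8, "Manufacturer Support Tooling", frozenset({1, 2})),
    Control(9, "Security Assessment & Risk Analysis", frozenset({1, 2})),
    Control(10, "Data Protection", frozenset({1, 2})),
)


def effective_controls(pattern, implemented):
    """Controls that count as in place: implemented, and every control they
    depend on is itself effective (assumed reading of the Dependency column).
    Computed as a fixpoint so chains such as 1 -> 2 -> 3..10 are honoured."""
    by_number = {c.number: c for c in pattern}
    effective = set()
    while True:
        newly = {n for n in implemented
                 if n in by_number and n not in effective
                 and by_number[n].depends_on <= effective}
        if not newly:
            return effective
        effective |= newly


def gap_report(pattern, implemented):
    """Return (missing, ineffective) in slide order: controls not implemented,
    and controls implemented without their prerequisites (not yet creditable)."""
    implemented = set(implemented)
    effective = effective_controls(pattern, implemented)
    missing = [c.number for c in pattern if c.number not in implemented]
    ineffective = [c.number for c in pattern
                   if c.number in implemented and c.number not in effective]
    return missing, ineffective
```

Calling gap_report(PLATFORM_SECURITY, {2, 6}) on a constructed case where classification and patching are done but asset ownership is not recorded reports controls 2 and 6 as ineffective, which is the dependency column doing its job.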
12. Security Architecture Roadmap
Roadmap diagram repeated from slide 2: Business Goals; Market Trends; Information Security Management; Security Architecture; Roadmap (the future state of the enterprise security program); Capabilities Matrix; Security Patterns.
13. Security Patterns
A Security Pattern is a well-understood solution to a recurring information security problem.
Time to Value ∗ Easy ∗ Build Once, Use Many
Cookbooks are a collection of related security patterns.
14. Security Pattern Framework
Open Security Architecture
• Security Patterns Catalog
• Based on Capabilities and ISM
• Prioritize - security projects and operational needs
15. Data Protection Security Pattern Example
Controls
• Media Labeling
• Information Leakage
• Continuous Monitoring
• Use of Cryptography
• Etc.
16. Data Protection Security Pattern Example
• Guidance on data protection
• Repeatable and consumable steps for end users
• Maps to industry standards and enterprise capabilities
17. Security Architecture Roadmap
Roadmap diagram repeated from slide 2: Business Goals; Market Trends; Information Security Management; Security Architecture; Roadmap (the future state of the enterprise security program); Capabilities Matrix; Security Patterns.
18. References
• Open Security Architecture: www.opensecurityarchitecture.org
• Security Patterns: http://www.securitypatterns.org/
• The Open Group: http://www.opengroup.org/security/gsp.htm
• A Survey on Security Patterns: http://www.nii.ac.jp/pi/n5/5_35.pdf
• Data Security Pattern from OSA: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/259-pattern-data-security