
The Invisible Person: A Closer Look at Information Security Architecture

Explore the role and importance of an Information Security Architect (ISA) in today's cyber war. Gain insight into the need for a cohesive, risk- and business-based information security architecture and its impact on organizations. Enhance awareness, certifications, and definitions in the field.



Presentation Transcript


  1. “The Invisible Person …. The Security Architect”
  INFOSECFORCE Application Security
  BILL ROSS, 15 Sept 2008
  “Balancing security controls to business requirements”

  2. Critical Reason for ISA Excellence: Undeclared global cyber war
  • “We are in a CYBER War and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight and win and lose in this battle. Every year thousands of articles and conferences across the globe address this challenge, and when one reads the literature and attends the meetings, one gleans that a core weapon is missing in the discussion:
  • Cohesive risk- and business-based information security architecture
  • Systematically and strategically planned and executed
  • An Information Security Architect with a “Ninja war fighting spirit”
  • “Will the real Information Security Architect step out of the shadows and reveal himself or herself so we all know who and what we are?”
  • INFOSECFORCE 2012

  3. The Invisible Person: Searching for YETI? The Security Architect

  4. The ISA brief objectives
  • Background:
  • Invisible person thought piece written 8/12/2012 … posted on ONLY two blogs … almost 600 global requests.
  • Purpose:
  • Discuss the definition and roles of an information security architect (ISA)
  • Is there a problem?
  • Examine possible industry ISA interpretations
  • Review information security models
  • Review System Security Architecture Implementation Models
  • Expected outcome:
  • Enhanced awareness of ISA roles and responsibilities
  • More writings and better certifications and definitions
  • More securely built applications and infrastructure
  Not the “Big Bang Theory”

  5. Acronyms glossary
  • ISA. Information Security Architect or Information Security Architecture
  • ISC. Information Security Community
  • SABSA. Sherwood Applied Business Security Architecture
  • OSA. Open Security Architecture
  • TAFIM. Technical Architecture Framework for Information Management
  • TRM. Technical Reference Model
  • EA. Enterprise Architecture
  • GISAA. Global Information Security Architecture Association
  • JD. Job description
  • ISSAP. Information Security Systems Architect Professional
  • ISO. International Standards Organization
  • IEEE. Institute of Electrical and Electronic Engineers
  • OPERA. Open Protocol Enabling Risk Aggregation
  • NIST. National Institute of Standards and Technology

  6. Personal ISA experiences
  • Have built security architectures, plans and road maps, designed strategies, hired security architects and mentored them, BUT I am not a true architect …. I just like to cobble things together.
  • Enthralled by TAFIM in the 1990s
  • Built the Tactical Collection Framework for the Central American wars
  • Integrated the Air Force SOF and regular USAF intelligence architectures
  • Baselined the technical architecture for the global Army Materiel Command
  • For CSC, managed deploying JP Morgan’s first global security architecture
  • Built the security technical road map for Federal Reserve IT
  • Appointed someone as the Federal Reserve’s first security architect
  • Hired the security architect for the Northrop VITA contract
  • Hired by AXA Tech as the Security Architect
  • Defined strategy for the Information Risk Architecture Framework (IRAF)
  • Security Architect for AIG at United Guaranty Corporation
  • Wrote “The Invisible Person …. the Security Architect”
  • Sherwood Applied Business Security Architecture trained
  • SAIC Information Assurance Architect
  • Self-appointed INFOSECFORCE llc Security Process Architect

  7. The Origins of Architecture: Man’s primordial need to scream “build”
  • Architecture has its origins in the building of towns and cities, and everyone understands this sense of the word, so it makes sense to begin by examining the meaning of ‘architecture’ in this traditional context.
  • Architecture is a set of rules and conventions by which we create buildings that serve the purposes for which we intend them, both functionally and aesthetically.
  • Architecture is founded upon an understanding of the requirements that it must fulfil.
  • These needs are expressed in terms of function, aesthetics, culture, government policies and civil priorities.
  • Architecture is also both driven and constrained by a number of specific factors.
  [Figure: IT Enterprise Architecture Evolution; IT Architect]

  8. Background analyses: Why over 600 global requests for the paper in two years? Two possible reasons why

  9. Egregious data breaches this year. Which should not be on this list? Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  10. Will anything stop them? “Defense in Depth = Cyber Security’s Maginot Line?”
  “Sample: 1216 organizations, 63 countries, 20 industries, 67 Billion spent on security”
  Did the Security Architecture fail? Source: http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf

  11. ISA Operational report: Current indicators
  • Information Security Architect and Information Security Architecture
  • The Information Security Community (ISC) does not yet have a consistent and recognized universal definition of what an ISA is, BUT we are possibly gaining on it.
  • What an ISA should accomplish is now sometimes being integrated into IT standard frameworks (EA, TOGAF, DoDAF, Zachman).
  • Security community standards and certifications for the ISA (SABSA, OSA, ISC2, Huxham)
  • As such, wide-ranging ISA job descriptions
  • Given the lack of an ISA standard, the Security Architect sometimes struggles in the role, as what he/she thinks he/she should do is not what the company thinks they hired him/her for.
  • SOURCE: http://securityarchitecture.com/docs/Security_Management_Frameworks.pdf
  Note about Enterprise Architecture

  12. ISA challenge? Working on to good …
  • Relentless attacks hurting INFOSEC reputation
  • Focus on frameworks like NIST and PCI versus architecting and engineering
  • Enterprise Architecture, TOGAF and ISO 27001 just now integrating SABSA
  • Multiple IT and then Security Architecture frameworks …. overwhelming
  • Various interpretations of what an Information Security Architect is
  • Scant references in the trades to the importance of integrating security
  • SABSA and ISC2 certs, but engineering equivalents are needed
  • SABSA is the closest thing to an ISA champion (like early ITIL, mostly offshore)
  • No true professional organization like “The Global Information Security Architect Association (GISAA)”
  • Forthcoming and relentless cyber attacks

  13. Various ISA job descriptions
  • JDs exemplify organizational ISA soul searching
  • 1. Extremely technical in one or two security technologies such as firewalls or intrusion detection devices.
  • 2. Extremely technical on all aspects of security but cannot connect the architecture to business requirements and the overall strategy. Could install a HIDS or even a firewall, but the person did not design a strategy for how these systems could operationally and tactically integrate as part of the intrusion detection framework.
  • 3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process.
  • 4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan.
  • 5. Calling the security director or security manager the security architect

  14. Likelihood of succeeding as an ISA

  15. Who ya gonna call? Optimum ISA Job Description
  “An information security architect should have at least 10 years’ experience in information security and at one point in his/her career should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms, has managed acquisition efforts, identity access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment that is aligned with the core business processes, be they financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands how security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business-savvy professional with a Ninja spirit.”

  16. SANS think: “Can you build a Defense in Depth architecture without an architect?”
  “Of course, you are not going to get very far with an architectural approach to Defense in Depth without an architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is. The concept is, however, starting to mature. (ISC)2 organization has created an ISSAP (Information Systems Security Architecture Professional) certification[2]. SABSA organization has three levels of certifications for Security Architects: Foundation, Practitioner, and Master. There are job opportunities for positions labeled as "Security Architects," although many times they sound more like engineers than architects. Though specific knowledge about systems and networks is important, an architect should have the ability to assemble and disassemble pieces of knowledge to/from a whole.”
  Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board. Source: http://www.sans.edu/research/security-laboratory/article/security-architect

  17. ISA Certification syllabuses Two prime ISA Certifications

  18. The GARTNER view is EA focused
  • “Incorporating Security Into the Enterprise Architecture (EA) Process”
  • Gartner outline for “Incorporating Security Into the Enterprise Architecture (EA) Process”:
  • 1.0 The Rationale for Incorporating Security With the EA Process Model
  • 2.0 Security and the EA Process Model in Relation to EA Frameworks
  • 3.0 Environmental Trends
  • 4.0 Business Strategy
  • 5.0 Organize Architecture Effort
  • 6.0 Security in the Future-State Architecture
  • 6.1 Develop Requirements
  • 6.2 Develop Principles
  • 6.3 Develop Models
  • 7.0 Current-State Architecture: Documenting
  • 8.0 Closing the Gap
  • 9.0 Governing and Managing
  • 9.1 Governing EA Artifact Creation
  • 9.2 Governing EA Compliance and Project/Procurement Management
  • 9.3 Managing
  • SOURCE: http://www.gartner.com/DisplayDocument?ref=g_search&id=488575
  • Possibly add technical engineering skills, risk-based ISA decisions, secure development life cycle management, return on investment, metrics, operational tracking, software updating, security road maps (N-1 plan) and roles and responsibilities.

  19. What will it take? Being a Successful Information Security Architect
  • “Unless the security architecture can address a wide range of operational requirements and provide real business support and business enablement, rather than just focusing upon ‘security’, then it is likely that it will fail to deliver what the business expects and needs.”
  • A common phenomenon throughout the information systems industry.
  • Being a successful security architect means thinking in business terms at all times.
  • You always need to have in mind the questions: Why are you doing this? What are you trying to achieve in business terms here? Otherwise you will lose the thread and finish up making all the classic mistakes.
  • Many do not understand strategic architecture and think that it is all to do with technology.
  • Buy-in and sponsorship from senior management
  • Enterprise architecture cannot be achieved unless the most senior decision-makers are on your side.
  • Creating this environment of acceptance and support is probably one of the most difficult tasks that you will face in the early stages of your work.
  • Source: SABSA

  20. ISA challenge summary
  • ISA Situation
  • Onslaught of cyber attacks costing millions in damages and loss of consumer trust
  • Numerous interpretations of ISA limit organizational success in ISA
  • While improving, need more global awareness of the essential importance of “Building Security In”
  • SABSA and ISSAP good but not good enough
  • Standards like NIST and PCI good but not nearly good enough
  • Action Plan
  • Bring the ISA out of the shadows or redefine what an ISA is
  • Industry and government ISA punctuation greatly needed
  • Need to create an ISO or IEEE level standard
  • Make it an engineering science as is an EE degree
  • Trades like SC, CISO, Information Week and companies like RSA, Symantec, Verizon need to champion ISA
  • Somehow, someway create GISAA

  21. The eloquent designs: The IT and Security “Architecture” designs …… thinking and planning. Source: http://antifan-real.deviantart.com/art/Grand-Universe-17189369

  22. SABSA Eloquent design

  23. SABSA Eloquent design matrix

  24. ISA Landscape by OSA Source: http://www.opensecurityarchitecture.org

  25. PCI OSA Pattern Source: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/315-sp-026-pci-full

  26. Server OSA Pattern

  27. TOGAF development process Source: http://www.opengroup.org/subjectareas/enterprise/togaf

  28. Huxham Security Framework

  29. INFOSECFORCE baseline

  30. MAKING IT REAL ….yikes

  31. Implementing a framework or enterprise improvements
  Security Engineering & Architecture, surrounded by: SANS Top 20, NIST RMF, COBIT, NIST CSF, PCI, HIPAA, OPERA, ISO 27001, UCF, SOX

  32. Fundamental Enterprise Security Architecture Planning Issue
  • Enterprise Security Architecture asynchronous planning
  • Information security solutions are often designed, acquired and installed on a tactical basis.
  • “A requirement is identified, a specification is developed and a solution is sought to meet that situation.”
  • Strategic dimension not considered
  • Mixture of technical solutions on an ad hoc basis, each independently designed and specified and with no guarantee that they will be compatible and inter-operable.
  • No analysis of the long-term costs, especially the operational costs which make up a large proportion of the total cost of ownership; no strategy that can be identifiably said to support the goals of the business.
  Source: SABSA

  33. Enterprise Security Architecture Planning Solution: Security Architecture Planning is the missing piece of the puzzle
  • Development of an enterprise security architecture which is business-driven
  • A structured inter-relationship between the technical and procedural solutions to support the long-term needs of the business.
  • Must provide a rational framework within which decisions can be made based on an understanding of the business requirements, including:
  • The need for cost reduction
  • Modularity
  • Scalability
  • Ease of component re-use
  • Operability
  • Usability
  • Inter-operability both internally and externally
  • Integration with the enterprise IT architecture and its legacy systems.
  Source: SABSA

  34. Security Architecture Approach
  • Holistic approach
  • Mistake = believing that building security into information systems is simply a matter of referring to a checklist of technical and procedural controls and applying the appropriate security measures on the list.
  • Car example
  • A car is a good example of a complex system. It has many sub-systems, which in turn have sub-systems, and eventually a very large number of components. Designing and building a car needs a ‘systems-engineering’ approach.
  • Architecture system approach
  • Do you understand the requirements?
  • Do you have a design philosophy?
  • Do you have all of the components?
  • Do these components work together?
  • Do they form an integrated system?
  • Does the system run smoothly?
  • Are you assured that it is properly assembled?
  • Is the system properly tuned?
  • Do you operate the system correctly?
  • Do you maintain the system?
  • Are PCI, NIST, SANS Top 20 and DIACAP architectures?

  35. Implementation tool and designs: Keeping it simple
  • System security plan that defines risk, architecture and controls
  • Control framework of your choosing, such as NIST CSF or PCI
  • Plan, Build, Deploy, and Operate project plan
  • Risk management analysis (process and technology gaps)
  • SABSA framework sheet establishing overall situational awareness
  • OSA patterns
  • High level engineering design
  • Detailed engineering design
  • Excruciatingly detailed test plans
  • Implementation plan
  • Policy, process and procedures
  • Certification and accreditation
  • Continuous control monitoring plan
  • Production security

  36. Architect/Engineer/Implement? Implementing a framework or a system
  PLAN. Define:
  - Feasibility
  - Business case
  - Initial risk assessment
  - Requirements
  - Security CIA
  - Charter
  - System type
  - System security plan
  - Baseline
  BUILD. Define:
  - EA Architecture plan
  - System risk level
  - Applicable security control requirements
  - High level design
  - Detailed design
  - Functional design
  DEPLOY. Define:
  - Test, test, test
  - Acceptance
  - Procedure
  - Process
  - CONOPS
  - Certify and attest
  OPERATE. Define:
  - Vulnerability mgt
  - Pen test mgt
  - Continuous logging and monitoring
  - Compliance plan PCI/SOX
  - Patch mgt
  - Security CIA
  - Change mgt
  - Incident response

  37. SLCMP and the SDLC … “The Dance”
  Phases: PLAN → BUILD → DEPLOY (QA, Pre prod, 1st phase prod testing, 2nd phase prod testing, Prod) → OPERATE (Post Prod)
  • Statement of need for new business process, application or technology: INFOSEC participation in feasibility analyses, no documentation required.
  • Functional requirements document designed: preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted.
  • Design and technical architecture developed: INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments. Build the System Security Plan based on NIST 800-53 control guidelines.
  • Code development: integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager.
  • First phase application security testing: once code begins solidifying, use soft tools such as AppScan or Spi Dynamics for high level testing. Feed findings back to developers for code correction.
  • Second phase app security testing using a formalized process to decompile code as much as possible to determine if the code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect Security has expertise in this area.
  • Third phase app security test, which follows the phase one testing process. Used as final verification that code is stable from an INFOSEC perspective.
  • Deploy stages (QA, pre prod, prod): server cert; application and infrastructure penetration testing; create final risk acceptance document.
  • Post Prod (OPERATE): ongoing pen tests, vulnerability assessments, risk management.
  * Security certification and accreditation should be finalized

  38. The ISA does not exist after all: ISA paradigm shift(ed)
  • ISA not an architect after all
  • Engineer defining and implementing security requirements
  • Implementing the security components of an enterprise architecture solution
  • Integrated and symbiotic with the enterprise architecture
  • Security processes that run on the infrastructure and something the business enterprise cannot do without
  • It is a senior engineer that guides the construction and implementation of the security components

  39. Invisible person conclusion
  • We are at war
  • A Security Architect can define strategies to defeat the aggressors.
  • The IT industry governance boards (ISO …. IEEE) need to standardize their doctrine and strategy to define the ISA
  • Organizations need to hire the right people for ISA jobs
  • Reduce confusion between Senior Security Engineers and the roles and responsibilities of an Information Security Architect.
  • While they are complementary in nature, the roles are different.
  • Ultimately though …. is the discussion over …. Incorporate ISA into the EA solution for consistent and seamless IT architecture and operational builds?

  40. INFOSECFORCE Application Security, BILL ROSS, 15 Sept 2008. Contact information. “Balancing security controls to business requirements”
  • Marion Ross, INFOSECFORCE llc, President
  • Phone: 804-387-9253
  • Bill Ross, INFOSECFORCE llc, Security Process Architect
  • Phone: 804-855-4988
  • Email: INFOSECFORCE@YAHOO.com

  41. Enterprise Security Architecture: Ad hoc, not integrated, not planned and costly
  • Information security solutions often designed, acquired and installed on a tactical basis.
  • No strategic dimension
  • Organization builds up a mixture of technical solutions on an ad hoc basis
  • No guarantee that they will be compatible and inter-operable.
  • Solution is to base decisions on business requirements, including:
  • The need for cost reduction
  • Modularity
  • Scalability
  • Ease of component re-use
  • Operability
  • Usability
  • Inter-operability both internally and externally
  • Integration with the enterprise IT architecture and its legacy systems.
  Security is business. Source: http://www.intigrow.com/enterprise-security-architecture-design.html
