									Enterprise Security Architecture

    Rolf von Roessing CISA, CISM
               Overview (1)
• Security Architecture: Managerial
  Framework
• Corporate (security) governance: Rules of
  Engagement
• Linking Management and Infrastructure:
  Two Worlds Apart?
• Useful Standards: A Starting Point for
  Designing a Security Architecture
                  Overview (2)
• Process and Infrastructure: Architecture is
  Dynamic, Not Static
• Step-By-Step Life Cycle for an Enterprise
  Security Architecture
   –   Phase 1: Threats, Risks, Business Impact
   –   Phase 2: Business Case, Strategy
   –   Phase 3: Framework – ISO Areas, CobiT Baseline
   –   Phase 4: Implementation, Project Management
   –   Phase 5: Closure (?) – No More Than A Gateway
   –   Phase 6: Internal Review, Audit and Compliance
       Managerial Framework
• Security as a concept requires extensive
  investment
• Cost-benefit analysis is a prerequisite to
  implementing a security architecture
• Basic assumption: limited amount of money,
  maximise security impact
• Business management interests differ from
  those of security management
        Managerial Framework
• Process-driven View: Architecture is a
  management process as well as a concept
• Process yields „Return on Security
  Investment“
• Management must consider organisational
  aspects of security
 Corporate (Security) Governance
• Increasing maturity, increased control density
• Corporate Governance mandates appropriate
  security as an abstract concept
• Three-tier model of security-related control
  objectives
• Security must „fit in“ with the broader concept
  of corporate governance
Corporate (Security) Governance
[Figure: timeline 1972 to 2002. Early period labelled General IT Security, Few Incidents, Relative Stability; ARPA CERT 1988; IT Disaster Recovery and Evolving CERTs through the 1990s; Critical Infrastructure Protection (CIP), CivD, Y2K, BCM, ORM, CG and HS towards 2000 to 2002. Horizontal bands: Business; Protection, Continuity; Information Technology; Strategy.]
Corporate (Security) Governance
• Rules of Engagement highly diversified
• National / Regional variations
• Security is influenced by a multitude of
  otherwise unrelated rules and regulations
• Architectural work requires „navigation“ –
  even outside the IT / security box
            Rules of Engagement
[Figure: SECURITY at the centre, surrounded by the standards that frame it: ISO 17799, ISO TR 13335, BSI Baseline, COBIT etc., ISO TR 15504-2**, ISO 12207*, ISO 15208 and Industry / Professional rules.]
*Software Lifecycle Processes
**Assessment of IT Software Processes
         Rules of Engagement
• Legal provisions: binding, but unspecific
• Some laws on certain aspects of security
  (e. g. signatures) but not comprehensive
• Directives, guidelines etc.: set the political
  scene, but no framework for action
• Industry frameworks (e.g. Basel II):
  security as a prerequisite
         Rules of Engagement
[Figure: SECURITY at the centre, with the neighbouring disciplines around it: Incident Mgmt, Disaster Recovery, Product Certs, BCM, Operational Risk, Facilities Mgmt, Human Resources, Health & Safety.]
Linking Management and Infrastructure
  • Infrastructure is just that: not a management
    process, not a management evaluation
  • Business view is different from infrastructure
    view
  • Infrastructure supports business processes
  • Links are provided by the security
    management process
Linking Management and Infrastructure
  • Security management: design, implement,
    maintain infrastructure and architecture
  • Security architecture = „the house“
  • Security management = „living in the
    house“
  • Security management owns checkpoints /
    gateways for architecture evaluation and
    development
           Useful Standards
• ISO 17799: general framework and guideline
• ISO TR 13335: more specific framework for
  IT security
• BSI Baseline Manual: „toolbox“ for detailed
  security work
• Austrian Security Handbook
• COBIT: audit and control framework, linking
  to other ISACA documents
            Useful Standards
• CobiT Security Baseline & Survival Kits
• Security Architecture Components (SANS)
• ISF Security Standard
• EnSEC
• Other Toolkits, depending on region and industry
  sector
• ISACA SOX Guidelines as a high-level test tool
                  Starting Point
• Use ISO to define security management process –
  make it a „living“ architecture
• Use framework templates to define basic
  architecture elements serving:
   –   Confidentiality
   –   Integrity
   –   Availability
   –   Non-repudiation
• Move on to technology level
      Process and Infrastructure
• Architecture and infrastructure must be
  flexible
• Security management process = continuous
  improvement
• Architecture improves from a defined state to
  another defined state (without losing the level
  of security in the process)
     Process and Infrastructure
• Systems analysis approach: examine all
  states of the overall security system:
  – Current state: apply security criteria
  – Transition state: monitor levels of security
  – Future state: assess security improvement
• Dynamic infrastructure is adaptable to
  quality management standards
          Step-by-Step Life Cycle
• Phase 1 (Analysis): Threats, Risks, Business Impact
• Phase 2 (Analysis): Business Case, Strategy
• Phase 3 (Implementation): Framework – ISO Areas, CobiT
  Baseline
• Phase 4 (Implementation): Detailed Implementation, Project
  Management
• Phase 5 (Verification): Closure (?) – No More Than A
  Gateway
• Phase 6 (Verification): Internal Review, Audit and
  Compliance
     Threats and Threat Analysis
• Resist the temptation to classify technical threats:
  stick to business (see business case below)
• Deductive threat identification:
   – use CERT or other sources for stats on major threats
   – use internal stats and logs where available
• Inductive threat identification:
   – where targets of threats, or threat patterns are known,
     extrapolate to understand where the next hit will be
• What´s a threat? – anything we´re not prepared for,
  anything we refuse to acknowledge
    Threats and Threat Analysis
• Consider architectural weaknesses („threats
  from within“)
• Consider possible internal threats and attack
  paths – both organisational and technical
• Consider external threats on the principles of
  known weaknesses and statistics
• Remember that most serious threats are
  home-made.
        Network Vulnerabilities
• External (WAN / MAN) layer:
   – the usual suspects (at component level, 3rd party operator
     level, DDoS, DNS, etc.)
   – the other side: business pressure, dependency patterns,
     loss of knowledge, SLA deficiencies
• First line internal (LAN, Extranet) layer:
   – the usual suspects (at perimeter): hacks, DoS, scan & hit,
     hijack etc.; refer to CERTs and others for detailed
     operational info
   – the other side: increasing admin effort, LAN / firewall /
     perimeter cost spiralling, IDS and other tools require rework,
     regulation requires extended logging...
        Network Vulnerabilities
• Second line internal (LAN, Intranet) layer:
   – the usual suspects: sniff & run, social, spam, virii / worms
     / spybots etc.; general human error or breach of
     confidence
   – the other side: HR side pressure, forced errors,
     underfunding, architectural weaknesses
• Third line internal (Core, management info, critical
  financials) layer:
   – the usual suspects: inside jobs, former employees, support
     staff
   – the other side: top mgmt unaware, lack of training, inbuilt
     weaknesses (e.g. mgrs´ notebooks or PDA / phone)
Network Vulnerabilities
[Figure: the USER at the centre, surrounded by 3rd Party Networks, LAN / WAN Infrastructure, Physical Surroundings and 3rd Party Managed Services. Moving outward from the user: diminishing influence and awareness on one side, increasing risk and reduced control on the other.]
       Network Vulnerabilities
• Analysis step 1: assume user-centric
  perspective
• Analysis step 2: review tiers / lines of defence
• Analysis step 3: review user involvement,
  awareness and understanding
• Analysis step 4: reconcile threat scenario with
  user view
            Web Environments
• Rising importance of Internet-enabled business
  processes:
   – complex opt-in / opt-out user interaction
   – user choice re. connecting device(s)
   – pervasive access paradigm (802.11x, 802.16 etc.) is replacing
     monitored access
• Typical business problems arising:
   – transaction ownership (responsibility for different stages)
   – managed services / outsourced services in the chain
   – roaming employment patterns
            Web Environments
• Application Layer
   – convergence towards XML and similar standards
   – seamless data continuum across traditional Office, Comms,
     Transaction apps
   – increased entropy in business data use*
• Network Layer
   – uplink / downlink diversity
   – tunnels and other devices replace controlled networks
   – weakest link in the chain is often predominant
• Physical Security
   – end user side = wide range of threats to physical security
   – provider side = probably secure, but no transparency
              Risk Analysis
• Analysis Phase: assess likelihood of material
  threats or threat scenarios
• Use stats and other empirical data as
  appropriate
• Avoid the risk list approach: expect the
  unexpected
• Use operational risk categories (e. g. Basel
  II) where possible
              Risk Analysis
• in security risk analysis, some predefined
  weightings may exist
• not all security-related events / threats have
  the same significance – depending on
  prevention and existing environments
• Many attacks or security events have clear
  prerequisites, e.g. Microsoft environment
            Impact Analysis
• Business impact is often neglected: what
  does a security threat mean for balance
  sheet, P/L and reputation?
• Impact analysis in business terms is a
  requirement in many regulatory frameworks
• Technology impact is distinct and different
  from business impact
• Impact is a time-dependent concept
            Impact Analysis
• Use impact analysis concepts from standard
  BCM frameworks: PAS 56, ISO 17799,
  NFPA 1600, GPG and others
• calculate types of potential damage over
  time, or use best estimate
• ensure direct liaison with business process
  owners who have bottom line responsibility
Impact Analysis
[Figure: layered impact model, top down: BUSINESS LAYER (balance sheet and P/L impact); CORE internal systems (applications, ERP, databases, Interbank etc.); networks and internal infrastructure (LAN / WAN, components, cabling / WLAN etc.); external interfaces and service providers, usually customer-facing.]
                       Impact Analysis
[Chart: „Big Bang“ loss profile. Vertical axis EUR, 0 to 1,400,000, with horizontal Materiality Level and Going Concern Level lines. Horizontal axis: time (not to scale) from 24, 48, 72, 96, 120 hours through 2, 3, 4 weeks to 3, 6 and 12 months.]
                 Impact Analysis
[Chart: „Sudden Death“ loss profile. Vertical axis EUR, 0 to 1,600,000, with Materiality Level and Going Concern Level lines. Horizontal axis: time (not to scale) from 24, 48, 72, 96, 120 hours through 2, 3, 4 weeks to 3, 6 and 12 months.]
                         Impact Analysis
[Chart: „Poison Dart“ loss profile. Vertical axis EUR, 0 to 2,500,000, with Materiality Level and Going Concern Level lines. Horizontal axis: time (not to scale) from 24, 48, 72, 96, 120 hours through 2, 3, 4 weeks to 3, 6 and 12 months.]
            Business Case
• Potential damage (and associated cost) vs.
  required security investment
• Non-technical assessment of available
  options: focus on the money side
• The business case is not about the best
  available technology – it´s more pragmatic
• Assume that the 80% solution will be
  selected
               Business Case
• Talking business means managerial discretion: all
  solutions are politically loaded
• Given that there is no perfect security, aim for the
  maximum of security at reasonable cost
• Assume that strategy (see below) is a living thing
• Assume continuous improvement / maturity cycle
  for security management
                                 Business Case
[Chart: EUR against time t, starting at t0. Labels: damage curve D, Going Concern Line, points P0 and P1, cost C with starting value C0.]
where P1 = P1 (t) and C = GC; P1 therefore shows the „point of no return“ where business cannot continue
                                    Business Case
[Chart: Cost / Performance (low to high) against Risk (low to high), with a Potential Damage curve and a Security Investment curve. Left of their crossing: investment higher than potential damage; at the crossing: TARGET; right of it: potential damage will occur with a high probability.]
Security investment is subject to a cost-benefit view: how much should be invested in IT security to obtain a) adequate protection, and b) keep cost at a reasonable level?
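The Impact Analysis charts and the Business Case „point of no return“ P1, worked through as a small model. This is an added example, not from the slides: the three loss curves, the EUR threshold values and the control figures are constructed, and the „target“ / „over-investment“ labels follow the cost-benefit chart above.

```python
"""Loss-over-time model behind the Impact Analysis charts and the Business
Case point of no return (added example; all EUR figures, curve shapes and
control data are constructed for illustration)."""
from typing import Callable, Dict, List, Optional

# Time axis from the charts (24..120 hours, then weeks and months), in days.
CHECKPOINT_DAYS: List[int] = [1, 2, 3, 4, 5, 14, 21, 28, 90, 180, 365]

# Horizontal lines on the charts (constructed values).
MATERIALITY_LEVEL = 400_000.0      # loss the business has to report
GOING_CONCERN_LEVEL = 1_200_000.0  # loss after which business cannot continue

LossProfile = Callable[[float], float]  # days since the event -> cumulative EUR


def big_bang(days: float) -> float:
    """Large immediate loss, then a steady bleed (e.g. a data centre fire)."""
    return 600_000.0 + 2_000.0 * days


def sudden_death(days: float) -> float:
    """Nothing visible until day 21, then the full loss at once
    (e.g. a regulator withdraws a licence after an investigation)."""
    return 1_400_000.0 if days >= 21 else 0.0


def poison_dart(days: float) -> float:
    """Small at first, accelerating: reputational damage, slow data corruption."""
    return 20.0 * days ** 2


PROFILES: Dict[str, LossProfile] = {
    "Big Bang": big_bang,
    "Sudden Death": sudden_death,
    "Poison Dart": poison_dart,
}


def first_crossing(profile: LossProfile, threshold: float,
                   horizon_days: int = 365) -> Optional[int]:
    """First whole day on which cumulative loss reaches the threshold,
    or None if it stays below it within the horizon."""
    for day in range(horizon_days + 1):
        if profile(day) >= threshold:
            return day
    return None


def impact_table(profiles: Dict[str, LossProfile] = PROFILES
                 ) -> Dict[str, Dict[str, Optional[int]]]:
    """Per profile: days until Materiality and until Going Concern; the latter
    is the point of no return P1 of the Business Case chart."""
    return {
        name: {
            "materiality_day": first_crossing(p, MATERIALITY_LEVEL),
            "going_concern_day": first_crossing(p, GOING_CONCERN_LEVEL),
        }
        for name, p in profiles.items()
    }


def classify_investment(annual_probability: float, profile: LossProfile,
                        loss_reduction: float, control_cost: float,
                        horizon_days: int = 365) -> str:
    """Cost-benefit view of the Business Case slide.

    Expected loss avoided = P(event per year) * loss at horizon * share removed.
    'over-investment': the control costs more than it avoids.
    'under-protected': even with the control the expected residual loss is
    material, i.e. damage will occur with high probability.
    'target': the control pays for itself and residual loss is not material.
    """
    exposure = annual_probability * profile(horizon_days)
    avoided = exposure * loss_reduction
    residual = exposure - avoided
    if control_cost > avoided:
        return "over-investment"
    if residual >= MATERIALITY_LEVEL:
        return "under-protected"
    return "target"


if __name__ == "__main__":
    for name, row in impact_table().items():
        print(f"{name:13s} materiality day {row['materiality_day']}, "
              f"going concern day {row['going_concern_day']}")
    # Constructed control: 30% chance per year of a Poison Dart event, a
    # 150 kEUR control removing 80% of it (the deck's 80% solution).
    print(classify_investment(0.3, poison_dart, 0.8, 150_000.0))
```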
                      Strategy
• As a result of the business case and the reasoning
  behind it, formulate strategy as follows:
   – go for major weaknesses and aim at the 80% level of
     IT security
   – design a scalable architecture that addresses threats
     from simple to advanced
   – cover as much business impact as possible in the first
     round
   – leave enough room for continuous improvement, do
     not commit to technology „dead ends“
                   Strategy
• This is a broadband approach, perhaps neglecting
  the detail. However, the maximum cover at
  minimum cost is what business wants
• Architecture sets the scene, but should be no more
  than an enabler for detailed solutions
• The objective is to win the war, not individual
  battles against specific enemies
• Business will tell you that your resources are
  limited. Using them wisely is the strategist´s
  secret.
      Policies and Procedures
• Security Policy: monolithic document
  defining the framework
• Include business objectives, organisational
  objectives, „tone from the top“
• Make people feel they´re doing the right
  thing when living IT security in day-to-day
  business
      Policies and Procedures
• The security policy may look trivial to IT
  security experts...
• ... but not to users – how many times have
  you had to explain security basics to
  unsuspecting users?
• The security policy is designed to evoke
  security-conscious behaviour, more than
  anything else
       Policies and Procedures
• Procedures always refer to the security
  policy.
• Procedures detail tasks, responsibilities and
  individual solutions
• Recommend template-based approach for
  security-related procedures
• Balance control density with control
  objectives: don´t over-regulate.
            Procedural Level
• Critical business activities / IT services
• QoS indicators and agreed quality
• Use layered model to identify security-
  related interfaces
• Apply defence-in-depth, but don´t over-
  engineer the procedures
      CobiT Security Baseline
• use as baseline document for security
  controls
• use mappings against ISO 17799 where
  appropriate
• use mappings against other local security
  standards for detailed requirements
             Security Toolbox
•   Firewalls and Related Technology
•   Virtual Private Networking (VPN)
•   Intrusion Detection
•   Signatures, Encryption, File Integrity
•   Mobile Security
              Firewalls etc.
• FW have become much more intelligent,
  but certainly more complex to administer
• „Seamless“ array of fw / DMZ still difficult
  to handle
• Critical issues are (still) in configuration
  management and administrative effort
• Essential as first line despite occasional
  capacity problems
              Firewalls etc.
• Main risk is the „de-zoning“ of mobile units
  no longer under the FW regime
• Home users, unauthorised users and other
  organisational problems cannot be covered
  by FW / DMZ
• Long history and relative success breed
  careless behaviour in the presence of FW /
  DMZ arrangements
                    VPN
• Tunnels and virtual networks have matured
  to a level of very high security, but this
  works both ways
• Combined VPN / signature / token solutions
  most convenient and widespread
• Escrow / retrieval problem still unsolved for
  encrypted VPN comms
• Available from most major distributors
                   VPN
• Providing access through VPN tunnels
  raises the question of end point (user)
  security
• Control issues around mobile device
  security (see below) when granting tunnel
  access
• Restrictive handling required, preferably
  with a (more expensive) token solution
           Intrusion Detection
• Host-based or network-based „packaged“
  solutions have reached a high level of maturity
• Deploy HDS / NDS in accordance with data
  classification (ISO or other)
• Performance trade-off still difficult for larger
  environments
• Does the environment / data QoS actually require
  intrusion detection?
          Intrusion Detection
• Regulatory background (logging,
  monitoring etc.) often requires HDS / NDS
  to be deployed on a large scale
• Beware of honeypots and other bait – illegal
  in many European countries
• What is intrusive? Ensure clear and
  unambiguous guidelines for logging and
  escalation
               Integrity Tools
• Signatures now central to many second line of
  defence strategies
• Legal background firmly established
• Authenticity problem is taking on a new
  significance (high-powered transactions, spam,
  Outlook address snatching etc.)
• PKI-based signatures (preferably „qualified“ in
  the legal sense) desirable, but organisationally
  difficult
               Integrity Tools
• Encryption and signatures = two sides of the same
  equation
• Encrypted data traffic now standard, but requires
  complementary signatures (cover both
  confidentiality and integrity)
• Mature discipline: most products provide state-of-
  the-art algorithms and convenience
• In order to authenticate the transaction, all
  integrity components have to be present
                  Integrity Tools
• Other integrity tools (watermark, Digital Rights
  Management etc.) highly controversial
• Consider the „moral dimension“ of using integrity checks:
  what purpose does it serve?
• Traditional approaches, particularly (water-) marking, still
  face known technical problems in terms of resilience
• Pervasive / ubiquitous computing still offers enough
  loopholes to circumvent DRM / copy protect
• As a rule, attacker has unlimited time to crack integrity
  protection mechanisms
                  Integrity Tools
• While data integrity is one of the central third line of
  defence tools, suggested solutions „have an interest“
• DRM and IPR protection appear to be dominant
  objectives, as opposed to „value-free“ integrity protection
• Current toolsets support withholding / restricting rather
  than non-repudiation and authenticity
• The elegance of classic PKI / asymmetric cryptography
  and signatures has not been reached again
• „Quick fix“ mentality in technical solutions to integrity
  problems
             Mobile Security
• Major challenge to the defence-in-depth paradigm
  (no depth, but width)
• Exponential growth in classes of mobile devices
  and device functionality
• Likely to become the single most important
  security problem of the 2000´s / 2010´s
• Transition from portable to wearable
• Much more accessible to wider circles of users
  with limited security awareness
                Mobile Security
• Desktop PC: in a physically controlled, logically secured
  environment → transitioned to notebook PC with limited
  logical control (loopholes) and no physical control
• Notebook PC: transitioned to PDA → very weak logical
  control, no physical control
• PDA: transitioned to mobile phone → very weak logical
  control, security problems at operating system level, user
  security problems
• Mobile phone: transitioning to push devices (Blackberries)
  → strong logical control, no physical control
                Mobile Security
• „Ease of use“ mantra blinds users to security issues
• Blackberries etc. have pushed ubiquitous computing
  towards the managerial classes, with predictable security
  consequences
• New generation of mobile phones has pushed affordable
  mobile power towards unsuspecting users, with equally
  predictable security consequences
• Provider push opens up all sorts of auto-config issues not
  covered in traditional security architectures
                        Closure
• Enterprise Security Architecture – set of building blocks to
  be deployed with a defined purpose and a business case
• Implementation should be followed by closure (as
  mandated by most project management methodologies)
• In a maturity model, closure is the end of an individual
  cycle. Architecture must remain flexible
• No more than a „quality gateway“ – determine whether
  current state is sufficiently well developed to reach next
  maturity level
                    Closure
• Apply state machine model: prior state seen as
  secure, check new state after implementation
• New state / new maturity level should be more
  secure than previous level
• Do not permit „temporary weaknesses“ in
  environments under construction
• Architecture provides the spinal cord for ongoing
  improvement
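The current / transition / future state view from Process and Infrastructure and the closure „quality gateway“ above, as an added example that is not part of the deck. The control names and the 0 to 5 maturity scale are constructed.

```python
"""State-machine check for one architecture improvement cycle (added
example). The deck treats the prior state as secure, monitors the transition
state and allows no "temporary weaknesses" while the new state is built.
Control names and the 0..5 maturity scale are constructed."""
from typing import Dict, List

State = Dict[str, int]  # control area -> maturity level 0..5


def weaknesses(prior: State, candidate: State) -> List[str]:
    """Controls in `candidate` that fall below the prior level or that were
    removed. An empty list means no loss of security against the prior state."""
    found: List[str] = []
    for control, level in prior.items():
        if control not in candidate:
            found.append(f"{control}: removed (was level {level})")
        elif candidate[control] < level:
            found.append(f"{control}: {level} -> {candidate[control]}")
    return found


def check_cycle(prior: State, transition: List[State],
                future: State) -> Dict[str, object]:
    """Quality gateway at closure.

    Every intermediate state must keep each control at or above the prior
    level (no temporary weaknesses); the future state must regress in no
    control and be strictly better in at least one, otherwise the cycle
    does not reach the next maturity level.
    """
    temporary: Dict[str, List[str]] = {}
    for i, step in enumerate(transition):
        found = weaknesses(prior, step)
        if found:
            temporary[f"step {i + 1}"] = found
    final_regressions = weaknesses(prior, future)
    improved = sorted(c for c, lvl in future.items() if lvl > prior.get(c, 0))
    return {
        "passed": not temporary and not final_regressions and bool(improved),
        "temporary_weaknesses": temporary,
        "final_regressions": final_regressions,
        "improved_controls": improved,
    }


# Constructed scenario using the deck's toolbox areas.
PRIOR: State = {"perimeter_fw_dmz": 3, "vpn_token_access": 2,
                "intrusion_detection": 1, "signatures_encryption": 2,
                "mobile_device_control": 1}

# Bad cycle: the old DMZ is torn down before the new one is tuned.
BAD_TRANSITION: List[State] = [
    {**PRIOR, "perimeter_fw_dmz": 2},
    {**PRIOR, "perimeter_fw_dmz": 4},
]
# Good cycle: old and new run side by side, then the other controls follow.
GOOD_TRANSITION: List[State] = [
    {**PRIOR, "perimeter_fw_dmz": 4},
    {**PRIOR, "perimeter_fw_dmz": 4, "vpn_token_access": 3},
]
FUTURE: State = {**PRIOR, "perimeter_fw_dmz": 4, "vpn_token_access": 3,
                 "intrusion_detection": 2, "mobile_device_control": 2}

if __name__ == "__main__":
    for label, path in (("bad", BAD_TRANSITION), ("good", GOOD_TRANSITION)):
        print(label, check_cycle(PRIOR, path, FUTURE))
```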
             Security Audit
• Three-tiered approach preferred:
  – control self-assessment
  – independent internal audit
  – independent external audit
• Have independent auditors define the
  criteria for security architecture
• No wishful thinking!
            Security Audit
• Follow ISO 17799 Chapter 12:
  „independent“ means just that
• Audit should consider technology case and
  business case. The concept of „reasonable“
  security is to be applied.
• Establish relevance of individual findings
  and recommendations.
              Security Audit
• Audit the life cycle, not only current state
• Review improvement / maturity path over time
• With growing maturity, more reliance may be
  placed on control self-assessment
• Regulatory environment requires more
  comprehensive external audit
• Allow yourself the luxury of frequent and in-depth
  external confirmation of what you think – it just
  looks better.
                  Summary
• Security Architecture: Managerial
  Framework
• Corporate (security) governance: Rules of
  Engagement
• Linking Management and Infrastructure:
  Two Worlds Apart?
• Useful Standards: A Starting Point for
  Designing a Security Architecture
                     Summary
• Process and Infrastructure: Architecture is
  Dynamic, Not Static
• Step-By-Step Life Cycle for an Enterprise
  Security Architecture
   –   Phase 1: Threats, Risks, Business Impact
   –   Phase 2: Business Case, Strategy
   –   Phase 3: Framework – ISO Areas, CobiT Baseline
   –   Phase 4: Implementation, Project Management
   –   Phase 5: Closure (?) – No More Than A Gateway
   –   Phase 6: Internal Review, Audit and Compliance

								