Enterprise Security Architecture

1
Enterprise Security Architecture

• Stefan Wahe
• UW - Dept of Information Technology Security
• Stefan.Wahe_at_doit.wisc.edu

2
Outline

• What is Enterprise Security Architecture (ESA)?
• What is NAC?
• Enterprise Security Program
• NACs Vision of Enterprise Security Architecture
• Overview
• Governance
• Architecture
• Operations
• Reference Links

3
Enterprise Security Architecture

• Enterprise security architecture provides the
  conceptual design of network security
  infrastructure, related security mechanisms, and
  related security policies and procedures
• Enterprise security architecture link components
  of the security infrastructure as a cohesive unit
• The goal of this cohesive unit is to protect
  corporate information
• SANS One Approach to Enterprise Security
  Architecture

4
The Network Applications Consortium?

• The Network Applications Consortium founded 1990
• Mission Statement Promote member collaboration
  and influence the strategic direction of vendors
  developing virtual-enterprise application and
  infrastructure technologies
• Goals and Objectives Provide members with the
  tools for radically improving the delivery of
  agile IT infrastructure in support of business
  objectives. NACs dedication to resolving the
  strategic issues and objectives facing member
  organizations, the Consortium maintains an
  ongoing focus on the following strategic
  objectives
• Continually aligning the strategic initiatives of
  NAC with the strategic direction of members
• Influencing the information technology industry
  and promoting ongoing collaboration and knowledge
  sharing among members, vendors, and other
  industry thought leaders
• Improving application and infrastructure
  interoperability, integration, and manageability
  across the heterogeneous, virtual-enterprise
  computing environment

5
NAC Member Organizations

• University of Wisconsin
• Boeing Company
• Bechtel
• Principal Financial Group
• State Farm Insurance
• GlaxcoSmithKline
• Lawrence Livermore National Laboratory
• TD Bank of Canada
• to name a few

6
Enterprise Security Program

• NAC identified Enterprise Security Architecture
  as part of an overall Enterprise Security Program
• Program drivers are
• Business Opportunities
• Business Requirements
• Compliance
• Threats

7
Enterprise Security Program

• Program Management consists of
• Requirements
• Risk Management
• Strategy
• Planning
• Ongoing Program Assessment
• Education Awareness

8
Enterprise Security Program

• Governance consists of
• Principles
• Policies
• Standards, Guidelines and Procedures
• Enforcement
• Ongoing Assessment

9
Enterprise Security Program

• Architecture consists of
• Conceptual Framework
• Conceptual Architecture
• Logical Architecture
• Physical Architecture
• Design
• Development

10
Enterprise Security Program

• Operations consists of
• Incident Management
• Vulnerability Management
• Compliance
• Administration
• Deployment

11
Enterprise Security Program
12
ESA - Overview

• In NACs vision of ESA there is a strong linkage
  between governance, technology architecture and
  operations.
• That linkage is provided via
• The policy framework as part of the governance
  model
• The policy-driven security architecture
  framework, which develop the technology
  architecture and operations model

13
ESA - Governance

• Identify
• Principles follow the securing of information
  technology assets of the enterprise
• Principles provide the highest level of guidance
  for the security governance process itself and
  technology architecture and operations
• Authorize
• Enforcement of the guiding principles through the
  creation of policies
• The control domains represent the highest-level
  identification of policy
• Implement
• The authorized courses of action
• The results are the technical standards,
  guidelines and procedures that govern information
  technology security

14
ESA - Governance

• Enforcement
• Built into the technical standards and procedures
• Requirements for separate enforcement processes
  triggered ex - as a result of security-related
  events
• Ongoing Assessment
• Respond to change business models change, new
  technologies are developed and new legislation is
  passed ex - when business products and services
  are offered directly to the consumer through
  web-based front ends

15
ESA - Governance

• The Policy Framework Principles
• The basic identified assumptions, beliefs,
  theories, and values guiding the use and
  management of technology within an organization
• Organization specific business, legal and
  technical principles
• Principles Template include Security by Design,
  Managed Risk, Usability and Manageability,
  Defense in Depth, Simplicity, Resilience,
  Integrity and Enforced Policy

16
ESA - Governance

• The Policy Framework Policy
• Policies authorize and define a program of
  actions adopted by an organization to govern the
  use of technology in specific areas of management
  control
• Policies are a security governance tool used to
  enforce an organizations guiding principles,
  while adhering to legal and business principles
  for establishing and maintaining policy through
  standards, guidelines and procedures

17
ESA - Governance

• The Policy Framework Policy
• Policy Framework Templates
• NIST 800-XX Policy Framework Template
• Computer Usage Guidelines
• Acceptable Use Policy
• Special Access Policy
• Special Access Guidelines Agreement
• Computer Network Hook-up Policy
• Escalation Procedures for Security Incidents
• Security Incident Handling Procedures
• Third Party Network Connections Policy
• ISO 17799 - A Framework and Template for Policy
  Driven Security
• SANS Security Policy Project

18
ESA - Governance

• The Policy Framework Standards, Guidelines and
  Procedures
• Policies are implemented through technical
  standards, guidelines and procedures, which NAC
  distinguishes as follows
• Standards are mandatory directives
• Guidelines are recommended best practices
• Procedures describe how to comply with the
  standard or guideline

19
ESA - Architecture

• Conceptual Framework generic framework for
  policy-based management of security services
• Conceptual Architecture conceptual structure
  for management of decision making and policy
  enforcement across a broad set of security
  services
• Logical Architecture provides more detail on
  the various logical components necessary to
  deliver each security service
• Physical Architecture identifies specific
  products, showing their placement and
  connectivity relationships required to deliver
  the necessary functionality, performance and
  reliability

20
ESA - Architecture

• Design and Development
• Range from overall process guidelines to specific
  guides, templates, and tools
• Include design patterns, code samples, reusable
  libraries, and testing tools
• Aimed at effective utilization of ESA and
  effective integration into the ESA environment

21
ESA Operations

• Security Operations defines the processes
  required for operational support of a
  policy-driven security environment
• Administration, compliance, and vulnerability
  management processes required to ensure that the
  technology as deployed conforms to policy and
  provides adequate protection to control the level
  of risk to the environment
• The administration, event, and incident
  management processes required to enforce policy
  on the users of the environment

22
ESA Operations

• Asset Management - a component and process for
  maintaining the inventory of hardware and
  software assets required to support device
  administration, compliance monitoring,
  vulnerability scanning and other aspects of
  security operations. Though not strictly an ESA
  component, it is a key dependency of security
  operations
• Administration process for securing the
  organizations operational digital assets against
  accidental or unauthorized modification or
  disclosure
• Compliance process for ensuring that the
  deployed technology conforms to the
  organizations policies, procedures and
  architecture

23
ESA Operations

• Vulnerability Management process for
  identifying high-risk infrastructure components,
  assessing their vulnerabilities, and taking the
  appropriate actions to control the level of risk
  to the operational environment
• Event Management process for day-to-day
  management of the security-related events
  generated by a variety of devices across the
  operational environment, including security,
  network, storage and host devices
• Incident Management process for responding to
  security-related events that indicate a violation
  or imminent threat of violation of security policy

24
References Links

• Corporate Governance Task Forces Call to Action
  - http//www.cyberpartnership.org/InfoSecGov4_04.p
  df
• ISO/IEC 177992000 Code of Practice for
  Information Security Management -
  http//csrc.nist.gov/publications/secpubs/otherpub
  s/reviso-faq.pdf
• Network Application Consortiums Enterprise
  Security Architecture A Framework and Template
  for Policy Driven Security - http//www.netapps.or
  g
• NIST Security Self Assessment Guide -
  http//csrc.nist.gov/publications/nistpubs/800-26/
  sp800-26.pdf
• SANS Security Policy Project - http//www.sans.org
  /resources/policies
• Email Stefan.Wahe_at_doit.wisc.edu