Enterprise Security Architecture - PowerPoint PPT Presentation

Title: Enterprise Security Architecture

Description: Enterprise Security Architecture ... TD Bank of Canada ... to name a few. Lockdown 2004 - Enterprise Security Architecture

Slides: 25
Provided by: stefa84

Transcript and Presenter's Notes

1
Enterprise Security Architecture
  • Stefan Wahe
  • UW - Dept of Information Technology Security
  • Stefan.Wahe@doit.wisc.edu

2
Outline
  • What is Enterprise Security Architecture (ESA)?
  • What is NAC?
  • Enterprise Security Program
  • NAC's Vision of Enterprise Security Architecture
    • Overview
    • Governance
    • Architecture
    • Operations
  • Reference Links

3
Enterprise Security Architecture
  • Enterprise security architecture provides the
    conceptual design of the network security
    infrastructure, the related security mechanisms,
    and the related security policies and procedures
  • Enterprise security architecture links the
    components of the security infrastructure into a
    cohesive unit
  • The goal of this cohesive unit is to protect
    corporate information
  • Source: SANS, One Approach to Enterprise Security
    Architecture

4
What is the Network Applications Consortium?
  • The Network Applications Consortium (NAC) was
    founded in 1990
  • Mission statement: promote member collaboration
    and influence the strategic direction of vendors
    developing virtual-enterprise application and
    infrastructure technologies
  • Goals and objectives: provide members with the
    tools for radically improving the delivery of
    agile IT infrastructure in support of business
    objectives. Reflecting NAC's dedication to
    resolving the strategic issues and objectives
    facing member organizations, the Consortium
    maintains an ongoing focus on the following
    strategic objectives:
    • Continually aligning the strategic initiatives
      of NAC with the strategic direction of members
    • Influencing the information technology industry
      and promoting ongoing collaboration and
      knowledge sharing among members, vendors, and
      other industry thought leaders
    • Improving application and infrastructure
      interoperability, integration, and manageability
      across the heterogeneous, virtual-enterprise
      computing environment

5
NAC Member Organizations
  • University of Wisconsin
  • Boeing Company
  • Bechtel
  • Principal Financial Group
  • State Farm Insurance
  • GlaxoSmithKline
  • Lawrence Livermore National Laboratory
  • TD Bank of Canada
  • ... to name a few

6
Enterprise Security Program
  • NAC identified Enterprise Security Architecture
    as part of an overall Enterprise Security Program
  • Program drivers are:
    • Business Opportunities
    • Business Requirements
    • Compliance
    • Threats

7
Enterprise Security Program
  • Program Management consists of:
    • Requirements
    • Risk Management
    • Strategy
    • Planning
    • Ongoing Program Assessment
    • Education and Awareness

8
Enterprise Security Program
  • Governance consists of:
    • Principles
    • Policies
    • Standards, Guidelines and Procedures
    • Enforcement
    • Ongoing Assessment

9
Enterprise Security Program
  • Architecture consists of:
    • Conceptual Framework
    • Conceptual Architecture
    • Logical Architecture
    • Physical Architecture
    • Design
    • Development

10
Enterprise Security Program
  • Operations consists of:
    • Incident Management
    • Vulnerability Management
    • Compliance
    • Administration
    • Deployment

11
Enterprise Security Program

12
ESA - Overview
  • In NAC's vision of ESA there is a strong linkage
    between governance, technology architecture and
    operations.
  • That linkage is provided via:
    • The policy framework, as part of the governance
      model
    • The policy-driven security architecture
      framework, which develops the technology
      architecture and the operations model

13
ESA - Governance
  • Identify
    • Principles for securing the information
      technology assets of the enterprise are
      identified
    • Principles provide the highest level of guidance
      for the security governance process itself and
      for the technology architecture and operations
  • Authorize
    • The guiding principles are enforced through the
      creation of policies
    • The control domains represent the highest-level
      identification of policy
  • Implement
    • The authorized courses of action are implemented
    • The results are the technical standards,
      guidelines and procedures that govern information
      technology security

14
ESA - Governance
  • Enforcement
    • Built into the technical standards and procedures
    • Requirements for separate enforcement processes,
      triggered for example as a result of
      security-related events
  • Ongoing Assessment
    • Respond to change: business models change, new
      technologies are developed and new legislation is
      passed (for example, when business products and
      services are offered directly to the consumer
      through web-based front ends)

15
ESA - Governance
  • The Policy Framework: Principles
    • The basic identified assumptions, beliefs,
      theories, and values guiding the use and
      management of technology within an organization
    • Organization-specific business, legal and
      technical principles
    • The NAC principles template includes Security by
      Design, Managed Risk, Usability and
      Manageability, Defense in Depth, Simplicity,
      Resilience, Integrity and Enforced Policy

16
ESA - Governance
  • The Policy Framework: Policy
    • Policies authorize and define a program of
      actions adopted by an organization to govern the
      use of technology in specific areas of management
      control
    • Policies are a security governance tool used to
      enforce an organization's guiding principles,
      while adhering to legal and business principles
      for establishing and maintaining policy through
      standards, guidelines and procedures

17
ESA - Governance
  • The Policy Framework: Policy
    • Policy framework templates:
      • NIST 800-XX Policy Framework Template
      • Computer Usage Guidelines
      • Acceptable Use Policy
      • Special Access Policy
      • Special Access Guidelines Agreement
      • Computer Network Hook-up Policy
      • Escalation Procedures for Security Incidents
      • Security Incident Handling Procedures
      • Third Party Network Connections Policy
      • ISO 17799 - A Framework and Template for Policy
        Driven Security
      • SANS Security Policy Project

18
ESA - Governance
  • The Policy Framework: Standards, Guidelines and
    Procedures
    • Policies are implemented through technical
      standards, guidelines and procedures, which NAC
      distinguishes as follows:
      • Standards are mandatory directives
      • Guidelines are recommended best practices
      • Procedures describe how to comply with a
        standard or guideline

19
ESA - Architecture
  • Conceptual Framework: a generic framework for
    policy-based management of security services
  • Conceptual Architecture: the conceptual structure
    for management of decision making and policy
    enforcement across a broad set of security
    services
  • Logical Architecture: provides more detail on
    the various logical components necessary to
    deliver each security service
  • Physical Architecture: identifies specific
    products, showing their placement and the
    connectivity relationships required to deliver
    the necessary functionality, performance and
    reliability

20
ESA - Architecture
  • Design and Development
    • Range from overall process guidelines to specific
      guides, templates, and tools
    • Include design patterns, code samples, reusable
      libraries, and testing tools
    • Aimed at effective utilization of the ESA and
      effective integration into the ESA environment

21
ESA Operations
  • Security Operations defines the processes
    required for operational support of a
    policy-driven security environment:
    • The administration, compliance and vulnerability
      management processes required to ensure that the
      technology as deployed conforms to policy and
      provides adequate protection to control the level
      of risk to the environment
    • The administration, event and incident
      management processes required to enforce policy
      on the users of the environment

22
ESA Operations
  • Asset Management: a component and process for
    maintaining the inventory of hardware and
    software assets, required to support device
    administration, compliance monitoring,
    vulnerability scanning and other aspects of
    security operations. Though not strictly an ESA
    component, it is a key dependency of security
    operations
  • Administration: the process for securing the
    organization's operational digital assets against
    accidental or unauthorized modification or
    disclosure
  • Compliance: the process for ensuring that the
    deployed technology conforms to the
    organization's policies, procedures and
    architecture

23
ESA Operations
  • Vulnerability Management: the process for
    identifying high-risk infrastructure components,
    assessing their vulnerabilities, and taking the
    appropriate actions to control the level of risk
    to the operational environment
  • Event Management: the process for day-to-day
    management of the security-related events
    generated by a variety of devices across the
    operational environment, including security,
    network, storage and host devices
  • Incident Management: the process for responding
    to security-related events that indicate a
    violation or imminent threat of violation of
    security policy
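The following is an added example and is not code from the presentation or from NAC. It shows what the compliance process of slide 22 looks like when the standards/guidelines distinction of slide 18 is encoded as checks: a standard (mandatory) violation fails the assessment, a guideline (recommended) deviation only warns, and a host that is deployed but absent from the asset inventory is reported as unassessable, which is the asset-management dependency slide 22 calls out. The staleness rule also ties in the scanning cadence that slide 23's vulnerability management process relies on. Python is an assumption (the slides name no tooling), and every hostname, service, threshold and rule identifier below is hypothetical.

```python
"""Policy-driven compliance check over an asset inventory.

Added example, not code from the presentation or from NAC. It encodes NAC's
distinction between standards (mandatory directives) and guidelines
(recommended practices) as checks that a compliance process runs over the
asset inventory. All hostnames, services, thresholds and rule identifiers
are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Level(Enum):
    STANDARD = "standard"    # mandatory directive: a violation is a FAIL
    GUIDELINE = "guideline"  # recommended practice: a deviation is a WARN


@dataclass(frozen=True)
class Rule:
    rule_id: str
    level: Level
    description: str
    check: Callable[[dict], bool]  # True when the observed config complies


@dataclass(frozen=True)
class Finding:
    asset: str
    rule_id: str
    severity: str  # "FAIL", "WARN" or "UNKNOWN"
    detail: str


# Hypothetical technical standards and guidelines implementing a policy.
RULES = [
    Rule("STD-001", Level.STANDARD,
         "Remote administration uses SSH; telnet is prohibited",
         lambda cfg: "telnet" not in cfg["services"]),
    Rule("STD-002", Level.STANDARD,
         "Host has been vulnerability-scanned within the last 30 days",
         lambda cfg: cfg["days_since_scan"] <= 30),
    Rule("GDL-001", Level.GUIDELINE,
         "Host-based firewall should be enabled",
         lambda cfg: cfg["host_firewall"]),
]

# Constructed asset inventory (what asset management says the organization owns).
INVENTORY = {"web01", "db01", "jump01"}

# Constructed snapshot of deployed configuration (what was actually observed).
OBSERVED = {
    "web01": {"services": ["https", "ssh"], "days_since_scan": 12, "host_firewall": True},
    "db01": {"services": ["mysql", "telnet"], "days_since_scan": 45, "host_firewall": False},
    "lab07": {"services": ["ssh"], "days_since_scan": 3, "host_firewall": True},
}


def assess(inventory, observed, rules=RULES):
    """Run every rule against every asset; report inventory gaps as UNKNOWN."""
    findings = []
    for host in sorted(set(inventory) | set(observed)):
        if host not in inventory:
            # A deployed host that asset management does not know about cannot
            # be governed, so it is reported rather than silently assessed.
            findings.append(Finding(host, "ASSET", "UNKNOWN",
                                    "deployed host missing from asset inventory"))
            continue
        if host not in observed:
            findings.append(Finding(host, "ASSET", "UNKNOWN",
                                    "inventoried asset not observed; cannot assess"))
            continue
        cfg = observed[host]
        for rule in rules:
            if rule.check(cfg):
                continue
            severity = "FAIL" if rule.level is Level.STANDARD else "WARN"
            findings.append(Finding(host, rule.rule_id, severity, rule.description))
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {"FAIL": 0, "WARN": 0, "UNKNOWN": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def is_compliant(findings):
    """Compliance requires zero standard violations. Guideline deviations and
    inventory gaps are reported for follow-up but do not fail the assessment."""
    return summarize(findings)["FAIL"] == 0


if __name__ == "__main__":
    results = assess(INVENTORY, OBSERVED)
    for f in results:
        print(f"{f.severity:8} {f.asset:8} {f.rule_id:8} {f.detail}")
    print("summary:", summarize(results), "compliant:", is_compliant(results))
```

With the constructed data, db01 fails both standards (telnet enabled, scan 45 days old) and deviates from the firewall guideline, lab07 is flagged because it is running but not inventoried, and jump01 is flagged because it is inventoried but was never observed; the assessment as a whole is non-compliant because of the two standard violations. Whether an UNKNOWN should block compliance is a governance decision, which is exactly the kind of choice the policy framework is meant to make explicit rather than leave to the tooling.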

24
Reference Links
  • Corporate Governance Task Force's Call to Action -
    http://www.cyberpartnership.org/InfoSecGov4_04.pdf
  • ISO/IEC 17799:2000 Code of Practice for
    Information Security Management -
    http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
  • Network Applications Consortium's Enterprise
    Security Architecture: A Framework and Template
    for Policy Driven Security - http://www.netapps.org
  • NIST Security Self-Assessment Guide (SP 800-26) -
    http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
  • SANS Security Policy Project -
    http://www.sans.org/resources/policies
  • Email: Stefan.Wahe@doit.wisc.edu