Enterprise Security Architecture - PowerPoint PPT Presentation

1 / 24
About This Presentation

Enterprise Security Architecture


Enterprise Security Architecture. Enterprise Security Architecture ... TD Bank of Canada ... to name a few. Lockdown 2004 - Enterprise Security Architecture ... – PowerPoint PPT presentation

Number of Views:210
Avg rating:3.0/5.0
Slides: 25
Provided by: stefa84


Transcript and Presenter's Notes

Title: Enterprise Security Architecture

Enterprise Security Architecture
  • Stefan Wahe
  • UW - Dept of Information Technology Security
  • Stefan.Wahe_at_doit.wisc.edu

  • What is Enterprise Security Architecture (ESA)?
  • What is NAC?
  • Enterprise Security Program
  • NACs Vision of Enterprise Security Architecture
  • Overview
  • Governance
  • Architecture
  • Operations
  • Reference Links

Enterprise Security Architecture
  • Enterprise security architecture provides the
    conceptual design of network security
    infrastructure, related security mechanisms, and
    related security policies and procedures
  • Enterprise security architecture link components
    of the security infrastructure as a cohesive unit
  • The goal of this cohesive unit is to protect
    corporate information
  • SANS One Approach to Enterprise Security

The Network Applications Consortium?
  • The Network Applications Consortium founded 1990
  • Mission Statement Promote member collaboration
    and influence the strategic direction of vendors
    developing virtual-enterprise application and
    infrastructure technologies
  • Goals and Objectives Provide members with the
    tools for radically improving the delivery of
    agile IT infrastructure in support of business
    objectives. NACs dedication to resolving the
    strategic issues and objectives facing member
    organizations, the Consortium maintains an
    ongoing focus on the following strategic
  • Continually aligning the strategic initiatives of
    NAC with the strategic direction of members
  • Influencing the information technology industry
    and promoting ongoing collaboration and knowledge
    sharing among members, vendors, and other
    industry thought leaders
  • Improving application and infrastructure
    interoperability, integration, and manageability
    across the heterogeneous, virtual-enterprise
    computing environment

NAC Member Organizations
  • University of Wisconsin
  • Boeing Company
  • Bechtel
  • Principal Financial Group
  • State Farm Insurance
  • GlaxcoSmithKline
  • Lawrence Livermore National Laboratory
  • TD Bank of Canada
  • to name a few

Enterprise Security Program
  • NAC identified Enterprise Security Architecture
    as part of an overall Enterprise Security Program
  • Program drivers are
  • Business Opportunities
  • Business Requirements
  • Compliance
  • Threats

Enterprise Security Program
  • Program Management consists of
  • Requirements
  • Risk Management
  • Strategy
  • Planning
  • Ongoing Program Assessment
  • Education Awareness

Enterprise Security Program
  • Governance consists of
  • Principles
  • Policies
  • Standards, Guidelines and Procedures
  • Enforcement
  • Ongoing Assessment

Enterprise Security Program
  • Architecture consists of
  • Conceptual Framework
  • Conceptual Architecture
  • Logical Architecture
  • Physical Architecture
  • Design
  • Development

Enterprise Security Program
  • Operations consists of
  • Incident Management
  • Vulnerability Management
  • Compliance
  • Administration
  • Deployment

Enterprise Security Program
ESA - Overview
  • In NACs vision of ESA there is a strong linkage
    between governance, technology architecture and
  • That linkage is provided via
  • The policy framework as part of the governance
  • The policy-driven security architecture
    framework, which develop the technology
    architecture and operations model

ESA - Governance
  • Identify
  • Principles follow the securing of information
    technology assets of the enterprise
  • Principles provide the highest level of guidance
    for the security governance process itself and
    technology architecture and operations
  • Authorize
  • Enforcement of the guiding principles through the
    creation of policies
  • The control domains represent the highest-level
    identification of policy
  • Implement
  • The authorized courses of action
  • The results are the technical standards,
    guidelines and procedures that govern information
    technology security

ESA - Governance
  • Enforcement
  • Built into the technical standards and procedures
  • Requirements for separate enforcement processes
    triggered ex - as a result of security-related
  • Ongoing Assessment
  • Respond to change business models change, new
    technologies are developed and new legislation is
    passed ex - when business products and services
    are offered directly to the consumer through
    web-based front ends

ESA - Governance
  • The Policy Framework Principles
  • The basic identified assumptions, beliefs,
    theories, and values guiding the use and
    management of technology within an organization
  • Organization specific business, legal and
    technical principles
  • Principles Template include Security by Design,
    Managed Risk, Usability and Manageability,
    Defense in Depth, Simplicity, Resilience,
    Integrity and Enforced Policy

ESA - Governance
  • The Policy Framework Policy
  • Policies authorize and define a program of
    actions adopted by an organization to govern the
    use of technology in specific areas of management
  • Policies are a security governance tool used to
    enforce an organizations guiding principles,
    while adhering to legal and business principles
    for establishing and maintaining policy through
    standards, guidelines and procedures

ESA - Governance
  • The Policy Framework Policy
  • Policy Framework Templates
  • NIST 800-XX Policy Framework Template
  • Computer Usage Guidelines
  • Acceptable Use Policy
  • Special Access Policy
  • Special Access Guidelines Agreement
  • Computer Network Hook-up Policy
  • Escalation Procedures for Security Incidents
  • Security Incident Handling Procedures
  • Third Party Network Connections Policy
  • ISO 17799 - A Framework and Template for Policy
    Driven Security
  • SANS Security Policy Project

ESA - Governance
  • The Policy Framework Standards, Guidelines and
  • Policies are implemented through technical
    standards, guidelines and procedures, which NAC
    distinguishes as follows
  • Standards are mandatory directives
  • Guidelines are recommended best practices
  • Procedures describe how to comply with the
    standard or guideline

ESA - Architecture
  • Conceptual Framework generic framework for
    policy-based management of security services
  • Conceptual Architecture conceptual structure
    for management of decision making and policy
    enforcement across a broad set of security
  • Logical Architecture provides more detail on
    the various logical components necessary to
    deliver each security service
  • Physical Architecture identifies specific
    products, showing their placement and
    connectivity relationships required to deliver
    the necessary functionality, performance and

ESA - Architecture
  • Design and Development
  • Range from overall process guidelines to specific
    guides, templates, and tools
  • Include design patterns, code samples, reusable
    libraries, and testing tools
  • Aimed at effective utilization of ESA and
    effective integration into the ESA environment

ESA Operations
  • Security Operations defines the processes
    required for operational support of a
    policy-driven security environment
  • Administration, compliance, and vulnerability
    management processes required to ensure that the
    technology as deployed conforms to policy and
    provides adequate protection to control the level
    of risk to the environment
  • The administration, event, and incident
    management processes required to enforce policy
    on the users of the environment

ESA Operations
  • Asset Management - a component and process for
    maintaining the inventory of hardware and
    software assets required to support device
    administration, compliance monitoring,
    vulnerability scanning and other aspects of
    security operations. Though not strictly an ESA
    component, it is a key dependency of security
  • Administration process for securing the
    organizations operational digital assets against
    accidental or unauthorized modification or
  • Compliance process for ensuring that the
    deployed technology conforms to the
    organizations policies, procedures and

ESA Operations
  • Vulnerability Management process for
    identifying high-risk infrastructure components,
    assessing their vulnerabilities, and taking the
    appropriate actions to control the level of risk
    to the operational environment
  • Event Management process for day-to-day
    management of the security-related events
    generated by a variety of devices across the
    operational environment, including security,
    network, storage and host devices
  • Incident Management process for responding to
    security-related events that indicate a violation
    or imminent threat of violation of security policy

References Links
  • Corporate Governance Task Forces Call to Action
    - http//www.cyberpartnership.org/InfoSecGov4_04.p
  • ISO/IEC 177992000 Code of Practice for
    Information Security Management -
  • Network Application Consortiums Enterprise
    Security Architecture A Framework and Template
    for Policy Driven Security - http//www.netapps.or
  • NIST Security Self Assessment Guide -
  • SANS Security Policy Project - http//www.sans.org
  • Email Stefan.Wahe_at_doit.wisc.edu
Write a Comment
User Comments (0)
About PowerShow.com