Building secure apps and systems requires upfront and close coordination among many groups.
In this slidecast, George Hulme discusses how enterprise architects can drive that coordination and effect the required change that depends on it.
Five Essential Practices for Security-Aware Enterprise Architecture
1. Five Essential Enterprise
Architecture Practices to Create the
Security-Aware Enterprise
Presented by
2. The Enterprise Architect is
Ideally Positioned to Help
Improve IT Security.
Security efforts need to help the business achieve its
objectives while reducing risk, whether the
enterprise wants to:
Launch a new Web site.
Create a database.
Build a collaboration platform.
Embrace mobility.
Move to Cloud computing.
3. Everything with which the Enterprise Architect
is charged speaks directly to business
alignment–across technologies, workflows
and roles!
4. The Enterprise Architect’s
Charges* Include:
Supporting enterprise goals.
Helping build and support business processes.
Enhancing organizational structure and culture.
Designing sustainable IT systems and applications.
*All of which must be done with security in mind.
5. Business Alignment Falters When
Security is Bolted on, not Built in.
Despite the importance of IT security in keeping data
and enterprise systems secure and ensuring that the
enterprise operates within regulatory compliance
requirements, the tendency is to add security onto systems
after they’ve been built.
Or worse, after they’ve been deployed.
6. The High Cost of Failure
Generally, it is much more difficult to add security to a
system after it has been designed or once deployed than it is
to build it right to begin with.
Worse yet, bolt-on approaches are more likely to lead to
costly security failures, such as breaches:
High Price of a Security Failure:
Cost of a data breach: $214 per compromised record
Average cost per data breach event: $7.2 million
Source: Ponemon Institute U.S. Cost of a Data Breach report, 2011
7. Driving Coordination, Effecting Change
Building inherently secure applications and systems requires
tight, open and upfront coordination among many groups.
Enterprise architects are in the position to drive that
coordination and effect the required change that depends on it.
Because their work is so integral to business alignment–and to
driving the agility the enterprise requires to deliver better
business service–enterprise architects have a firm
understanding of how systems are being deployed, as well as
knowledge of the business objectives behind these systems.
8. Thus:
The enterprise architect can drive value in aligning security
teams, quality assurance teams, developers, the office of the
CIO, and business managers and executives.
All those parties — in conjunction with the enterprise architect
— must work together to ensure that the focus and resources
necessary to maintain a secure IT posture are in place.
9. Still, This Won’t Be Easy . . .
This may be the first time all of these groups work together early
in the solutions creation process. Expect tension. For instance:
Security teams may request certain controls that could seem
onerous to others involved in the effort (including enterprise IT
architects).
Developers may view security as a roadblock at times–and
shun its input.
10. Taking the Lead, Breaking Bad Habits
59 percent of enterprise development teams are not
following quality and security processes "rigorously"
when developing new software.
26 percent have few or no secure software
development processes.
Only 48 percent claim to follow audit procedures
rigorously.
More than 70 percent felt that there was insufficient
security guidance for key technology models such as
cloud, virtualization, mobile devices and mainframes.
Source: Creative Intellect Consulting, “The State of Secure Application Lifecycle Management.” The report was
based on a survey of software development, IT and information security professionals around the world.
11. “We’d like to see organizations taking a multi-faceted
approach to tackling the…security challenge.
‘Secure by Design and Practice’ should be the call to action
adopted by organizations to address the software security
challenge more directly.”
—Bola Rotibi, founder of Creative Intellect Consulting
12. Five Essential Enterprise Architecture
Practices to Create
the Security-Aware Enterprise
1. Get executive sponsorship.
2. Foster a collaborative environment.
3. Pick, at first, easily attainable projects.
4. Evaluate security risks during planning & design.
5. Build security processes into workflow.
13. Step 1: Get Executive Sponsorship
In order for enterprise architects to get security, operations
and other teams to work cohesively together, it’s helpful to
insert executive leadership into the process, so they can set
business objectives and expectations across teams. Should
security processes or communications break down, executive
leadership can reiterate those processes’ importance to the
business.
Without such political cover, efforts can quickly fray and
fall apart.
14. Step 1: Get Executive Sponsorship
Setting the stage for the integration of security through the
development process will change how new initiatives are built,
and how the operations work together. Win political
sponsorship to get started by:
Showing business leaders the threats against the company.
Demonstrating how integrating security into a product or
application from the start can reduce risk.
Demonstrating areas where cost of securing systems can be
reduced through integrating security processes with design.
15. Step 1: Get Executive Sponsorship
This level of sponsorship should be easier today than it was
just a few years ago, as security is reporting less often to
the CIO’s office and increasingly to the board of directors.
That’s a level of recognition for their work that can’t be
ignored by any other groups associated with a project:
16. Step 1: Get Executive Sponsorship
The Changing Reporting Structure for CISOs/Equivalent
Information Security Leaders
Source: PricewaterhouseCoopers LLP: 2011 Global State of Information Security Survey
* This calculation measures the difference between response levels over a three-year period from 2007 to 2010.
17. Step 2: Foster a Collaborative
Environment, Starting with the
Security Team
Encourage information security’s involvement as an enabler.
Engage with the CISO’s office as a consultative resource to
evaluate the business risk of new initiatives and have the staff
propose alternatives for reducing that risk.
18. Step 2: Foster a Collaborative
Environment, Starting with the
Security Team
What would collaboration entail?
Example: A new application is to be built. The enterprise
architect can bring the security team into the picture during the
design phase to evaluate access controls, secure architecture
and deployment, and how such things as data
encryption, digital certificates and other components could be
built to optimize security and regulatory compliance for this
effort and to apply to future efforts as part of a wider EA
blueprint.
19. “Most organizations’ enterprise IT architects find that they
are constantly battling with the information
security groups rather than truly consulting with them.”
—CISO at regional healthcare provider.
They translate IT security personnel’s natural caution as
meaning that the group default is to just say no.
20. Step 3: Start with Easily
Attainable Projects
As this is probably the first time that groups ranging from
security to development have collaborated from the start of
a project, it’s advisable that the initial project not be a
major business initiative. An easy win, or a couple of easier
wins, in the beginning will help teams to learn how to work
together and get processes right, and build a foundation of
credibility and trust.
21. Step 3: Start with Easily
Attainable Projects
Consider small-in-scope projects, such as a focused
departmental initiative. Examples include helping a team
build security into the initial design of:
A mobile application for a select group of field workers.
A new database for emerging market customers.
A new e-commerce application dedicated to a particular
segment of B-to-B clients.
22. “Whenever trying to effect organizational change, it's
always smart to start smaller, perfect those processes,
and then apply them more broadly over time.”
— Pete Lindstrom, Research Director at the market
research firm Spire Security.
23. Step 4: Evaluate Risks During
Planning & Design
Enterprise architects should focus on ensuring that the
group lets the security team do what it does best: find and
evaluate risk. If it's a database front-end being deployed on
tablets, as a simple example, have the security team do the
vetting and report back to the enterprise architect and the team
for remediation.
24. Step 4: Evaluate Risks During
Planning & Design
To rank risks and develop ways to mitigate them,
ask the following questions:
How might the deployment of new technologies potentially
introduce vulnerabilities and compromise workloads?
How is the data being collected and/or accessed classified?
What job roles are permitted access?
What credentials will be used for authentication?
Has the application code had a security review?
What industry or government regulations come into play?
25. Step 5: Build Security Processes
Into Workflow
Over time, the practice of designing security into new
initiatives will become part of the organizational fabric.
Security, operations and the enterprise architect’s office will
learn how to work effectively together.
Processes will be put into place that will improve the overall
IT security of the organization.
Checkpoints will be put into place so that the risk posture of
new initiatives can be evaluated as they move from design
through production.
After a few successes and lessons learned, the processes and
procedures put into place can be used throughout the
organization on all new initiatives.
26. In Conclusion:
Security coordination driven from the enterprise architect will:
Help align security with business objectives.
Secure new initiatives more cost-effectively.
Develop successful security processes that can be replicated
throughout the organization.
Lead to a decline in the risk of data breaches.
Lead to an increase in regulatory compliance.
27. The End-State:
“I firmly believe that having an enterprise architect who is a
partner of the information security group (and vice versa)
removes a number of barriers to the design and deployment of
new solutions and allows them to be delivered quickly within
policy guidelines and with acceptable levels of risk.”
—Enterprise architect, global engineering company