This document discusses building an information security architecture aligned with business objectives. It emphasizes establishing trust models and security domains to understand information flows and define appropriate controls at boundaries. This helps prioritize security efforts, automate baseline protections, and allow resources to focus on higher business risks. Defining controls based on trust and authority relationships can improve security posture while enabling productivity, innovation and business flexibility.
2. The on-going promotion of security…
• Increasing threats
• Complex Vulnerabilities
• Large, intricate solutions required
Copyright 2007 – Seccuris Inc.
3. We're sucked into acting on generic justifications!
After implementing large, intricate solutions we have:
• Increased our workload
• Impacted productivity and innovation in the environment
4. The internal challenge…
What do we hear most from IT & IT Security Departments regarding support?
• We are under-resourced
• We are fighting a losing battle
• The "business" is making our jobs harder
We are misaligned with the business!
6. Our key issue…
We are using Security to undermine the business
• How many organizations' business is information security?
• Not many.
• Information Security enables the business to operate effectively with a properly managed (balanced) risk profile.
7. Our key issue…
We are using Security to undermine the business
• How many organizations' businesses need information security?
8. Our key issue…
Every business requires Trust & Relationships
• Information Security ensures:
  • Trust is maintained appropriately for the level of risk
  • Relationships are protected and “assured” (AIC: Availability, Integrity, Confidentiality)
10. Why are we undermining the business?
The current approach to security solutions undermines:
• business productivity
• the benefits of new technologies
11. Undermining the Business
We implement solutions that focus on security, not on the business:
• Prevent systems from interfacing with other systems: FW, IDS/IPS solutions
• Restrict user abilities within the application: application & database controls
• Authorize access to information systems & services: web filtering / instant messaging control / SSL VPN
12. Undermining the Business
We build unnecessary conflict into our projects and environment
• Being on the “Same Team” is seen as a conflict
• Why is being on the “Same Team” an issue?
• Who is really accepting the risk?
13. Undermining the Business
We implement solutions without Justification, Prioritization & Completeness
Lacking processes such as:
• Business Requirements for Information Sharing
• Privacy and Security Requirements Definition
• Solution Design Reviews
• Environment Validation & Health Checks
• Incident Handling & Forensic Investigation
• Business Risk acceptance for implemented solutions
15. Undermining the Business
Are we undermining the benefits of new technologies?
• Enterprise Storage & Backup Solutions
• Remote Access
• VOIP
• Virtualization
16. Improving enablement of the business
An Information Security Framework aligns controls and solutions, enabling business objectives AND US!
17. SABSA: Enterprise Security Framework
Focuses on:
• Establishing Business Context
• Developing a Business Risk Model
• Developing a Conceptual Trust Model
• Developing a Security Domain Model
• Understanding business priorities, environment gaps and key strategies to move forward
19. Developing a Conceptual Trust Model
To secure the organization:
• Identify entities involved with the organization
• Define information flowing between business entities
• Assess the assurance required to establish trust
21. Developing a Conceptual Trust Model
SABSA – Example Trust Model
[Diagram: entity and trust-relationship map; only its labels survive extraction]
Entities: 1. Clients (1a. Target Clients, 1b. Industry); 2. Other Stakeholders (2a. Industry Groups, 2b. Media); 3. General Suppliers (3a. Vendors & Contractors, 3b. Suppliers, 3c. External Regulators, e.g. PCI); 4. Integrated Suppliers/Partners (4a. Outsourced Delivery (IT), 4b. Outsourced Delivery (Business/Program)); 5. Partner Organizations (5a. Partner 1, 5b. Partner 2); 6. Our Organization; 7. Executive Management (7a. Board Executive); 8. General Management; 9. Organizational Units (9a. Business Administration, 9b. Service Delivery); 10. Independent Sales Offices; 11. Sales Agencies.
Trust relationships (TH) and the information they carry: TH1 Financial, Personal, Health Information; TH2 Client Confidential Information; TH3 Financial, Performance Status Information; TH4 Public Information; TH5 Compliance Audits, Sensitive Information; TH6 Intellectual Property; TH7 Intellectual Property, Financial, Employee/Client Personal, Employee/Client Personal Health Information, Compliance Audits; TH8 Intellectual Property, Financial, Employee/Client Personal, Employee/Client Personal Health Information; TH9 and TH10 Financial, Client Personal, Business Confidential Information.
22. Conceptual Trust Model:
Define Information Sharing
• Financial, Personal & Health Information
• Intellectual Property, Financial Information, Audit Reports
23. Conceptual Trust Model:
Define Trust Requirements
Our organization provides services to our clients that must remain confidential from other internal business units / employees, as well as external entities.
24. Conceptual Trust Model:
Define Trust Requirements
Clients provide confidential personal, financial and health information that must remain confidential from other internal entities, as well as external entities.
i.e. Payment Card Information
25. Conceptual Trust Model:
Define Trust Requirements
Our organization shares intellectual property relevant to the business services provided, as well as Financial, Personal and Health information regarding our employees and our clients, that must remain confidential from non-involved internal entities, as well as non-involved (contractually bound) external entities.
26. Conceptual Trust Model:
Define Trust Requirements
Integrated Suppliers share intellectual property relevant to the business services provided, as well as Financial, Personal and Health information regarding our employees and clients, that must remain confidential from our clients (direct), non-involved internal entities, as well as external entities.
27. Developing a Security Domain Model
The security domain model defines three major elements:
1. Structure and scope of the security domains within the Organization
2. Interrelationships to external security domains
3. Who is the Authority for the Domain
28. Developing a Security Domain Model
[Diagram: security domain map; only its labels survive extraction]
Domains: D1. Our Organization; D2. Organizational Units (D2a. Business Administration, D2b. Service Delivery); D3. Executive Management (D3a. Board Executive); D3a. Business Enablement Services and D3b. Program Enablement Services; D4. General Management; D5. Independent Sales Offices; D6. Sales Agencies; D7. Partner Organizations; D8. Other Stakeholders; D9. Integrated Suppliers (IT); D10. Integrated Suppliers (Business); D11. General Suppliers; D12. Clients; D16. Suppliers; Other Governments; ASD (IT).
Domain boundaries are labelled DR1 through DR7.
29. Developing a Security Domain Model
[Diagram: detail of the domain map showing D1. Our Organization, D2. Organizational Units (D2a. Business Administration, D2b. Service Delivery), D3a. Business Enablement Services, D3b. Program Enablement Services, D12. Clients, D16. Suppliers, D10. Integrated Suppliers (Business), ASD (IT), and the boundaries DR1 and DR3]
30. Security Domain Model: Authority & Scope
Domain Authority: Our CIO
Our organization encompasses all management (executive and general), Organizational Units and Sales (Independent and Agency) entities owned and legally controlled by our organization.
31. Security Domain Model: Authority & Scope
Domain Authority: Org Unit President
Organizational Units encompass the specific Business Administration and Service Delivery functions for each unique OU entity (including IT services & functions).
32. Security Domain Model: Authority & Scope
Domain Authority: Integrated Supplier
Integrated Suppliers (Business) encompass any specific external entity controlling one or many smaller entities that provide outsourced business functions to any specific Organizational Unit.
33. Security Domain Model: Authority & Scope
Domain Authority: Client (Individual)
Clients encompass both specific target clients as well as industry partners relevant to our organization's service offerings.
34. Using Trust & Relationships
The tools we have used, and what each one captures:
• Entity Diagram: Relationships
• Trust Relationship Diagram: Trust
• Security Domain Diagram: Authorities
• Boundary Control Inventory
35. Defining Boundary Controls
DR#: DR3
Boundary Description: Our Organization interacting with Integrated Suppliers (Business)
Boundary Controls:
  Organizational
  • Contracts/Agreements
  • Service Level Agreement
  • Internal Policy (InfoSec)
  • Industry Compliance Requirements
  • Legislation, regulations, and acts
  Technical
  • Firewall / ACLs
  • Segmented VLANs for Supplier
  • Network-based Intrusion Detection / Prevention (NIDS/NIPS)
  • Host-based Intrusion Detection / Prevention (HIDS/HIPS)
37. Defining Boundary Controls
Review defined boundary controls:
• What relationships have the most complex control requirements? (Prioritization)
• What relationships lack controls? (Completeness)
• How many boundaries share common controls? (Justification)
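The following is an added example, not Seccuris material or code from the deck: it puts the trust model (slides 19–26), the domain model with its authorities (slides 27–33) and the boundary control inventory (slide 35) into one small data model, then answers the three review questions above (prioritization, completeness, justification) and names who accepts residual risk for each information flow. The domain ids, authorities and the DR3 control list are taken from the deck; the DR1 entry, the TH-to-domain pairings and the SENSITIVE set are assumptions made for illustration.

```python
"""Trust / domain / boundary inventory check (added example; not Seccuris material).

Domain ids, authorities and the DR3 control list come from the deck
(slides 30-33 and 35); the DR1 entry, the TH pairings and the
SENSITIVE set are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Domain:
    id: str
    name: str
    authority: str          # who decides the acceptable risk level for the domain


@dataclass(frozen=True)
class TrustRelationship:
    id: str
    source: str             # domain id of the entity sharing the information
    target: str             # domain id of the entity receiving it
    information: frozenset  # information classes that flow across


@dataclass
class Boundary:
    id: str
    domains: frozenset      # the two domain ids the boundary separates
    controls: dict = field(default_factory=dict)  # category -> [control, ...]


DOMAINS = {d.id: d for d in (
    Domain("D1", "Our Organization", "CIO"),
    Domain("D10", "Integrated Suppliers (Business)", "Integrated Supplier"),
    Domain("D12", "Clients", "Client (Individual)"),
)}

# Assumption: these classes may not cross a boundary on paper controls alone.
SENSITIVE = frozenset({"Financial", "Personal", "Health", "Payment Card", "Intellectual Property"})

TRUST = (
    # Clients share financial, personal and health data with us (slide 24); pairing assumed.
    TrustRelationship("TH1", "D12", "D1", frozenset({"Financial", "Personal", "Health", "Payment Card"})),
    # Integrated suppliers share IP and employee/client data (slide 26); pairing assumed.
    TrustRelationship("TH8", "D10", "D1", frozenset({"Intellectual Property", "Financial", "Personal", "Health"})),
    # Constructed: public marketing material flowing out to clients.
    TrustRelationship("TH4", "D1", "D12", frozenset({"Public"})),
)

BOUNDARIES = (
    Boundary("DR3", frozenset({"D1", "D10"}), {          # control list from slide 35
        "Organizational": ["Contracts/Agreements", "Service Level Agreement",
                           "Internal Policy (InfoSec)", "Industry Compliance Requirements",
                           "Legislation, regulations, and acts"],
        "Technical": ["Firewall / ACLs", "Segmented VLANs for Supplier", "NIDS", "HIDS"],
    }),
    Boundary("DR1", frozenset({"D1", "D12"}), {          # constructed: only paper controls so far
        "Organizational": ["Contracts/Agreements", "Internal Policy (InfoSec)",
                           "Industry Compliance Requirements"],
    }),
)


def boundary_between(a, b, boundaries=BOUNDARIES):
    """The inventoried boundary separating domains a and b, or None."""
    key = frozenset({a, b})
    return next((x for x in boundaries if x.domains == key), None)


def completeness(trust=TRUST, boundaries=BOUNDARIES):
    """Relationships carrying sensitive information with no boundary, or a boundary with no technical control."""
    gaps = []
    for th in trust:
        if not th.information & SENSITIVE:
            continue
        b = boundary_between(th.source, th.target, boundaries)
        if b is None:
            gaps.append((th.id, "no boundary defined"))
        elif not b.controls.get("Technical"):
            gaps.append((th.id, f"{b.id} has no technical controls"))
    return gaps


def prioritization(boundaries=BOUNDARIES):
    """Boundaries ordered by control count, most complex first."""
    counts = [(b.id, sum(len(v) for v in b.controls.values())) for b in boundaries]
    return sorted(counts, key=lambda t: t[1], reverse=True)


def justification(boundaries=BOUNDARIES):
    """Controls that more than one boundary relies on: candidates for one automated baseline."""
    tally = Counter(ctl for b in boundaries for ctls in b.controls.values() for ctl in ctls)
    return {ctl: n for ctl, n in tally.items() if n > 1}


def risk_owner(th):
    """Authority of the receiving domain: the person who accepts residual risk for that flow."""
    return DOMAINS[th.target].authority


if __name__ == "__main__":
    print("Completeness gaps:", completeness())
    print("Prioritization:", prioritization())
    print("Shared controls:", justification())
    for th in TRUST:
        print(th.id, "residual risk accepted by", risk_owner(th))
```

With the sample inventory, the completeness check flags TH1 (payment card and health data from clients) because DR1 has only contractual controls, prioritization puts DR3 first with nine controls, and the three organizational controls shared by DR1 and DR3 are the ones worth standardizing once rather than re-justifying per project.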
38. Improving your Security Program
How do you use Trust and Security Domain Models to
improve your Information Security posture?
What should we think about when implementing:
• IDS / IPS
• Database Security
• Web filtering / Instant Messaging Control / SSL VPN
39. Defend your boundaries
• Focus on Automated Policy Enforcement on clearly understood boundaries where information sharing requirements are well defined.
• Free resources to focus on higher level business risks
• Restrictive Firewalls / IPS / UTM / Content Filtering
40. Defend your boundaries
[Diagram: the security domain map from slide 28 (domains D1 through D12, D16 and boundaries DR1 through DR7), repeated]
41. Protect your core
• Focus verbose detective tools within boundaries so that business-focused investigation can occur
  • Generic DB attack from the outside world: automated block, move on
  • Generic DB attack from the inside world: review the block, then monitor / investigate / respond
• IDS/IPS / Database Security Controls / Investigative Process
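The triage rule from slides 39 and 41, as an added example that is not part of the deck or Seccuris' tooling: each IDS alert is placed into a security domain by its source address, a hit from outside every modelled domain is blocked automatically at the perimeter, and a hit from inside a domain we have a relationship with is blocked and then routed to the authority of the attacked domain, who owns the residual risk. The domain ids follow the deck's domain model; the address plan, the pinning of DR3 to the service delivery unit, and the Snort-style alert lines are constructed for this example.

```python
"""Domain-aware triage of IDS alerts (added example; not Seccuris material).

Domain ids follow the deck's domain model; the address plan, the boundary
pinning and the alert lines are assumptions constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed address plan: which networks belong to which security domain, and
# which authority owns the domain (slides 30-32).
DOMAIN_NETS = (
    ("D2a Business Administration",         "10.10.0.0/16",   "Org Unit President"),
    ("D2b Service Delivery",                "10.20.0.0/16",   "Org Unit President"),
    ("D10 Integrated Suppliers (Business)", "172.16.50.0/24", "Integrated Supplier"),
)
NETWORKS = [(ipaddress.ip_network(cidr), name, auth) for name, cidr, auth in DOMAIN_NETS]

# DR3 is the deck's boundary between our organization and integrated business
# suppliers (slide 35); pinning it to the service delivery unit is an assumption.
BOUNDARIES = {frozenset({"D10 Integrated Suppliers (Business)", "D2b Service Delivery"}): "DR3"}

# Snort-style fast alert line: "... [**] [sid] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Decision:
    sid: str
    src: str
    src_domain: str
    dst_domain: str
    boundary: str
    action: str     # "auto-block" or "review"
    route_to: str   # perimeter tooling, or the authority who owns the risk


def domain_of(ip):
    """(domain name, authority) for an address; anything we cannot place is treated as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "external", None
    for net, name, authority in NETWORKS:
        if addr in net:
            return name, authority
    return "external", None


def triage(line):
    """Decide what happens to one alert line; None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_domain, _ = domain_of(m["src"])
    dst_domain, dst_authority = domain_of(m["dst"])
    boundary = BOUNDARIES.get(frozenset({src_domain, dst_domain}), "none inventoried")
    if src_domain == "external":
        # Outside every modelled domain: the sharing policy is already decided,
        # so enforce it automatically at the perimeter and move on.
        return Decision(m["sid"], m["src"], src_domain, dst_domain, boundary,
                        "auto-block", "perimeter IPS")
    # Inside a domain we have a relationship with: block, then hand the event
    # to the authority of the attacked domain, who owns the residual risk.
    return Decision(m["sid"], m["src"], src_domain, dst_domain, boundary,
                    "review", f"{dst_authority} ({dst_domain})")


def triage_all(lines):
    return [d for d in (triage(line) for line in lines) if d is not None]


# Constructed alert lines (local rule SIDs, documentation address ranges); not real captures.
SAMPLE_ALERTS = [
    "04/12-10:22:01.000000 [**] [1:1000001:1] LOCAL SQL UNION SELECT in query [**] "
    "[Priority: 2] {TCP} 203.0.113.7:51234 -> 10.20.5.10:1433",
    "04/12-10:22:09.000000 [**] [1:1000001:1] LOCAL SQL UNION SELECT in query [**] "
    "[Priority: 2] {TCP} 10.10.3.44:49152 -> 10.20.5.10:1433",
    "04/12-10:23:40.000000 [**] [1:1000002:1] LOCAL SQL xp_cmdshell call [**] "
    "[Priority: 1] {TCP} 172.16.50.9:40000 -> 10.20.5.10:1433",
]

if __name__ == "__main__":
    for d in triage_all(SAMPLE_ALERTS):
        print(f"{d.sid} from {d.src} ({d.src_domain}) via {d.boundary}: {d.action} -> {d.route_to}")
```

The same signature produces three different outcomes: the Internet source is dropped without anyone reading it, the business-administration workstation becomes an investigation for the OU president, and the supplier-side source is a DR3 boundary event that the contract and SLA with that supplier already govern.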
43. Enable your business
Build strategies that align with Trust and Information Sharing requirements
• Using Trust Modeling and Security Domains we clearly know:
  • What is at stake
  • To what level we must protect the relationship and information
  • Who decides what risk level is acceptable
  • Who accepts the residual risk
44. Enable your business with an Information Security Framework
• Improve visibility to security boundaries and identify Trust issues
• Free to focus on building new solutions enabling information sharing
• Demonstrates linkages between the business and chosen strategy & solutions
• Prioritizes implementation of controls
45. Conclusion
We can implement solutions with Justification, Prioritization & Completeness
Seccuris will assist with:
• Strategy & Framework
• Process Development
• Solution Creation & Validation
• Implementation
• Monitoring & Response
46. Thanks
Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA
Founder & CIO
Seccuris Inc.
Email: Michael.Legary@seccuris.com
Direct: 204-255-4490
Main: 204-255-4136
Fax: 204-942-6705