Information Security Architecture: Building Security Into Your Organziation

Information Security Architecture
Building Security into your Organization

The on-going promotion of security…

• Increasing threats

• Complex Vulnerabilities

• Large, intricate
solutions required

Copyright 2007 – Seccuris Inc.

We‘re sucked into acting on
generic justifications!

After implementing large, intricate solutions we have:
• Increased our workload
• Impacted productivity and innovation in the environment

The internal challenge…

What do we hear most from IT & IT Security
Departments regarding support?

• We are under resourced
• We are fighting a loosing battle
• The “business” is making our
jobs harder

We are misaligned with the business!

Our key issue…

We are using Security to undermine
the business

• How many organizations business is
information security?
• Not Many.
• Information Security enables the business to operate
effectively with a properly managed (balanced) risk
profile.


Our key issue…

We are using Security to undermine
the business

• How many organizations business need
information security?


Our key issue…

Every business requires
Trust & Relationships

• Information Security
ensures:
• Trust is maintained
appropriately for the
level of risk
• Relationships are protected
and “assured” (AIC)


Our key issue…

• Implementing solutions without understanding
Trust requirements impacts:

• Productivity
• Innovation
• Flexibility


Why are we undermining the business?

Current approach to security
solutions undermine:

business productivity

benefits of new technologies


Undermining the Business

We implement solutions that focus on security,
not on business
Prevent systems to interface other
systems
FW, IDS/IPS Solutions

Restrict user abilities within the
application
Application & Database controls

Authorize access to information systems
& services
Web filtering / Instant Messaging
Control / SSL VPN


We build unnecessary conflict into our
projects and environment

• Being on the “Same Team” is seen as a conflict
• Why is being on the “Same Team” an issue?
• Who is really accepting the risk?


We implement solutions without
Justification, Prioritization & Completeness

Lacking processes such as:
• Business Requirements for Information Sharing
• Privacy and Security Requirements Definition
• Solution Design Reviews
• Environment Validation & Health Checks
• Incident Handling & Forensic Investigation
• Business Risk acceptance for implemented solutions



Are we undermining the benefits of new
technologies?

• Enterprise Storage & Backup Solutions
• Remote Access
• VOIP
• Virtualization


Improving enablement of the business
An
Information Security Framework
aligns
controls and solutions
enabling
business objectives
AND US!


SABSA: Enterprise Security Framework

Focuses on:

• Establishing Business Context
• Developing a Business Risk Model
• Developing a Conceptual Trust Model
• Developing a Security Domain Model
• Understanding business priorities, environment gaps
and key strategies to move forward


Developing a Conceptual Trust Model

To secure the organization:
• Identify entities involved with the organization
• Define information flowing between business entities
• Assess the assurance required to establish trust


SABSA – Example Trust Model

5. Partner Organizations

5a. Partner 1 5b. Partner 2

TH9. Financial, Client Personal,
TH10. Financial, Client Personal,
Business Confidential
Business Confidential
Information
Information

6. Our Organization

7. Executive Management
1. Clients
8. General
4. Integrated Suppliers/
TH1. Financial. Personal,
Management
7a. Board Executive
Partners TH8. Intellectual Property,
Health
Financial, Employee / Client Personal,
Information
Employee / Client Personal Health
1a. Target Clients
Information
4a.
4 Outsourced
Delivery (IT)
9. Organizational Units
TH2. Client Confidential
TH7 Intellectual Property, 1b. Industry
Information
9a. Business 9b. Service
Financial, Employee / Client Personal,
4b. Outsourced Partners
Employee / Client Personal Health Administration Delivery
Delivery Information, Compliance
(Business/Program) Audits,

10. Independent Sales TH3. Financial, Performance
11. Sales Agencies Status Information
Offices
TH4. Public
Information

2. Other Stakeholders

TH6. Intellectual TH5. Compliance
Property Audits, 2a. Industry Groups 2b. Media
Sensitive
Information

3. General Suppliers

3c. External
3a. Vendors &
3b. Suppliers Regulators
Contractors
(e.g. PCI)


Conceptual Trust Model:
Define Information Sharing
Financial, Personal & Health Information

Intellectual Property, Financial Information, Audit Reports


Define Trust Requirements
Our organization provides services to our clients that
must remain confidential
from other internal business units / employees,
as well as external entities.


Clients provide confidential personal, financial and
health information that must remain confidential
from other internal entities, as well as external entities.
i.e. Payment Card Information



Our organization shares intellectual property relevant to the
business services provided as well as Financial, Personal and Health
information regarding our employees and our clients
that must remain confidential from non-involved internal entities,
as well as non-involved (contractually bound) external entities.



Integrated Suppliers share intellectual property relevant to the
business services provided as well as Financial, Personal and
Health information regarding our employees and clients that
must remain confidential from our clients (direct), non-involved internal
entities, as well as external entities.


Developing a Security Domain Model

The security domain model defines three major
elements:

1. Structure and scope of the security domains
within the Organization

2. Interrelationships to external security domains

3. Who is the Authority for the Domain


D1. Our Organization
D3. Executive Management

D3a. Board

D2. Organizational Units
Executive

D3a. Business
D4. General D3b. Program
D2a. Business DR1 D12. Clients
Enablement D3b. Program
Management Services
Enablement
s
D2a. Business D2b. Service
Services Services
Services
Administration General Delivery
D16.
Suppliers DR2

DR7 D5. Independent
Sales Offices DR3

D11. General
General
Suppliers
Suppliers
D6. Sales Agencies

DR4
DR6
ASD
DR5
(IT)
ASD
D10. Integrated
(IT)
Suppliers
ASD
(Business)
(IT)
ASD
Other D9. Integrated
(IT)
Other
Governments Suppliers
D7. Partner
Governments
(IT)
Organizations
D8. Other
Stakeholders





D3a. Business D3b.
D3b Program
D2a.
D2a Business DR1 D12. Clients
Services
Enablement
s
Services Services
Services
D16.
DR3
Suppliers

ASD
(IT)
ASD
D10. Integrated
(IT)
Suppliers
(Business)


Security Domain Model: Authority & Scope

Domain Authority: Our CIO
Our organization encompasses all management
(executive and general), Organizational Units and
Sales (Independent and Agency) entities owned
and legally controlled by our organization.



Domain Authority: Org Unit President
Organizational Units encompass the specific
Business Administration and Service Delivery
Functions for each unique OU entity.
(Including IT Services & Functions)



Domain Authority: Integrated Supplier
Integrated Suppliers (Business) encompass any
specific external entity controlling one or many
smaller entities that provide outsourced business
functions to any specific Organizational Unit.



Domain Authority: Client (Individual)
Clients encompass both specific target clients
as well as industry partners relevant to our
organizations service offerings.


Using Trust & Relationships

The tools we have used:
• Entity Diagram Relationships

• Trust Relationship Diagram Trust
• Security Domain Diagram Authorities

• Boundary Control Inventory


Defining Boundary Controls

DR# Boundary Description Boundary Controls

DR3 Our Organization interacting with Organizational
•Contracts/Agreements
Integrated Suppliers (Business)
•Service Level Agreement
•Internal Policy (InfoSec)
•Industry Compliance
Requirements
•Legislation, regulations, and acts

Technical
•Firewall / ACLs
•Segmented VLANs for Supplier
•Intrusion Prevention Systems
(NIDS)
(HIDS)



DR# Boundary Description Boundary Controls

DR1 Our Organization interacting with Organizational
•Contracts/Agreements
Clients
•Internal Policy (InfoSec)
•Legislation, regulations, and acts

Technical
•Firewall / ACLs
(NIDS)
•User Account Roles (Web SVC)



Review defined boundary controls:
• What relationships have the most complex control
requirements? Prioritization

• What relationships lack controls? Completeness

• How many boundaries share common controls?

Justification


Improving your Security Program

How do you use Trust and Security Domain Models to
improve your Information Security posture?

What should we think about when implementing:
• IDS / IPS
• Database Security
• Web filtering / Instant Messaging Control / SSL VPN


Defend your boundaries

• Focus on Automated Policy Enforcement on clearly understood boundaries
where information sharing requirements are well defined.

• Free resources to focus on higher level business risks

• Restrictive Firewalls / IPS / UTM / Content Filtering


Defend your boundaries
D3. Executive Management

D3a. Board

Executive

D3a. Business
D4. General D3b. Program
D2a. Business DR1 D12. Clients
Management Services
Enablement
s
Services Services
Services
D16.
Suppliers
DR2
DR7 D5. Independent
DR3
Sales Offices

D11. General
General
Suppliers
Suppliers
D6. Sales Agencies

DR4
DR6
ASD
DR5 (IT)
ASD
D10. Integrated
(IT)
Suppliers
ASD
(Business)
(IT)
ASD
Other D9. Integrated
(IT)
Other
Governments Suppliers
D7. Partner
Governments
(IT)
Organizations
D8. Other
Stakeholders


Protect your core

• Focus verbose detective tools within boundaries to allow for
business focused investigation to occur

• Generic DB attack from the outside world
• Automated Block – Move on

• Generic DB attack from the inside world
• Review Block – Monitor / Investigate / Respond

• IDS/IPS / Database Security Controls / Investigative Process


Protect your core


Enable your business

Build strategies that align with
Trust and Information Sharing requirements

• Using Trust Modeling and Security Domains we clearly know:
• What is at stake
• To what level we must protect the relationship and information
• Who decides what risk level is acceptable
• Who accepts the residual risk


Enable your business with an
Information Security Framework

• Improve visibility to security boundaries and identify Trust issues

• Free to focus on building new solutions enabling information sharing

• Demonstrates linkages between the business and chosen strategy &
solutions

• Prioritizes implementation of controls


Conclusion
We can implement solutions with
Justification, Prioritization & Completeness
Seccuris will assist with:

• Strategy & Framework

•Process Development

• Solution Creation & Validation

• Implementation

• Monitoring & Response

Thanks

Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA
Founder & CIO
Seccuris Inc.

Email: Michael.Legary@seccuris.com
Direct: 204-255-4490
Main: 204-255-4136
Fax: 204-942-6705


Information Security Architecture: Building Security Into Your Organziation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Information Security Architecture: Building Security Into Your Organziation

Similar to Information Security Architecture: Building Security Into Your Organziation (20)

More from Seccuris Inc.

More from Seccuris Inc. (10)

Recently uploaded

Recently uploaded (20)

Information Security Architecture: Building Security Into Your Organziation