
Security architecture


A comprehensive enterprise security architecture for IT systems: threat&risk modelling, processes, monitoring, data, governance.

Published in: Services

  1. A security enterprise architecture for SOA (George Georgovassilis)
  2. What is SOA?
     - Applications expose functionality as services
     - Services are composable
     - Services implement APIs, are discoverable, consume and modify resources and have a runtime behaviour
     - Service APIs and resources are subject to security considerations: who is allowed to do what?
  3. A SOA platform
     - Runtime environment for deploying, configuring, monitoring and operating IT services
     - Operational quality
     - Security quality
     - Out of scope: build process (dependency management, pen-test, static code analysis of deployment artefacts)
  4. Applicable security practices
     - TOGAF 21.3 Guidance on Security for the Architecture Domains
     - ISO/IEC 17799:2005 establishing security practices
     - OWASP
  5. SOA platform aspects: people & processes, business continuity, technology, services, governance
  6. Security aspects: business continuity
     - Policies must be enforceable
     - Cost and complexity manageable
     - Risk management
     - Contingency plans
     - Availability, scalability
     - Graceful service degradation
     - Low MTTR
     - DR class
  7. Security aspects: people & processes
     - HR and operational policies and processes documented, maintained
     - Personnel training, vetting
     - Monitoring access, interactions, auditing
     - Change management
     - IAM (identity, roles, ownership, channels)
     - ISO, security architect
  8. Security aspects: technology
     - Facility management
     - Certification chain for hardware, OS, middleware
     - Monitoring
     - Change management, patch management
     - Access control
  9. Security aspects: services
     - SDLC: deployment and configuration validation
     - Certification chain for dependencies, build tools
     - Monitoring
     - Change management, patch management
     - Access control
  10. Security aspects: governance
     - Audits, assurance
     - Security drills
     - Penetration tests
     - Post mortems
     - Actionable recommendations
     - Risk management
  11. Deliverables
     - Security policy, roles, asset ownership, data classification, system criticality classification
     - Risk/threat analysis & mitigation
     - Acknowledgement of laws & regulations
     - Operational procedures, change management, data lifecycle
     - Roadmap
     - Signoff
  12. Deployment context (diagram; labels only: management network, application network, external network; Computing hardware, OS, Virtualisation, Container middleware, Services; Monitoring, Fulfillment, CIMDB, IAM, Service discovery, API gateway, WAF, Antivirus; Clients, Gateway, VPN, 2FA; Storage, Ephemeral storage, Backup, Management storage)
  13. Example: provisioning a VM (diagram; labels only: Requester, Standard Change, Issue tracking, Fulfillment, Client, IAM, Virtualization, CIMDB)
