NUS-ISS Learning Day 2019-Architecting security in the digital age
1. Architecting Security in the Digital Age
#ISSLearningDay
Tan Eng Tsze, Principal Lecturer & Consultant,
Digital Strategy & Leadership Practice, NUS-ISS
2 Aug 2019
2. Objectives
Upon completion of this session, you will be able to understand:
• Security Architecture
• A Business-driven approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
3. Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
5. Common Approach to Security (1) – Piecemeal Approach
Piecemeal Approach: Most organisations approach security on a project-by-project basis. Security solutions are installed tactically, which results in a mixture of solutions and no assurance that, collectively, they will be effective against cyber threats.
6. Common Approach to Security (2) – Compliance Perspective
How many of us mistakenly believe that securing our information systems requires little more than working from a checklist of technical and procedural controls and applying the right security measures from the list? If your checklist includes all the components needed to build a plane, do you have a plane?
Cybersecurity Frameworks
7. Common Approach to Security (3) – Lack of Traceability to Business Objectives / Drivers
• A global financial-services company left cybersecurity investments mainly to the discretion of the chief information-security officer (CISO), within certain budget constraints. The security team was isolated from business leaders, and the resulting controls were not focused on the information that the business felt was most important to protect.
• A healthcare provider made patient data its only priority. Other areas were neglected, such as confidential financial data relevant to big-dollar negotiations and protections against other risks such as alterations to internal data.
• A global mining concern focused on protecting its production and exploration data but failed to separate proprietary information from information that could be reconstructed from public sources. Thus, broadly available information was being protected using resources that could have been shifted to high-value data like internal communications on business negotiations.
Bottom line: Is your Security supporting the Business? Does your Security know what the Organisation’s CROWN Jewels (Assets) are that are important to protect?
8. What is at Risk?
• Reputation, Brand, Image
• Trust
• Competitive Advantage
• Market & Investor Confidence
• Relationships with business partners
• Customer Retention & Growth
• Business Continuity & Resilience
• Ability to offer, fulfill transactions
Think Security is Expensive? Insecurity costs much more!
10. A Unified Enterprise-wide Approach to Cybersecurity – involving the Business, the Risk, IT and Cybersecurity groups
11. Security in the Digital Age
Shift the Security Perspective
From | To
Bolt-On / Preventative-Only Security | Business-Driven Security
Technical Problem | Business Problem
Objective is IT Security | Objective is Business Continuity / Resilience
One-Size-Fits-All Security Practices | Security is the implementation of layered controls that meet agreed business requirements and address risks
Tactical, Ad hoc Approach | Holistic, Enterprise-wide, Integrated, Adaptive Approach
Expense | Investment
Perimeter Security | Security through Prevention, Detection, Response and Prediction
12. Security Program: The Objective
Develop an Enterprise Security Program that enables and supports your Organisation’s Business Strategies and Objectives, clearly communicates these linkages, and demonstrates the Business Benefits as they are realised.
13. Common Questions: How do we…?
• How do we ensure all our Security Controls are Integrated and working Effectively Together to Optimise Value?
• How do we use best practice frameworks effectively when one size does not fit all?
• How do we know if we are managing risk in the right areas and to an acceptable level?
• How do we ensure Security supports the business?
• Are we spending too much on security, or on the right things?
14. ARCHITECTING Security in the Digital Age
Source: SABSA
Source: Integrating Risk and Security within a TOGAF EA
15. Security as a Cross-Cutting Concern in Enterprise Architecture
Architecture layers: Business, Application, Data, Technology
SECURITY cuts across all four layers: Security By Design, Architecting Security
16. Integrating Risk & Security Within TOGAF EA
Enterprise Architecture and Enterprise Security Architecture artefacts (diagram labels):
• Business Drivers / Business Objectives
• Security Principles
• Risk Appetite
• Key Risk Areas / Business Impact
• Security Resource Plan
• Applicable Law and Regulation Register
• Applicable Control Framework Register
• Security Domain Model
• Security Policy Architecture
• Trust Framework
• Risk Assessment
• Business Risk Model / Risk Register
• Security Services Catalogue
• Security Classification
• Data Quality
• Identity & Access Mgt
• Continuity Management
• Security Intelligence
• Etc.
• Enterprise Risk Management
• Information Security Management
• Security Standards
• Risk Mitigation Plan
• Security Audit
• Security Training & Awareness
• Business Attribute Profile
• Control Objectives / Security Objectives
• Security Monitoring
• Compliance Management
Source: Integrating Risk and Security within a TOGAF Enterprise Architecture, The Open Group
17. Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
18. Business-Driven Security Architecture
An organisation needs security controls that are:
• Directly Traceable to Business Goals and Objectives
• Driven by Business Requirements
• Appropriate to both the Business Risks and the organisation’s Risk Appetite
• Meeting Legal, Regulatory and Policy Compliance requirements by Design
The challenge in developing the security architecture is to balance Usability, Risk and Cost to achieve Effective Security.
19. SABSA – Sherwood Applied Business Security Architecture
• World’s Leading Security Architecture – Official and De Facto Standard
• Free-use Enterprise Security Architecture Methodology & Framework
• Formal Regulated Professional Institute
20. SABSA – Taking a Top-Down Business-driven Approach to Architect Security
21. The SABSA Matrix
The SABSA Matrix: six architecture layers (rows) against the six questions What / Why / How / Who / Where / When (columns). Lifecycle phases shown alongside the matrix: Business, Design, Build, Operate.
Layer | Assets (What) | Motivation (Why) | Process (How) | People (Who) | Location (Where) | Time (When)
Contextual | Business Decisions | Business Risk | Business Processes | Business Governance | Business Geography | Business Time Dependence
Conceptual | Business Knowledge & Risk Strategy | Risk Management Objectives | Strategies for Process Assurance | Roles & Responsibilities | Domain Framework | Time Management Framework
Logical | Information Assets | Risk Management Policies | Process Maps & Services | Entity & Trust Framework | Domain Maps | Calendar & Timetable
Physical | Data Assets | Risk Management Practices | Process Mechanisms | Human Interface | ICT Infrastructure | Processing Schedule
Component | ICT Components | Risk Management Tools & Standards | Process Tools & Standards | Personnel Management Tools & Standards | Component Locator Tools & Standards | Step Timing & Sequencing Tools
Service Management | Service Delivery Management | Operational Risk Management | Process Delivery Management | Personnel Management | Management of Environment | Time & Performance Management
22. A worked example
77 million customer details stolen
Service down for X days
Cost USD $250 million
One of the largest Data Security breaches to hit console gamers!
• Happened in 2011
• 77 million customer accounts were compromised and prevented from accessing the service
• Outage lasted for 23 days
• Result of “External Intrusion” on the Company’s Network
• Cost USD $250 million as the company worked to clean up the mess and reinforce its defenses
MISSION: “a company that provides customers with Kando – to move them emotionally – and inspires and fulfils their curiosity.”
24. The SABSA Approach
The SABSA approach works from the business driver up to the security service:
1. Business Driver: Identify the Business Drivers / Objectives; prioritise Drivers
2. Business Attribute: Translate Drivers into Business Security Attributes (Security Attributes are provided by the SABSA framework)
3. Threat Analysis: Perform threat analysis; identify actual threats to business attributes / business drivers
4. Impact Analysis: Use Qualitative or Quantitative methods to define the impact of the realization of the threat on the identified business objectives
5. Control Objective: Define Control Objectives to mitigate the identified threats to acceptable levels
6. Security Service: Identify Security Services to provide the required control objectives
25. Understand the Business and its Risks – Contextual and Conceptual Security Architecture
Gather, Assess and Analyse Business Requirements:
• Business Strategy
• Business Processes and Functions
• Organisational Structure – Personnel, Geographical, Partnerships
• Budgets, Technical Constraints, Time Dependencies
Describe the Business Requirements:
• Use the Business Attributes database to describe the business in terms of Strategy, related Assets, Business Goals and Objectives -> Business Attribute Profile
Analyse the Business Risks:
• Perform a Threat Analysis on the business Assets, Goals and Objectives
• Define the Business Impact of the realization of the threats
• Identify Technical and Procedural Vulnerabilities
26. SABSA – Business Attribute Profile
Business Attribute categories: Business Strategy Attributes, Management Attributes, User Attributes, Operational Attributes, Risk Management Attributes, Technical Strategy Attributes, Legal / Regulatory Attributes
Business Attributes (as listed on the slide): Flexible / Adaptable, Scalable, Upgradeable, Usable, Accessible, Cost-Effective, Efficient, Reliable, Inter-Operable, Trustworthy, Reputable, Credible, Confident, Crime-Free, Insurable, Compliant, Confidential, Private, Controlled, Liability Managed, Admissible, Resolvable, Available, Enforceable, Error-Free, Non-Repudiable, Accountable, Auditable, Traceable, Integrity-Assured, Assurable, Authorised, Governable, Business-Enabled, Protected, Independently Secure, Measured, Legacy-Sensitive, Migratable, Flexibly Secure, Productive, COTS / GOTS, Simple, Providing Investment Re-use, Supportable, Automated, Standards Compliant, Architecturally Open, Future-Proof, Capturing New Risks, Multi-Sourced, Extendible, Maintainable, Consistent, Accurate, Current, Supported, Access-controlled, In our sole possession, Change-managed, Informed, Owned, Identified, Authenticated, Time-bound, Timely, Providing Good Stewardship and Custody, Assuring Honesty, Educated & Aware, Motivated, Recoverable, Duty Segregated, Detectable, Brand Enhancing, Competent, Transparent, Responsive, Anonymous, Continuous, Monitored, Legal, Regulated, Providing Return on Investment, Enabling time-to-market, Culture-sensitive
The Business Attribute Profile:
• Prompts your thinking on business strategies, business drivers, business assets, goals and objectives
• Key tool for conceptualizing the business assets that need protection in an information security architecture
• Engineering technique for modeling Business Requirements into normalized, measurable, demonstrable, reusable, reportable form
• Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop
• Measurable to define performance targets and risk appetite
27. A worked example – Business Drivers
Business Driver | Business Attributes | Threats | Prioritised Business Impact
Data Protection Legislation | Access-Controlled, Compliant, Protected, Private | (1) Customer data is disclosed to internal users through inappropriate access controls; (2) Staff leak customer information to unauthorized third parties; (3) Customer information is disclosed in transit to third-party processor; (4) Sensitive customer data is disclosed to unauthorized parties | Wide loss of customer confidence; Company brand damage; Prosecution by the regulators
28. A worked example – Control Objectives
Control Objectives: Protect Customer Information
Business Attributes: Access-Controlled, Compliant, Protected, Private
People:
• Training and Awareness for all Staff on Data Protection
Technology:
• Identity Management
• Authentication and Authorisation
• Database and Network Encryption to protect personal data in storage and transit
• Auditing and Logging of access to sensitive personal data
Operations, Process & Procedures:
• User Access Management
• Monitoring User Access Levels and User Activity, particularly Third Parties
• Incident Response for Data Breach
Governance:
• Nominated Data Protection Officer
• Data Protection Policies, Standards and Procedures
• Third Party Risk Management Framework
• Data Protection Assurance
29. Logical Security Architecture – What does it look like?
Business Attribute Profile:
• Select Business Attributes (mapped to business drivers)
• Define enterprise-specific business attributes, a measurement approach, metrics and targets
Control Objectives:
• Derive control objectives from the Business Attribute Profile and the Business Risk Model developed at the Conceptual Layer
Security Strategies:
• Define appropriate security strategies based on the business process model, the Business Attributes profile, the control objectives and the assessment of the current state of security
Security Services:
• Layered model of security services including Prevention, Containment, Detection and Notification, Event Collection and Tracking, Recovery, Assurance
30. A worked example – Security Services
Security Services:
• Identity Management Tools
• Authentication
• Access Control
• Authorisation
• Auditing
• Storage Encryption
• Link Encryption
Security Management:
• Breach / Incident Management
• Policies, Standards, Procedures, Guidelines
• Training & Awareness
• Proactive Reviews
• Third Party Management Frameworks
31. A worked example – Physical Security Architecture
32. Security Architecture Deliverables – what do you
get?
Contextual Security Architecture:
• Business Drivers
• Prioritised Drivers
• Impact Assessment
Conceptual Security Architecture:
• Business Attribute Profile
• Business Risk Model
• Security Domain Model
Logical Security Architecture:
• Security Domains and Associations
• Logical Security Services Framework
Physical & Component Security Architecture:
• Detailed infrastructure and component solution design
• Documented controls against control objectives
Operational Security Control Framework
33. SABSA – Provides Traceability
Business Justified: Every operational or technological security element can be justified by reference to a risk-prioritized business requirement
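As an added example (not code from the deck or from SABSA), the worked example's chain from slides 27, 28 and 30 encoded as data, with a check for the traceability property stated above: any deployed service that cannot be traced to a risk-prioritised business requirement is flagged. The impact scores and the extra Web Application Firewall service are constructed for illustration.

```python
# Added example: a traceability check over a SABSA-style chain built from the
# deck's worked example. Impact scores and the "Web Application Firewall"
# service are constructed; everything else is taken from slides 27, 28 and 30.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    description: str
    impact: int  # constructed prioritised business impact, 1 (low) to 5 (severe)

@dataclass(frozen=True)
class Driver:
    name: str
    attributes: tuple  # business attributes the driver translates into
    threats: tuple     # threats against those attributes

@dataclass(frozen=True)
class ControlObjective:
    name: str
    attributes: tuple  # business attributes the objective protects
    services: tuple    # security services that deliver the objective

# Slide 27: one business driver, its attributes and the threats to them.
DATA_PROTECTION = Driver(
    "Data Protection Legislation",
    ("Access-Controlled", "Compliant", "Protected", "Private"),
    (Threat("Customer data disclosed to internal users via inappropriate access controls", 4),
     Threat("Staff leak customer information to unauthorised third parties", 5),
     Threat("Customer information disclosed in transit to third-party processor", 4),
     Threat("Sensitive customer data disclosed to unauthorised parties", 5)),
)

# Slides 28 and 30: the control objective and the services that deliver it.
PROTECT_CUSTOMER_INFO = ControlObjective(
    "Protect Customer Information",
    ("Access-Controlled", "Compliant", "Protected", "Private"),
    ("Identity Management Tools", "Authentication", "Access Control", "Authorisation",
     "Auditing", "Storage Encryption", "Link Encryption", "Incident Management",
     "Training & Awareness", "Third Party Management Frameworks"),
)

# Constructed: the deployed estate also contains a tactically bought service.
DEPLOYED_SERVICES = PROTECT_CUSTOMER_INFO.services + ("Web Application Firewall",)

def justify(service, drivers, objectives, min_impact=3):
    """Return (driver, objective, threat) chains that justify `service`."""
    # A chain = an objective delivering the service + a driver sharing an attribute
    # with it + a threat on that driver at or above min_impact (risk-prioritised).
    chains = []
    for obj in (o for o in objectives if service in o.services):
        for drv in (d for d in drivers if set(d.attributes) & set(obj.attributes)):
            for thr in drv.threats:
                if thr.impact >= min_impact:
                    chains.append((drv.name, obj.name, thr.description))
    return chains

def unjustified_services(services, drivers, objectives, min_impact=3):
    """Services with no chain back to a risk-prioritised business requirement."""
    return [s for s in services if not justify(s, drivers, objectives, min_impact)]
```

Running `unjustified_services(DEPLOYED_SERVICES, [DATA_PROTECTION], [PROTECT_CUSTOMER_INFO])` returns only the constructed firewall, the one service with no business justification.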
34. SABSA Top Applications
• Security Architecture
• Traceability & Alignment of Solutions to Business Requirements
• Enterprise Risk & Opportunity Management
• Assurance, Compliance & Audit
• Governance & Policy Architecture
• Technical Solutions Design
• Security Service Management Framework
• Critical National Infrastructure Strategy
35. Benefits of Security Architecture Approach
• Provides the Strategic Roadmap and Long-term View for security across the organisation
• Enables Business-to-Security alignment
• Ensures that all security models and implementations can be traced back to the business
• All security controls are integrated and working together to optimise value
• Reduces ad hoc or tactical security implementations
• Establishes a common “language” for information security within the organisation
36. Measuring Success in Security Architecture
Characteristics of a Good Security Architecture:
• Strategic Alignment – aligned to the current business strategy
• Pragmatism – reflects the operating environment of the organisation and imposes appropriate controls to mitigate the risks
• Robustness – demonstrates a thorough development with appropriate input, review and approval with stakeholders
• Adaptive & Agile – designing a security architecture to deal with changing legal, regulatory and customer requirements
Good Security Controls are:
• Driven by business requirements rather than technical considerations
• Meeting regulatory audit and compliance requirements by design
• Appropriate to both the business risks and the organisation’s risk appetite
• Directly traceable to business objectives
37. Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
38. Adaptive Security Architecture
• Enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks
• Comprehensive protection requires an adaptive protection process integrating Predictive, Preventive, Detective and Responsive security capabilities
• An Adaptive Security Protection Architecture requires Continuous Monitoring
39. Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
40. Security Governance
The process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies
• are aligned with and support business objectives
• adhere to policies, standards, and internal controls
• provide assignment of authority and responsibility
all in an effort to manage risk.
Source: Information Security Governance, ISACA
41. Agenda
• Security Architecture Overview
• Business Driven Approach to Architect Security
• Adaptive Security Architecture
• Security Governance
• Profile of a Good Security Architect
42. Profile of a Good Security Architect
A Security Architect’s skill set is different from a designer’s:
• Business-focused & Thinking in Business Terms at all times: Understand business goals and objectives and how they translate into security practices. Need to focus on security in conjunction with business enablement. Why are we doing this? What are we trying to achieve in business terms here?
• Holistic Enterprise Security Mindset
• Proficient in Risk Management
• Soft skills are also important, like Big Picture Thinking, Problem Solving, Leadership, Communication, Collaboration, Negotiation, etc.
43. Key Takeaways
• The Business-Driven approach to ARCHITECT Security provides Traceability to Business Objectives and allows you to understand the Business and its Risks
• Good Security Controls are driven by Business Requirements rather than technical considerations or picking from a checklist of best practice security control objectives
• Security Architecture needs to be Adaptive, Constantly Adapting to changing Business and evolving Threats, and Proactive in Monitoring / Analytics
• For Security Architecture to be successful, you also need to GOVERN the Security
• Security Architecture Thinking and Mindset…a Holistic Enterprise-Wide View of Securing the Enterprise in the Digital Age
44. References:
1. Cyber Resilience in the Digital Age
https://www.worldgovernmentsummit.org/api/publications/document?id=24717dc4-e97c-6578-b2f8-ff0000a7ddb6
2. What is SABSA – A Introduction
https://www.vanharen.net/Player/eKnowledge/sabsa_-_a_introduction.pdf
3. Information Security Governance: Guidance for Board of Directors and Executive Management
https://www.isaca.org/Knowledge-Center/Research/Documents/Information-Security-Govenance-for-Board-of-Directors-and-Executive-Management_res_Eng_0510.pdf
4. Integrating Risk and Security within a TOGAF Enterprise Architecture, The Open Group
https://publications.opengroup.org/review/product/list/id/85/category/63/