Enterprise Security Architecture

Jeff Murphy, Interim Information Security Officer, University at Buffalo, [email protected]
Post on 08-Aug-2015

Overall Architecture

Governance / Oversight

Policy, Compliance and Audit

Operations

Governance: Four main functions

1. Establish accountability relationship structures
2. Resource allocation at a strategic level: priority setting and broad funding decisions based on risk appetite
3. Conflict resolution
4. Assurance

Governance: Composition

CIO, CSO, CRO, CPO

Key Business Owners, Macro Information Owners

HR

Overview (organisation chart): Board; CEO; Audit; CIO; CSO, CRO, CPO; Compliance

Policy, Compliance and Audit

Key to the success of any security program

Policy: Aligns security to business culture

Compliance: Aligns security to legal environment

Audit: If you can’t measure it, you can’t manage it

Policy, Compliance and Audit

Key to the success of any security program

Removes conflicts of interest

Ok, on to the nuts and bolts

Business leadership is key to security being effective; technology is key to security being useful

Ok, on to the nuts and bolts

“We depend more and more on computer systems that are undependable” (Leslie Lamport)

It’s about the data – not the device!

Security Operations

Key areas:

SLA, SDLC, DR/BC

Change Management, CMDB

Incident Management

Forensics and Investigations

Event Management

IDM

Security Operations - SDLC

SDLC – too often security is not integrated into the process.

Security is a comparatively young discipline

You must include security in the design process

Security Operations – DR/BC

DR/BC is important. Downtime is money lost, especially in the financial sector!

You must test, test, test.

Decide how much risk you can accept, and then design your infrastructure accordingly.

Security Operations – CM/CMDB

Change management is important.

It mitigates mistakes.

A CMDB is needed in order to assess change risk in today’s complex environments.

Security Operations – Incidents

Manage your incidents with a repeatable process

Rapid, practiced response is needed to reduce your exposure

Forensics must be unimpeachable

If you can’t do it internally, do it externally.

Security Is About People

In the “old days” hackers just walked into your systems

Now things are fairly well hardened and it takes persistence and effort

Thieves want low-effort high-reward

Instead of breaking in, they just ask for an invitation

Security Is About Automation

Security costs you

Rarely does it add to your bottom line

“The only reasonable answer to the challenges of compliance, security and configuration management is to automate the tasks.” (SC Magazine, 2010)
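The CM/CMDB slide argues that change risk can only be assessed against a recorded baseline, and the automation slide argues that compliance and configuration checks must be automated. The following is an added example, not code from the slides or from the University at Buffalo; every host, setting, change-ticket number and risk weight in it is constructed. It compares each configuration item's observed state against its CMDB baseline, treats a deviation with a matching change ticket as approved, scores unapproved drift by the CI's business criticality, and reports a CI that sent no data as a finding instead of silently passing it.

```python
"""Automated configuration-drift check against a CMDB-style baseline.

Added example, not from the slides. Every hostname, setting, ticket
number and risk weight below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed CMDB: each configuration item (CI) carries its approved
# baseline plus a business criticality used to weight unapproved change.
CMDB: Dict[str, dict] = {
    "web-01": {
        "criticality": "high",
        "baseline": {
            "ssh.PermitRootLogin": "no",
            "ssh.PasswordAuthentication": "no",
            "tls.min_version": "1.2",
            "pkg.openssl": "3.0.13",
        },
    },
    "db-01": {
        "criticality": "critical",
        "baseline": {
            "ssh.PermitRootLogin": "no",
            "pkg.postgresql": "15.6",
            "fw.allow_from": "10.0.0.0/8",
        },
    },
    "jump-01": {
        "criticality": "medium",
        "baseline": {"ssh.PermitRootLogin": "no"},
    },
}

# Constructed change tickets: (CI, setting) -> approving change record.
APPROVED_CHANGES: Dict[Tuple[str, str], str] = {
    ("web-01", "pkg.openssl"): "CHG-1042",
}

# Constructed collector output: what each host actually reports.
# jump-01 is deliberately absent to exercise the "no data" failure mode.
OBSERVED: Dict[str, Dict[str, str]] = {
    "web-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "yes",   # unapproved drift
        "tls.min_version": "1.2",
        "pkg.openssl": "3.0.14",               # approved by CHG-1042
    },
    "db-01": {
        "ssh.PermitRootLogin": "yes",          # unapproved drift
        "pkg.postgresql": "15.6",
        # fw.allow_from has been removed entirely
    },
}

WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 5}


@dataclass
class Finding:
    ci: str
    key: str
    expected: str
    actual: str
    approved_by: Optional[str]   # change ticket, or None if unapproved
    score: int                   # 0 for an approved change


def check_drift(cmdb, observed, approved) -> List[Finding]:
    """Compare every CI's baseline with what the collector observed."""
    findings: List[Finding] = []
    for ci, record in cmdb.items():
        weight = WEIGHT[record["criticality"]]
        actual_cfg = observed.get(ci)
        if actual_cfg is None:
            # No report is itself a finding: an unmeasured CI cannot be
            # managed, so it is scored as drift on the whole CI.
            findings.append(Finding(ci, "*", "report", "missing", None, weight * 2))
            continue
        for key, expected in record["baseline"].items():
            actual = actual_cfg.get(key, "<absent>")
            if actual == expected:
                continue
            ticket = approved.get((ci, key))
            score = 0 if ticket else weight
            findings.append(Finding(ci, key, expected, actual, ticket, score))
    return findings


def risk_summary(findings) -> Dict[str, int]:
    """Total unapproved-change risk per CI, highest first."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.ci] = totals.get(f.ci, 0) + f.score
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    results = check_drift(CMDB, OBSERVED, APPROVED_CHANGES)
    for f in results:
        status = f"approved ({f.approved_by})" if f.approved_by else f"UNAPPROVED risk={f.score}"
        print(f"{f.ci:8} {f.key:28} expected={f.expected!r} actual={f.actual!r} {status}")
    print(risk_summary(results))
```

The design point is that the baseline and the change record live together: a deviation is only "drift" when no change ticket explains it, which is what lets the check run unattended without paging someone for every approved patch. A real deployment would pull the baseline from the CMDB and the observed state from a configuration-management or EDR agent rather than from inline dictionaries.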


Where Does It Fail In Practice

IT is often busy adjusting to new opportunities, and there is too much information. Security is often equated with IT, but it shouldn’t be.

Target Corp had no CSO; IT ignored vendor warnings (event management was outsourced); and it didn’t understand the risk of granting third parties access to the internal network.

Security architecture was an afterthought.

Where Does It Fail In Practice

That went well for them, don’t you think?

Always Question Your Assumptions

???