Security Patterns: How to Make Security Architecture Easy to Consume
DESCRIPTION
A challenge security professionals often face is ensuring that security is aligned with the business strategy. Enterprise Security Architecture can solve that problem, but to do so you need a way to make it easy for the rest of IT to follow the security architecture. Security Patterns are one solution to that problem.
TRANSCRIPT
Security Patterns: How to Make Security Architecture Easy to Consume
Enterprise Risk/Security Management Conference
Jeff L. Johnson, CISSP, Enterprise Security Architect, ING Insurance Americas
Minneapolis, MN – 06.10.2010
www.ing.com
Security Architecture Roadmap
• Business Goals
• Market Trends
• Information Security Management
• Security Architecture
• Architecture Roadmap: the future state of the enterprise security program
• Capabilities Matrix
• Security Patterns
ING Insurance Americas
• 8th largest company in the world (1)
• Dutch origins; 107,000 employees; 40 countries
• 10,000 employees; 29 million customers; 500+ applications; 3,000+ servers
• 2nd largest provider of pensions; 15,000 employees
• Retirement - Insurance - Investments
www.ing.com/us
(1) FORTUNE 2009 Global 500 List
Define - Step 3: Customers Drive Business Goals
Easy to Use – Transparent – Compliant
Define - Step 3: Market Trends
Competitors – Legal Regulations – Technology
Define - Step 3: Architecture Frameworks
TOGAF, Zachman, SABSA, etc.
Challenges
• Complex
• Sequential Process
• Time to Value
• Resources
ISM Structure
The Information Security Management (ISM) structure is a hierarchy: Risk Area > Building Block > Component > Control. Each risk area contains one or more building blocks, each building block is broken down into components, and each component is satisfied by one or more controls.
Define - Step 3: Risk Areas and Building Blocks
• User Access: User Access Management; Segregation of Duties; Info. Access Restrictions; Identity & Access Management
• Platform Security: OS Hardening; Network Hardening; Generic App. & DB Security; Business App. Security; Workstation & Mob. Devices Hardening
• IT Resilience: Hardware Infrastructure Resilience; Business and Generic Application Resilience; Data Centre Resilience
• Change Management: Change Management; Separation of Environments; System Plan. & Acceptance
• Sourcing: Vendor Management; Supplier Management
• Security Monitoring: Security Event Monitoring; Security Incident Management; Technical State Compliance; Security & Penetration Testing
• Foundation (underlies all risk areas): Information Asset Classification; Configuration Management; IT-Architecture; Asset Ownership; Op. Procedures & Responsibilities; Compliance with ING Policies; Security Awareness
Define - Step 3: Risk Area, Building Blocks and Components
Risk Area: Platform Security
Building Blocks: OS Hardening; Network Hardening; Business Applications Security; Generic App. & DB Security; Workstation & Mob. Devices Hardening
Components of Business App. Security (by asset impact): Critical Impact Assets; High Impact Assets; Medium Impact Assets; Low Impact Assets
Building Block, Components and Controls
Building Block: Business Applications Security
Components: Critical Impact Assets; High Impact Assets; Medium Impact Assets; Low Impact Assets
Platform Security Controls overview
No | Control criteria | Dependency
1 | Asset Ownership | none
2 | Information Asset Classification | 1
3 | Manufacturer Supported Asset | 1+2
4 | OSG Documented & Approved | 1+2
5 | OSG Implemented | 1+2
6 | Application of Security Patches | 1+2
7 | Tech. Vulnerability Management | 1+2
8 | Manufacturer Support Tooling | 1+2
9 | Security Assessment & Risk Analysis | 1+2
10 | Data Protection | 1+2
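The dependency column is the part of this controls overview that a tool can act on: controls 3 to 10 only count once Asset Ownership (1) and Information Asset Classification (2) are in place, and 2 itself depends on 1. The following Python is an added example, not code from the deck or from ING. It encodes the ten control criteria and their dependencies exactly as the slide lists them, derives the order in which they must be satisfied, and checks an asset's claimed controls so that nothing downstream is credited while a prerequisite is missing. The asset records and their hostnames are constructed sample data.

```python
"""Dependency check for the Platform Security controls overview.

Added example, not from the original deck. The control numbers, names and
dependency column are taken from the slide; SAMPLE_ASSETS below is
constructed sample data, not real asset records.
"""

# Control criteria from the slide. Key: control number;
# value: (name, set of control numbers it depends on).
CONTROLS = {
    1: ("Asset Ownership", set()),
    2: ("Information Asset Classification", {1}),
    3: ("Manufacturer Supported Asset", {1, 2}),
    4: ("OSG Documented & Approved", {1, 2}),
    5: ("OSG Implemented", {1, 2}),
    6: ("Application of Security Patches", {1, 2}),
    7: ("Tech. Vulnerability Management", {1, 2}),
    8: ("Manufacturer Support Tooling", {1, 2}),
    9: ("Security Assessment & Risk Analysis", {1, 2}),
    10: ("Data Protection", {1, 2}),
}


def implementation_order(controls=CONTROLS):
    """Topological order of the controls: each one appears after every
    control it depends on. Raises ValueError on a dangling dependency
    or a cycle, so a broken control catalogue is rejected up front."""
    remaining = {n: set(deps) for n, (_, deps) in controls.items()}
    for n, deps in remaining.items():
        unknown = deps - set(controls)
        if unknown:
            raise ValueError(f"control {n} depends on unknown {sorted(unknown)}")
    order = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        for n in ready:
            order.append(n)
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


def invalid_claims(claimed, controls=CONTROLS):
    """Map each claimed control to the prerequisites that are not claimed.
    Empty result means every claim has its direct dependencies claimed."""
    claimed = set(claimed)
    result = {}
    for n in sorted(claimed):
        missing = controls[n][1] - claimed
        if missing:
            result[n] = sorted(missing)
    return result


def effective_controls(claimed, controls=CONTROLS):
    """Controls that can actually be credited for an asset: claimed ones
    whose whole dependency chain is credited. Walking in dependency order
    means a gap at control 1 also discredits 2 and, through 2, 3 to 10."""
    claimed = set(claimed)
    credited = set()
    for n in implementation_order(controls):
        if n in claimed and controls[n][1] <= credited:
            credited.add(n)
    return sorted(credited)


# Constructed sample: control numbers each asset's owner reports as done.
SAMPLE_ASSETS = {
    "app-srv-01": {1, 2, 3, 5, 6, 10},        # owned and classified first
    "app-srv-02": {3, 4, 5, 6, 7, 8, 9, 10},  # patched, but never owned/classified
}

if __name__ == "__main__":
    print("implementation order:", implementation_order())
    for host, claimed in SAMPLE_ASSETS.items():
        print(host, "credited:", effective_controls(claimed),
              "invalid claims:", invalid_claims(claimed))
```

Run as a script, app-srv-02 ends up with no credited controls at all: it reports eight controls as done, but every one of them depends on ownership and classification, which is exactly the situation the dependency column is meant to expose.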
Capabilities Matrix
Current State
Security Patterns
A Security Pattern is a well-understood solution to a recurring information security problem.
Time to Value ∗ Easy ∗ Build Once, Use Many
Cookbooks are a collection of related security patterns.
Security Pattern Framework
Open Security Architecture
• Security Patterns Catalog
• Based on Capabilities and ISM
• Prioritize security projects and operational needs
Data Protection Security Pattern Example
Controls
• Media Labeling
• Information Leakage
• Continuous Monitoring
• Use of Cryptography
• Etc.
Data Protection Security Pattern Example
• Guidance on data protection
• Repeatable and consumable steps for end users
• Maps to industry standards and enterprise capabilities
References
• Open Security Architecture: www.opensecurityarchitecture.org
• Security Patterns: http://www.securitypatterns.org/
• The Open Group: http://www.opengroup.org/security/gsp.htm
• A Survey on Security Patterns: http://www.nii.ac.jp/pi/n5/5_35.pdf
• Data Security Pattern from OSA: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/259-pattern-data-security