
Enterprise Security Architecture

  • Writer: Anand Nerurkar
  • May 8, 2024
  • 5 min read

Security does not mean simply putting a few detective controls in place and being done with it. Today there are many threats that arise from the nature of the business and the way we do business, so security needs must be aligned with business needs.


Enterprise frameworks such as Sherwood Applied Business Security Architecture (SABSA), COBIT (Control Objective for Information Technology Management & Governance) and The Open Group Architecture Framework (TOGAF) can help achieve this goal of aligning security needs with business needs.


SABSA is a business-driven security framework for enterprises that is based on risk and the opportunities associated with it. SABSA does not offer any specific controls and relies on others, such as International Organization for Standardization (ISO) standards or COBIT processes. It is purely a methodology to ensure business alignment.


The SABSA methodology has six layers (five horizontal and one vertical). Each layer has a different purpose and view. The contextual layer is at the top and includes business requirements and goals. The second layer is the conceptual layer, which is the architecture view. Figure 1 shows the six layers of this framework.


COBIT 5, from ISACA, is “a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.”1 This framework includes tool sets and processes that bridge the gap between technical issues, business risk and process requirements. The goal of the COBIT 5 framework is to “create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use


The COBIT framework is based on five principles (figure 3). Applying those principles to any architecture ensures business support, alignment and process optimization.3



By using a combination of the SABSA framework and COBIT principles, enablers and processes, a top-down architecture can be defined for every category in figure 2. As an example, when developing a computer network architecture, a top-down approach from the contextual layer to the component layer can be defined using those principles and processes (figure 4).


By using SABSA, COBIT and TOGAF together, a security architecture can be defined that is aligned with business needs and addresses all stakeholder requirements. After the architecture and its goals are defined, the TOGAF framework can be used to create the projects and steps, and to monitor the implementation of the security architecture until it reaches the intended state.


Using the Frameworks to Develop an Enterprise Security Architecture


The initial steps of a simplified Agile approach to initiating an enterprise security architecture program are:

  • Identify business objectives, goals and strategy
  • Identify the business attributes that are required to achieve those goals
  • Identify all the risks associated with those attributes that can prevent the business from achieving its goals
  • Identify the required controls to manage the risks
  • Define a program to design and implement those controls:
      • Define the conceptual architecture for business risk:
          • Governance, policy and domain architecture
          • Operational risk management architecture
          • Information architecture
          • Certificate management architecture
          • Access control architecture
          • Incident response architecture
          • Application security architecture
          • Web services architecture
          • Communication security architecture
      • Define the physical architecture and map it to the conceptual architecture:
          • Platform security
          • Hardware security
          • Network security
          • Operating system security
          • File security
          • Database security, practices and procedures
      • Define the component architecture and map it to the physical architecture:
          • Security standards (e.g., US National Institute of Standards and Technology [NIST], ISO)
          • Security products and tools (e.g., antivirus [AV], virtual private network [VPN], firewall, wireless security, vulnerability scanner)
          • Web services security (e.g., HTTP/HTTPS protocol, application program interface [API], web application firewall [WAF])
      • Define the operational architecture:
          • Implementation guides
          • Administration
          • Configuration/patch management
          • Monitoring
          • Logging
          • Pen testing
          • Access management
          • Change management
          • Forensics, etc.

It is that simple. After all risks are identified and assessed, the enterprise can start designing architecture components, such as policies, user awareness, network, applications and servers.


Figure 6 depicts the simplified Agile approach to initiate an enterprise security architecture program.



Some of the required business attributes are:

  • Availability—Systems need to be available to customers at all times.

  • Customer privacy—Customers’ privacy needs to be ensured.

  • Accuracy—Customers’ and company information must be accurate.

  • Regulatory—Company is under regulation (Payment Card Industry [PCI] in this case) and must be aligned with regulatory requirements.

Some of the business risks include:

  • Not having a proper disaster recovery plan for applications (this is linked to the availability attribute)

  • Vulnerability in applications (this is linked to the privacy and accuracy attributes)

  • Lack of segregation of duties (SoD) (this is linked to the privacy attribute)

  • Not being Payment Card Industry Data Security Standard (PCI DSS) compliant (this is linked to the regulatory attribute)

Some of the controls are:

  • Build a disaster recovery environment for the applications (included in COBIT DSS04 processes)

  • Implement a vulnerability management program and application firewalls (included in COBIT DSS05 processes)

  • Implement public key infrastructure (PKI) and encryption controls (included in COBIT DSS05 processes)

  • Implement SoD for the areas needed (included in COBIT DSS05 processes)

  • Implement PCI DSS controls


Depending on the architecture, it might have more or fewer controls.

Some example controls are:

  • Procedural controls
      • Risk management framework
      • User awareness
      • Security governance
      • Security policies and standards
  • Operational controls
      • Asset management
      • Incident management
      • Vulnerability management
      • Change management
      • Access controls
      • Event management and monitoring
  • Application controls
      • Application security platform (web application firewall [WAF], SIEM, advanced persistent threat [APT] security)
      • Data security platform (encryption, email, database activity monitoring [DAM], data loss prevention [DLP])
      • Access management (identity management [IDM], single sign-on [SSO])
  • Endpoint controls
      • Host security (AV, host intrusion prevention system [HIPS], patch management, configuration and vulnerability management)
      • Mobile security (bring your own device [BYOD], mobile device management [MDM], network access control [NAC])
      • Authentication (authentication, authorization and accounting [AAA], two factor, privileged identity management [PIM])
  • Infrastructure controls
      • Distributed denial of service (DDoS), firewall, intrusion prevention system (IPS), VPN, web, email, wireless, DLP, etc.

The outcome of this phase is a maturity rating for each control, covering both its current status and its desired status. After the program is developed and the controls are being implemented, the second phase of maturity management begins. In this phase, the ratings are updated and the management team has visibility of the progress.


Zero Trust Security Model

====

This is the security strategy for today's modern environment, where users may connect from various locations (working from home, office locations, a hybrid model), devices, networks, applications and a global enterprise infrastructure. Perimeter security (a trusted network) is no longer enough; this is where the zero trust security model comes into the picture.


It works on the principles below:

  1. Never Trust, Always Verify: Every request is fully authenticated, authorized and encrypted before access is determined. Authentication and authorization depend on various data points, including user identity, data classification, device, application health and geolocation (working from home, hybrid model, office location). Every request is continuously and dynamically verified, every time.


  2. Least Privilege: Enforce the minimum access justified by a legitimate business purpose. Limit user, service and application access with just-in-time and just-enough access, risk-based adaptive policies and data protection controls.

  3. Assume Breach: At some point there will be a breach. With this mindset, we prepare for the worst to secure the best.

Best practices include:

  • Segregation of duties
  • Segmentation
  • Defence in depth
  • Apply security at all layers
  • Use telemetry, analytics and intelligence to increase visibility, speed up detection and respond in real time
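To show how the first two principles combine in practice, here is an added example (not code from the original post) of a per-request policy check: every call re-verifies the data points the post lists (identity, device, application health, location, data classification) against a just-in-time entitlement, and a risk-based adaptive policy decides whether to allow, step up to MFA, or deny. The request attributes, risk weights and ceilings are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed request attributes: the data points the post lists for every request.
@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_managed: bool
    device_healthy: bool        # assumed signal: patched, endpoint agent reporting
    location: str               # "office", "wfh" or "hybrid"
    resource: str
    data_classification: str    # "public", "internal" or "confidential"
    action: str                 # "read" or "write"

@dataclass(frozen=True)
class JitGrant:
    """Just-in-time, just-enough entitlement that expires (epoch seconds)."""
    user: str
    resource: str
    actions: frozenset
    expires_at: int

# Risk ceiling per data classification; weights and ceilings are assumed, not from the post.
RISK_CEILING = {"public": 5, "internal": 3, "confidential": 1}

def request_risk(req: Request) -> int:
    """Each weak signal raises the risk score of this single request."""
    signals = [(not req.mfa_verified, 3), (not req.device_managed, 2),
               (not req.device_healthy, 2), (req.location != "office", 1)]
    return sum(weight for weak, weight in signals if weak)

def evaluate(req: Request, grants: list, now: int) -> str:
    """Return 'allow', 'step_up' or 'deny'; nothing is cached, so every call re-verifies."""
    # Least privilege: an unexpired grant must exist for exactly this resource and action.
    active = [g for g in grants if g.user == req.user and g.resource == req.resource
              and req.action in g.actions and g.expires_at > now]
    if not active:
        return "deny"
    risk, ceiling = request_risk(req), RISK_CEILING[req.data_classification]
    if risk <= ceiling:
        return "allow"
    # Adaptive policy: step up to MFA only when that alone would bring risk within the ceiling.
    if not req.mfa_verified and risk - 3 <= ceiling:
        return "step_up"
    return "deny"
```

Because the grant carries an expiry and the decision is recomputed on every request, a session that was fine at 09:00 is re-judged, not remembered, at 09:01.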


 
 
 
