
Architecture in the Business Context

Business needs and technical resources determine what Security and Management technology and functionality your organization should deploy. To establish the best Security and Management implementation, you need to consider not only all the components that make up a Security and Management solution and how those components interact with the other elements of your IT infrastructure, but also the business processes and technical complexity that your organization can currently support. The Security and Management solution pattern comprises three stages of evolution that correspond to business needs in order of maturity. The solution pattern's three stages are Identify, Protect, and Predict. Each stage builds on the previous stage in terms of business requirements and technical complexity. All solution patterns require security; the Security and Management solution pattern provides the foundation for this requirement. The model begins with enabling authentication and secure remote access; it progresses to single sign-on and role-based authorization, supplying always-on access remotely.

Security and Management


The Security and Management solution pattern represents infrastructure layer security for the entire IT infrastructure. The security elements described here provide the foundation for security infrastructure on which you can layer security measures within applications and other solution patterns. To address this overall security foundation, this solution pattern covers authentication and authorization, asset protection, access mechanisms, and predictive defenses. The solution pattern supports the platform by providing a safe and trusted environment on which to build and grow the business. It provides contextual and automated encryption of sensitive data and the ability to mitigate vulnerabilities. In the platform context, the Security and Management solution pattern focuses on automated policy management, enforcement, and remediation across the organization. It covers how to protect information and the infrastructure from malware, worms, or malicious attacks while enforcing secured access to resources. It also includes proactive security by mandating explicit policies and control enforcement. Integrated and correlated reports across the enterprise support compliance monitoring. This solution pattern involves tracking all security-related incidents and measuring their impact according to established business and risk management policies. Architectural prerequisites: Infrastructure and Management, IT Process. Architectural recommendations: Cloud, User Experience. Solution patterns it enables: Integrated Communications, ECM and Collaboration, Business Intelligence, Web and Social Computing, and SOA and BPM.

The diagrams on this poster illustrate how the Security and Management solution pattern is manifested to enable security in other solution patterns throughout three stages. These views show architectural prerequisites for Security and Management at each stage. In addition, you can see architectural recommendations for a mature Security and Management implementation.

Users

Diagram (not reproduced): the poster shows the Users layer, the User Experience pattern ("Familiar and Intuitive"), the solution patterns that Security and Management enables (Unified Communications, SOA & BPM, Web and Social Computing, ECM and Collaboration, Business Intelligence, and LOB Systems), and the Data and Management, Security and Management, Infrastructure and Management, IT Process, and Cloud layers, each across Stage 1, Stage 2, and Stage 3. The stage labels and descriptions recovered from the diagram follow.

User Experience

User Experience Stage 1: Personal
To protect employees by providing flexible access and strong security. The protection mechanism runs in the background and does not interfere with the user's work. The user is assured of working in a protected environment.

User Experience Stage 2: Comprehensive
To sustain a seamless and protected interactive experience for employees across different devices and clients by providing assistance and guidance on how to resolve security issues and suppress threats to the end user on the Internet, intranet, and extranet.

User Experience Stage 3: Contextual
To provide contextual usability: what the end user expects and what the security function delivers. To provide role-based secure access to the corporate environment.

Security and Management

Security and Management Stage 1: Identify
To comprehensively deploy and manage patches and AV updates on directory and endpoint servers and desktop clients. To optimize hardware and storage investments to ensure seamless, secure access to directory services during and after network outages.

Security and Management Stage 2: Protect
To enable clustering and data replication to keep the Security and Identity environment highly available. To provide failover support to improve service levels and ensure business continuity.

Security and Management Stage 3: Predict
To provide service-level monitoring of security and identity servers. To monitor and manage policies to accelerate diagnosis and response of servers with automated resolution. To optimize network bandwidth for deployment of updates and server synchronization.

Infrastructure and Management

Infrastructure and Management Stage 1: Efficient Infrastructure

Infrastructure and Management Stage 2: Intelligent Infrastructure
To comprehensively deploy and manage updates on mobile devices.

Infrastructure and Management Stage 3: Automated Infrastructure

IT Process

IT Process Stage 1: Define
To define security processes to identify and measure threats, vulnerabilities, and attacks; to calculate chances of occurrence; and to measure the impact.

IT Process Stage 2: Report
To provide reports on the monitoring of threats, vulnerabilities, and actual attacks, and to monitor the effectiveness of existing security controls.

IT Process Stage 3: Correlate
To measure security metrics and perform event analysis and correlation in real time to establish appropriate policies, procedures, and controls.

Cloud

Cloud Stage 1: Investigate
To identify cloud-based services that align with internal security and regulatory requirements. To identify risks and evaluate cloud-based services to determine how well the services align with internal security and regulatory requirements.

Cloud Stage 2: Embed
To implement cloud-based services that address identified risks and thoroughly satisfy internal security and regulatory requirements.

Cloud Stage 3: Balance
To seamlessly provide a regulatory-compliant cloud-based environment that supports business requirements.

Stage 1: Identify
In the Identify stage, policies and privileges are managed and configured centrally across the enterprise. The organization at this stage provides stronger authentication with defined and written policies to follow and monitor for the provisioning and de-provisioning of user accounts and permissions. It also provides post-authentication endpoint assessment that is integrated with policy and identity. Information is protected through internal certificate mechanisms that support manual encryption at the file, folder, or drive level. The organization at this stage also provides role-based secure remote access to information. Access levels are defined by policy and enforced through workflow integration. At this stage, the organization has separate, uncoordinated endpoint security products. Data is inspected and classified manually at the endpoint. The IT infrastructure of the organization at this stage includes a centralized perimeter firewall. Malware protection and patch management are performed on a regular schedule. Application security products in this organization are siloed and are not tied to assessment or policy. These products provide protection through simple policies, such as drive and folder encryption, that restrict unauthorized use of information.

Stage 2: Protect
In the Protect stage, malware security, information protection, and policy are managed centrally across the enterprise (endpoints, server applications, and network). Employees have single sign-on and automatic synchronization of identity information across heterogeneous operating environments and line-of-business (LOB) applications. The organization at this stage also provides integrated digital identity management across users, certificates, and smartcards. The organization provides federated and trust-based systems that allow external entities to access internal resources securely without the need to manage the identities of those entities. Granular controls within the trusted network, including complex confidentiality conditions and restriction policies, help IT to provide end-to-end security and information protection. Organizations can provide network security through regularly scheduled discovery and classification of all data stores, server applications and endpoints, based on content. This stage has centrally managed application control and integrated solutions (such as patch or policy) for managing vulnerabilities that result from misconfiguration. The IT Infrastructure of the organization provides a single solution for universal access across all channels and resources that are tied to corporate policy. A quarantine solution for unpatched or infected computers is also provided at this stage. The existing internal certificate mechanisms are further enhanced to support a true Public Key Infrastructure (PKI).

Stage 3: Predict
In the Predict stage, organizations provide integrated and persistent information protection policies to govern internal and external trusted resources, as well as real-time enforcement. Organizations offer trusted identity affiliation and automated process to manage identity lifecycle, workflow, and advanced role-based access. Benefits of productivity applications and tools are that primary identity stores can be extended to manage access outside the enterprise, and federated, trust-based systems can be extended to Web services. Information protection is accomplished through external PKI, contextual policy-based encryption, secure remote access, user-centric identity management, and file encryption that is contextual and automated on sensitive outbound traffic within the network of trust. Advanced endpoint technology, security policy management, enforcement, and remediation are provided to protect against unknown threats across the enterprise. Contextual and automated encryption of sensitive data is provided. A reputation-based application control and vulnerability protection solution automatically discovers and guards against known vulnerability and security holes. Application security is achieved through flood resiliency and intelligent access based on role, device, and application behavior.
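The three stage descriptions above each add a control to the access decision: policy-defined, role-based access levels with post-authentication endpoint assessment (Identify), quarantine of unpatched or infected computers (Protect), and contextual decisions based on role and device (Predict), with every security-related incident tracked. The following is an added example, not code from the Advaiya poster or the Platform Vision model, showing how one access-decision engine can combine those controls and record each decision for reporting. All class names, roles, hostnames, resource names, and the sample data are constructed for this illustration.

```python
"""Illustrative policy-driven access decision engine (added example; not
Advaiya's code). Combines the controls described by the Identify, Protect
and Predict stages. All names and sample data are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    QUARANTINE = "quarantine"   # endpoint is sent to remediation, not to the resource


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    patched: bool      # patch level meets the written policy
    av_current: bool   # malware protection signatures are current
    managed: bool      # enrolled in central management, so it can be assessed


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset   # roles granted through the provisioning workflow


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # "internal" or "confidential" (constructed labels)
    allowed_roles: frozenset


@dataclass
class AuditLog:
    """Every decision is recorded so incidents can be tracked and reported."""
    entries: list = field(default_factory=list)

    def record(self, principal, endpoint, resource, decision, reason):
        self.entries.append((principal.user, endpoint.hostname,
                             resource.name, decision.value, reason))


def assess_endpoint(endpoint):
    """Post-authentication endpoint assessment for a managed device.
    Returns the list of policy violations found (empty when healthy)."""
    findings = []
    if not endpoint.patched:
        findings.append("missing required patches")
    if not endpoint.av_current:
        findings.append("malware protection out of date")
    return findings


def authorize(principal, endpoint, resource, log):
    """Decide whether an authenticated principal on a given endpoint may
    reach a resource. Checks run from broadest to most contextual."""
    # Protect stage: an unpatched or infected managed computer is quarantined
    # regardless of who is logged on.
    if endpoint.managed:
        findings = assess_endpoint(endpoint)
        if findings:
            log.record(principal, endpoint, resource, Decision.QUARANTINE, "; ".join(findings))
            return Decision.QUARANTINE
    # Identify stage: access levels are defined by policy per role.
    if not (principal.roles & resource.allowed_roles):
        log.record(principal, endpoint, resource, Decision.DENY, "role not permitted by policy")
        return Decision.DENY
    # Predict stage: contextual rule combining data sensitivity and device.
    # Confidential data is only released to a device that could be assessed.
    if resource.sensitivity == "confidential" and not endpoint.managed:
        log.record(principal, endpoint, resource, Decision.DENY,
                   "confidential data requires a managed, assessed device")
        return Decision.DENY
    log.record(principal, endpoint, resource, Decision.ALLOW, "policy satisfied")
    return Decision.ALLOW


def decision_counts(log):
    """Report-stage style summary: how many decisions of each kind were taken."""
    return Counter(entry[3] for entry in log.entries)


def run_sample():
    """Constructed sample: two users, three devices, two resources."""
    payroll = Resource("payroll-db", "confidential", frozenset({"finance"}))
    wiki = Resource("intranet-wiki", "internal", frozenset({"finance", "staff"}))
    alice = Principal("alice", frozenset({"finance"}))
    bob = Principal("bob", frozenset({"staff"}))
    laptop_ok = Endpoint("lt-001", patched=True, av_current=True, managed=True)
    laptop_stale = Endpoint("lt-002", patched=False, av_current=True, managed=True)
    byod = Endpoint("byod-7", patched=True, av_current=True, managed=False)
    log = AuditLog()
    results = {
        "alice/lt-001/payroll": authorize(alice, laptop_ok, payroll, log),
        "alice/lt-002/payroll": authorize(alice, laptop_stale, payroll, log),
        "bob/lt-001/payroll": authorize(bob, laptop_ok, payroll, log),
        "alice/byod-7/payroll": authorize(alice, byod, payroll, log),
        "bob/byod-7/wiki": authorize(bob, byod, wiki, log),
    }
    return results, log


if __name__ == "__main__":
    sample_results, sample_log = run_sample()
    for key, decision in sample_results.items():
        print(f"{key}: {decision.value}")
    print(dict(decision_counts(sample_log)))
```

The ordering of checks is the design point: endpoint health is evaluated before any role logic so that a compromised machine never reaches the authorization step, and the audit log records allow decisions as well as denials, since the Report and Correlate stages need the full event stream, not only the failures.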

The business value of any technology implementation surfaces when you consider the expense and effort of integrating that technology with your entire platform. The Advaiya Platform Vision model represents IT infrastructure as interconnected components, or solution patterns, that correspond to traditional IT service offerings. In addition to describing the requirements within each solution pattern, the Platform Vision model illustrates relationships and dependencies among the solution patterns. By examining how each element of your IT platform affects the other elements, you can determine the cost effectiveness and business value of any technology decision. Your IT infrastructure's technical complexity and your organization's evolutionary stage shape how you approach a technology implementation. For each solution pattern, the Platform Vision model explains how that pattern is manifested in each of three stages of maturity within both the organization and technology. By using the Platform Vision model to assess your platform and your current capabilities, you can make informed business decisions that add long-term and short-term value.

Platform Vision is presented by Advaiya, Inc. www.advaiya.com | www.platformvision.com


2009 ADVAIYA, INC. REPRODUCTION IN WHOLE OR IN PART IS PROHIBITED. S & M 1.1.0.A
