Академический Документы
Профессиональный Документы
Культура Документы
1
Often a Thorny, Unresolved Issue
2
A recent (horror) Story
Query from a Project Lead:
3
Another Recent Story
Request from a Project Lead:
Lead: Brian, we are going live with this Web Portal in three
months. We need you to help us document security and
disaster recovery procedures
4
Still Another Recent Story
Dismissal from a Project Lead:
Quality Guy: Did we seek them out and they declined? Did they
seek us out and we declined?
6
The End Result (Just Desserts)
Inadequate
Security
Incompatible Need to
Architecture Retrofit
Cost and/or
Vulnerability
and/or
Growth
Limitations
7
OK, WiseguyWhats the Answer?
8
1. Frameworks & Standards
Architecture
Framework
(TOGAF)
Secure App Site Relevant
Dev Secure App
Framework Dev
(SABSA) Standards
Foundations
http://pubs.opengroup.org/architecture/togaf8-doc/arch/ http://www.sabsa-institute.org/home.aspx
9
1A. TOGAF Security Architecture
Asset Protection
Availability
Administration
10
1A1. TOGAF Security Architecture
Phases
Architecture
Implementation
Change
Governance
Management
11
1B. SABSA Secure Application
Development
12
1B1. SABSA Security Matrix
13
1C1. Site Relevant Process & Standards
14
1C2. Site Relevant Process & Standards
15
2. Security Architecture Governance
Security
Governance
Enterprise Security IT Risk/Compliance
Architecture Management
Thought Leadership /
Direction
Architectural Compliance Assurance
Review/Guidance
Application Security
CoE
16
3. Application Security Risk Management
17
3a. Application Security Risk Management
Risk Tier Applicability Security
Extreme Internet facing transactional Strongest identification,
Risk applications, especially of a authentication, access
financial nature. control, PKI encryption vs
SSL, storage encryption.
Continuous vulnerability
testing.
High Risk Applications that handle financial Strong identity
data; privacy regulated data; authentication, access
intellectual property; company control, SSL, storage
sensitive or restricted data. encryption, and standard
Internet facing or not. vulnerability testing.
Moderate Other core business applications; Baseline security controls
Risk non-transactional Internet facing
apps
Low Risk All others Baseline security controls
18
4. Application Project Security Architects
19
4a. A More Whimsical Diagram
20
5. Security Architect as a Consultant
Do This! Not This!
21
The CISOs Challenge
Balancing Protection, Compliance, Enablement, Productivity, Profitability
Business Enablement InfoRisk/Security Effectiveness
Establish IT Security
Architecture Governance
Be a Consultant, not an
Enforcer
23
The End! Thank you!
24