Enterprise Security Architecture – A Business Approach M. M. Veeraragaloo March 2016

ESA for Business


Agenda
- Strategy and Planning
- Risk and Opportunity
- Business Context and Requirements
- Architectural Strategies
  - Internet of Things / Everything
  - Cloud
  - Bi-Modal
  - Digitisation / Disruptors
  - Bring Your Own Identity (BYOID)
  - Choose Your Own Device (CYOD)

Strategy and Planning


Does Enterprise Architecture Drive the Strategy?

Source: Enterprise Architecture as a Strategy

Source: TOGAF Capability Framework

Source: FEAF

Source: Gartner

All Enterprise Architectures refer to the Strategy and to how the architecture will drive this Strategy within the organisation.

Architecture Supports Strategy

Business View: Survival Strategy

Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest Lion, or it will be killed.

Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle, or it will die of starvation.

When the sun comes up in Africa, it doesn't matter what shape you are: if you want to survive, what matters is that you'd better be running!

Is it better to be a Lion or a Gazelle?

Security in Context? Legacy of Security as a Restraint

The Business Prevention Department

Security is Complex to Define

Security Does not exist in Isolation

SECURE has no intrinsic meaning

Too much emphasis on Technology

Silo Approach to Security

The Legacy of Security within the Organisation

Enterprise Security Architecture?

Layered Framework

Integrated System Approach

Security meets the Needs of Business


Enterprise Security Architecture Framework?

Requires an ESA that can cater for different views from a CXO perspective.

| Feature | Advantages | Chairman / Board View |
|---|---|---|
| Business-Driven | Value-Assured | Protects shareholder value |
| Risk Focused | Prioritised and Proportional | Optimizes shareholder risk & aligns with risk appetite |
| Comprehensive | Scalable Scope | Addresses all shareholder concerns |
| Modular | Agility | Enables flexibility to meet dynamic market & economic conditions |
| Open Source | Free use, Standard | Guarantees perpetuity of return on investment |
| Auditable | Demonstrates Compliance | Demonstrates compliance to regulators & external auditors |
| Transparent | Two Way Traceability | Supports market transparency & disclosure |

| Feature | Advantages | CEO View |
|---|---|---|
| Business-Driven | Value-Assured | Protects corporate reputation |
| Risk Focused | Prioritised and Proportional | Meets corporate governance requirements |
| Comprehensive | Scalable Scope | Meets enterprise-wide requirements |
| Modular | Agility | Enables fast time to market with business solutions |
| Open Source | Free use, Standard | Provides assurance through industry standard |
| Auditable | Demonstrates Compliance | Ensures a smooth & successful external & regulatory audit process |
| Transparent | Two Way Traceability | Provides a clear view of expenditure and value returned |

| Feature | Advantages | CFO View |
|---|---|---|
| Business-Driven | Value-Assured | Ensures efficient return on investment |
| Risk Focused | Prioritised and Proportional | Improves predictability & consistency |
| Comprehensive | Scalable Scope | Supports scalable, granular budgeting |
| Modular | Agility | Facilitates effective management of capital & operational costs |
| Open Source | Free use, Standard | Eliminates expensive & on-going license fees |
| Auditable | Demonstrates Compliance | Minimizes cost of management time dealing with audit processes |
| Transparent | Two Way Traceability | Enables full auditability for effectiveness of expenditure |

| Feature | Advantages | COO View |
|---|---|---|
| Business-Driven | Value-Assured | Focuses on performance management |
| Risk Focused | Prioritised and Proportional | Enables process improvement |
| Comprehensive | Scalable Scope | Provides end-to-end process coverage |
| Modular | Agility | Integrates legacy and future environments |
| Open Source | Free use, Standard | Simplifies recruitment and training |
| Auditable | Demonstrates Compliance | Minimises adverse effect of audit findings on performance targets |
| Transparent | Two Way Traceability | Measures efficiency & effectiveness of processes & resources |

| Feature | Advantages | CRO View |
|---|---|---|
| Business-Driven | Value-Assured | Enables flexible fit with industry regulations |
| Risk Focused | Prioritised and Proportional | Supports enterprise risk & opportunity management |
| Comprehensive | Scalable Scope | Enables a fully-integrated risk management strategy |
| Modular | Agility | Enables incrementally increasing maturity |
| Open Source | Free use, Standard | Provides global acceptability for auditors & regulators |
| Auditable | Demonstrates Compliance | Ensures that compliance risk is effectively managed |
| Transparent | Two Way Traceability | Demonstrates current state, desired state of compliance levels |

| Feature | Advantages | CIO View |
|---|---|---|
| Business-Driven | Value-Assured | Enables a digital information-age business |
| Risk Focused | Prioritised and Proportional | Identifies information exploitation opportunities |
| Comprehensive | Scalable Scope | Sustains through-life information architecture |
| Modular | Agility | Enables technology-neutral information management strategies |
| Open Source | Free use, Standard | Provides a future-proof framework for information management |
| Auditable | Demonstrates Compliance | Facilitates smooth & successful audits of systems & processes |
| Transparent | Two Way Traceability | Encourages fully integrated people-process-technology solutions |

| Feature | Advantages | CISO View |
|---|---|---|
| Business-Driven | Value-Assured | Facilitates alignment of security strategy with business goals |
| Risk Focused | Prioritised and Proportional | Facilitates prioritization of security and risk-control solutions |
| Comprehensive | Scalable Scope | Ensures all business security & control concerns are addressed |
| Modular | Agility | Enables a project-focused approach to security development |
| Open Source | Free use, Standard | Provides a sustainable framework for security integration |
| Auditable | Demonstrates Compliance | Supports security, risk & opportunity review processes |
| Transparent | Two Way Traceability | Provides traceability of business-aligned security implementations |

| Feature | Advantages | CTO / Architect View |
|---|---|---|
| Business-Driven | Value-Assured | Leverages the full power of information technology |
| Risk Focused | Prioritised and Proportional | Manages information system risk |
| Comprehensive | Scalable Scope | Applies at any project size or level of complexity |
| Modular | Agility | Provides a holistic and integrated architectural approach |
| Open Source | Free use, Standard | Avoids vendor-dependence and lock-in |
| Auditable | Demonstrates Compliance | Improves relationship and interactions with auditors & reviewers |
| Transparent | Two Way Traceability | Verifies justification and completeness of technical solutions |

Sherwood Applied Business Security Architecture (SABSA)

SABSA META MODEL

SABSA Matrix

SABSA and TOGAF

Risk and Opportunity

- Regulatory Drivers for Operational Risk Management
  - BASEL II, SOX, Corporate Governance, PCI, HIPAA
- ISO 31000: Improved planning through provision of information for decision-making
- Risk Management: Strategic, operational and business imperative
- Risk Analysis Measures Risk Elements
  - Valuing assets, Identifying threats, Quantifying business impacts, Identifying vulnerabilities
- Issues with Threat-driven Approach
  - Technical threats are not well understood by stakeholders
- Impact-based Approach
  - Provides a good view of business criticality
- Operational Risk: SABSA Approach
  - Business enablement is achieved through excellence in operational processes, people and technical systems

SABSA Risk & Opportunity Model

Business Context and Requirements

Business Driven Architecture
- Business-Driven means never losing sight of the organisation's goals, objectives, success factors and targets.
- Ensuring that the security strategy demonstrably supports, enhances and protects these.
- Contextual Architecture Layer
  - Full set of requirements, including conflicts in Business Strategy, Risks & Priorities
- Conceptual Architecture Layer
  - Resolve these conflicts by delivering an appropriate, measurable security strategy

- Each Organisation's Business Needs are Unique
- Meaningful traceability is enabled by credible abstraction from business context (assets, goals & objectives) to a business security context

Defining Business Attributes
- An Attribute is a conceptual abstraction of a real business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
- The Attributes Profiling technique enables any unique set of business requirements to be engineered as a standardised and re-usable set of specifications
- The Attributes are modeled into a normalised language that articulates requirements and measures performance in a way that is instinctive to all stakeholders

Attributes Profiling Rules & Features
- Attributes can be tangible or intangible
- Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
- Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
- Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop
- The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase
- Powerful requirements engineering technique
- Populates the vital missing link between business requirements and technology / process design

Sample Taxonomy of Attributes

Architectural Strategies

Define the Business Drivers for the Industry

| Driver # | Business Drivers |
|---|---|
| BD1 | Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sector |
| BD2 | Providing support to the claims made by the Organization about its competence to carry out its intended functions |
| BD3 | Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems |
| BD4 | Maintaining the confidence of other key parties in their relationships with the Organization |
| BD5 | Maintaining the operational capability of the Organization's systems |
| BD6 | Maintaining the continuity of service delivery, including the ability to meet the requirements of service level agreements where these exist |
| BD7 | Maintaining the accuracy of information |
| BD8 | Maintaining the ability to govern |
| BD9 | Preventing losses through financial fraud |

| Driver # | Business Drivers |
|---|---|
| BD33 | Ensuring that security services can be extended to all user locations, to all interface types and across all network types that will be used to support delivery |
| BD34 | Maximize the economic advantage of the Enterprise Security Architecture |
| BD35 | Security services to be supported through electronic communications, without the need for physical transfer of documents or storage media |
| BD36 | System security solutions should as far as possible comply with internal and external standards and best practices |
| BD37 | The Security Architecture should be independent of any specific vendor or product, and should be capable of supporting multiple products from multiple vendors |
| BD38 | The Security Architecture must remain compatible with new technical solutions as these evolve and become available, and with new business requirements as these emerge, with a minimum of redesign |
| BD39 | The Security Architecture must be able to be adapted to counter new threats and vulnerabilities as they are discovered |

| Driver # | Business Drivers |
|---|---|
| BD40 | Ensure that the required internal and external cultural shift is achieved to support the Security Architecture |
| BD41 | Ensuring accurate information is available when needed |
| BD42 | Minimise the risk of loss of key customer relationships |
| BD43 | Minimize the risk of excessive loading on insurance premiums due to negligence on the Organization's behalf or lack of due diligence |

Define the Business Attributes for the Industry

User Attributes

| Business Attribute | Business Attribute Definition | Suggested Measurement Approach | Metric Type |
|---|---|---|---|
| Accessible | Information to which the user is entitled to gain access should be easily found and accessed by that user. | Search tree depth necessary to find the information | Soft |
| Accurate | The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered. | Acceptance testing on key data to demonstrate compliance with design rules | Hard |
| Anonymous | For certain specialized types of service, the anonymity of the user should be protected. | Rigorous proof of system functionality; Red team review | Hard; Soft |

Business Attribute integrated with Measurements for the Industry

Integrate the Business Drivers and Business Attributes for the Industry

Business Attribute integrated with Measurements for the Industry

User Attributes

| Business Attribute | Business Driver | Business Attribute Definition | Measurement Approach | Metric Performance Target |
|---|---|---|---|---|
| Accessible | 5 | Information to which the user is entitled to gain access should be easily found and accessed by that user. | Search tree depth necessary to find the information | Soft |
| Accurate | 7 | The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered. | Acceptance testing on key data to demonstrate compliance with design rules | Hard |
| Anonymous | 4 | For certain specialized types of service, the anonymity of the user should be protected. | Rigorous proof of system functionality; Red team review | Hard; Soft |

Internet of Things / Everything

Confidentiality, Integrity, Availability, Safety

The IoT comprises an ecosystem that includes things, communication, applications and data analysis.

As IoT use grows, ensuring IoT device authentication is crucial. A lack of authentication standards for most IoT devices has led to highly customized authentication methods in the industry.

Cloud Computing

Data Sovereignty: Are you allowed to store your data outside of the country? What laws allow / deny this?

Data Protection: Data Privacy, Data Location, Data Management and Protection, Tenancy

Bimodal

Agile

Enterprise Security Architecture

Source: An Enterprise Architecture Practitioner's Notes: Volume 3 Solution Level Architecture

Digitisation / Disruptors

Digital Disruptors

Source: Gartner 2015

Digital business is the creation of new business designs that not only connect people and businesses, but also connect people and businesses with things to drive revenue and efficiency. Digital business helps to eliminate barriers that now exist among industry segments, while creating new value chains and business opportunities that traditional businesses cannot offer.


Risk & Opportunity

Business Drivers & Business Attributes

Solution Granularity

Secure by Design

Maintaining effective security starts with knowing what effect you need to achieve. This means you need to start by focusing on risk. Through risk assessment and risk management practices we can identify the critical outcomes for the enterprise and transform those outcomes into security tactics.

Bring Your Own Identity (BYOID)

Security Risk? or Business Advantage?

What is the Business Value? Is it part of the Corporate Strategy? Loss of Control vs Cost

Identity and Access Management: accessing anything from anywhere

BYOD / CYOD

- BYOD: Employees appreciate using the device with which they are most comfortable.
- CYOD: Requires employees to choose from a list of preapproved devices.

- Mobile Protection Strategy
- Data Management on the Device
- Data Backup Policy
- Personal Data vs. Business data
- User Acceptance Policy
- Lack of support and application consistency across all platforms
- Increased threat of mobile malware
- User Awareness and Training
- Policies Agile enough?

Business Models

Secure by Design

Cloud Services, Bimodal Services, Digital Disruptors, IoT, Green IT, BYOD / CYOD, BYOID, Big Data

The Journey is the Reward ~ Chinese Proverb