INFOSECFORCE
Application Security
BILL ROSS
15 Sept 2008
Will the real Information Security Architect step out of the shadows and
reveal himself or herself, so we all know who and what we are?
INFOSECFORCE 2012
The Security Architect
Background:
"Invisible person" thought piece, written 8/12/2012 and posted on ONLY two blogs;
almost 600 global requests.
Purpose:
Is there a problem?
Expected outcome:
Acronyms glossary
Background analyses
Why over 600 global requests for the paper in two years?
Source http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Source: http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf
Current indicators
Information Security Architect and Information Security Architecture
The Information Security Community (ISC) does not yet have a consistent, recognized,
universal definition of what an ISA is, BUT we are possibly gaining on it.
What an ISA should accomplish is now sometimes being integrated into IT standard
frameworks (EA, TOGAF, DoDAF, Zachman).
Security community standards and certifications for the ISA (SABSA, OSA, ISC2, Huxham)
SOURCE: http://securityarchitecture.com/docs/Security_Management_Frameworks.pdf
ISA challenge?
Working on to good
Relentless attacks hurting INFOSEC's reputation
Focus on frameworks like NIST and PCI rather than on architecting and engineering
Enterprise Architecture, TOGAF and ISO 27001 are only now integrating SABSA
Multiple IT and then Security Architecture frameworks: overwhelming
Various interpretations of what an Information Security Architect is
Scant references in the trade press to the importance of integrating security
SABSA and ISC2 certifications exist, but engineering equivalents are needed
SABSA is the closest thing to an ISA champion (like early ITIL, mostly offshore)
No true professional organization, such as a Global Information Security Architect
Association (GISAA), exists
Forthcoming and relentless Cyber Attacks
information security and at one point in his/her career should have had hands-on
technical experience in anything from help desk support to being a UNIX or database
administrator. This person should have extensive knowledge of security platforms,
has managed acquisition efforts, identity and access management, cyber warfare, and
governance as it is translated from security standards and policies into an
operational technical environment aligned with the core business processes, be they
those of financial institutions like JP Morgan or e-commerce giants like Amazon or
Best Buy. This person should have served on the front lines of cyber battles such as
NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a
visionary, and understands how security supports business objectives. Ultimately,
the Security Architect is a perfect blend of a highly skilled security engineer, a
governance and policy expert, an enterprise architect, and a business-savvy
professional with a Ninja spirit.
SAN think
SABSA cont.
ISC2 ISSAP
ISA Situation
Onslaught of cyber attacks costing millions in damages and loss of consumer trust
Numerous interpretations of ISA limit organizational success with ISA
While improving, more global awareness of the essential importance of Building
Security In is needed
SABSA and ISSAP are good, but not good enough
Standards like NIST and PCI are good, but not nearly good enough
Action Plan
Bring the ISA out of the shadows, or redefine what an ISA is
Industry and government emphasis on ISA greatly needed
Need to create an ISO- or IEEE-level standard
Make it an engineering science, as an EE degree is
Trade publications like SC, CISO and Information Week, and companies like RSA,
Symantec and Verizon, need to champion ISA
Somehow, someway, create GISAA
ISA
Source: http://antifan-real.deviantart.com/art/Grand-Universe-17189369
Source: http://www.opensecurityarchitecture.org
Source: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/315-sp-026-pci-full
Source: http://www.opengroup.org/subjectareas/enterprise/togaf
INFOSECFORCE baseline
Implementing a framework or enterprise improvements
Security Engineering & Architecture, and the frameworks it must accommodate:
NIST RMF, SANS Top 20, COBIT, NIST CSF, PCI, HIPAA, OPERA, ISO 27001, UCF, SOX
Source: SABSA
Source: SABSA
Holistic Approach
Mistake = believing that building security into information systems is simply a matter of
referring to a checklist of technical and procedural controls and applying the appropriate
security measures on the list.
Car example
A car is a good example of a complex system. It has many sub-systems, which in turn have
sub-systems, and eventually a very large number of components. Designing and building a
car needs a systems-engineering approach.
Keeping it simple
System security plan that defines risk, architecture and controls
Control framework of your choosing, such as NIST CSF or PCI
Plan, Build, Deploy and Operate project plan
Risk management analysis (process and technology gaps)
SABSA framework sheet establishing overall situational awareness
OSA patterns
High level engineering design
Detailed engineering design
Excruciatingly detailed test plans
Implementation plan
Policy, process and procedures
Certification and accreditation
Continuous control monitoring plan
Production security
Architect/Engineer/Implement?
PLAN
Define:
- Feasibility
- Business case
- Initial risk assessment
- Requirements
- Security CIA
- Charter
- System type
- System security plan
- Baseline
DEPLOY
Define:
- EA Architecture plan
- System risk level
- Applicable security control requirements
- High level design
- Detailed design
- Functional design
OPERATE
Define:
- Vulnerability mgt
- Pen test mgt
- Continuous logging and monitoring
- Compliance plan (PCI/SOX)
- Patch mgt
- Security CIA
- Change mgt
- Incident response
PLAN
Statement of need for new business process, application or technology
INFOSEC participation in feasibility analyses, no documentation required
Functional requirements document designed
INFOSEC architecture document created based on data security categorization, policy,
application functionality, and risk and vulnerability assessments
Design and technical architecture developed
Integrate controls and create detailed application security test plan defining testing
tools, timelines, remedial action processes and testers. Gain approval from project
manager.
Code development
First phase application security testing. Once code begins solidifying, use software
tools such as AppScan or SPI Dynamics for high-level testing. Feed findings back to
developers for code correction.
QA
Deploy
Pre prod: 1st phase prod testing; application and infrastructure penetration testing;
server cert
Prod: 2nd phase prod testing; create final risk acceptance document
** Security certification and accreditation should be finalized
OPERATE
Post prod: ongoing pen tests, vulnerability assessments, risk management
ISA
ISA: not an architect after all
An engineer defining and implementing security requirements
Implementing the security components of an enterprise architecture solution
Integrated and symbiotic with the enterprise architecture
Security processes that run on the infrastructure, and something the business
enterprise cannot do without
A senior engineer who guides the construction and implementation of the security
components
We are at war
A Security Architect can define strategies to defeat the aggressors.
The IT industry governance boards (ISO, IEEE) need to standardize their doctrine and
strategy to define the ISA.
Organizations need to hire the right people for ISA jobs.
Reduce confusion between the Senior Security Engineer and the roles and
responsibilities of an Information Security Architect.
While they are complementary in nature, the roles are different.
Ultimately, though, is the discussion over? Incorporate ISA into the EA solution for
consistent and seamless IT architecture and operational builds?
Contact information
Information security solutions are often designed, acquired and installed on a tactical
basis, with no strategic dimension.