
INFOSECFORCE

The Invisible Person: The Security Architect

Application Security
BILL ROSS
15 Sept 2008

Balancing security controls to business requirements



Critical Reason for ISA Excellence

Undeclared global cyber war

We are in a CYBER war, and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight, and win and lose in this battle. Every year thousands of articles and conferences across the globe address this challenge, and when one reads the literature and attends the meetings, one gleans that a core weapon is missing in the discussion:
- Cohesive, risk- and business-based information security architecture
- Systematically and strategically planned and executed
- An Information Security Architect with a Ninja war-fighting spirit

Will the real Information Security Architect step out of the shadows and reveal him/herself, so we all know who and what we are?
INFOSECFORCE 2012

Searching for YETI?

The Invisible Person: The Security Architect


The ISA brief objectives

Background:
The Invisible Person thought piece was written 8/12/2012 and posted on ONLY two blogs; it has drawn almost 600 global requests.

Purpose:
- Discuss the definition and roles of an information security architect (ISA)
- Is there a problem?
- Examine possible industry ISA interpretations
- Review information security models
- System Security Architecture Implementation Models

Not the Big Bang Theory

Expected outcome:
- Enhanced awareness of an ISA's roles and responsibilities
- More writings and better certifications and definitions
- More securely built applications and infrastructure

Acronyms glossary

ISA. Information Security Architect or Information Security Architecture
ISC. Information Security Community
SABSA. Sherwood Applied Business Security Architecture
OSA. Open Security Architecture
TAFIM. Technical Architecture Framework for Information Management
TRM. Technical Reference Model
EA. Enterprise Architecture
GISAA. Global Information Security Architecture Association
JD. Job description
ISSAP. Information Systems Security Architecture Professional
ISO. International Standards Organization
IEEE. Institute of Electrical and Electronic Engineers
OPERA. Open Protocol Enabling Risk Aggregation
NIST. National Institute of Standards and Technology

Personal ISA experiences

Have built Security Architectures/plans/road maps, designed strategies, hired Security Architects and mentored them, BUT I am not a true architect. I just like to cobble things together.
- Enthralled by TAFIM in the 1990s
- Built the Tactical Collection Framework for Central American Wars
- Integrated the Air Force SOF and regular USAF Intelligence architectures
- Baselined the technical architecture for the global Army Materiel Command
- For CSC, managed deploying JP Morgan's first global security architecture
- Built the security technical road map for the Federal Reserve IT
- Appointed someone as the Federal Reserve's first security architect
- Hired the security architect for the Northrop VITA contract
- Hired by AXA Tech as the Security Architect
- Defined strategy for the Information Risk Architecture Framework (IRAF)
- Security Architect for AIG at United Guaranty Corporation
- Wrote The Invisible Person: the Security Architect
- Sherwood Applied Business Security Architecture (SABSA) trained
- SAIC Information Assurance Architect

The Origins of Architecture

Man's primordial need to scream "build"

Architecture has its origins in the building of towns and cities, and everyone understands this sense of the word, so it makes sense to begin by examining the meaning of architecture in this traditional context.

Architecture is a set of rules and conventions by which we create buildings that serve the purposes for which we intend them, both functionally and aesthetically.

Architecture is founded upon an understanding of the requirements that it must fulfil. These needs are expressed in terms of function, aesthetics, culture, government policies and civil priorities.

Architecture is also both driven and constrained by a number of specific factors.

IT Enterprise Architecture Evolution

IT Architect

Background analyses

Why over 600 global requests for the paper in two years?

Two possible reasons why

Egregious data breaches this year


Which should not be on this list?

Source http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


Will anything stop them?

Defense in Depth = Cyber Security's Maginot Line?

Sample: 1216 organizations, 63 countries, 20 industries, 67 billion spent on security

Did the Security Architecture fail?

Source: http://www2.fireeye.com/rs/fireye/images/fireeye-real-world-assessment.pdf

ISA Operational report

Current indicators: Information Security Architect and Information Security Architecture
- The Information Security Community (ISC) does not yet have a consistent, recognized, universal definition of what an ISA is, BUT we are possibly gaining on it.
- The ISA's expected accomplishments are now sometimes integrated into IT standard frameworks (EA, TOGAF, DoDAF, Zachman).
- Security community standards and certifications for the ISA exist (SABSA, OSA, ISC2, Huxham).
- As such, wide-ranging ISA job descriptions.

Given the lack of an ISA standard, the Security Architect sometimes struggles in his/her role, as what he/she thinks he/she should do is not what the company thinks they hired him/her for.

SOURCE: http://securityarchitecture.com/docs/Security_Management_Frameworks.pdf

Note about Enterprise Architecture

ISA challenge?

- Working on to good
- Relentless attacks hurting INFOSEC's reputation
- Focus on frameworks like NIST and PCI versus architecting and engineering
- Enterprise Architecture, TOGAF and ISO 27001 are just now integrating SABSA
- Multiple IT and then Security Architecture frameworks: overwhelming
- Various interpretations of what an Information Security Architect is
- Scant references in the trades to the importance of integrating security
- SABSA and ISC2 certs exist, but engineering equivalents are needed
- SABSA is the closest thing to an ISA champion (like early ITIL, mostly offshore)
- No true professional organization like a Global Information Security Architect Association (GISAA)
- Forthcoming and relentless cyber attacks

Various ISA job descriptions

JDs exemplify organizational ISA soul searching

1. Extremely technical in one or two security technologies such as firewalls or intrusion detection devices.
2. Extremely technical on all aspects of security but cannot connect the architecture to business requirements and the overall strategy. Could install a HIDS or even a firewall, but the person did not design a strategy for how these systems could operationally and tactically integrate as part of the intrusion detection framework.
3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process.
4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan.
5. Calling the security director or security manager the security architect.

Likelihood of succeeding as an ISA

Rating scale: Great / High / Medium / Low

Profiles rated:
- Extremely technical in one or two technologies like firewalls
- Extremely technical in all things security technology but no business acumen
- Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process
- Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan
- Calling the security director or security manager the security architect

Qualifications considered:
- 10 years' experience in information security
- SABSA, TOGAF, OSA, Zachman trained and certified
- Highly experienced in one of these frameworks: NIST, SANS, ISO 27001, COBIT, Cyber Security Framework, PCI, FTI, FISMA, DIACAP, RMF
- ITIL, CISSP, GIAC, EE, DISA

Who ya gonna call?

Optimum ISA Job Description

An information security architect should have at least 10 years' experience in information security and, at one point in his/her career, should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms; has managed acquisition efforts, identity access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment that is aligned with the core business processes, be they financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands how security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business-savvy professional with a Ninja spirit.

SANS think

Can you build a Defense in Depth architecture without an architect?

Of course, you are not going to get very far with an architectural approach to Defense in Depth without an architect. Unfortunately, the industry is still unclear as to exactly what an IT Security Architect is.

The concept is, however, starting to mature.
- The (ISC)2 organization has created an ISSAP (Information Systems Security Architecture Professional) certification[2].
- The SABSA organization has three levels of certifications for Security Architects: Foundation, Practitioner, and Master.
- There are job opportunities for positions labeled as "Security Architects," although many times they sound more like engineers than architects.
- Though specific knowledge about systems and networks is important, an architect should have the ability to assemble and disassemble pieces of knowledge to/from a whole.

Stephen Northcutt, J. Michael Butler and the GIAC Advisory Board

ISA Certification syllabuses

Two prime ISA certifications

SABSA
- Define enterprise security architecture, its role, objectives and benefits
- Describe the SABSA model, architecture matrix, service management matrix and terminology
- Describe SABSA principles, framework, approach and lifecycle
- Use business goals and objectives to engineer information security requirements
- Create a business attributes taxonomy
- Apply key architectural defence-in-depth concepts
- Explain security engineering principles, methods and techniques
- Use an architected approach to design an integrated compliance framework
- Describe and design appropriate policy architecture
- Define security architecture value proposition
- Use SABSA to create a holistic framework to align and integrate standards

SABSA (cont.)
- Describe roles, responsibilities, decision-making and organisational structure
- Explain the integration of SABSA into a service management environment
- Define Security Services
- Describe the placement of security services within ICT infrastructure
- Create a SABSA Trust Model
- Describe and model security associations intra-domain and inter-domain
- Explain temporal factors in security and sequence security services
- Determine an appropriate start-up approach for SABSA Architecture
- Apply SABSA Foundation level competencies to the benefit of your organisation

ISC2 ISSAP
- Access Control Systems and Methodology
- Communications & Network Security
- Cryptography
- Security Architecture Analysis
- Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
- Physical Security Considerations

NOTE: ISSAP capitalizes on CISSP training

The GARTNER View is EA Focused


What will it take?

Being a Successful Information Security Architect

Unless the security architecture can address a wide range of operational requirements and provide real business support and business enablement, rather than just focusing upon security, then it is likely that it will fail to deliver what the business expects and needs.

A common phenomenon throughout the information systems industry: people who do not understand strategic architecture, and who think that it is all to do with technology.

Being a successful security architect means thinking in business terms at all times. You always need to have in mind the questions: Why are you doing this? What are you trying to achieve in business terms here? Otherwise you will lose the thread and finish up making all the classic mistakes.

Buy-in and sponsorship from senior management: enterprise architecture cannot be achieved unless the most senior decision-makers are on your side. Creating this environment of acceptance and support is probably one of the most difficult tasks that you will face in the early stages of your work.

Source: SABSA

ISA challenge summary

ISA Situation
- Onslaught of cyber attacks costing millions in damages and loss of consumer trust
- Numerous interpretations of ISA limit organizational success in ISA
- While improving, need more global awareness of the essential importance of Building Security In
- SABSA and ISSAP good but not good enough
- Standards like NIST and PCI good but not nearly good enough

Action Plan
- Bring the ISA out of the shadows, or redefine what an ISA is
- Industry and government ISA punctuation greatly needed
- Need to create an ISO or IEEE level standard
- Make it an engineering science, as is an EE degree
- Trades like SC, CISO, Information Week and companies like RSA, Symantec, Verizon need to champion ISA
- Somehow, someway, create GISAA

The eloquent designs

IT and Security Architecture design: thinking and planning

Source: http://antifan-real.deviantart.com/art/Grand-Universe-17189369

SABSA Eloquent design

SABSA Eloquent design matrix

ISA Landscape by OSA
Source: http://www.opensecurityarchitecture.org

PCI OSA Pattern
Source: http://www.opensecurityarchitecture.org/cms/library/patternlandscape/315-sp-026-pci-full

Server OSA Pattern

TOGAF development process
Source: http://www.opengroup.org/subjectareas/enterprise/togaf

Huxham Security Framework

INFOSECFORCE baseline

MAKING IT REAL... yikes

Implementing a framework or enterprise improvements

Security Engineering & Architecture sits at the center of the frameworks: NIST RMF, SANS Top 20, COBIT, NIST CSF, PCI, HIPAA, OPERA, ISO 27001, UCF, SOX

Fundamental Enterprise Security Architecture Planning Issue

Enterprise Security Architecture Asynchronous Planning

- Information security solutions are often designed, acquired and installed on a tactical basis.
- A requirement is identified, a specification is developed and a solution is sought to meet that situation.
- Strategic dimension: not considered.
- Mixture of technical solutions on an ad hoc basis, each independently designed and specified, and with no guarantee that they will be compatible and inter-operable.
- No analysis of the long-term costs, especially the operational costs which make up a large proportion of the total cost of ownership; no strategy that can be identifiably said to support the goals of the business.

Source: SABSA

Enterprise Security Architecture Planning Solution

Security Architecture Planning is the missing piece of the puzzle

- Development of an enterprise security architecture which is business-driven.
- A structured inter-relationship between the technical and procedural solutions to support the long-term needs of the business.
- Must provide a rational framework within which decisions can be made based on an understanding of the business requirements, including:
  - The need for cost reduction
  - Modularity
  - Scalability
  - Ease of component re-use
  - Operability
  - Usability
  - Inter-operability, both internally and externally
  - Integration with the enterprise IT architecture and its legacy systems

Source: SABSA

Security Architecture Approach

Holistic Approach
Mistake = believing that building security into information systems is simply a matter of referring to a checklist of technical and procedural controls and applying the appropriate security measures on the list.

Car example
A car is a good example of a complex system. It has many sub-systems, which in turn have sub-systems, and eventually a very large number of components. Designing and building a car needs a systems-engineering approach.

Architecture system approach
- Do you understand the requirements?
- Do you have a design philosophy?
- Do you have all of the components?
- Do these components work together?
- Do they form an integrated system?
- Does the system run smoothly?
- Are you assured that it is properly assembled?
- Is the system properly tuned?
- Do you operate the system correctly?
- Do you maintain the system?

Are PCI, NIST, SANS Top 20 and DIACAP architectures?

Implementation tools and designs

Keeping it simple
- System security plan that defines risk, architecture and controls
- Control framework of your choosing, such as NIST CSF, PCI, etc.
- Plan, Build, Deploy and Operate project plan
- Risk management analysis (process and technology gaps)
- SABSA framework sheet establishing overall situational awareness
- OSA patterns
- High level engineering design
- Detailed engineering design
- Excruciatingly detailed test plans
- Implementation plan
- Policy, process and procedures
- Certification and accreditation
- Continuous control monitoring plan
- Production security

Architect/Engineer/Implement?

Implementing a framework or a system

PLAN. Define:
- Feasibility
- Business case
- Initial risk assessment
- Requirements
- Security CIA
- Charter
- System type
- System security plan
- Baseline

BUILD. Define:
- EA Architecture plan
- System risk level
- Applicable security control requirements
- High level design
- Detailed design
- Functional design

DEPLOY. Define:
- Test, test, test
- Acceptance
- Procedure
- Process
- CONOPS
- Certify and attest

OPERATE. Define:
- Vulnerability mgt
- Pen test mgt
- Continuous logging and monitoring
- Compliance plan (PCI/SOX)
- Patch mgt
- Security CIA
- Change mgt
- Incident response

SLCMP and the SDLC: The Dance

SDLC phases:
- PLAN: statement of need for new business process, application or technology; functional requirements document designed
- BUILD: design and technical architecture developed; code development; QA
- DEPLOY: pre-prod; prod (1st phase prod testing, 2nd phase prod testing); post-prod
- OPERATE

INFOSEC activities across the phases:
- INFOSEC participation in feasibility analyses, no documentation required.
- INFOSEC architecture document created based on data security categorization, policy, application functionality, and risk and vulnerability assessments.
- Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted.
- Integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager.
- First phase application security testing. Once code begins solidifying, use software tools such as AppScan or SPI Dynamics for high level testing. Feed findings back to developers for code correction.
- Second phase application security testing using a formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect Security has expertise in this area.
- Third phase application security test, which follows the phase one testing process. Used as final verification that code is stable from an INFOSEC perspective.
- Application and infrastructure penetration testing; server cert.
- Create final risk acceptance document.
- Ongoing pen tests, vulnerability assessments, risk management.

** Security certification and accreditation should be finalized.

The ISA does not exist after all

Paradigm shift(ed)

ISA: not an architect after all
- Engineer defining and implementing security requirements
- Implementing the security components of an enterprise architecture solution
- Integrated and symbiotic with the enterprise architecture
- Security processes that run on the infrastructure, and something the business enterprise cannot do without
- It is a senior engineer that guides the construction and implementation of the security components

Invisible person conclusion

- We are at war.
- A Security Architect can define strategies to defeat the aggressors.
- The IT industry governance boards (ISO, IEEE) need to standardize their doctrine and strategy to define the ISA.
- Organizations need to hire the right people for ISA jobs.
- Reduce confusing the Senior Security Engineer's role with the roles and responsibilities of an Information Security Architect. While they are complementary in nature, the roles are different.
- Ultimately though, is the discussion over? Incorporate ISA into the EA solution for consistent and seamless IT architecture and operational builds?

Contact information

Marion Ross, INFOSECFORCE llc, President
Phone: 804-387-9253
Bill Ross, INFOSECFORCE llc, Security Process Architect
Phone: 804-855-4988
Email: INFOSECFORCE@YAHOO.com

Enterprise Security Architecture

Ad hoc, not integrated, not planned and costly

- Information security solutions are often designed, acquired and installed on a tactical basis.
- No strategic dimension.
- The organization builds up a mixture of technical solutions on an ad hoc basis.
- No guarantee that they will be compatible and inter-operable.

The solution is to base decisions on business requirements, including:
- The need for cost reduction
- Modularity
- Scalability
- Ease of component re-use
- Operability
- Usability
- Security is business
- Inter-operability, both internally and externally
- Integration with the enterprise IT architecture and its legacy systems

Source: http://www.intigrow.com/enterprise-security-architecture-design.html