IAC Secure eBiz Secu

Click here to load reader

  • date post

  • Category


  • view

  • download


Embed Size (px)



Transcript of IAC Secure eBiz Secu

  • 1. Security Architecture Challenges and Integration with EA Security and Privacy Architecture integrated with Enterprise Architecture

2. Scope

  • EA has integrated Security and Privacy into all levels of models
  • Challenge getting Security and Privacy at thePlanning Table
  • New Threats- new technologies- trends and standards- constantly changing
    • Recommendations for Security and Privacy Linked to FEA Reference Models- Marianne Carter- CA- Federal Security Specialist
      • Carter, Marianne"[email_address]
    • Technology trends and standards- Paul Patrick- BEA CSA
    • Security Development Patterns and Practices- Jon Wall-Microsoft- Federal Security Consultant
      • "Jon Wall"

3. Issues

  • Government Security and Privacy Direction are not consistent with the e-government needs
  • E-government Act provides NIST leadership on defining the standards
  • EA Reference Models do not address Security and Privacy
  • Business Case and Budgeting needs security and privacy considerations
  • Integrated and weaved everywhere

4. Challenges

  • View from System to Enterprise Perspective
  • Alignment of NIST Guidance with e-government Transformation needs
  • New Threatsconstantly evolving
  • Analyze Threats and determine countermeasures to deploy
  • Current government process not agile enough to adapt andrespond to threats and emerging technologies
  • (Security Architecture must be holistic and address key principles such as Defense in Depth..)
  • Security Architecture woven into the Strategy, Enterprise Architecture, Business Case ,and Budget Cycle.

5. Step 5:Security and Privacy with EA- Really Weaved with all other steps

  • Integrating Security and Privacy Architecture with Enterprise Architecture
  • The paper provides initial concepts needed for a Security Service Framework along with process changes that are needed for updates into the FEAF 2.0 draft. The integration of Security thinking and practices as an "aspect" of all the Enterprise Architecture is key. The paper weaves the Security Architecture process with the Enterprise Architecture.

6. CONSIDERATIONSFORDEVELOPING A SECURITY ARCHITECTURE(SA) CUSTOMER/PARTNER NEEDS BUSINESS NEEDS LEGISLATION/REGULATIONS Requirements SA SA Disaster Recovery Data Class/Retention Backup Telecomm Security Information Security Application Security Physical Security 7. Taxonomy of Standard-based Security Strategy Authorization Service Auditing Service Credential Service PKI Service Provisioning Service Security Services Authentication Service XKMS X.509 WS-Trust SAML XACML Username/Password SAML X.509 WS-Security SAML Username/Password Kerberos WS-SecureConversation SPML Liberty Alliance .Net Passport Single Sign-On Digital Certificates SAML/Kerberos Portal Integration Data Mgmt Application Server 8. Aligning Guidance & Managing Compliance Map Common EA Elements and NIST Guidance to Compliance Efforts Focus on the Common Elements Integrate Security Architecture With Common Business Goals & Infrastructure FEAF, NACIO,E-GOV 2002,others FISMA/GISRA, NIAP CC,NIST 800-37 Pervasive Principles Broad Functional Principles Detailed Principles Regulations & Legislation Business Risk Business Requirements Security Architecture 9. IntegratedSecurity Approach linked to Enterprise Architecture Government Support Needs Strategies Legal Mandates Incidents and Evaluations Business Architecture Services Layer Components Principles Policies Procedures Security Technology Research TechnicalLayer Industry Standards Security Patterns Drivers NIST Guidelines Security & Privacy Service Framework Education by Role(s) Information Center & Collaborative Zone 1 2 3 4 5 Data Reference Model 10. Best Practices

  • Externalize management of identity and policy from the application
  • Externalize policy enforcement from business logic in application code
  • Protection as close to target as possible
    • Provides context necessary for business-like decisions
  • Service-based Security Architecture
    • Open, flexible, and extensible

11. E-govSecurity Service Framework Features

  • Key Principles: Framework that is tailored to agencies unique security requirements
  • Business Line Modeling: Approach to Divide the Enterprise or Business Line into Zones with Governance Structure- Responsibilities
  • Tools to support the Modeling and Analysis of Security and Privacy and Report creation-integrate into Business Analyst Portal
  • Services Framework:
    • Define a set of services and Open Service Interfaces for component architecture(preliminary- thoughts included)
    • E-Authentication Common Services- Need to become eSecurity
    • Single Sign On through the Portal- must address the Firstgov.gov portal and related one-stop sign-ins and many of the basics must be covered!
    • Access Control by Requestor Application and Transaction Services
    • Logging of Intra/Inter Enterprise Integration messages and Legacy System database updates
  • Technical Reference Model Level:
      • Certified components- Operating Systems- similar to the existing NIST/NSA CERT program
      • Firewalls that protect the physical environment

12. Perimeter Security Authorization Role Manager-Policy Manager Audit and Analysis Authentication Manager Security- Policy and Enforcement Mgmt Intrusion Detection Define Zones&Firewalls Context-1 Portal Business Architecture . Context-X Authorization Manager Logging Service-Container Security Manager

  • Service Component Security Features
  • User Access Control
  • Enforcement Mechanism

Platform Specific Protections- TRM Elements for Service Security & Privacy Framework to Enterprise Architecture 13. Recommendation Task Force- Focused on Alignment and Integration Technology & Standards: Leadership and Action Manage Integrated Security and Privacy Changes Security and Service Models & Patterns Update EA with Securityand Privacy Process from NIST Service Security and Privacy Framework Security and Privacy Training- Analysis Competency Center Interoperability Update and Add to NIST Guidance E-gov Policies and Rules 14. To Put It Simply

  • Without security, e-business simply cannot prosper
    • Security is an essential requirementf or successfule-business
  • Vision:
    • Defense in depth
    • Focus on application-level security

15. Critical ArchitecturalIssues for Security Application Server

  • Legacy Systems with Poor Security Aspects
  • Introduction of Web Services
  • Complexity of security technology
  • Security infrastructure re-use

Custom Application 3rd-party Application Web Application Kerberos, Passwords, SAML, SPML, SSL, TLS, Tokens, WS-Policy, WS- Security, XACML, X.509 SOAP/HTTP F I R E W A L L Web Service ? Mainframe Database Web SSO Server 16. Unified Security Infrastructure Database Mainframe Web SSO Server Portal Authorization Server Security Framework Integration Server Custom Applications Third Party Applications Web Application Web Service F I R E W A L L Customers Partners Suppliers Employees 17.

  • Controls What Application Users Are Allowed To Do
    • Throughout the Application, NotJust at the Edge
    • Across Multiple Related Applications
    • Beyond Enterprise Boundaries
  • Bridges Business Logic and Security Services
    • Business Processes DriveSecurity Needs
    • Delegate Administration toBusiness Units
  • Custom Code/Integration Giving Way to Security Infrastructures

Application Security Infrastructure Security Services Application Business Policy 18. Industry Directions

  • Defense in Depth
    • Use of layers of security; not just at perimeter
  • Interoperability based on standards
    • Seldom a single security vendor in an enterprise
  • Focusing on Identity and Access Management
    • Recognition of no central identity repository
  • Security as a pervasive infrastructure
    • Based on a general-purpose, adaptable architecture
    • Adoption of Application Security
  • Security presented in language of business
    • Utilize role-based authorization
    • Consideration for context of transaction

19. Pillars of IA Core Competencies Disaster Recovery BackupInformation Assurance Telecomm Sec