A Roadmap To Develop Enterprise Security Architecture
Copyright © 2009 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved.
Cyber crime has skyrocketed over the past few years, shifting from crimes of notoriety to far more serious crimes for financial gain [1]. Attackers have become much more sophisticated in perpetrating and concealing cyber crimes, typically operating in stealth mode with a goal of avoiding detection altogether [1].

The security architecture depicts an approach to map the system’s stakeholders’ conceptual goals to a logical view for security, which is a set of security policy and standards, security architecture, and risk management domains [7]. Architects can learn how to design reusable security services that make it simpler for developers to build security into their systems. Once security concerns are embedded in test plans and use cases, and aligned with business goals, the overall burden of defining demand for security services does not fall solely on the information security team, and the development and operations staff has far greater organizational support for the demands of extra initial time and expense required to build a more robust system.

Figure 1 illustrates the following propositions (starting at the top-left) [8]:

Figure 1. Security Architecture dependency and relationship

• Designing security architecture should be a response to Business strategy and requirements.
• The IT Strategy should be a response to the Business strategy and requirements.
• The IT Reference Architecture(s) should be a response to the IT Strategy and Governance. The reference architecture will usually address multiple platforms.
• The Reference Security Architecture(s) is part of the IT Architecture even if it is published as a separate document.
• IT Security Risk Management, process and criteria are derived from the Business strategy and requirements.
• A set of Baseline Controls is generated based on the Security Policy, Directives, and Standards etc. By Baseline Controls we understand mandatory minimum standards for the organization. Input comes from the legal/regulatory environment, Benchmarking and published security “good practice” etc.
• Additional controls are derived from the Risk management process.
• The security Architecture is the embodiment of the baseline and the additional security controls. It can also be defined to include the policies, directives, standards and the risk management process.
• Some organizations use the term solution architecture to refer to the specific implementations derived from the reference architecture.

Figure 1 reflects the different interpretations of Security Architecture identified by the members of the security working group.

3. Security Services

Security services provide confidentiality, integrity, and availability services for the platform. Security services are implemented as protection services, such as authentication and authorization, detection services, such as monitoring and auditing, and response services, such as incident response and forensics [4]. These services have served as the goals and objectives for information security programs for many years, but they do not provide an actionable plan as such. This document describes a way to map these security services into the overall enterprise security architecture.

4. Stakeholders

A client with a material stake in the systems development and operations, including business users, customers, legal team, and so on, can be named as a stakeholder. The stakeholders’ business and risk goals drive the overall security architecture. While it may initially appear that enterprise security does not have many allies, there may be more than expected. The challenge for enterprise security groups is to identify stakeholders in the enterprise that have a stake in the system’s security posture and to educate them about the actual risks and available countermeasures, finally giving the stakeholders their own custom metrics, tools and process they can bring to bear on the problem. Architects can learn how to design reusable security services that make it simpler for developers to build security into their systems. Once security concerns are embedded in test plans and use cases, and aligned with business goals, the overall burden of defining demand for security services does not fall solely on the information security team, and the development and operations staff has far greater organizational support for the demands of extra initial time and expense required to build a more robust system.

5. Strategic Objectives

The high-level strategies outlined in this section collectively define where the enterprise needs to be to appropriately manage cyber security risks [5]. The strategic outcomes can be classified into three broad categories:

• Improved Situational Awareness – Outcomes in this category will help the enterprise obtain a better understanding of its risk posture. They also will give the state the ability to measure its risk posture with rigorous performance metrics.
• Proactive Risk Management – Outcomes in this category will make employees and enterprise leaders more aware of security threats. Also, they will garner the executive support needed for the Enterprise Security Program to thrive long-term. Finally, they include various types of preventive controls.
• Robust Crisis and Security Incident Management – Outcomes in this category will help the enterprise manage security events more efficiently and effectively, thereby minimizing damage.

6. Security process

The Enterprise Security Office and the Information Security Council identified certain security objectives and specific projects as “high priority.” In general, these are areas where our current security controls are lax or have not been applied consistently across the enterprise, resulting in an unacceptable level of risk. In many cases, the security community has developed formal projects to address pressing concerns. In others, security projects are still in the planning stages.

This section outlines security projects that the security community believes are high priority in a security architecture roadmap. It is not a complete inventory of the work being done by the security community. Rather, it is a list of key initiatives that are planned or are currently under way to address the most pressing risks in this roadmap.

6.1. Security Information and Event Management

Security Information and Event Management is a central system to provide enterprise-wide security monitoring. It improves the ability to identify complex cyber attacks and reduces the time and cost to investigate security incidents.

6.2. Enterprise Vulnerability and Threat Management

The Enterprise Vulnerability and Threat Management can be described as a central system that provides ongoing vulnerability assessments of all information technology assets, so that the enterprise finds and remediates problems before they are exploited by hackers. It creates an inventory of all technology assets.

A risk management centric approach allows the security architecture to be agile in responding to business needs. Risk is a function of threats exploiting vulnerabilities against assets. The threats and vulnerabilities may be mitigated by deploying countermeasures. The risk management process implements risk assessment to ensure the enterprise’s risk exposure is in line with risk tolerance goals. This does not mean that behavior is uniformly risk averse or risk seeking. The system should take on the appropriate level of risk based on business goals. The role of the security architecture is not to steer the business away from risk, but rather to educate business partners about the risks they are taking and provide countermeasures that enable the business to take as much risk as suits its goals.

6.3. Baseline Policies, Procedures, and Standards

Baseline Policies, Procedures, and Standards demonstrate the enterprise security policy and standard framework. They are clear security baselines for all government entities and a policy-based foundation to measure results. They introduce consistent application of security controls across the enterprise.

The security policy describes all security standards in the system [4]. Security standards should be prescriptive guidance for people building and operating systems, and should be backed by reusable services wherever practical [4]. This is very important: it is no longer acceptable for enterprise security to function exclusively as an arbiter; security in the enterprise needs architecture and design advocates, and backing at runtime. Security policy and standards are not end goals in themselves; they need to be backed by a governance model that ensures they are in use, and that it is practically possible to build, deploy, and operate systems based on their intent. In practice this means that the security architecture must define reusable security services that allow developers to not be security experts yet still build a secure system.

6.4. Security Awareness for Employees

Security Awareness for Employees is an ongoing and comprehensive security awareness program for all enterprise employees. It provides better awareness of security threats capable of impacting enterprise operations and also provides a common baseline of knowledge for all employees. With Security Awareness for Employees, fewer security incidents are caused by employee mistakes.

6.5. Identity and Access Management

Identity and Access Management provides a centralized and streamlined access control solution for the enterprise. Uniform and repeatable access control processes result in better security. Providing all access through a single user ID and password provides a better experience for users of the enterprise [6]. Leveraging an external access control solution reduces the cost of developing new systems.

6.6. Enterprise Business Continuity Program

Enterprise Business Continuity Program is an ongoing continuity program to address unanticipated disruptions to enterprise services. Through this program, recovery of critical services during a crisis becomes faster, and costs are reduced by leveraging a shared recovery environment. It provides a better ability to share staff during times of crisis through adoption of a common plan format and tools.

6.7. Enterprise Security Incident Management

Enterprise Security Incident Management is an enterprise-wide approach to record, identify, and manage information security incidents. It provides the ability to limit damage through information sharing. Costs are reduced through the sharing of staff and expensive forensic investigation tools.

7. Conclusions

We present the Enterprise Security architecture roadmap. This roadmap sets priorities for management, control, and protection of the enterprise’s information assets.

The strategic objectives are grouped into the following 3 categories:

• Improved situational awareness, which includes continuous system monitoring and continuous assessment of controls
• Proactive risk management, such as solidly articulated requirements and ongoing security training
• Robust crisis and security incident management, which allows critical services to continue uninterrupted in a crisis.

This roadmap also outlines key initiatives that have been prioritized for delivery:

• Security Information and Event Management: provide enterprise-wide security monitoring
• Enterprise Vulnerability and Threat Management: provide ongoing vulnerability assessments of all information technology assets
• Baseline Policies, Procedures, and Standards: complete enterprise security policy and standard framework
• Security Awareness for Employees: ongoing and comprehensive security awareness program for all state employees
• Security Awareness for Government Leaders: annual security awareness event for government leaders and policymakers
• Identity and Access Management: centralized and streamlined access control solution for state government
• Enterprise Business Continuity Program: ongoing continuity program to address unanticipated disruptions to government services
• Enterprise Security Incident Management: enterprise-wide approach to record, identify, and manage information security incidents

Strong executive commitment and support are crucial to the implementation of this roadmap. Successful implementation will ensure information is both protected and available, and that critical services are available when needed. Security architecture is not a static process. You can’t “set it and forget it.”
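The risk-management step described in section 6.2, combined with the split between baseline controls and additional controls listed with Figure 1, can be sketched as follows. This is an added example, not code from the paper: the control catalogue, risks, tolerances and the exposure model (likelihood times impact, with each control scaling likelihood down) are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float  # constructed: chance the threat succeeds
    impact: float      # constructed: business loss if it does

# Constructed catalogue: control -> {vulnerability: share of likelihood removed}
CONTROLS = {
    "patching": {"unpatched-service": 0.5},
    "awareness-training": {"phishable-users": 0.3},
    "mfa": {"phishable-users": 0.8},
    "network-segmentation": {"unpatched-service": 0.6},
    "waf": {"sql-injection": 0.7},
}
BASELINE = frozenset({"patching", "awareness-training"})  # mandatory minimum

RISKS = [  # constructed sample risk register
    Risk("payroll-db", "credential theft", "phishable-users", 0.5, 400.0),
    Risk("payroll-db", "remote exploit", "unpatched-service", 0.4, 400.0),
    Risk("marketing-site", "remote exploit", "unpatched-service", 0.4, 50.0),
    Risk("marketing-site", "injection", "sql-injection", 0.2, 50.0),
]
TOLERANCE = {"payroll-db": 40.0, "marketing-site": 15.0}  # set by the business

def exposure(risk, controls):
    """Assumed model: likelihood x impact, each control scaling likelihood down."""
    p = risk.likelihood
    for name in controls:
        p *= 1.0 - CONTROLS[name].get(risk.vulnerability, 0.0)
    return p * risk.impact

def derive_architecture(risks, tolerance, baseline=BASELINE):
    """Return (additional controls, risks still above their asset's tolerance)."""
    selected = set(baseline)
    for risk in sorted(risks, key=lambda r: -exposure(r, baseline)):
        # Risks already within tolerance are accepted and get no extra control.
        while exposure(risk, selected) > tolerance[risk.asset]:
            options = [c for c in CONTROLS if c not in selected
                       and risk.vulnerability in CONTROLS[c]]
            if not options:
                break  # nothing left to deploy: escalate for explicit acceptance
            selected.add(max(options, key=lambda c: CONTROLS[c][risk.vulnerability]))
    unmet = [r for r in risks if exposure(r, selected) > tolerance[r.asset]]
    return selected - set(baseline), unmet

if __name__ == "__main__":
    extra, unmet = derive_architecture(RISKS, TOLERANCE)
    print("additional controls:", sorted(extra))
    print("above tolerance:", [(r.asset, r.threat) for r in unmet])
```

With the sample data the injection risk on the low-value asset stays within tolerance, so no control is bought for it, which is the "not uniformly risk averse" behaviour the section describes.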
8. References
[1] CSI/FBI Computer Crime and Security Survey, 2006, http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf, Accessed 16 January 2009