Post on 13-Dec-2014
Business Operation
Support Services
(BOSS)
Data Governance
Operational Risk
Management
Compliance
Security and Risk
Management
Presentation Services
Information Services
Infrastructure Services
Facility Security
Asset
Handling
Controlled Physical
Access
Information Technology
Operation & Support
(ITOS)
Application Services
Service Support
Configuration Management
Problem Management
Incident Management
Change Management
Release Management
Service Delivery
Policies and Standards
Data Protection
Audit Planning
Reference Architecture Version 2.0
Guiding Principles
- Define protections that enable trust in the cloud.
- Develop cross-platform capabilities and patterns for proprietary and open-source providers.
- Facilitate trusted and efficient access, administration and resiliency for the customer/consumer.
- Provide direction to secure information that is protected by regulations.
- The architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
- Centralize security policy, maintenance operation and oversight functions.
- Access to information must be secure yet still easy to obtain.
- Delegate or federate access control where appropriate.
- Must be easy to adopt and consume, supporting the design of security patterns.
- The architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
- The architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
High Level Use Cases
Co-Chairs: Jairo Orea, Yaron Levi, Dan Logan.
Team: Richard Austin, Frank Simorjay, Yaron Levi, Jon-Michael Brook,
Jarrod Stenberg, Ken Trant, Earle Humphreys, Vern Williams
Date: 02/25/2013
SABSA
ITIL v3
JERICHO
Independent
Audits
Third-Party
Audits
Internal
Audits
Contact/Authority
Maintenance
Information System Regulatory Mapping
Intellectual Property Protection
Data Ownership /
Stewardship
Data
Classification
Handling / Labeling / Security Policy
Secure Disposal of
Data
Data Governance
Risk
Assessments
Non-
Production
Data
Rules for Information
Leakage Prevention
Information
Leakage
Metadata
Technical Security Standards
Data/Asset Classification
Barriers
Electronic Surveillance
Physical Authentication
Security Patrols
Business
Impact Analysis
TOGAF
Data
Software
Hardware
Information Technology
Resiliency
Capacity Planning
Software Management
Physical Inventory
Automated Asset
Discovery
Configuration
Management
Emergency
Changes
Planned Changes
Project
Changes
Scheduling
Operational Changes
Service
Provisioning
Approval
Workflow
Change
Review
Board
Security Incident
Response
Automated
Ticketing
Self-Service Ticketing
Event
Classification
Root Cause
Analysis
Source Code
Management
Trend
Analysis
Problem
Resolution
Testing
Build
Version
Control
Availability
Management
Resiliency
Analysis
Capacity Planning
Service Level
Management
Objectives Internal SLAs
External SLAs
Vendor Management
OLAs
Service Dashboard
Asset Management
Service
Costing
Operational
Budgeting
Investment
Budgeting
Charge
Back
Connectivity & Delivery
Abstraction
Integration Middleware
Programming Interfaces
Knowledge Management
Presentation Modality
Presentation Platform
Service Support
Configuration
Rules
(Metadata)
Service
Events
Service Delivery
Service Catalog
SLAs
OLAs
Contracts
Recovery Plans
Business Continuity
Domain
Container
Process or Solution
Data
Human Resources
Security
Crisis
Management
Background
Screening
Employment
Agreements
Employee
Termination
Governance Risk & Compliance
Policy Management
IT Risk
Management
Compliance
Management
Technical Awareness and Training
InfoSec Management
Capability Mapping
Risk Portfolio
Management
Risk
Dashboard
Vendor
Management
Audit
Management
Residual Risk Management
Best
practices
Trend Analysis
Benchmarking
Job
Descriptions
Roles and
Responsibilities
Employee Code of Conduct
IT Operation
Resource
Management
Segregation
of Duties
PMO Portfolio
Management
Maturity
Model
Roadmap
IT Governance
Architecture
Governance
Standards and
Guidelines
Project Management
Clear Desk Policy
Strategy Alignment
Data Loss Prevention
Network (Data in Transit)
End-Point(Data in Use)
Server(Data at Rest)
Intellectual Property
Protection
Intellectual
Property
Digital Rights
Management
Cryptographic Services
Threat and Vulnerability Management
Patch
Management
Compliance Testing
Databases
Signature Services
PKI
Data-in-Transit
Encryption (Transitory, Fixed)
Privilege Management Infrastructure
Identity Management
Domain Unique Identifier
Federated IDM
Identity
Provisioning
Attribute
Provisioning
Authentication Services
SAML Token
Risk Based Auth
OTP
Smart Card
Multifactor
Password
Management
Authorization Services
Policy Enforcement
Policy Definition
Policy Management
Principal Data
Management
Resource Data Management
XACML
Network
Authentication
Biometrics
Single Sign On
Middleware Authentication
WS-Security
Privilege Usage Management
Servers
Network
Vulnerability Management
Application
Infrastructure
DB
Penetration Testing
Internal
External
Threat Management
Source Code Scanning
Risk Taxonomy
Infrastructure Protection Services
Server
Anti-Virus
HIPS / HIDS
Host Firewall
End-Point
Anti-Virus, Anti-Spam, Anti-Malware
HIPS / HIDS
Host Firewall
Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile)
Media
Lockdown
Hardware Based
Trusted Assets
Forensic Tools
Inventory Control
Content
Filtering
Application
XML Appliance
Application Firewall
Secure Messaging
Secure Collaboration
Network Firewall
Content Filtering
NIPS / NIDS
Link Layer Network Security
Wireless
Protection
User Directory Services
Active
Directory
Services
LDAP
Repositories
X.500
Repositories
DBMS
Repositories
Registry
Services
Location
Services
Federated
Services
Reporting Services
Dashboard
Reporting Tools
Data Mining
Business Intelligence
Virtual
Directory
Services
Security Monitoring
Risk Management
GRC
RA
BIA
DR & BC Plans
VRA
TVM
Availability Services
Network Services
Storage
Services
Development Process
Configuration
Management
Database
(CMDB)
Knowledge
Repository
Change
Logs
Meta
Directory
Services
Internal Infrastructure
Servers
End-Points
Virtual Infrastructure
BOSS
SaaS, PaaS, IaaS
Identity Verification
DPI
Session
Events
Authorization
Events
Authentication Events
Application Events
Network Events
Computer Events
Risk
Assessments
Audit
Findings
Data Classification
Process Ownership
HR Data
(Employees &
Contractors)
Business
Strategy
HIPS
Database
Events
ACLs
CRLs
Compliance Monitoring
NIPS
Events
DLP Events
Transformation Services
NIPS
Events
Privilege
Usage Events
eDiscovery
Events
ITOS
PMO Strategy
Problem Management
Incident Management
CMDB
Knowledge Management
Service Management
Change Management
Roadmap
Security Monitoring Services
SIEM Platform
Event
Mining
Database
Monitoring
Application
Monitoring
End-Point
Monitoring
Event
Correlation
SOC Portal
Market Threat Intelligence
Counter Threat Management
Cloud
Monitoring
Honey Pot
Journaling
Managed Security
Services
Knowledge
Base
Branding Protection
Anti-Phishing
Legal Services
Contracts
E-Discovery
Internal Investigations
Forensic
Analysis
Data Lifecycle Management
Data De-Identification
Life Cycle Management
Data Seeding
Data Tagging
Meta Data
Control
Journaling
Data Obscuring
Data Masking
eSignature (Unstructured data)
Key Management
Symmetric Keys
Asymmetric Keys
Role
Management
Keystroke/Session
Logging
Privilege Usage
Gateway
Password
Vaulting
Resource
Protection
DRP
Plan
Management
Test
Management
Contractors
Network Virtualization
External
(VLAN)
Internal
(VNIC)
Application Virtualization
Desktop “Client” Virtualization
Local
Remote
Session-
Based
VM-Based
(VDI)
Server Virtualization
Virtual Machines (Host-Based)
Hardware-Assisted
Paravirtualization
Full
Storage Virtualization
<<insert Jairo’s content>
Network Address Space Virtualization
IPv4
IPv6
OS Virtualization
TPM
Virtualization
Server
Application
Streaming
Block-Based Virtualization
Host-Based
Storage Device-Based
Network-Based
LVM
LUN
LDM Appliance
Switched
File-Based Virtualization
Database
Virtualization
Virtual
Memory
Client
Application
Streaming
Mobile Device
Virtualization
Smartcard
Virtualization
Virtual
Workspaces
Data Discovery
Obligation
Remediation
Exceptions
Self Assessment
Program Management
Best Practices &
Regulatory correlation
Image Management
Out of the Box (OTB) AutZ
Application Performance
Monitoring
Security Knowledge Lifecycle
Security
Design
Patterns
Real-time internetwork defense (SCAP)
Cross Cloud Security Incident
Response
User Behavior &
Profile Patterns
Black Listing Filtering
Self-Service
Security
Code Review
Application
Vulnerability
Scanning
Stress and
Volume
Testing
Attack
Patterns
Real
Time
Filtering
Software Quality Assurance
Security Application Framework - ACEGI
Code
Samples
Risk Management Framework
Employee
Awareness
Security Job
Aids
Security
FAQ
Orphan Incident Management
Secure Build
Compliance Monitoring
Service Discovery
OTB AutN
Mobile Devices Desktops
Portable Devices
Smart Appliances
Medical Devices
Handwriting (ICR)
Speech Recognition (IVR)
Company owned
Third-Party
Public Kiosk
Consumer Service Platform
Social Media
Collaboration
Enterprise Service Platform
B2B
B2C
B2E
B2M
Search
E-Mail
P2P
e-Readers
Rules for
Data Retention
Information Security
Policies
Independent Risk Management
Operational Security Baselines
Job Aid Guidelines
Role Based Awareness
Business
Assessment
Technical
Assessment
Data-in-use Encryption (Memory)
Incident Response Legal
Preparation
Key Risk Indicators
Fixed Devices
Mobile Device Management
Equipment
Maintenance
Data
Segregation
Input
Validation
Planning Testing
Environmental Risk Management
Physical Security
Equipment
Location
Power
Redundancy
Network
Segmentation
Authoritative
Time Source
White Listing
White Listing
Operational Risk Committee
End Point
Entitlement Review
Sensitive File
Protection
Behavioral Malware Prevention
Hypervisor Governance and Compliance
Vertical Isolation
Behavioral Malware Prevention
Behavioral Malware Prevention
Secure Sandbox