Developing an Architectural Framework towards ...
Presentation Content
Copyright © 2014 Secure Logic 2 www.securelogicgroup.com
- Cyber Threat Landscape
  - Cyber Attack and Threat Profile
  - Cyber Threat Map
- Cyber Security Counterintelligence (through) Architecture Modelling { CSCAM }
  - Reference Architecture
  - Network and Security Principles
  - Data Flow
Copyright © 2014 Secure Logic 3 www.sec-logic.com
Cyber Attack and Threat Profile
- Targeted Attacks vs Non-Targeted Attacks: 50 : 50 ratio
- Attack source: Internal & External
- Top 3 Attack vectors
[Chart, axis 0% to 18%: Loss of Confidential or Proprietary information; Denial-of-Service; Financial Fraud]
Compromised despite having people, process, and technology controls in place
“There are two types of companies: those that have been hacked and those that will be hacked.” Robert Mueller, FBI Director, speaking at the RSA Conference.
Cyber Threat Map
[Figure: attackers' motivation (Curiosity, Personal Fame, Personal Gain) against attackers' expertise (Script-Kiddy, Hobbyist Hacker, Expert). Labels: Vandalism, Author of Tools, Theft. Source – NSS Labs]
Fastest growing segment
Tools created by experts now used by less-skilled criminals, for personal gain
Cyber Threat Map
Threat agents
• Conflict in Nations
• Organized Criminals
• Radical activists
• Cyber-vandals
• Data miner
• Malicious Employees
• Recognition
• Unintentional Errors
Threat Vectors
• Motivation
• Means
• Money
• Assets of interest
MY ASSET
Business Cybersecurity
Objective
Technology Domain
DDOS
Firewall
IPS
AV
HIDS
FIM
Operational Domain
Change Mgt
SIEM
Version Control
Business Domain
Objective
Strategy
Requirements
Cyber Security Counterintelligence (through) Architecture Modelling { CSCAM }
- Reference Architecture
- Network and Security Standards
- Data Flow
Reference Architecture
C-SCAM
The model and methodology for developing risk-driven enterprise information architecture and for delivering sustainable ICT solutions that support critical business initiatives.
The framework is based on these industry standards:
- SABSA – Applied Business Security Architecture
- TOGAF – Enterprise Information Architecture Framework
- ISO 27001 – Information Security Management System
Business Drivers
Key Points:
Services Anytime Anywhere
Community and Industry Collaboration
Citizen Focused Services
Better Information Sharing
Financial and Performance Management
Driver 2020
Strategy 2020
ICT Re-investment pool
Attributes Profiles
Key Points:
Entities and their Relationship
Supplier and Consumption Channels
Contextual Architecture dependencies
IT Network and Security attributes
IT Services Modelling
Strategy Alignment
Key Points:
Commoditise Data Services
Create a Marketplace for external Providers
Promote the use of Virtualisation
High Specification Security Standards
Enable Compliance
Control & Enablement Objectives
Domain & Trust Models
Key Points:
Defines logical and physical boundaries
Set of elements with common security policy
Determines network segregation and controls
Determines Data Flow between Domains, Zones
Enable information exchange
Scenarios & Design Patterns
Scenario 1: Co-Location / Self Managed
Agency/Service Provider A migrates all of their data centre infrastructure to the GovDC facility. Once in place, Agency A operates their data centre infrastructure as a co-located facility, independent from other agencies and marketplace suppliers located within the facility.
Scenario 2: Hybrid Co-Location / Managed Services
Agency/Service Provider B migrates their UNIX infrastructure to the GovDC facility. They choose to replace the remainder of their infrastructure with services sourced from private sector suppliers via GovDC’s service catalogue.
Scenario 3: Fully Managed Services
Agency/Service Provider C has an equipment refresh coming up and they need new infrastructure. Instead of procuring new capacity and infrastructure, they purchase a fully managed service from inside GovDC and migrate to the facility.
Key Points:
Agile and scalable take-up model
Modular and Easy Integration
Standard procedures for on boarding
Reference Architecture and Design Blueprints
Ensure Sustainability and Stability
Zone Placement
[Diagram labels: Agency, Traffic, Applications]
1. DMZ Domain protects the application, data domains and sub-domains (zones) by confirming identity and trust prior to allowing access to these “protected” domains and zones
2. Internal Protection Domain houses agency compute and storage resources, along with a growing number of common services accessible to agency business applications
3. External Cloud Access Domain provides a common interaction point to consume external cloud services
4. Secure Administration Domain provides segregated privileged user access to the systems application, data domains and sub-domains (zones)
5. Services Backbone: provided by GovDC, offers robust, secure connectivity between agency resources
Services & Mechanism
Products & Tools
DMZ Services Stream
- Internet Gateway Services
- IDS / IPS as a Service
- Proxy Gateway Services
- E-mail Gateway Services
- Firewall as a Service
- Remote Access Services
- Application Delivery Services
Secure Administration Domain
- Encryption as a Service
- Hardware Security Module (HSM) as a Service
- Cryptographic Key Management Services
- Authentication as a Service
- Enterprise Policy Services
- DNS as a Service
- Vulnerability Management Services
Internal Protection Domain
- Identity Management Services
- IP Address Management as a Service
- Application Delivery Services
- Proxy Gateway Services
- DLP as a Service
- Collaboration Services
- Mobile Device Management as a Service
Key Points:
Services Anytime Anywhere
Clear Roadmap to ‘Services’ model
Solution ‘Traceability’ and ‘Completeness’
Key benefits today vs Future enablement
‘As a Service’ design modelling
Service Management Matrix
Architectural Governance
Key Points:
Baseline Standards established
Policy and Procedures Framework
Enable Compliance & Assurance
Enable Agency Certification program
Integrated Risk Management model
Data Flow
Key Points:
Data Flow enables info sec assurance
Data integrity and confidentiality maintained
Enables Accountability and controls Visibility
Collaboration with standardised approach
Enable Baseline Security practice
[Data flow diagrams. Legend: Allowed / Not Allowed (X). Captions: DMZ Data Flow; Privileged system access to the PGM protected domain; Privileged system access to the DMZ domain. Elements shown: Private Government Marketplace; Internal Protection Domains and Zones; DMZ; External Domains (Internet); External or Internal Protected User Network; Support Zone(s); Secure Admin Domain; Internal Protection Support Zone(s); SAZ]
Network and Security Principles
The following requirements must be met when using physically separate or virtualised network infrastructure.
- network and security devices facing unclassified protection zones (e.g. unprotected) must exist on physically separate hardware to other domains
- network and security devices used for service redundancy and high availability must run on physically separate hardware to ensure a single hardware failure will not impact availability
- network and security devices used for the secure administration zone must run on physically separate hardware to the systems being administered to ensure protection, segregation and availability during failures
- network connectivity to servers for administration and monitoring should be through separate server network interface cards
- production infrastructure must exist on physically separate hardware to non-production infrastructure.
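One way to audit a device inventory against the four "must" requirements above, as an added example that is not part of the original presentation. The inventory records, field names and domain labels are constructed, and treating every device outside the secure administration domain as a "system being administered" is an assumption.

```python
from collections import defaultdict
from itertools import combinations

def dev(name, chassis, domain, env="prod", unclassified=False, ha=None):
    """Build one inventory record (field names are assumptions for this example)."""
    return {"name": name, "chassis": chassis, "domain": domain, "env": env,
            "faces_unclassified": unclassified, "ha_group": ha}

# Constructed inventory: virtual/physical devices and the physical chassis they run on.
INVENTORY = [
    dev("fw-inet-a", "hw01", "dmz", unclassified=True, ha="inet-fw"),
    dev("fw-inet-b", "hw01", "dmz", unclassified=True, ha="inet-fw"),
    dev("fw-core", "hw01", "internal"),
    dev("fw-admin", "hw02", "secure-admin"),
    dev("sw-test", "hw02", "internal", env="nonprod"),
    dev("sw-app", "hw03", "internal"),
]

def check_separation(inventory):
    """Return sorted (rule, chassis, device_a, device_b) tuples, one per violation."""
    by_chassis = defaultdict(list)
    for d in inventory:
        by_chassis[d["chassis"]].append(d)
    findings = set()
    for chassis, devs in by_chassis.items():
        # Every pair of devices sharing one physical chassis is a candidate violation.
        for a, b in combinations(sorted(devs, key=lambda d: d["name"]), 2):
            pair = (chassis, a["name"], b["name"])
            # Unclassified-facing devices may not share hardware with other domains.
            if (a["faces_unclassified"] or b["faces_unclassified"]) and a["domain"] != b["domain"]:
                findings.add(("unclassified-facing", *pair))
            # Members of one redundancy / HA group need separate hardware.
            if a["ha_group"] and a["ha_group"] == b["ha_group"]:
                findings.add(("ha-pair", *pair))
            # Secure administration devices may not share hardware with administered systems.
            if (a["domain"] == "secure-admin") != (b["domain"] == "secure-admin"):
                findings.add(("admin-separation", *pair))
            # Production and non-production may not share hardware.
            if a["env"] != b["env"]:
                findings.add(("prod-nonprod", *pair))
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_separation(INVENTORY):
        print(finding)
```

The "should" requirement on separate server network interface cards is not checked here, since it concerns host NIC layout rather than shared chassis.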
About Us
Sydney, Singapore, Shanghai & Kuala Lumpur
Secure Logic is committed to developing partnerships with customers who demand a combination of expertise and technical capabilities that deliver innovative solutions for achieving operational maturity.
Sustainability
Stability
Future Growth
Service Category
Thank You
About Secure Logic
Secure Logic was started in 2006 by a group of highly skilled IT professionals looking to redefine IT security. We work across the globe helping businesses identify their IT security needs and align them to their business drivers.
Today, Secure Logic’s consultants work with many key banking and finance organisations, enterprises of all sizes, and government departments assisting them to meet security compliance and governance requirements.
For more information
Visit – www.securelogicgroup.com.au