Open Enterprise Security. Architecture (O-ESA) A Framework and Template for. Policy-Driven Security. OrTHE GROUP. Pyan Haren ^PUBLISHING

Transcription

1 Open Enterprise Security Architecture (OESA) A Framework and Template for PolicyDriven Security OrTHE en GROUP Pyan Haren ^PUBLISHING

2 V Contents Preface Trademarks Acknowledgements Referenced documents IX XII XIII XIV Chapter 1 Executive overview 1 Chapter 2 Introduction General description of an enterprise security program Enterprise security program framework Enterprise security architecture The house design model The enterprise security system design model Community standards versus corporate standards Building codes and engineering practices versus governance House architecture versus security technology architecture Bill of materials versus security services Maintenance versus operations The remodeling 16 Chapter 3 Security governance Governance components and processes Governance process overview Governance process roles Governance model policy framework Governance principles Security by design Managed risk Usability and manageability Defense in depth Simplicity Resilience Integrity Enforced policy Design for malice 28

3 ISO/IEC XACML VI Mobility 3.6 Policies 3i Policy development Policy template Security policy language Standards, guidelines, and procedures Enforcement Ongoing assessment Governance example Authentication policy example Password quality enforcement standard example Example comments 41 Chapter 4 Security technology architecture Components and processes Conceptual framework for policydriven security Conceptual architecture for policydriven security PDP/PEP detail Identity management architecture Identity management conceptual architecture Identity management logical architecture Identity management security services template User and identity administration services Directory services Identity management physical architecture Federated identity management Border protection architecture Border protection conceptual architecture Border protection logical architecture Border protection security services template Packet filtering service VPN service Proxy services Other security services template Access management services Configuration management services Access control services Authentication services 67

4 VII Authorization services Detection services Visualization Content control services Auditing Cryptographic services 71 services Design and development Design principles Design requirements Explicit requirements Implicit requirements Design best practices Design patterns Security engineering Applying security design with threat models Reusable tools, libraries, and templates Coding best practices Code reviews Code analysis tools Testing best practices Requirementsbased testing Requirementsbased testing tools 85 Chapter 5 Security operations Asset management Security event management Security administration Security compliance Vulnerability management Reactive process for responding to vulnerability notifications Proactive process for vulnerability identification and response Event management Incident management Testing security architecture Security metrics Operational and businessaligned metrics 96

5 HIPAA VIII Objectives What is a security metric? Types of metrics Applying security metrics Types of metrics Designtime metrics Deploytime metrics Runtime metrics Measurers and modelers Security metrics process 105 Chapter 6 Toward policydriven security architecture Policy layers and relationships Policy automation vision Policy automation model Policy automation model example Policy automation roadmap 115 Chapter 7 Conclusions and recommendations Conclusions Recommendations Recommendations to user organizations Recommendations to vendors and standards organizations 125 Appendix A Glossary of resources 127 A.i Security governance resources and tools 127 A.2 NIST references for OESA implementation 129 Appendix B Security Architecture Checklist 131 Glossary 133 Index 139