Kennis sessie Security architectuur Security architecture in practice

Transcription

1 Kennis sessie Security architectuur Security architecture in practice Renato Kuiper 6 december 2017

2 Security, Risk Management, IAM, Cloud and Architecture 2016 Security officer, Security architect, AVG - PGGM VKA: Enterprise Security architect at Dutch Rail roads CSA NL: Cloud Security Alliance/ board member CSA: Cyber Security Academy, program group/ teacher Several PvIB (Platform for Information Security professionals NL) Renato Kuiper rolls and publications Management consultant/ Architect VKA Principal security consultant - CMG Teacher HTS, systems programmer/ security specialist

3 Architecture is like a chicken everyone has their own interpretation

4 Definition of the concept architecture The Architecture (of a system) is the fundamental organization of that system embodied in: its components their relationships to each other and to the environment and the principles guiding its design and evolution. Source: ISO/IEC 42010:2007

5 What s a security architecture (1)? A Security Architecture is a prescriptive document that uses a set of coherent models and principles efficiently and flexibly to guide the implementation of the information security policy of an organization. Source: PvIB Expert Letter June 2009, ISSN , Volume 2 No. 1 Security architecture: a new hype for specialists, or a useful means of communication?

6 What s a security architecture (2)? A security architecture consists of a transparent and coherent overview of models, principles, starting points and conditions that give a concrete interpretation of the information security policy, usually without speaking in terms of specific solutions. A security architecture reduces a complex problem into models, principles and sub problems that can be understood, mainly on the basis of the well-known what, where, when, how, with what and who questions. The models and principles show where you take which type of measures, when the principles are applicable, and how they connect with other principles.

7 Security (in) architecture, gives» Consistency and understanding Understanding the business requirements and the assets of the organization and consistency with the measures to be taken in order to secure and protect that» Transparency and balance Visible relevant security requirements and principles for all assets within the organization, goal of general and specific measures is clear and transparent» Overall picture and clarity A clear and consistent overall design, the consistency of the measures is clear, there are no exceptions incomprehensible or additional measures

8 Practical model within a Dutch transport organisation Example of a positioning

9 Process of developing a cyber security architecture Determine ambition level Assign security Responsibilities It is not a waterfall, every steps has a loop back Determine relevant security controls Determine security services (technical and operations) Mostly forgotten steps: Ambition Governance Roadmap Security implementation guides Security roadmap

10 Process of developing a cyber security architecture Determine ambition level/ principle Assign security Responsibilities Determine relevant security controls Determine security services (technical and operations) Security implementation guides Security roadmap

11 Cyber Security Architecture Lets look at some artefacts

12 Cyber Security Assessment Netherlands CSAN 2015 Adjust it to your threat profile Source:

13 Security principes Business-layer: IB-B1 Risk based IB-B2 IB-B3 IB-B4 IB-B5 Controls based on threats and cost Access control for all information Defence-in-Depth approach Security by Design & Privacy by Design approach Information layer: IB-I1 Need to Know IB-I2 IB-I3 IB-I4 Technical layer: IB-T1 IB-T2 IB-T3 Security though the whole chain Data security/ application security/ infrastructure security Limitation of human errors. Traceability Zoning Scan for Vulnerability and monitor threats Two approaches:» Academic way: on all layers based on business requirements» Pragmatic way: based on discussion with business and security Just some examples, every company has its own set of principles! Look at the security principle paper of ISC2, ISACA and ISF as a inspiration source Every principal contains the Rationales and the implications!!

14 Cyber threat profile and ISO27002 controls (example) Actors and possible attacks (Dutch: manifestaties ) from the NCSC Threat profile translated to controls?? Actor NCSC Threat profile Attack Treat catalogue Threat ISO27002 control Attack Threat control Attack Threat control Actor Attack Threat control Actor Attack Threat control

15 ISO27002 controls to security areas (example) ISO27002 controls addressed in different kind of area s ISO27002 Control Policy Areas Control Organization Control Physical Control Control Security functions Technical security services Security processes

16 Security functions based on NORA (example)

17 NIST Cyber Security Framework

18 Security building blocks

19 Technical security Standards Follow NIST (crypto, logging, authorization and authentication, NCSC,

20 Security services: do it yourself or MSSP SOC?

21 Models for zones/ security domains (example) Untrusted Internet Client Tier (remote work places) Semi- Trusted Basis level A Sensitive level 1a B Critical level 1b Untrusted Client Tier and devices (BYOD) Trusted Trusted

22 Security services and cloud You need something like the CSA CCM to discus these security functionality.

23 Take away Security architecture can help to bridge the gap between policy and implementation. It contain principles, standards and models. Communication instrument to C-level, security, architect,.. and financial people. Describes the governance on strategic, tactical and operational level. It guides the implementation. Uses security functions and services (technical and processes). Gives you a roadmap. Gives input or directs the security project portfolio.

24 The future?? Writing a book, end of I hope. SABSA, à light SABSA for agile environments..

25 Questions?? Thanks for you're attention As of January 1, 2018: 25