Sunday, March 20, 2016

Topic 5 / Post 3 – Security Architecture Layer / Software Defined Security - Global Security Compliance Rules

March 20, 2016 / Dennis Holinka

Topic 5 – Security Architecture Layer

This week's posts go over the Security Architecture Layer, the various perspectives, and related reflections in the blog.


Post 3 – Software Defined Security - Global Security Compliance Rules Consolidation


The future of software defined security will be difficult unless there is a metadata driven architecture to provide a central approach to the way security architecture rules and controls are implemented. Most global enterprise are constantly chasing the deluge of controls across multiple privacy, security, legal, regulatory, and compliance taxonomies.  Among the taxonomies that abound are the following frameworks that contribute to creation or redundant mapping of a control:  AICPA 2014 Trust Services Criteria, Canada PIPEDA (Personal Information Protection Electronic Documents Act), COBIT 5.0, COPPA (Children’s Online Privacy Protection Act), CSA Enterprise Architecture, ENISA (European Network Information and Security Agency) Information Assurance Framework, European Union Data Protection Directive 95/36/EC, FERPA (Family Education and Rights Privacy Act), HIPAA/HITECH act and the Omnibus Rule, ISO/IEC 27001:2013, ITAR (International Traffic in Arms Regulation), Mexico - Federal Law on Protection of Personal Data Held by Private Parties, NIST SP800-53 Rev 3 Appendix J, NZISM (New Zealand Information Security Manual), ODCA (Open Data Center Alliance) Usage Model PAAS Interoperability Rev. 2.0, and PCI DSS v3.


In order for software defined security to inter-operate globally and meet programmatic objective and provide adaptability, a central information repository, similar to the one described in the Security Information Requirement for the Security Vision Requirements document described by Gartner.  This central repository should steward the cross mappings of the various global frameworks to simplify the number of controls and implied security architecture designs so that may be programatically applied to IT solutions for the business enterprise.  An example of an organization that provides such cross mappings is the Cloud Security Alliance whose mission it is to standardize on the security controls across domains and frameworks.  The controls matrix provided by the organization (CCM) assist customers in assessing the overall security risk of a provider with its intention of standardizing cloud providers.  According to the Alliance organization, CCM "provides a controls framework in 16 domains that are cross-walked to other industry-accepted security standards, regulations, and controls frameworks to reduce audit complexity, normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud":



 Figure: CSA - CCM version 3.0.1



According to Gartner, Phase 3 is "longer term, expect further transformation of information security to become software-defined itself.  The shift to SDx has the potential to generate organizational disruption" by requiring teams from server, network, storage, and information security integrate into a platform team.  The software defined anything SDx including security will require the standardization of controls and an API based approach similar to Open Stack for Security to emerge to provide the facade for provider specific implementations of security.  For example there are emerging SDN security controllers that can control the flow of open flow traffic defined by SDN.  This is achieved by separating the management, control, and data planes for security as well as network so that each can be controlled.  There are scripting languages such as FRESCO and controllers/kernels such as FORT/NOX that provide the ability to provide dynamic security to the network flows.  Similarly, SOA Gateways can be used to provide similar security features when combined with a programmatic management, control, and data plane provider. 


 Figure: Software Defined Network Security Application - Example


As you can see from the figure that the SDN Controller can manage the security of the software defined network that was topologically assembled.  A similar approach can be used if SDx is used at the process and application component layers as it is used here in the technology layer for network, server, storage, and information repositories (e.g. Data-stores).  The approach of using APIs that can reconfigure configurations/objects and manage intercepts for entry or exit functions for the application and technology layers will be required to provide the SDx Phase 3 integration for security across the IT stack.


Topic 5 / Post 2 – Security Architecture Layer / Application Security Architecture and Applied Design

March 20, 2016 / Dennis Holinka

Topic 5 – Security Architecture Layer

This week's posts go over the Security Architecture Layer, the various perspectives, and related reflections in the blog.

Post 2 – Application Security Architecture and Applied Design

Enterprise Architecture and quite similarly, Security Architecture is riddled with much confusion and ambiguity in how to make their implementations tangible.  If you ask an enterprise architect what consumables he or she will produce, you will fortunate to receive a list of artifacts as described by Gartner in the EA Charter document.  Similarly, Security Architecture has experienced a similar problem in that it is the experience of IT professionals that security architecture has emerged as a checkbox / compliance / controls based set of exercises and has limited if little visual modeling artifacts to produce that would be the visual depiction of the abstractions that are required for the creation of an architecture design.  It is here that there are a number of needed frameworks to provide an Enterprise Architect and even more so, a Solution Architect with a modeling discipline and set of techniques to produce artifacts from.  

Fortunately, the approach I have researched and provide here as a recommendation is the use of the IBM Security Framework and Security Blueprint Methodology coupled with a practical approach of enhancing existing Solution Architecture artifacts with security architecture designs.   The IBM approach formed its framework by decomposing the various sub-components of the Security Framework into parts that a solution architect will have to provide a visual modeling artifact for.  The practical approach of modeling each of these specific areas of control objectives which we can consolidate using a global controls list like CCM from the Cloud Security Alliance.  However, we should align each of the controls into the larger framework provided by the IBM Security Framework:


Figure: Enterprise Security Framework - IBM

The overall framework breaks up into various parts policy management planes and then into subcomponents of the policy domains for the security architecture coverage.  The policy governance and manaagement portions are the Command and Control Management, Security Policy Management, and Risk and Compliance Assessment.  The policy sub domains are Identity, Access and Entitlement Management, Data and Information Protection Management, Software, System and Service Assurance, Threat and Vulnerability Management, IT Service Management, and Physical Asset Management.  Each policy domain is broken into further sub-components along with Security Services Infrastructure components required to be addressed as part of the blueprinting of the solutions.  The solution approach can be enhanced modeling using Archimate and its Extended Motivation Model which maps the controls to the multi layer EA model diagram to document the various components of the framework and blueprint the solution.  


Figure: Archimate Extended Motivation Model - Mastering Archimate (The Open Group)

By documenting each part of the framework using the Risk approach using the Archimate language, the solution artifacts in addition to those documented as part of the TOGAF Security Architecture ADM deliverables will provide a detailed design for implementing and understanding the security architecture designs.  As a matter of convenience I providing the list of subcomponents of the frameworks that will have to be modeled.  The best approach to modeling would be to walk down the security framework and align the various global standardized controls from CCM and place them within governance, policy oversight management, or policy domain sub component frameworks.  Then model the various controls as they apply to the SRV - Security Requirements Vision as detailed in the SSR - Security Solutions Requirement map to the various matrices and traceabilities to STR, SBR, SBP, STT, and SIRs in the SRV.  They are as follows and should use the above Archimate modeling technique to design the security architecture including more detailed models such as UML that will further decompose the Application Architecture layer in Archimate.








Figure: Enterprise Security and BluePrint Framework - IBM

Topic 5 / Post 1 – Security Architecture Layer / Cloud Security for SaaS, PaaS, and IaaS

March 20, 2016 / Dennis Holinka

Topic 5 – Security Architecture Layer

This week's posts go over the Security Architecture Layer, the various perspectives, and related reflections in the blog.

Post 1 – Cloud Security for SaaS, PaaS, and IaaS

The advent of cloud computing has made securing the enterprise more difficult.  As stated in the Gartner research reading, there is risk where "no assessor has gone". That means that all of the controls, processes, procedures, and governance mechanisms have been built over the decades for the internal captive data center.  There has even been some security built for the business to business/customer (B2B/B2C) integration, but the use of hybrid and public cloud have called forth and into question all the historical know how of security controls as they apply to external entities.  The use of public cloud SaaS, PaaS, and IaaS, have begun to create the demand for security architecture and solutions to provide confidentiality, integrity, availability, and safety (CIAS) in order to protect and assure the safety of the business outcomes enabled by information technology.  Moreover, the advent of digital business technologies as a new business distribution channel has required that security be nimble yet highly disciplined so that it provides value add without setting up bureaucratic roadblocks to getting work done.  

Recently, I worked on an effort to bring in the use of public PaaS/SaaS applications for Enterprise File Sharing Services and the use of Social Media for the Enterprise.  Both of these solutions extend the storage and interaction of information outside the walls of the firm and bring with it risks that have not been assessed or mitigated ever before.  The risks associated with the extended enterprise has never been dealt with in such a public manner nor has the business implications and technology issues been understood well enough to move at the speed of business IT.  Even so, where there is a gap in protection, safety, or security, the market will emerge to provide add on solutions to make up for it.

Gartner has characterized the advent of the type of solutions that are providing for what they are calling Data Centric Audit and Protection (DCAP).  According to Gartner's Market Guide for DCAP, "DCAP is a category of products characterized by the ability to centrally manage data security policies and controls across unstructured, semistructured and structured repositories or silos. Based upon data security governance (DSG) principles, these products encompass the ability to classify and discover sensitive datasets and control access to the sensitive data by centrally managing and monitoring privileges and activity of users and administrators. Their ability to detect unusual behavior can result in real-time responses such as alerting or blocking."  These capabilities are very important in public cloud PaaS and SaaS in that security can be circumvented by external enterprise users or external rouge users.  For example, enterprises that use Yammer will be exposed to potential data loss if an employee can post sensitive corporate information on the social channel.  What has made this even more difficult to secure and created the need for intervention security pre and post brokering is that Microsoft is not locking the entry into channels to exist for one corporate subnet to the public cloud provider.  It has allowed for the most flexible access to their services with the expectation that third parties will emerge to protect the channel.  DCAP capabilities have been outlined by Gartner and there are products that are using different aspects of DCAP capabiliites to form four types of product offerings.  The four product segments are database audit and protection (DAP), file-centric audit and protection (FCAP), cloud access security broker (CASB) and data protection (DP) using abilities such as tokenization, data masking, and encryption.  Since there is no single solution that can meet all of the requirements of DCAP, the vendors in each of these spaces are merging into each other's  capabilities across the data silos.  The DCAP capabilities have been documented by Gartner.


Figure: DCAP - Gartner Research
http://www.gartner.com/document/3178623?ref=solrAll&refval=164946567&qid=858c3ad7f63df37892defe77cf75ea41

The abilities of each type of solution is dependent on how vendors are growing their capabilities in these respective spaces.  Forrester has classified these solutions as permutations of Cloud Access Security Intelligence (CASI) Solutions .  CASIs have formed to "discover cloud applications, monitor employee behavior, and prevent data leaks".  In essence, the DCAP capabilities have been uniquely combined to provide specific use case security capabilities to assure business outcomes from the security architecture.  The basic architecture of the extended proxy and non broker solutions is that a combination of broker based and api based pre/post event APIs provide the security protection to assure that enterprises protect the CIAS Secuiity requirements.

Figure: CASI - Forrester Research

This has made the ability to protect business outcomes in the digital / cloud space difficult in comparison to the closed loop enterprise where controls and capabilities were administered internally using enterprise available software.  The future of security architecture in the digital and cloud environments will present unique challenges and opportunities to revisit all of the controls and assumptions that enterprise controls are based as developers, architects, and IT professionals try to bring discipline and security to the extended enterprise that requires flexibility to expand its supply chain processes outside of the immediate enterprise.

Figure: Market Guide for DCAP - Gartner Research

Figure: Market Guide for CASB - Gartner Research