The document proposes a core and extended model for embedding security within technology solutions. The core model maps out solution components, zones, standards and controls. It shows how solutions consist of multiple components located in zones, with different standards applying. The extended model adds details on security control activities and events. Solution security is described as a "wicked problem" with no clear solution. New technologies introduce new risks to solutions across dispersed landscapes. The document outlines types of solution zones and common component types that make up solutions.
2. Introduction, Purpose And Scope
• These notes describe an approach to embedding security
within the technology solution landscape
• They describe a security model that encompasses the
range of individual solution components up to the entire
solution landscape
March 8, 2022 2
3. Topics
• Core And Extended Solution Security Model
• Solution And Technology Risks
• Solution Zone Types and Zones
• Solution Component Types And Components
• Security Standards And Controls
• Operational Solution Entity Types And Solution Zones
• Operational Solution Entities And Security Controls
4. Proposed Core Solution Security Model
[Diagram: core solution security model; its entities and relationships are:]
• A Solution consists of multiple Solution Components; each Solution Component has a Solution Component Type
• A Solution exists within a Solution Topology of many Solutions
• Solution Components are located in Solution Zones; each Solution Zone has a Solution Zone Type
• Different Security Standards And Controls apply to different Solution Zones
• A deployed Solution consists of multiple Solution Operational Entities; each Solution Operational Entity has a Solution Operational Entity Type
• Solution Operational Entities are located in Solution Zones
• Security Controls apply to Solution Components and to Solution Operational Entities
• Some Solution Components become deployed Solution Operational Entities
5. Proposed Core Solution Security Model
• The proposed solution security model allows the security status of a
solution and its constituent delivery and operational components to
be tracked wherever those components are located
• The core solution security model is essentially a static record
• It provides an integrated approach to solution security across all
solution components and across the entire organisation topology of
solutions
• The model is a balance between simplicity, ease of use, level of detail and
utility
• It allows solution security to be analysed and reported on
• It enables the solution architect to validate the security of an individual
solution
• It enables the security status of the entire solution landscape to be
assessed and recorded
6. Proposed Extended Solution Security Model
[Diagram: extended solution security model; it repeats the core model of slide 4 and adds:]
• Security Controls have Security Control Activities
• Each Security Control Activity has a Security Control Activity Type
• Each Security Control Activity has a Security Control Activity Implementation Status
• There can be Security Control Events linked to Security Control Activities
7. Proposed Extended Solution Security Model
• Model can be extended to hold the activities defined for
each security control and to hold information on events
relating to security controls and activities
• Extended solution security model introduces some
dynamic data
8. What Are We Protecting Against?
• Unauthorised access to solution functionality and its data
involves some or all of:
− Getting the solution to do something it should not
− Stopping the solution from working as it should, or enabling it to be bypassed
− Getting consumers of the solution to perform actions they should not
− Gaining unauthorised access to the solution as a solution consumer
− Getting the data held in the solution
− Damaging the solution to prevent its use
− Denying access to the solution
− Using the solution as a gateway to other organisation solution and data assets
• With the aims of:
− Stealing data to sell or to hold for ransom
− Collecting ransom before the application or data is restored
− Using the application to steal money
− Causing reputational damage
− Stealing intellectual property
− Putting the company out of business
9. New Technology And New Risks
[Diagram: pressures on solution security: dispersed operational solution landscape; new, unfamiliar technologies; error-prone technology deployment and operation; no single pane of glass showing security status; increasing number of threats; reduced skills; more solution entry points; greater complexity and fragility]
10. New Technology And New Risks
• New solution security concerns are continually arising, adding to the
threat landscape
− New solution design, deployment and operating models
− Distributed solution components, distributed solution consumer base,
distributed access with many interfaces, integration points and data flows
− Greater involvement of third-parties and their platforms whose operational
security models and practices are being inherited
− Complexity, with multiple handoffs, gives rise to gaps in the end-to-end view and
in knowledge, which lead to risks
• New technologies introduce new risks, direct and indirect
− Lack of familiarity with technology increases the likelihood of exploitable
mistakes and errors
− New technology is less proven and contains more exploitable errors
− Greater range of solution entry points increases risk
− Exposure of solutions to consumers outside the organisation increases risk
− Human risk factors weaken overall security
• Solution risk and security status is becoming harder to track
11. From …
[Diagram: solution landscape showing: Solution Central Data Store, Solution Central Application Component, Solution API, Solution Central Infrastructure, Solution Hosted Infrastructure, Solution Internal Consumers, Solution External Private Consumers, Solution Hosted Data Store, Solution Hosted Application Component, Solution Hosted Analytics, Access and Security Infrastructure, Central To Hosting Facility Connectivity, Solution External Public Consumers, Solution Mobile App]
12. To …
• Increasing solution landscape complexity and diversity gives rise to implicit and
explicit risks
[Diagram: the same solution landscape components as on the previous slide]
13. Illusion Of The Solution Cocoon
• Solutions do not always exist in
a security cocoon provided by a
range of infrastructural
components, protected from all
malicious actors and actions
that repel all attempts to
penetrate the solution
• Individual solutions must be
aware of their security
requirements and ensure they
are in place
− Take individual solution
responsibility
− Do not make any assumptions on
what security is available
− Perform due diligence on
available and operational security
infrastructure
− Identify and address solution-
specific security needs
14. Illusion Of The Solution Cocoon
• Operational solution components can reside in multiple
locations subject to different sets of security infrastructure,
making the problem of solution security all the greater
15. Solution Security Is A “Wicked Problem*”
• Solution security is a wicked problem because there is no
certainty about when the problem has been resolved and a
state of security has been achieved
• The security state of a solution can only be expressed along
a subjective spectrum of better or worse rather than as a
binary true or false
* Dilemmas in a General Theory of Planning, Horst Rittel and Melvin Webber
https://urbanpolicy.net/wp-content/uploads/2012/11/Rittel+Webber_1973_PolicySciences4-2.pdf
16. Wicked Problem Characteristics And Solution
Security
Characteristics of wicked problems, and how each applies to solution security:
• There is no definite formulation of wicked problems.
− There is no certainty about when security has been fully achieved.
• Wicked problems have no stopping rule.
− There is no stopping rule that states security has been fully achieved once a defined set of activities and controls have been performed and implemented.
• Solutions to wicked problems are not true or false, but good or bad.
− The security state of a solution can only be expressed along a spectrum of better or worse rather than as a binary true or false.
• There is no immediate or ultimate test for solutions.
− The security of a solution is difficult, if not impossible, to establish. Proving the certainty of a negative can be unachievable.
• All attempts at solutions have effects that may not be reversible.
− Implementing solution security impacts the operation and use of the solutions themselves.
• Wicked problems have no clear solution, and perhaps not even a set of possible solutions.
− There is no one security solution but a combination of interrelated and layered security components.
• Every wicked problem is essentially unique.
− There is no one standard solution template for security.
• Every wicked problem may be a symptom of another problem.
− Solution security is only a subset of wider organisation security. A lack of security is a potential problem that has to be exploited for the problem to become real. It is difficult for individual solutions to be secure if an organisation security foundation and framework are not in place.
• There are multiple explanations for the wicked problem.
− Solution security can be defined in many ways.
• The planner (or policy-maker) has no right to be wrong.
− Failure to implement effective solution security can lead to very serious negative consequences: getting it wrong leads to blame, but getting it right does not lead to any praise.
17. Solution Security Negative Outcomes
• Solution security can have negative consequences: it
prevents types of access, limits availability in different
ways, restricts the functionality provided, makes the solution
harder to use, lengthens solution delivery times, increases
costs along the entire solution lifecycle, and leads to loss of
usability, utility and rate of use
• Security requirements and standards may discourage
security, leading to bypass and circumvention actions
• Complex security arrangements may give the illusion of
security that does not exist in reality
18. Solution Inheritance Of Security Infrastructure
• Individual solutions must be able to inherit security controls, facilities and
standards from common enterprise-level controls, standards, toolsets and
frameworks.
• Individual solutions must not be forced to implement individual
infrastructural security facilities and controls
− This is wasteful of solution implementation resources, results in multiple non-
standard approaches to security and represents a security risk to the organisation
• Solution architects must be aware of the need for solution security and of
the need to have enterprise-level controls that solutions can adopt.
• The extended solution landscape potentially consists of a large number of
interacting components and entities located in different zones, each with
different security profiles, requirements and concerns
− Different security concerns and therefore controls apply to each of these
components
• Solution security is not covered by a single control
− It involves multiple overlapping sets of controls providing layers of security
19. Security Model And Inheritance Of Security Controls
• Defining a security model and set of solution zone and
operational entity controls allows the existence of and the
solution inheritance of security controls to be validated
and potential security gaps to be identified
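As an added example that is not part of the original slides, the following Python sketch implements the core model of slides 4 and 5 and the validation described on slide 19: components are placed in zones, zone types carry the controls that apply to them, and a check reports every control a component neither inherits from its zone's infrastructure nor implements itself. The zone type, control and component type names are taken from the slides; the mapping of controls to zone types, the statuses and the sample solution are assumptions constructed for the example.

```python
"""Added example (not from the original slides): an in-memory version of the
core solution security model with a security-gap check.  The mapping of
controls to zone types and the sample solution are constructed for
illustration; zone type and control names come from the slides."""
from dataclasses import dataclass, field

# Controls required in each solution zone type (assumed mapping: the slides
# list the zone types and controls separately and leave the mapping to
# the organisation's security standards).
CONTROLS_BY_ZONE_TYPE = {
    "Insecure External Organisation Presentation And Access": {
        "Browser Protection", "Penetration Testing", "Network Monitoring"},
    "Cloud Service Provider Solutions and Access": {
        "Supplier and Service Provider Management",
        "Continuous Vulnerability Management", "Audit Log Management"},
    "Data Zone": {"Data Protection",
                  "Data Management, Backup and Recovery",
                  "Access Control Management"},
    "Solution Zone": {"Application Solution Security",
                      "Malware Defence", "Solution Monitoring"},
}


@dataclass(frozen=True)
class Zone:
    name: str
    zone_type: str
    # controls provided by the zone's shared security infrastructure, which a
    # solution placed in the zone may inherit (slide 18)
    inherited_controls: frozenset = frozenset()


@dataclass(frozen=True)
class Component:
    name: str
    component_type: str
    zone: Zone
    # controls the solution implements itself for this component
    own_controls: frozenset = frozenset()


@dataclass
class Solution:
    name: str
    components: list = field(default_factory=list)

    def security_gaps(self):
        """Return {component name: missing controls} for each component whose
        zone type requires a control that is neither inherited from the zone
        nor implemented by the component itself."""
        gaps = {}
        for c in self.components:
            required = CONTROLS_BY_ZONE_TYPE.get(c.zone.zone_type, set())
            available = c.zone.inherited_controls | c.own_controls
            missing = required - available
            if missing:
                gaps[c.name] = missing
        return gaps

    def coverage(self):
        """Fraction of required control obligations that are met: a position on
        a better/worse spectrum, not a secure/insecure verdict (slide 15)."""
        required = met = 0
        for c in self.components:
            for ctl in CONTROLS_BY_ZONE_TYPE.get(c.zone.zone_type, set()):
                required += 1
                met += ctl in (c.zone.inherited_controls | c.own_controls)
        return met / required if required else 1.0


def sample_solution():
    """Constructed sample: an order-entry solution spanning three zones."""
    dmz = Zone("internet-facing web tier",
               "Insecure External Organisation Presentation And Access",
               frozenset({"Network Monitoring", "Penetration Testing"}))
    cloud = Zone("public cloud tenancy",
                 "Cloud Service Provider Solutions and Access",
                 frozenset({"Audit Log Management"}))
    data = Zone("core database segment", "Data Zone",
                frozenset({"Access Control Management", "Data Protection",
                           "Data Management, Backup and Recovery"}))
    return Solution("Order Entry", [
        Component("customer web app", "New Custom Developed Applications",
                  dmz, frozenset({"Browser Protection"})),
        Component("order API", "System Integrations/ Data Transfers/ Exchanges",
                  cloud, frozenset({"Continuous Vulnerability Management"})),
        Component("order store", "Information Storage Facilities", data),
    ])


if __name__ == "__main__":
    s = sample_solution()
    for name, missing in s.security_gaps().items():
        print(f"{name}: missing {sorted(missing)}")
    print(f"coverage: {s.coverage():.0%}")
```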
20. Solution Architecture And Interfaces With Other IT
Architecture Disciplines
• The solution architecture discipline must work with other IT architecture disciplines,
including security architecture
• Enterprise architecture needs to embed security into the organisation’s overall IT
architecture
[Diagram: overall architecture framework showing Enterprise Architecture; Business Architecture; Business Context; Business Process, Products; Information and Data Architecture; Data Architecture; Application Architecture; Technical Architecture; Infrastructure Architecture; Solution Architecture; Service Architecture; Service Operation and Support; Security Architecture; Security Standards]
21. Solution Zone Types and Zones
[Diagram: core solution security model, repeated from slide 4]
22. Solution Zones
• Solution zones are locations where groups of closely related solution
components reside
• They represent containers for solution components
• Zones are located within the wider physical solution landscape
• Each zone and the components it holds have different security
requirements
• Not all solutions will have components in all zones, and not all
organisations will have all the zone types
• A solution and its constituent components can span multiple
different zones of the same type
• The zone approach is a useful way of representing the entirety of a
solution, its constituent components, their connectivity, linkages and
interactions
• You will have different levels of control over different solution zones
(including no control)
25. Sample Solution Zone Types
Zone type and description:
• Insecure External Organisation Presentation And Access: where publicly accessible or accessing entities reside; these entities are regarded as insecure and/or untrusted
• Secure External Organisation Participation and Collaboration: outside the physical organisation boundary, where entities provided by or to trusted external parties reside
• Secure External Organisation Access: contains entities that enable secure access from, or are securely accessible from, outside the organisation
• Organisation: contains the entities within the organisation boundary, including all the locations, business units and functions within it
• Central Solutions and Access: contains the solution entities and their data
• Solution Zone: contains the solution entities
• Data Zone: zone within the organisation where data is segregated for security
• Remote Business Unit Solutions and Access: a remotely located organisation business unit or location and the entities it contains
• Workstation Zone: zone within the organisation where users accessing data and solutions are segregated for security
• Outsourced Service Provider Solutions and Access: contains solutions provided by, and located in facilities provided by, outsourced partners
• Cloud Service Provider Solutions and Access: contains solutions (platform, infrastructure and service) provided by and located in cloud service providers
• Co-Located Solutions and Access: contains solutions the organisation has located in facilities provided by co-location providers
26. Solution Component Types And Components
[Diagram: core solution security model, repeated from slide 4]
27. Solution Components
• The functional and operational design of any solution and
therefore its security will include many of these components,
including those inherited by the solution or common
components used by the solution
• When creating the end-to-end solution design the solution
architect should identify all the required solution components
• The complete solution security view should refer explicitly to
the components and their controls
• While each individual solution should be able to inherit the
security controls provided by these components, the solution
design should include explicit reference to them for
completeness and to avoid unvalidated assumptions
• There is a common and generalised set of components, many of
which are shared, within the wider solution topology that
should be considered when assessing overall solution security
28. Solution Is The Sum Of Its Components
• The solution is a window onto its constituent components
• Solution consumers experience the totality of the solution
29. Solution Components Classes
• Time-Bounded Delivery Entity Types
− Time-bounded sets of work required to get the solution fully
operational
• Enduring Operational Technology Entity Types
− Operational instrumentation and tool components required for
the solution to operate
• Enduring Process, Procedure and Structural Entity Types
− Organisation and process changes required to use the solution
optimally
30. Solution Components Classes And Types
Solution Components
• Time-Bounded Delivery Entity Types
− Sets of Installation and Implementation Services
− Existing Data Conversions/Migrations
− New Data Loads
− Parallel Runs
− Enhanced Support/Hypercare
• Enduring Operational Technology Entity Types
− Changes to Existing Systems
− New Custom Developed Applications
− Acquired and Customised Software Products
− System Integrations/Data Transfers/Exchanges
− Reporting and Analysis Facilities
− Information Storage Facilities
− Central, Distributed and Communications Infrastructure
− Application Hosting and Management Services
• Enduring Process, Procedure and Structural Entity Types
− Cutover/Transfer to Production and Support
− Operational Functions and Processes
− Sets of Maintenance, Service Management and Support Services
− Changes to Existing Business Processes
− New Business Processes
− Organisational Changes, Knowledge Management
− Training and Documentation
31. Solution Will Consist Of Multiple Instances Of Solution
Component Types
[Diagram: a solution shown as many component instances, each an instance of one of the component types listed on slide 30]
32. Solution Topography
• Irrespective of whether the solution is hosted inside or outside the organisation, it
will still need to operate in a solution topography consisting of a number of logical
layers
• This topography is important as it implicitly or explicitly delineates borders to what
is feasible
[Diagram: the logical layers of the solution topography:]
• Common Service Management Processes and Standards: solution support, service level management
• Common Financial Management Processes and Standards: solution cost and asset management
• Common Enterprise Architecture Standards: compliance with organisation technology standards and principles
• Common Security and Regulatory Compliance Architecture: integration of the solution into overall security standards and operations
• Common Data Architecture: integration of solution data into the organisation data model and access to solution data; compliance with data regulations and standards
• Business Process and Organisation Structure: business processes and organisation functions that use the solution
• Extended Solution Landscape With Integration With Other Solutions: solution support, service level management, integration, data exchange
• Individual Solution Landscape: set of components that comprise the overall solution
33. Solution Topography
• Individual solutions do not exist in isolation even though
they may be acquired or implemented separately
• The organisation's operational solution landscape consists of
many individual solutions located across many different
solution zones
34. Solution Topography
[Diagram: the solution topography layers: Extended Solution Landscape With Integration With Other Solutions; Individual Solution Landscape; Business Process and Organisation Structure; Common Data Architecture; Common Security and Regulatory Compliance Architecture; Common Enterprise Architecture Standards; Common Financial Management Processes and Standards; Common Service Management Processes and Standards]
35. Security Standards And Controls
[Diagram: core solution security model, repeated from slide 4]
36. Operational Security Controls
• Security controls represent a set of infrastructural facilities
and associated processes designed to provide a
comprehensive and overlapping set of security protection
and defence
− Security is not achieved by one control but by layers of controls
• Security controls can be used as a checklist during solution
design, prior to operational acceptance testing, to ensure
that the solution and its operating environment are security
compliant
• Security controls must be realistic and achievable to assess,
implement and operate
− Complexity is the enemy of effectiveness and usefulness
38. Operational Security Controls
Security control and control scope:
• Asset Security: design, implement and operate tools and processes to ensure the security of infrastructure and software assets through active asset inventory management
• Network Monitoring: design, implement and operate tools and processes to monitor network infrastructure, ensuring only authorised software can be installed and run, and to provide defence against security threats and attacks
• Penetration Testing: design, implement and operate tools and processes to test solutions and their infrastructure to identify and resolve vulnerabilities and weaknesses in their design, implementation and operation through the simulation of attacks
• Browser Protection: design, implement and operate tools and processes to monitor, analyse, detect and act on browser-based attacks and browser vulnerabilities
• Solution Availability, Resilience, Fault Tolerance and Recovery: design, implement and operate infrastructure, facilities and processes to ensure the availability of the solution, resilience against component failure and recovery in the event of failure
• Access Control Management: design, implement and operate tools and processes for the creation, assignment, management and revocation of access credentials and privileges for solution and data access by administrator, user and service accounts
• Account Management: design, implement and operate tools and processes to assign and manage authorisation to credentials for service, administrator and user accounts, including administrator accounts
• Email Protection: design, implement and operate tools and processes to monitor, analyse, detect and act on email-based attacks and email vulnerabilities
• Application Solution Security: design, implement and operate tools and processes to manage the security aspects of developed, acquired or externally hosted solutions and to identify, prevent, detect and resolve security weaknesses and vulnerabilities
• Malware Defence: design, implement and operate tools and processes to prevent the installation, spread and execution of malicious applications, code or scripts
• Solution Monitoring: design, implement and operate tools and processes to monitor, analyse and report on the usage of a solution and its constituent components, including resource consumption and performance
• Audit Log Management: design, implement and operate tools and processes to collect, store, analyse, alert on and review audit logs of solution activity events, to facilitate the detection of, understanding of and recovery from an attack
• Inventory and Control of Assets: design, implement and operate tools and processes to manage the infrastructure and software assets that comprise the totality of solutions, in order to actively manage those assets
• Data Management, Backup and Recovery: design, implement and operate tools and processes to manage solution data and establish data backup and recovery, including the integrity of backup data
• Supplier and Service Provider Management: design, implement and operate tools and processes to initially assess and continually monitor the security arrangements of solution component suppliers and service providers and of the components and services they provide
• Network Management: design, implement and operate tools and processes to design, implement, operate and manage the security of network infrastructure and facilities, including their vulnerabilities
• Continuous Vulnerability Management: design, implement and operate tools and processes to continuously assess and track vulnerabilities on all solution components in order to identify, respond to, remediate and minimise attacks
• Data Protection: design, implement and operate tools and processes to identify, classify, securely handle, manage access to, manage regulatory compliance for, and appropriately retain and dispose of solution data
39. Operational Security Controls Activities
[Diagram: the generic activity phases for each security control]
• Establish
− Establish and configure the security control
− Define and implement the operational processes
− Allocate resources and budget
− Define the control operation/usage data collection framework
− Define the control data model
− Define management and reporting procedures
• Detect
− Operate processes and procedures to analyse collected data to identify potential security breaches and vulnerabilities
• Identify
− Identify any potential control breaches or deviations
− Assess the potential control breaches or deviations
− Escalate as appropriate
• Respond
− Respond to potential control breaches or deviations
− Identify actions
− Track performance of actions
− Report on actions
− Improve based on analysis
40. Security Controls Activities – Asset Security
• Breakdown of activities for the Asset Security control area
• Establish
− Implement tools and processes to scan, collect, store and provide access to infrastructure and software asset data and their configuration
− Implement processes to identify changes
− Implement processes to subscribe to vulnerability updates
− Implement processes to monitor vulnerabilities and manage updates
− Implement processes to disable assets
− Implement processes to authorise changes to assets
− Implement infrastructure device management including patching and software update distribution
− Establish business function and allocate resources to operate asset management
− Define asset security roles and responsibilities
− Implement reporting and information access processes
• Detect
− Operate asset security management data collection processes
− Detect asset changes
− Analyse collected asset data to detect potential asset security breaches
− Operate escalation processes
− Operate asset security incident management processes
− Operate asset security problem management processes
• Identify
− Identify and evaluate asset security breaches and vulnerabilities
• Respond
− Create asset security breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions
− Handle security breaches and vulnerabilities
− Assign actions and activities
− Work through action plan and report on progress
− Finalise action plan
41. Security Controls Activities – Network Monitoring
• Breakdown of activities for the Network Monitoring
control area
• Establish
− Acquire and implement tools and processes to monitor the network infrastructure, perform intrusion detection, traffic filtering and anti-malware, collect data on network operations and use, generate alerts and manage events
− Implement processes to handle alerts and events and identify and manage network issues raised
− Implement processes to subscribe to network security updates
− Implement processes to authorise changes to network configuration
− Establish business function and allocate resources to operate network monitoring
− Define network monitoring roles and responsibilities
− Implement network monitoring reporting and information access processes
• Detect
− Operate network monitoring alerting and event management
− Operate network data collection processes
− Operate escalation processes
− Operate network monitoring alerting and event incident management processes
− Operate network monitoring alerting and event problem management processes
− Manage network monitoring alerting and event management infrastructure and apply patches and updates
• Identify
− Identify, evaluate and prioritise network breaches and vulnerabilities
• Respond
− Create network monitoring alerting and event management breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions
− Handle network monitoring alerting and event management breaches and vulnerabilities
− Assign actions and activities
− Work through action plan and report on progress
− Finalise action plan
42. Security Controls Activities
• The control activities represent a general set of actions
relating to each control
• The specific detail for each control is different
43. Security Standards
• There are many security standards including:
− AICPA Trust Services Criteria - https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/trustdataintegritytaskforce
− CIS Critical Security Controls - https://learn.cisecurity.org/cis-controls-download
− Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) - https://cloudsecurityalliance.org/research/cloud-controls-matrix/
− COBIT (Control Objectives for Information and Related Technologies) - https://www.isaca.org/resources/cobit
− COSO, Managing Cyber Risk in a Digital Age - https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf
− Cybersecurity Maturity Model Certification (CMMC) - https://www.acq.osd.mil/cmmc/documentation.html
− FS.31 GSMA Baseline Security Controls - https://www.gsma.com/security/resources/fs-31-gsma-baseline-security-controls/
− ISO/IEC 27000 series (ISO/IEC 27001) - https://www.iso.org/isoiec-27001-information-security.html
− NIST Cybersecurity Framework (CSF) - https://www.nist.gov/cyberframework
− NIST Framework for Improving Critical Infrastructure Cybersecurity, version 1.1 (the CSF document itself) - http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
− NIST SP 1800 series (practice guides) - https://csrc.nist.gov/publications/sp1800
− NIST SP 800-53 Revision 5 controls (release 5.1, OSCAL-derived spreadsheet) - https://csrc.nist.gov/CSRC/media/Projects/risk-management/800-53%20Downloads/800-53r5/NIST_SP-800-53_rev5-derived-OSCAL.xlsx
− NIST SP 800-53 control downloads (Cybersecurity Framework, 800-53 and 800-171 mappings) - https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/downloads
− US FedRAMP (Federal Risk and Authorization Management Program), FedRAMP Tailored - https://tailored.fedramp.gov/
44. Security Standards
• Security standards exist at various levels with varying levels
of detail and complexity
− Some are very detailed with hundreds of controls
• There needs to be a balance between complexity and level
of detail and the ease of implementation, operation and
use
• There are no specific solution-oriented security standards that span all solution component types and operational deployment patterns
45. Operational Solution Entities And Solution Zones
(Figure: the core solution security model extended with operational entities. Relationships shown: a solution consists of multiple components; each solution component has a type; a solution exists within a topology of many solutions; solution components are located in solution zones; each solution zone has a type; different security standards and controls apply to solution zones; a deployed solution consists of multiple operational entities; each solution operational entity has a type; solution operational entities are located in solution zones; security controls apply to solution components; security controls apply to solution operational entities; some solution components become deployed operational entities.)
46. Operational Solution Entities
Solution components grouped by operational entity type:
• Time-Bounded Delivery Entity Types
− Sets of Installation and Implementation Services
− Existing Data Conversions/Migrations
− New Data Loads
− Parallel Runs
− Enhanced Support/Hypercare
• Enduring Operational Technology Entity Types
− Changes to Existing Systems
− New Custom Developed Applications
− Acquired and Customised Software Products
− System Integrations/Data Transfers/Exchanges
− Reporting and Analysis Facilities
− Information Storage Facilities
− Central, Distributed and Communications Infrastructure
− Application Hosting and Management Services
• Enduring Process, Procedure and Structural Entity Types
− Cutover/Transfer to Production and Support
− Operational Functions and Processes
− Sets of Maintenance, Service Management and Support Services
− Changes to Existing Business Processes
− New Business Processes
− Organisational Changes, Knowledge Management
− Training and Documentation
47. Operational Solution Entities
• The designed, deployed and operational solution
components become solution operational entities
• Solution security starts with the solution design process
• These physical entities reside in the solution zones
• As with solution component types and solution
components, there are operational entity types and
instances of those types that are the actual solution
operational entities
• Operational security controls and protection activities need
to focus on these entities – they are the main points of
solution vulnerability
48. Operational Solution Entities
(Figure: each solution component type listed on slide 46, from Changes to Existing Systems through Training and Documentation, shown as a deployed operation entity.)
50. Operational Solution Entity Types – 1
Operational Entity Type: Description
• External Data Sources: Data sources outside the organisation boundary providing data to the organisation
• External Public Interacting Parties: Public solution consumers outside the organisation and outside the control of the organisation
• External Data Telemetry Devices: Devices owned by the organisation in public locations and from which solutions receive data
• External Telecommand Devices: Devices owned by the organisation in public locations and to which solutions send commands
• External Private Interacting Parties: Solution consumers external to the organisation with whom the organisation has a relationship and who may have authenticated access
• Externally Located Employees: Employees accessing organisation solutions from outside the organisation's security boundary
• Mobile Employees: Employees accessing organisation solutions outside the organisation but within the organisation's extended security boundary
• Private Access Groups: Interaction areas for secure collaboration with third parties with authenticated access
• Publicly Accessible Solutions: Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication
• Externally Accessible Solutions: Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication
• Data Access, Exchange and Service Gateway: Facility that allows access to organisation data and services and enables the exchange and transfer of data
• Secure Communications Access: Component that provides common secure communications facilities to solutions
• Identity, Access and Authentication: Component providing common facilities for identity and access management and consumer authorisation and authentication
• Access and Activity Logging: Component that provides facilities to log resource accesses, activities and events
• Anti-Virus, Malware Defence: Provides protection against viruses and other malware
• Network Monitoring: Provides facilities to monitor network access, usage and performance
• Threat Protection and Vulnerability Checking: Provides protection against vulnerabilities contained in solutions and any components they use or incorporate
• Business Continuity and Disaster Recovery: Component that provides common secure business continuity and disaster recovery facilities to solutions
• Mail: Organisation email facility
• Identity, Access and Authentication (Central Solutions and Access zone): Component that provides common secure identity, authentication and access control facilities to solutions
• Backup and Recovery: Organisation data backup and recovery facility
• Internally Accessible Solutions: Solutions deployed on on-premises infrastructure designed to be used by internal solution consumers
• Solution Structured Data Stores: Database-oriented data stores for solutions deployed on on-premises infrastructure
• Solution Unstructured Data Stores: Non-database (file, document and object) data stores for solutions deployed on on-premises infrastructure
• Business Unit Solution Access Group: Set of solution consumers located within a separately located business unit
• Solution Access Groups: Set of solution consumers located within the central organisation
• Outsourced Service Provider Connectivity and Access: Component within an outsourced service provider for secure connectivity and access to outsourced solutions and data
• Outsourced Service Provider Access and Authentication: Facility within an outsourced service provider for identity and access management and consumer authorisation and authentication
51. Operational Solution Entity Types – 2
Operational Entity Type: Description
• Hosted Shared Solutions: Solutions on a shared platform hosted within an outsourced service provider
• Hosted Shared Solution Data Stores: Data stores for solutions on a shared platform deployed within an outsourced service provider
• Hosted Dedicated Solutions: Solutions on a dedicated platform hosted within an outsourced service provider
• Hosted Dedicated Solution Data Stores: Data stores for solutions on a dedicated platform deployed within an outsourced service provider
• Cloud Service Provider Connectivity and Access: Component within a cloud service provider for secure connectivity and access to cloud-located solutions and data
• Cloud Service Provider Access and Authentication: Component within a cloud service provider providing facilities for identity and access management and consumer authorisation and authentication
• Internally Accessible Infrastructure Deployed Solutions: Solutions deployed in an IaaS pattern designed for use within the organisation
• Externally Accessible Infrastructure Deployed Solutions: Solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers
• Internally Accessible Infrastructure Deployed Solutions Data Stores: Data stores for solutions deployed in an IaaS pattern designed for use within the organisation
• Internally Accessible Platform Deployed Solutions: Solutions deployed in a PaaS pattern designed for use within the organisation
• Externally Accessible Infrastructure Deployed Solutions Data Stores: Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers
• Externally Accessible Platform Deployed Solutions: Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers
• Publicly Accessible Platform Deployed Solutions: Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers
• Publicly Accessible Infrastructure Deployed Solutions: Solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers
• Publicly Accessible Infrastructure Deployed Solutions Data Stores: Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers
• Platform Deployed Solutions Data Stores: Data stores for solutions deployed in a PaaS pattern
• Externally Accessible Service Deployed Solutions: Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers
• Publicly Accessible Service Deployed Solutions: Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers
• Internally Accessible Service Deployed Solutions: Solutions deployed in a SaaS pattern designed for use within the organisation
• Service Deployed Solutions Data Stores: Data stores for solutions deployed in a SaaS pattern
• Co-Location Provider Connectivity and Access: Component within a co-location service provider for secure connectivity and access to co-located solutions and data
• Co-Location Identity, Access and Authentication: Facility within a co-location service provider for identity and access management and consumer authorisation and authentication
• Co-Located Solutions: Solutions hosted within a co-location service provider
• Co-Located Solution Data Stores: Data stores for solutions hosted within a co-location service provider
52. Operational Solution Entity Types And Solution Zone Type – 1
Zone: operational entity types located in it
• Insecure External Organisation Presentation And Access
− External Data Sources
− External Public Interacting Parties
− External Data Telemetry Devices
− External Telecommand Devices
• Secure External Organisation Participation and Collaboration
− External Private Interacting Parties
− Externally Located Employees
− Mobile Employees
− Private Access Groups
• Secure External Organisation Access
− Publicly Accessible Solutions
− Externally Accessible Solutions
− Data Access, Exchange and Service Gateway
− Secure Communications Access
− Identity, Access and Authentication
• Organisation
− Access and Activity Logging
− Anti-Virus, Malware Defence
− Network Monitoring
− Threat Protection and Vulnerability Checking
− Business Continuity and Disaster Recovery
• Central Solutions and Access
− Mail
− Identity, Access and Authentication
− Backup and Recovery
• Solution Zone
− Internally Accessible Solutions
• Data Zone
− Solution Structured Data Stores
− Solution Unstructured Data Stores
53. Operational Solution Entity Types And Solution Zone Type – 2
Zone: operational entity types located in it
• Outsourced Service Provider Solutions and Access
− Outsourced Service Provider Connectivity and Access
− Outsourced Service Provider Access and Authentication
− Hosted Shared Solutions
− Hosted Shared Solution Data Stores
− Hosted Dedicated Solutions
− Hosted Dedicated Solution Data Stores
• Cloud Service Provider Solutions and Access
− Cloud Service Provider Connectivity and Access
− Cloud Service Provider Access and Authentication
− Internally Accessible Infrastructure Deployed Solutions
− Externally Accessible Infrastructure Deployed Solutions
− Internally Accessible Infrastructure Deployed Solutions Data Stores
− Internally Accessible Platform Deployed Solutions
− Externally Accessible Infrastructure Deployed Solutions Data Stores
− Externally Accessible Platform Deployed Solutions
− Publicly Accessible Platform Deployed Solutions
− Publicly Accessible Infrastructure Deployed Solutions
− Publicly Accessible Infrastructure Deployed Solutions Data Stores
− Platform Deployed Solutions Data Stores
− Externally Accessible Service Deployed Solutions
− Publicly Accessible Service Deployed Solutions
− Internally Accessible Service Deployed Solutions
− Service Deployed Solutions Data Stores
• Co-Located Solutions and Access
− Co-Location Provider Connectivity and Access
− Co-Location Identity, Access and Authentication
− Co-Located Solutions
− Co-Located Solution Data Stores
54. Operational Solution Entity Types And Security Controls
• Security controls apply to operational solution entity types
• Each operational entity type will have different security control requirements depending on what the entity does and in what zone it is located
• The security control areas mapped against each operational entity are:
− Asset Security
− Account Management
− Access Control Management
− Solution Availability, Resilience, Fault Tolerance and Recovery
− Solution Monitoring
− Inventory and Control of Assets
− Data Protection
− Audit Log Management
− Application Solution Security
− Browser Protection
− Email Protection
− Malware Defense
− Data Management and Backup and Recovery
− Network Monitoring
− Penetration Testing
− Continuous Vulnerability Management
− Network Management
− Supplier and Service Provider Management
55. Security Controls And Operational Solution Entity Types
• External Data Sources: Data sources outside the organisation boundary providing data to the organisation
• External Public Interacting Parties: Public solution consumers outside the organisation and outside the control of the organisation
• External Data Telemetry Devices: Devices owned by the organisation in public locations and from which solutions receive data
56. Security Controls And Operational Solution Entity Types
• External Telecommand Devices: Devices owned by the organisation in public locations and to which solutions send commands
• External Private Interacting Parties: Solution consumers external to the organisation with whom the organisation has a relationship and who may have authenticated access
• Mobile Employees: Employees accessing organisation solutions outside the organisation but within the organisation's extended security boundary
Security controls shown for External Telecommand Devices:
− Account Management
− Access Control Management
− Inventory and Control of Assets
− Data Protection
− Audit Log Management
− Application Solution Security
− Malware Defense
− Data Management and Backup and Recovery
− Network Monitoring
− Penetration Testing
− Continuous Vulnerability Management
− Network Management
57. Security Controls And Operational Solution Entity Types
• Private Access Groups: Interaction areas for secure collaboration with third parties with authenticated access
• Publicly Accessible Solutions: Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication
• Externally Accessible Solutions: Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication
58. Security Controls And Operational Solution Entity Types
• Data Access, Exchange and Service Gateway: Facility that allows access to organisation data and services and enables the exchange and transfer of data
• Secure Communications Access: Component that provides common secure communications facilities to solutions
• Identity, Access and Authentication: Component providing common facilities for identity and access management and consumer authorisation and authentication
59. Security Controls And Operational Solution Entity Types
• Access and Activity Logging: Component that provides facilities to log resource accesses, activities and events
• Anti-Virus, Malware Defence: Provides protection against viruses and other malware
• Network Monitoring: Provides facilities to monitor network access, usage and performance
60. Security Controls And Operational Solution Entity Types
• Threat Protection and Vulnerability Checking: Provides protection against vulnerabilities contained in solutions and any components they use or incorporate
• Business Continuity and Disaster Recovery: Component that provides common secure business continuity and disaster recovery facilities to solutions
• Mail: Organisation email facility
61. Security Controls And Operational Solution Entity Types
• Identity, Access and Authentication (Central Solutions and Access zone): Component that provides common secure identity, authentication and access control facilities to solutions
• Backup and Recovery: Organisation data backup and recovery facility
• Internally Accessible Solutions: Solutions deployed on on-premises infrastructure designed to be used by internal solution consumers
62. Security Controls And Operational Solution Entity Types
• Solution Structured Data Stores: Database-oriented data stores for solutions deployed on on-premises infrastructure
• Solution Unstructured Data Stores: Non-database (file, document and object) data stores for solutions deployed on on-premises infrastructure
• Business Unit Solution Access Group: Set of solution consumers located within a separately located business unit
63. Security Controls And Operational Solution Entity Types
• Solution Access Groups: Set of solution consumers located within the central organisation
• Outsourced Service Provider Connectivity and Access: Component within an outsourced service provider for secure connectivity and access to outsourced solutions and data
• Outsourced Service Provider Access and Authentication: Facility within an outsourced service provider for identity and access management and consumer authorisation and authentication
64. Security Controls And Operational Solution Entity Types
• Hosted Shared Solutions: Solutions on a shared platform hosted within an outsourced service provider
• Hosted Shared Solution Data Stores: Data stores for solutions on a shared platform deployed within an outsourced service provider
• Hosted Dedicated Solutions: Solutions on a dedicated platform hosted within an outsourced service provider
65. Security Controls And Operational Solution Entity Types
• Hosted Dedicated Solution Data Stores: Data stores for solutions on a dedicated platform deployed within an outsourced service provider
• Cloud Service Provider Connectivity and Access: Component within a cloud service provider for secure connectivity and access to cloud-located solutions and data
• Cloud Service Provider Access and Authentication: Component within a cloud service provider providing facilities for identity and access management and consumer authorisation and authentication
66. Security Controls And Operational Solution Entity Types
• Internally Accessible Infrastructure Deployed Solutions: Solutions deployed in an IaaS pattern designed for use within the organisation
• Internally Accessible Infrastructure Deployed Solutions Data Stores: Data stores for solutions deployed in an IaaS pattern designed for use within the organisation
• Internally Accessible Platform Deployed Solutions: Solutions deployed in a PaaS pattern designed for use within the organisation
67. Security Controls And Operational Solution Entity Types
• Internally Accessible Service Deployed Solutions: Solutions deployed in a SaaS pattern designed for use within the organisation
• Externally Accessible Infrastructure Deployed Solutions: Solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers
• Externally Accessible Infrastructure Deployed Solutions Data Stores: Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers
68. Security Controls And Operational Solution Entity Types
• Externally Accessible Platform Deployed Solutions: Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers
• Externally Accessible Service Deployed Solutions: Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers
• Publicly Accessible Infrastructure Deployed Solutions: Solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers
69. Security Controls And Operational Solution Entity Types
• Publicly Accessible Infrastructure Deployed Solutions Data Stores: Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers
• Publicly Accessible Platform Deployed Solutions: Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers
• Platform Deployed Solutions Data Stores: Data stores for solutions deployed in a PaaS pattern
70. Security Controls And Operational Solution Entity Types
• Service Deployed Solutions Data Stores: Data stores for solutions deployed in a SaaS pattern
• Co-Location Provider Connectivity and Access: Component within a co-location service provider for secure connectivity and access to co-located solutions and data
• Co-Location Identity, Access and Authentication: Facility within a co-location service provider for identity and access management and consumer authorisation and authentication
71. Security Controls And Operational Solution Entity Types
• Co-Located Solutions: Solutions hosted within a co-location service provider
• Co-Located Solution Data Stores: Data stores for solutions hosted within a co-location service provider
72. Sample Solution Security Data Model
• The sample core and extended conceptual solution security data models described earlier can be translated into a more tangible and usable data model
• The data model is small enough to implement directly, as a set of related tables or classes holding zone types, zones, component and entity types, the entities themselves and the security controls required of and implemented by each
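The data model described above, together with the zone-and-entity-driven control requirements of slide 54, as an added worked example (this is not code from the original notes): a small Python data model with the stage-gate check the summary calls for, i.e. required controls versus implemented controls per operational entity. Zone type, entity type and control area names are taken from the slides; the per-zone baseline controls, the type-specific controls for a structured data store, and the sample inventory are assumptions for illustration.

```python
"""Worked data model for the solution security model: zone types, operational
entity types, security control areas and a stage-gate check (required versus
implemented controls). Added example; entity, zone and control names come from
the slides, the zone baselines and sample entities are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Security control areas: the column headings of the slide 54 matrix.
CONTROL_AREAS: FrozenSet[str] = frozenset({
    "Asset Security", "Account Management", "Access Control Management",
    "Solution Availability, Resilience, Fault Tolerance and Recovery",
    "Solution Monitoring", "Inventory and Control of Assets", "Data Protection",
    "Audit Log Management", "Application Solution Security", "Browser Protection",
    "Email Protection", "Malware Defense", "Data Management and Backup and Recovery",
    "Network Monitoring", "Penetration Testing", "Continuous Vulnerability Management",
    "Network Management", "Supplier and Service Provider Management",
})


def controls(*names: str) -> FrozenSet[str]:
    """Build a control set, rejecting any name outside the model's vocabulary."""
    unknown = set(names) - CONTROL_AREAS
    if unknown:
        raise ValueError(f"not a security control area: {sorted(unknown)}")
    return frozenset(names)


@dataclass(frozen=True)
class ZoneType:
    name: str
    baseline_controls: FrozenSet[str]   # controls every entity in the zone needs (assumed)


@dataclass(frozen=True)
class OperationalEntityType:
    name: str
    zone_type: ZoneType                 # slides 52-53: each entity type sits in one zone type
    type_controls: FrozenSet[str]       # controls driven by what the entity does


@dataclass
class OperationalEntity:
    """A deployed instance of an entity type, with the controls actually in place."""
    name: str
    entity_type: OperationalEntityType
    implemented_controls: Set[str] = field(default_factory=set)

    def required_controls(self) -> FrozenSet[str]:
        # Slide 54: requirements depend on what the entity does and the zone it is in.
        return self.entity_type.zone_type.baseline_controls | self.entity_type.type_controls

    def control_gaps(self) -> List[str]:
        return sorted(self.required_controls() - self.implemented_controls)

    def unrecognised_controls(self) -> List[str]:
        # Inventory entries outside the vocabulary (e.g. a misspelling) are flagged, not credited.
        return sorted(self.implemented_controls - CONTROL_AREAS)


def stage_gate(entities: List[OperationalEntity]) -> Dict[str, List[str]]:
    """Return {entity name: findings}; an empty dict means the gate passes."""
    report: Dict[str, List[str]] = {}
    for e in entities:
        findings = e.control_gaps() + [f"unrecognised control: {c}" for c in e.unrecognised_controls()]
        if findings:
            report[e.name] = findings
    return report


# Zone types named on slide 52; the baselines are assumptions for illustration.
INSECURE_EXTERNAL = ZoneType("Insecure External Organisation Presentation And Access",
                             controls("Network Monitoring", "Audit Log Management"))
DATA_ZONE = ZoneType("Data Zone", controls("Data Protection", "Access Control Management",
                                           "Audit Log Management",
                                           "Data Management and Backup and Recovery"))

# External Telecommand Devices carries the twelve controls listed on slide 56.
TELECOMMAND_DEVICES = OperationalEntityType("External Telecommand Devices", INSECURE_EXTERNAL, controls(
    "Account Management", "Access Control Management", "Inventory and Control of Assets",
    "Data Protection", "Audit Log Management", "Application Solution Security", "Malware Defense",
    "Data Management and Backup and Recovery", "Network Monitoring", "Penetration Testing",
    "Continuous Vulnerability Management", "Network Management"))
# The type-specific controls for a structured data store are an assumption.
STRUCTURED_DATA_STORE = OperationalEntityType("Solution Structured Data Stores", DATA_ZONE,
                                              controls("Asset Security", "Continuous Vulnerability Management"))


def sample_entities() -> List[OperationalEntity]:
    """Constructed sample inventory: one compliant entity, one with gaps and a typo."""
    valve_controller = OperationalEntity("Pump-station valve controller", TELECOMMAND_DEVICES,
                                         set(TELECOMMAND_DEVICES.type_controls))
    billing_db = OperationalEntity("Billing database", STRUCTURED_DATA_STORE, {
        "Data Protection", "Access Control Management",
        "Data Management and Backup and Recovery", "Asset Security",
        "Malware Defence",   # British spelling: not in the vocabulary, so flagged rather than credited
    })
    return [valve_controller, billing_db]


if __name__ == "__main__":
    for entity, findings in stage_gate(sample_entities()).items():
        print(entity, "->", "; ".join(findings))
```

Run against the sample inventory the gate passes the valve controller and reports the billing database as missing Audit Log Management and Continuous Vulnerability Management, plus the unrecognised "Malware Defence" entry. Making the control vocabulary a closed set is the design point: the notes use both "Malware Defence" and "Malware Defense", and an inventory that accepts free text will silently credit controls that were never mapped.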
74. Summary
• These notes have proposed a solution-oriented security approach that can be applied across the entire set of solutions that comprise the organisation solution landscape
• They describe a model for collecting, structuring and analysing solution security across the entire organisation solution topology
• The proposed model can be applied to the solution design and implementation process to create an inventory of required, implemented and operational security controls across all operational entities
• It can be used as part of solution design and operation due diligence
− Use at stage gates during solution delivery to validate solution security