SlideShare uma empresa Scribd logo

Solution Architecture And Solution Security

Alan McSweeney
Alan McSweeney

The document proposes a core and extended model for embedding security within technology solutions. The core model maps out solution components, zones, standards and controls. It shows how solutions consist of multiple components located in zones, with different standards applying. The extended model adds details on security control activities and events. Solution security is described as a "wicked problem" with no clear solution. New technologies introduce new risks to solutions across dispersed landscapes. The document outlines types of solution zones and common component types that make up solutions.

Tecnologia
1 de 75
Baixar para ler offline
Solution Architecture And Solution Security Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney https://www.amazon.com/dp/1797567616
Introduction, Purpose And Scope • These notes describe an approach to embedding security within the technology solution landscape • They describe a security model that encompasses the range of individual solution components up to the entire solution landscape March 8, 2022 2
Topics • Core And Extended Solution Security Model • Solution And Technology Risks • Solution Zone Types and Zones • Solution Component Types And Components • Security Standards And Controls • Operational Solution Entity Types And Solution Zones • Operational Solution Entities And Security Controls March 8, 2022 3
Proposed Core Solution Security Model March 8, 2022 4 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
Proposed Core Solution Security Model • Proposed solution security model allows the security status of a solution and its constituent delivery and operational components to be tracked wherever those components are located • Core solution security model is essential a static record • Provides an integrated approach to solution security across all solution components and across the entire organisation topology of solutions • Model is a balance between simplicity, ease of use, level of detail and utility • Allows solution security to be analysed and reported on • Enables the solution architect to validate the security of an individual solution • Enables the security status of the entire solution landscape to be assessed and recorded March 8, 2022 5
Proposed Extended Solution Security Model March 8, 2022 6 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities Security Control Activities And Events Security Control Activity Implementation Status Security Control Activity Type Security Control Activities Security Controls Have Activities Security Controls Activities Have A Type Security Controls Activities Have An Implementation Status There Can Be Events Linked To Security Controls Activities
Proposed Extended Solution Security Model • Model can be extended to hold the activities defined for each security control and to hold information on events relating to security controls and activities • Extended solution security model introduces some dynamic data March 8, 2022 7
What Are We Protecting Against? • Unauthorised access to solution functionality and its data involves some or all of: March 8, 2022 8 • Getting the solution to do something it should not • Stopping the solution from working as it should or enabling it to be bypassed • Getting consumers of the solution to perform actions they should not • Gaining unauthorised access to the solution as a solution consumer • Getting the data held in the solution • Damaging the solution to prevent its use • Denying access to the solution • Using the solution as a gateway to other organisation solution and data assets • Stealing data to sell or holding for ransom • Collecting ransom before application or data restored • Using the application to steal money • Causing reputational damage • Stealing intellectual property • Putting the company out of business With The Aims Of
New Technology And New Risks March 8, 2022 9 Solution Security Dispersed Operational Solution Landscape New Unfamiliar Technologies Error Prone Technology Deployment And Operation No Single Pane Of Glass Showing Security Status Increasing Number Of Threats Reduced Skills More Solution Entry Points Greater Complexity And Fragility
New Technology And New Risks • New solution security concerns are continually arising, adding to the threat landscape − New solution design, deployment and operating models − Distributed solution components, distributed solution consumer base, distributed access with many interfaces, integration points and data flows − Greater involvement of third-parties and their platforms whose operational security models and practices are being inherited − Complexity with multiple handoffs gives rise to gaps in end-to-end view and knowledge leading to risks • New technologies introduce new risks, direct and indirect − Lack of familiarity with technology increases the likelihood of exploitable mistakes and errors − New technology is less proven and contains more exploitable errors − Greater range of solution entry points increases risk − Exposure of solutions to consumers outside the organisation increases risk − Human risk factors weaken overall security • Solution risk and security status is becoming harder to track March 8, 2022 10
From … March 8, 2022 11 Solution Central Data Store Solution Central Application Component Solution API Solution Central Infrastructure Solution Hosted Infrastructure Solution Internal Consumers Solution External Private Consumers Solution Hosted Data Store Solution Hosted Application Component Solution Hosted Analytics Access and Security Infrastructure Central To Hosting Facility Connectivity Solution External Public Consumers Solution Mobile App
To … • Increasing solution landscape complexity and diversity gives rise to implicit and explicit risks March 8, 2022 12 Solution Central Data Store Solution Central Application Component Solution API Solution Central Infrastructure Solution Hosted Infrastructure Solution Internal Consumers Solution External Private Consumers Solution Hosted Data Store Solution Hosted Application Component Solution Hosted Analytics Access and Security Infrastructure Central To Hosting Facility Connectivity Solution External Public Consumers Solution Mobile App
Illusion Of The Solution Cocoon • Solutions do not always exist in a security cocoon provided by a range of infrastructural components, protected from all malicious actors and actions that repel all attempts to penetrate the solution • Individual solutions must be aware of their security requirements and ensure they are in place − Take individual solution responsibility − Do not make any assumptions on what security is available − Perform due diligence on available and operational security infrastructure − Identify and address solution- specific security needs March 8, 2022 13 Solution And Its Components
Illusion Of The Solution Cocoon • Operational solution components can reside in multiple locations subject to different sets of security infrastructure, making the problem of solution security all the greater March 8, 2022 14
Solution Security Is A “Wicked Problem*” • Solution security is a wicked problem because there is no certainly about when the problem has been resolved and a state of security has been achieved • The security state of a solution can just be expressed along a subjective spectrum of better or worse rather than a binary true or false March 8, 2022 15 * Dilemmas in a General Theory of Planning, Horst Wittel and Melvin Webber https://urbanpolicy.net/wp-content/uploads/2012/11/Rittel+Webber_1973_PolicySciences4- 2.pdf
Wicked Problem Characteristics And Solution Security March 8, 2022 16 Characteristics of Wicked Problems Application to Solution Security There is no definite formulation of wicked problems.There is no certainly about when security has been fully achieved. Wicked problems have no stopping rule. There is no stopping rule that states security has been fully achieved if a defined set of activities and controls have been performed and implemented. Solutions to wicked problems are not true or false, but good or bad The security state of a solution can just be expressed along a spectrum of better or worse rather than a binary true or false. There is no immediate or ultimate test for solutions. The security of a solution is difficult, if not impossible, to establish. Proving the certainty of a negative can be unachievable. All attempts to solutions have effects that may not be reversible. Implementing solution security impacts the operation and use of the solutions themselves. Wicked problems have no clear solution, and perhaps not even a set of possible solutions. There is no one security solution but a combination of interrelated and layers security components. Every wicked problem is essentially unique. There is no one standard solution template to security. Every wicked problem may be a symptom of another problem. Solution security is only a subset of wider organisation security. Lack of security is a potential problem that has to be exploited for the problem to become real. It is difficult for individual solutions to be secure if an organisation security foundation and framework are not in place. There are multiple explanations for the wicked problem. Solution security can be defined in many ways. The planner (or policy-maker) has no right to be wrong. Failure to implement effective solution security can lead to very serious negative consequences to getting it wrong leads to blame but getting it right does not lead to any praise.
Solution Security Negative Outcomes • Solution security can have negative consequences: prevents types of access, limits availability in different ways, restricts functionality provided, makes solution harder to use, lengthens solution delivery times, increases costs along the entire solution lifecycle, leads to loss of usability, utility and rate of use • Security requirements and standards may discourage security, leading to bypass and circumvention actions • Complex security arrangements may give the illusion of security that does not exist in reality March 8, 2022 17
Solution Inheritance Of Security Infrastructure • Individual solutions must be able to inherit security controls, facilities and standards from common enterprise-level controls, standards, toolsets and frameworks. • Individual solutions must not be forced to implement individual infrastructural security facilities and controls − This is wasteful of solution implementation resources, results in multiple non- standard approaches to security and represents a security risk to the organisation • Solution architects must be aware of the need for solution security and of the need to have enterprise-level controls that solutions can adopt. • The extended solution landscape potentially consists of a large number of interacting components and entities located in different zones, each with different security profiles, requirements and concerns − Different security concerns and therefore controls apply to each of these components • Solution security is not covered by a single control − It involves multiple overlapping sets of controls providing layers of security March 8, 2022 18
Security Model And Inheritance Of Security Controls • Defining a security model and set of solution zone and operational entity controls allows the existence of and the solution inheritance of security controls to be validated and potential security gaps to be identified March 8, 2022 19
Solution Architecture And Interfaces With Other IT Architecture Disciplines • The solution architecture discipline must work with other IT architecture disciplines, including security architecture • Enterprise architecture needs to embed security into the organisation’s overall IT architecture March 8, 2022 20 Enterprise Architecture Information and Data Architecture Application Architecture Business Architecture Technical Architecture Solution Architecture Service Architecture Security Architecture Overall Architecture Framework Security Standards Service Operation and Support Data Architecture Infrastructure Architecture Business Context Business Process, Products
Solution Zone Types and Zones March 8, 2022 21 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
Solution Zones • Solution zones are locations where groups of closely related solution components reside • They represent containers for solution components • Zones are located within the wider physical solution landscape • Each zone and the components it holds have different security requirements • Not all solutions will have components in all zone and not all organisations will have all the zone types • The solution and its constituent components can span multiple different zones of the same type • The zone approach is useful way of representing the entirety of a solution, its constituent components, their connectivity, linkages and interactions • You will have different levels of control over different solution zones (including no control) March 8, 2022 22
Sample Solution Zone Types March 8, 2022 23
Sample Solution Zone Types March 8, 2022 24
Sample Solution Zone Types Zone Description Insecure External Organisation Presentation And Access Where publicly accessible or accessing entities reside. These entities are regarded as insecure and/or untrusted. Secure External Organisation Participation and Collaboration Outside the physical organisation boundary where entities that are provided by or to trusted external parties reside Secure External Organisation Access Contain entities that enable secure access or are securely accessible from outside the organisation Organisation Contain the entities within the organisation boundary and contains all the locations, business units and functions within it Central Solutions and Access Contains the solution entities and their data Solution Zone Contains the solution entities Data Zone Zone within the organisation where data is segregated for security Remote Business Unit Solutions and Access Remotely located organisation business unit or location and the entities it contains Workstation Zone Zone within the organisation where users accessing data and solutions are segregated for security Outsourced Service Provider Solutions and Access Contains solutions provided by and located in facilities provided by outsourced partners Cloud Service Provider Solutions and Access Contains solutions - platform, infrastructure and service - provided by and located in cloud service providers Co-Located Solutions and Access Contains solutions the organisation has located in facilities provided by co- location providers March 8, 2022 25
Solution Component Types And Components Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities March 8, 2022 26
Solution Components • The functional and operational design of any solution and therefore its security will include many of these components, including those inherited by the solution or common components used by the solution • When creating the end-to-end solution design the solution architect should identify all the required solution components • The complete solution security view should refer explicitly to the components and their controls • While each individual solution should be able to inherit the security controls provided by these components, the solution design should include explicit reference to them for completeness and to avoid unvalidated assumptions • There is a common and generalised set of components, many of which are shared, within the wider solution topology that should be considered when assessing overall solution security March 8, 2022 27
Solution Is The Sum Of Its Components • The solution is a window to its constituent components • Solution consumers experience the totality of the solutions March 8, 2022 28
Solution Components Classes • Time-Bounded Delivery Entity Types − Time-bounded sets of work required to get the solution fully operational • Enduring Operational Technology Entity Types − Operational instrumentation and tool components required for the solution to operate • Enduring Process, Procedure and Structural Entity Types − Organisation and process changes required to use the solution optimally March 8, 2022 29
Solution Components Classes And Types March 8, 2022 30 Solution Components Time-Bounded Delivery Entity Types Sets of Installation and Implementation Services Existing Data Conversions/ Migrations New Data Loads Parallel Runs Enhanced Support/ Hypercare Enduring Operational Technology Entity Types Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Information Storage Facilities Central, Distributed and Communications Infrastructure Application Hosting and Management Services Enduring Process, Procedure and Structural Entity Types Cutover/ Transfer to Production And Support Operational Functions and Processes Sets of Maintenance, Service Management and Support Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
Solution With Consist Of Multiple Instances Of Solution Component Types March 8, 2022 31 Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Sets of Installation and Implementation Services Information Storage Facilities Existing Data Conversions/ Migrations New Data Loads Central, Distributed and Communications Infrastructure Cutover/ Transfer to Production And Support Operational Functions and Processes Parallel Runs Enhanced Support/ Hypercare Sets of Maintenance, Service Management and Support Services Application Hosting and Management Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
Solution Topography • Irrespective of whether the solution is hosted inside or outside the organisation, it will still need to operate in a solution topography consisting of a number of logical layers • This topography is important as its implicitly or explicitly delineates borders to what is feasible March 8, 2022 32 Common Service Management Processes and Standards – solution support, service level management Common Financial Management Processes and Standards – solution cost and asset management Common Enterprise Architecture Standards – compliance with organisation technology standards and principles Common Security and Regulatory Compliance Architecture – integration of solution into overall security standards and operations Common Data Architecture – integration of solution data into the organisation data model and access to solution data, compliance with data regulations and standards Business Process and Organisation Structure – business processes and organisation functions that use the solution Extended Solution Landscape With Integration With Other Solutions – solution support, service level management, integration, data exchange Individual Solution Landscape – set of components that comprise the overall solution
Solution Topography • Individual solutions do not exist in isolation even through they may be acquired or implemented separately • The organisation’s operation solution landscape consists of many individual solutions located across many different solution zones March 8, 2022 33
Solution Topography March 8, 2022 34 Extended Solution Landscape With Integration With Other Solutions Individual Solution Landscape Business Process and Organisation Structure Common Data Architecture Common Security and Regulatory Compliance Architecture Common Enterprise Architecture Standards Common Financial Management Processes and Standards Common Service Management Processes and Standards
Security Standards And Controls Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
Operational Security Controls • Security controls represent a set of infrastructural facilities and associated processes designed to provide a comprehensive and overlapping set of security protection and defence − Security is not achieved by one control but by layers of controls • Security controls can be used as a checklist during solution design prior to operational acceptance testing to ensure that the solution and its operating environment is security compliant • Security controls must be realistic and achievable to assess, implement and operate − Complexity is the enemy of effectiveness and usefulness March 8, 2022 36
Operational Security Controls March 8, 2022 37
Operational Security Controls March 8, 2022 38 Security Control Control Scope Asset Security Design, implement and operate tools and processes to ensure the security of infrastructure and software assets through active asset inventory management Network Monitoring Design, implement and operate tools and processes to monitor network infrastructure, ensuring only authorised software can be installed and run, and provide defence against security threats and attacks Penetration Testing Design, implement and operate tools and processes to test solutions and their infrastructure to identify and resolve vulnerabilities and weaknesses in their design, implementation and operation through the simulation of attacks Browser Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on browser-based attacks and browser vulnerabilities Solution Availability, Resilience, Fault Tolerance and Recovery Design, implement and operate infrastructure, facilities and processes to ensure the availability of the solution, resilience against component failure and recovery in the event of failure Access Control Management Design, implement and operate tools and processes for the creation, assignment, management and revocation of access credentials and privileges for solution and data access to administrator, user and service accounts Account Management Design, implement and operate tools and processes to assign and manage authorisation to credentials for service, administrator and user accounts, including administrator accounts Email Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on email-based attacks and email vulnerabilities Application Solution Security Design, implement and operate tools and processes to manage the security aspects of developed, acquired or externally hosted solutions to identify, prevent, detect and resolve security weaknesses and vulnerabilities Malware Defence Design, implement and operate tools and processes to prevent the installation, spread, and execution of malicious applications, code or scripts Solution Monitoring Design, implement and operate tools and processes to monitor, analyse and report on the usage of a solution and its constituent components including resource consumption and performance Audit Log Management Design, implement and operate tools and processes to collect, store, analyse, alert, review audit logs of solution activity events that to facilitate the detection, understanding and recovery from an attack Inventory and Control of Assets Design, implement and operate tools and processes to manage the infrastructure and software assets that comprise the totality of solutions in order to actively manage those assets Data Management, Backup and Recovery Design, implement and operate tools and processes to manage solution data and establish data backup and recovery including integrity of backup data Supplier and Service Provider Management Design, implement and operate tools and processes to initially assess and continually monitor the security arrangements of solution component suppliers and service providers and the components and services they provide Network Management Design, implement and operate tools and processes to design, implement, operate and manage the security of network infrastructure and facilities including their vulnerability Continuous Vulnerability Management Design, implement and operate tools and processes to continuously assess and track vulnerabilities on all solution components in order to identify, response to, remediate and minimise attacks Data Protection Design, implement and operate tools and processes to identify, classify, securely handle, manage access to, manage regulatory compliance, appropriately retain and dispose of solution data
Operational Security Controls Activities Operate processes and procedures to analyse collected data to identify potential security breaches and vulnerabilities Identify any potential control breaches or deviations Assess the potential control breaches or deviations Escalate as appropriate Respond to potential control breaches or deviations Identify actions Track performance of actions Report on actions Improve based on analysis Detect Identify Respond Establish and configure the security control Define and implement the operational processes Allocate resources and budget Define control operation/usage data collection framework Define control data model Define management and reporting procedures Establish March 8, 2022 39
Security Controls Activities – Asset Security • Breakdown of activities for the Asset Security control area March 8, 2022 40 Establish Detect Identify Respond • Implement tools and processes to scan, collect, store and provide access to infrastructure and software asset data and their configuration • Implement processes to identify changes • Implement processes to subscribe to vulnerability updates • Implement processes to monitor vulnerabilities and manage updates • Implement processes to disable assets • Implement processes to authorise changes to assets • Implement infrastructure device management including patching and software update distribution • Establish business function and allocate resources to operate asset management • Define asset security roles and responsibilities • Implement reporting and information access processes • Operate asset security management data collection processes • Detect asset changes • Analyse collected asset data to detect potential asset security breaches • Operate escalation processes • Operate asset security incident management processes • Operate asset security problem management processes • • Identify and evaluate asset security breaches and vulnerabilities • Create asset security breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions • Handle security breaches and vulnerabilities • Assign actions and activities • Work through action plan and report on progress • Finalise action plan
Security Controls Activities – Network Monitoring • Breakdown of activities for the Network Monitoring control area March 8, 2022 41 Establish Detect Identify Respond • Acquire and implement tools and processes to monitor the network infrastructure, perform intrusion detection, traffic filtering, anti- malware, collect data on network operations and use, generate alerts and manage events • Implement processes to handle alerts and events and identify and manage network issues raised • Implement processes to subscribe to network security updates • Implement processes to authorise changes to network configuration • Establish business function and allocate resources to operate network monitoring • Define network monitoring roles and responsibilities • Implement network monitoring reporting and information access processes • Operate network monitoring alerting and event management • Operate network data collection processes • Operate escalation processes • Operate network monitoring alerting and event incident management processes • Operate network monitoring alerting and event problem management processes • Manage network monitoring alerting and event management infrastructure and apply patches and updates • • Identify, evaluate and prioritise network breaches and vulnerabilities • Create network monitoring alerting and event management breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions • Handle network monitoring alerting and event management breaches and vulnerabilities • Assign actions and activities • Work through action plan and report on progress • Finalise action plan
Security Controls Activities • The control activities represent a general set of actions relating to each control • The specific detail for each control is different March 8, 2022 42
Security Standards • There are many security standards including: − AICPA Trust Services Criteria - https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/trustdataintegritytaskforce − CIS Critical Security Controls - https://learn.cisecurity.org/cis-controls-download − Cloud Security Alliance (CSA)Cloud Controls Matrix (CCM) - https://cloudsecurityalliance.org/research/cloud-controls-matrix/ − Control Objectives for Information Technologies - https://www.isaca.org/resources/cobit − COSO - https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf − Cybersecurity Maturity Model Certification (CMMC) - https://www.acq.osd.mil/cmmc/documentation.html − FS.31 GSMA Baseline Security Controls - https://www.gsma.com/security/resources/fs-31-gsma-baseline- security-controls/ − ISO 27000 Series - https://www.iso.org/isoiec-27001-information-security.html − NIST CSF (Cyber Security Framework) - https://www.nist.gov/cyberframework − NIST Framework for Improving Critical Infrastructure Cybersecurity - http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf − NIST SP 1800 Series - https://csrc.nist.gov/publications/sp1800 − NIST SP 800-53, Revision 5 Controls CURRENT VERSION 5.1 - https://csrc.nist.gov/CSRC/media/Projects/risk-management/800-53%20Downloads/800-53r5/NIST_SP- 800-53_rev5-derived-OSCAL.xlsx − NIST: Cybersecurity Framework, 800-53, 800-171 – https://csrc.nist.gov/Projects/risk-management/sp800- 53-controls/downloads − US FedRAMP (Federal Risk and Authorization Management Program) - https://tailored.fedramp.gov/ March 8, 2022 43
Security Standards • Security standards exist at various levels with varying levels of detail and complexity − Some are very detailed with hundreds of controls • There needs to be a balance between complexity and level of detail and the ease of implementation, operation and use • There are no specific solution-oriented security standards across all solution components types and operational deployment patterns March 8, 2022 44
Operational Solution Entities And Solution Zones March 8, 2022 45 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
Operational Solution Entities March 8, 2022 46 Solution Components Time-Bounded Delivery Entity Types Sets of Installation and Implementation Services Existing Data Conversions/ Migrations New Data Loads Parallel Runs Enhanced Support/ Hypercare Enduring Operational Technology Entity Types Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Information Storage Facilities Central, Distributed and Communications Infrastructure Application Hosting and Management Services Enduring Process, Procedure and Structural Entity Types Cutover/ Transfer to Production And Support Operational Functions and Processes Sets of Maintenance, Service Management and Support Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
Operational Solution Entities • The designed, deployed and operational solution components become solution operational entities • Solution security starts with the solution design process • These physical entities reside in the solution zones • As with solution component types and solution components, there are operational entity types and instances of those types that are the actual solution operational entities • Operational security controls and protection activities need to focus on these entities – they are the main points of solution vulnerability March 8, 2022 47
Operational Solution Entities March 8, 2022 48 Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Sets of Installation and Implementation Services Information Storage Facilities Existing Data Conversions/ Migrations New Data Loads Central, Distributed and Communications Infrastructure Cutover/ Transfer to Production And Support Operational Functions and Processes Parallel Runs Enhanced Support/ Hypercare Sets of Maintenance, Service Management and Support Services Application Hosting and Management Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
Operational Solution Entity Types And Solution Zones March 8, 2022 49
Operational Solution Entity Types – 1 March 8, 2022 50 Operational Entity Type Description External Data Sources Data sources outside the organisation boundary providing data to the organisation External Public Interacting Parties Public solution consumers outside the organisation and outside the control of the organisation External Data Telemetry Devices Devices owned by the organisation in public locations and from which solutions receive data External Telecommand Devices Devices owned by the organisation in public locations and to which solutions send commands External Private Interacting Parties Solution consumers external to the organisation and with whom the organisation has a relationship and who may have authenticated access Externally Located Employees Employees accessing organisation solutions from outside the organisation’s security boundary Mobile Employees Employees accessing organisation solutions outside the organisation but within the organisation’s extended security boundary Private Access Groups Interaction areas for secure collaboration with third-parties with authenticated access Publicly Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication Externally Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication Data Access, Exchange and Service Gateway Facility to allow the access to organisation data and services and to enable the exchange and transfer of data Secure Communications Access Component that provides common secure communications facilities to solutions Identity, Access and Authentication Component providing common facilities for identity and access management and consumer authorisation and authentication Access and Activity Logging Component that provides facilities to log resource accesses, activities and events Anti-Virus, Malware Defence Provides protection against viruses and other malware Network Monitoring Provides facilities to monitor network access, usage and performance Threat Protection and Vulnerability Checking Provides protection against vulnerabilities contained in solutions and any components they use or incorporate Business Continuity and Disaster Recovery Component that provides common secure business continuity and disaster recovery facilities to solutions Mail Organisation email facility Identity, Access and Authentication Component that provides common secure identity, authentication and access control facilities to solutions Backup and Recovery Organisation data backup and recovery facility Internally Accessible Solutions Solutions deployed on on-premises infrastructure designed to be used by internal solution consumers Solution Structured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure Solution Unstructured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure Business Unit Solution Access Group Set of solution consumers located within a separately located business unit Solution Access Groups Set of solution consumers located within the central organisation Outsourced Service Provider Connectivity and Access Component within outsourced service provider for secure connectivity and access to outsourced solutions and data Outsourced Service Provider Access and Authentication Facility within outsourced service provider for identity and access management and consumer authorisation and authentication
Operational Solution Entity Types – 2 March 8, 2022 51 Operational Entity Type Description Hosted Shared Solutions Solutions on a shared platform hosted by within outsourced service provider Hosted Shared Solution Data Stores Data stores for solutions on a shared platform deployed within outsourced service provider Hosted Dedicated Solutions Solutions on a dedicated platform hosted by within outsourced service provider Hosted Dedicated Solution Data Stores Data stores for solutions on a dedicated platform deployed within outsourced service provider Cloud Service Provider Connectivity and Access Component within cloud service provider for secure connectivity and access to cloud-located solutions and data Cloud Service Provider Access and Authentication Component within cloud service providing facilities for identity and access management and consumer authorisation and authentication Internally Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use within the organisation Externally Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use outside the organisation Internally Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Internally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use within the organisation Externally Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers Externally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers Publicly Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers Publicly Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Publicly Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Platform Deployed Solutions Data Stores Data stores for solutions deployed in a PaaS pattern Externally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers Publicly Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers Internally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use within the organisation Service Deployed Solutions Data Stores Data stores for solutions deployed in a SaaS pattern Co-Location Provider Connectivity and Access Component within a co-location service provider for secure connectivity and access to co-located solutions and data Co-Location Identity, Access and Authentication Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Co-Located Solutions Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Co-Located Solution Data Stores Solutions hosted by within a co-location service provider
Operational Solution Entity Types And Solution Zone Type – 1 March 8, 2022 52 Zone Operational Entity Insecure External Organisation Presentation And Access External Data Sources External Public Interacting Parties External Data Telemetry Devices External Telecommand Devices Secure External Organisation Participation and Collaboration External Private Interacting Parties Externally Located Employees Mobile Employees Private Access Groups Secure External Organisation Access Publicly Accessible Solutions Externally Accessible Solutions Data Access, Exchange and Service Gateway Secure Communications Access Identity, Access and Authentication Organisation Access and Activity Logging Anti-Virus, Malware Defence Network Monitoring Threat Protection and Vulnerability Checking Business Continuity and Disaster Recovery Central Solutions and Access Mail Identity, Access and Authentication Backup and Recovery Solution Zone Internally Accessible Solutions Data Zone Solution Structured Data Stores Solution Unstructured Data Stores
Operational Solution Entity Types And Solution Zone Type – 2 March 8, 2022 53 Zone Operational Entity Outsourced Service Provider Solutions and Access Outsourced Service Provider Connectivity and Access Outsourced Service Provider Access and Authentication Hosted Shared Solutions Hosted Shared Solution Data St3ores Hosted Dedicated Solutions Hosted Dedicated Solution Data Stores Cloud Service Provider Solutions and Access Cloud Service Provider Connectivity and Access Cloud Service Provider Access and Authentication Internally Accessible Infrastru9cture Deployed Solutions3 Externally Accessible Infrastructure Deployed Solutions Internally Accessible Infrastructure Deployed Solutions Data Stores Internally Accessible Platform Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Data Stores Externally Accessible Platform Deployed Solutions Publicly Accessible Platform Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Data Stores Platform Deployed Solutions Data Stores Externally Accessible Service Deployed Solutions Publicly Accessible Service Deployed Solutions Internally Accessible Service Deployed Solutions Service Deployed Solutions Data Stores Co-Located Solutions and Access Co-Location Provider Connectivity and Access Co-Location Identity, Access and Authentication Co-Located Solutions Co-Located Solution Data Stores
Operational Solution Entity Types And Security Controls • Security controls apply to operational solution entity types • Each operational entity type will have different security control requirements depending on what the entity does and in what zone it is located March 8, 2022 54 Operational Entity Asset Security Account Management Access Control Management Solution Availability, Resilience, Fault Tolerance and Recovery Solution Monitoring Inventory and Control of Assets Data Protection Audit Log Management Application Solution Security Browser Protection Email Protection Malware Defense Data Management and Backup and Recovery Network Monitoring Penetration Testing Continuous Vulnerability Management Network Management Supplier and Service Provider Management
External Data Sources External Public Interacting Parties External Data Telemetry Devices Data sources outside the organisation boundary providing data to the organisation Public solution consumers outside the organisation and outside the control of the organisation Devices owned by the organisation in public locations and from which solutions receive data Security Controls And Operational Solution Entity Types March 8, 2022 55
External Telecommand Devices External Private Interacting Parties Mobile Employees Devices owned by the organisation in public locations and to which solutions send commands Solution consumers external to the organisation and with whom the organisation has a relationship and who may have authenticated access Employees accessing organisation solutions from outside the organisation’s security boundary Security Controls And Operational Solution Entity Types March 8, 2022 56 External Telecommand Devices Account Management Access Control Management Inventory and Control of Assets Data Protection Audit Log Management Application Solution Security Malware Defense Data Management and Backup and Recovery Network Monitoring Penetration Testing Continuous Vulnerability Management Network Management
Private Access Groups Publicly Accessible Solutions Externally Accessible Solutions Interaction areas for secure collaboration with third-parties with authenticated access Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication Security Controls And Operational Solution Entity Types March 8, 2022 57
Data Access, Exchange and Service Gateway Secure Communications Access Identity, Access and Authentication Facility to allow the access to organisation data and services and to enable the exchange and transfer of data Component that provides common secure communications facilities to solutions Component providing common facilities for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 58
Access and Activity Logging Anti-Virus, Malware Defence Network Monitoring Component that provides facilities to log resource accesses, activities and events Provides protection against viruses and other malware Provides protection against viruses and other malware Security Controls And Operational Solution Entity Types March 8, 2022 59
Threat Protection and Vulnerability Checking Business Continuity and Disaster Recovery Mail Provides protection against vulnerabilities contained in solutions and any components they use or incorporate Component that provides common secure business continuity and disaster recovery facilities to solutions Component that provides common secure business continuity and disaster recovery facilities to solutions Security Controls And Operational Solution Entity Types March 8, 2022 60
Identity, Access and Authentication Backup and Recovery Internally Accessible Solutions Component that provides common secure identity, authentication and access control facilities to solutions Organisation data backup and recovery facility Solutions deployed on on- premises infrastructure designed to be used by internal solution consumers Security Controls And Operational Solution Entity Types March 8, 2022 61
Solution Structured Data Stores Solution Unstructured Data Stores Business Unit Solution Access Group Database-oriented data stores for solutions deployed on on- premises infrastructure Database-oriented data stores for solutions deployed on on- premises infrastructure Set of solution consumers located within a separately located business unit Security Controls And Operational Solution Entity Types March 8, 2022 62
Solution Access Groups Outsourced Service Provider Connectivity and Access Outsourced Service Provider Access and Authentication Set of solution consumers located within the central organisation Component within outsourced service provider for secure connectivity and access to outsourced solutions and data Facility within outsourced service provider for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 63
Hosted Shared Solutions Hosted Shared Solution Data Stores Hosted Dedicated Solutions Solutions on a shared platform hosted by within outsourced service provider Data stores for solutions on a shared platform deployed within outsourced service provider Solutions on a dedicated platform hosted by within outsourced service provider Security Controls And Operational Solution Entity Types March 8, 2022 64
Hosted Dedicated Solution Data Stores Cloud Service Provider Connectivity and Access Cloud Service Provider Access and Authentication Data stores for solutions on a dedicated platform deployed within outsourced service provider Component within cloud service provider for secure connectivity and access to cloud-located solutions and data Component within cloud service providing facilities for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 65
Internally Accessible Infrastructure Deployed Solutions Internally Accessible Infrastructure Deployed Solutions Data Stores Internally Accessible Platform Deployed Solutions Solutions deployed in an IaaS pattern designed for use within the organisation Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Security Controls And Operational Solution Entity Types March 8, 2022 66
Internally Accessible Service Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Data Stores Solutions deployed in a SaaS pattern designed for use within the organisation Solutions deployed in an IaaS pattern designed for use outside the organisation Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers Security Controls And Operational Solution Entity Types March 8, 2022 67
Externally Accessible Platform Deployed Solutions Externally Accessible Service Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers Security Controls And Operational Solution Entity Types March 8, 2022 68
Publicly Accessible Infrastructure Deployed Solutions Data Stores Publicly Accessible Platform Deployed Solutions Platform Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers Data stores for solutions deployed in a PaaS pattern Security Controls And Operational Solution Entity Types March 8, 2022 69
Service Deployed Solutions Data Stores Co-Location Provider Connectivity and Access Co-Location Identity, Access and Authentication Data stores for solutions deployed in a SaaS pattern Component within a co- location service provider for secure connectivity and access to co-located solutions and data Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 70
Security Controls And Operational Solution Entity Types March 8, 2022 71 Co-Located Solutions Co-Located Solution Data Stores Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Solutions hosted by within a co- location service provider
Sample Solution Security Data Model • The sample core and extended conceptual solution security data models described earlier can be translated into a more tangible and usable data model • The data model can be implemented easily March 8, 2022 72
Sample Solution Security Data Model March 8, 2022 73
Summary • These notes have proposed a solution-oriented security approach that can be applied across the entire set of solutions that comprise the organisation solution landscape • It describes a model for collecting, structuring and analysing solution security across the entire organisation solution topology • The proposed model can be applied to solution design and implementation process to create an inventory of required and implemented and operational security controls across all operation components • It can be used as part of solution design and operation due diligence − Use at stage gates during solution delivery to validate solution security March 8, 2022 74
More Information Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney https://www.amazon.com/dp/1797567616 8 March 2022 75

Recomendados

IT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdfIT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdf
Alan McSweeney
 
Agile Solution Architecture and Design
Agile Solution Architecture and DesignAgile Solution Architecture and Design
Agile Solution Architecture and Design
Alan McSweeney
 
Design Science and Solution Architecture
Design Science and Solution ArchitectureDesign Science and Solution Architecture
Design Science and Solution Architecture
Alan McSweeney
 
Incorporating A DesignOps Approach Into Solution Architecture
Incorporating A DesignOps Approach Into Solution ArchitectureIncorporating A DesignOps Approach Into Solution Architecture
Incorporating A DesignOps Approach Into Solution Architecture
Alan McSweeney
 
Digital Transformation And Solution Architecture
Digital Transformation And Solution ArchitectureDigital Transformation And Solution Architecture
Digital Transformation And Solution Architecture
Alan McSweeney
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise Architecture
The Open Group SA
 
Solution Architecture – Approach to Rapidly Scoping The Initial Solution Options
Solution Architecture – Approach to Rapidly Scoping The Initial Solution OptionsSolution Architecture – Approach to Rapidly Scoping The Initial Solution Options
Solution Architecture – Approach to Rapidly Scoping The Initial Solution Options
Alan McSweeney
 
Operational Risk Management Data Validation Architecture
Operational Risk Management Data Validation ArchitectureOperational Risk Management Data Validation Architecture
Operational Risk Management Data Validation Architecture
Alan McSweeney
 

Recomendados

IT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdfIT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdf
Alan McSweeney
 
Agile Solution Architecture and Design
Agile Solution Architecture and DesignAgile Solution Architecture and Design
Agile Solution Architecture and Design
Alan McSweeney
 
Design Science and Solution Architecture
Design Science and Solution ArchitectureDesign Science and Solution Architecture
Design Science and Solution Architecture
Alan McSweeney
 
Incorporating A DesignOps Approach Into Solution Architecture
Incorporating A DesignOps Approach Into Solution ArchitectureIncorporating A DesignOps Approach Into Solution Architecture
Incorporating A DesignOps Approach Into Solution Architecture
Alan McSweeney
 
Digital Transformation And Solution Architecture
Digital Transformation And Solution ArchitectureDigital Transformation And Solution Architecture
Digital Transformation And Solution Architecture
Alan McSweeney
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise Architecture
The Open Group SA
 
Solution Architecture – Approach to Rapidly Scoping The Initial Solution Options
Solution Architecture – Approach to Rapidly Scoping The Initial Solution OptionsSolution Architecture – Approach to Rapidly Scoping The Initial Solution Options
Solution Architecture – Approach to Rapidly Scoping The Initial Solution Options
Alan McSweeney
 
Operational Risk Management Data Validation Architecture
Operational Risk Management Data Validation ArchitectureOperational Risk Management Data Validation Architecture
Operational Risk Management Data Validation Architecture
Alan McSweeney
 
Forget Big Data. It's All About Smart Data
Forget Big Data. It's All About Smart DataForget Big Data. It's All About Smart Data
Forget Big Data. It's All About Smart Data
Alan McSweeney
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Complexity and Solution Architecture
Complexity and Solution ArchitectureComplexity and Solution Architecture
Complexity and Solution Architecture
Alan McSweeney
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
Priyanka Aash
 
Learn Togaf 9.1 in 100 slides!
Learn Togaf 9.1 in 100 slides!Learn Togaf 9.1 in 100 slides!
Learn Togaf 9.1 in 100 slides!
Sam Mandebvu
 
Solution Architecture Concept Workshop
Solution Architecture Concept WorkshopSolution Architecture Concept Workshop
Solution Architecture Concept Workshop
Alan McSweeney
 
Cloud architecture with the ArchiMate Language
Cloud architecture with the ArchiMate LanguageCloud architecture with the ArchiMate Language
Cloud architecture with the ArchiMate Language
Iver Band
 
Introduction to Enterprise architecture and the steps to perform an Enterpris...
Introduction to Enterprise architecture and the steps to perform an Enterpris...Introduction to Enterprise architecture and the steps to perform an Enterpris...
Introduction to Enterprise architecture and the steps to perform an Enterpris...
Prashanth Panduranga
 
Multi Cloud Architecture Approach
Multi Cloud Architecture ApproachMulti Cloud Architecture Approach
Multi Cloud Architecture Approach
Maganathin Veeraragaloo
 
On business capabilities, functions and application features
On business capabilities, functions and application featuresOn business capabilities, functions and application features
On business capabilities, functions and application features
Jörgen Dahlberg
 
Review of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability ModelsReview of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability Models
Alan McSweeney
 
Enterprise Architecture Implementation And The Open Group Architecture Framew...
Enterprise Architecture Implementation And The Open Group Architecture Framew...Enterprise Architecture Implementation And The Open Group Architecture Framew...
Enterprise Architecture Implementation And The Open Group Architecture Framew...
Alan McSweeney
 
Why Solutions Fail and the Business Value of Solution Architecture
Why Solutions Fail and the Business Value of Solution ArchitectureWhy Solutions Fail and the Business Value of Solution Architecture
Why Solutions Fail and the Business Value of Solution Architecture
Alan McSweeney
 
Structured Approach to Solution Architecture
Structured Approach to Solution ArchitectureStructured Approach to Solution Architecture
Structured Approach to Solution Architecture
Alan McSweeney
 
Introduction to Business Architecture - Part 2
Introduction to Business Architecture - Part 2Introduction to Business Architecture - Part 2
Introduction to Business Architecture - Part 2
Alan McSweeney
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
MubashirAslam5
 
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
Alan McSweeney
 
A cloud readiness assessment framework
A cloud readiness assessment frameworkA cloud readiness assessment framework
A cloud readiness assessment framework
Carlo Colicchio
 
Data Architecture for Solutions.pdf
Data Architecture for Solutions.pdfData Architecture for Solutions.pdf
Data Architecture for Solutions.pdf
Alan McSweeney
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
Michael Davis
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
tmbainjr131
 

Mais conteúdo relacionado

Mais procurados

Forget Big Data. It's All About Smart Data
Forget Big Data. It's All About Smart DataForget Big Data. It's All About Smart Data
Forget Big Data. It's All About Smart Data
Alan McSweeney
 
Complexity and Solution Architecture
Complexity and Solution ArchitectureComplexity and Solution Architecture
Complexity and Solution Architecture
Alan McSweeney
 
Solution Architecture Concept Workshop
Solution Architecture Concept WorkshopSolution Architecture Concept Workshop
Solution Architecture Concept Workshop
Alan McSweeney
 
Cloud architecture with the ArchiMate Language
Cloud architecture with the ArchiMate LanguageCloud architecture with the ArchiMate Language
Cloud architecture with the ArchiMate Language
Iver Band
 
Review of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability ModelsReview of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability Models
Alan McSweeney
 
Why Solutions Fail and the Business Value of Solution Architecture
Why Solutions Fail and the Business Value of Solution ArchitectureWhy Solutions Fail and the Business Value of Solution Architecture
Why Solutions Fail and the Business Value of Solution Architecture
Alan McSweeney
 
Structured Approach to Solution Architecture
Structured Approach to Solution ArchitectureStructured Approach to Solution Architecture
Structured Approach to Solution Architecture
Alan McSweeney
 
Introduction to Business Architecture - Part 2
Introduction to Business Architecture - Part 2Introduction to Business Architecture - Part 2
Introduction to Business Architecture - Part 2
Alan McSweeney
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
Ulf Mattsson
 
A cloud readiness assessment framework
A cloud readiness assessment frameworkA cloud readiness assessment framework
A cloud readiness assessment framework
Carlo Colicchio
 
Data Architecture for Solutions.pdf
Data Architecture for Solutions.pdfData Architecture for Solutions.pdf
Data Architecture for Solutions.pdf
Alan McSweeney
 

Mais procurados (20)

Forget Big Data. It's All About Smart Data
Forget Big Data. It's All About Smart DataForget Big Data. It's All About Smart Data
Forget Big Data. It's All About Smart Data
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Complexity and Solution Architecture
Complexity and Solution ArchitectureComplexity and Solution Architecture
Complexity and Solution Architecture
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
Learn Togaf 9.1 in 100 slides!
Learn Togaf 9.1 in 100 slides!Learn Togaf 9.1 in 100 slides!
Learn Togaf 9.1 in 100 slides!
 
Solution Architecture Concept Workshop
Solution Architecture Concept WorkshopSolution Architecture Concept Workshop
Solution Architecture Concept Workshop
 
Cloud architecture with the ArchiMate Language
Cloud architecture with the ArchiMate LanguageCloud architecture with the ArchiMate Language
Cloud architecture with the ArchiMate Language
 
Introduction to Enterprise architecture and the steps to perform an Enterpris...
Introduction to Enterprise architecture and the steps to perform an Enterpris...Introduction to Enterprise architecture and the steps to perform an Enterpris...
Introduction to Enterprise architecture and the steps to perform an Enterpris...
 
Multi Cloud Architecture Approach
Multi Cloud Architecture ApproachMulti Cloud Architecture Approach
Multi Cloud Architecture Approach
 
On business capabilities, functions and application features
On business capabilities, functions and application featuresOn business capabilities, functions and application features
On business capabilities, functions and application features
 
Review of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability ModelsReview of Information Technology Function Critical Capability Models
Review of Information Technology Function Critical Capability Models
 
Enterprise Architecture Implementation And The Open Group Architecture Framew...
Enterprise Architecture Implementation And The Open Group Architecture Framew...Enterprise Architecture Implementation And The Open Group Architecture Framew...
Enterprise Architecture Implementation And The Open Group Architecture Framew...
 
Why Solutions Fail and the Business Value of Solution Architecture
Why Solutions Fail and the Business Value of Solution ArchitectureWhy Solutions Fail and the Business Value of Solution Architecture
Why Solutions Fail and the Business Value of Solution Architecture
 
Structured Approach to Solution Architecture
Structured Approach to Solution ArchitectureStructured Approach to Solution Architecture
Structured Approach to Solution Architecture
 
Introduction to Business Architecture - Part 2
Introduction to Business Architecture - Part 2Introduction to Business Architecture - Part 2
Introduction to Business Architecture - Part 2
 
What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
 
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
 
A cloud readiness assessment framework
A cloud readiness assessment frameworkA cloud readiness assessment framework
A cloud readiness assessment framework
 
Data Architecture for Solutions.pdf
Data Architecture for Solutions.pdfData Architecture for Solutions.pdf
Data Architecture for Solutions.pdf
 

Semelhante a Solution Architecture And Solution Security

A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
PECB
 
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares theCriterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
CruzIbarra161
 
Solution Security Architecture
Solution Security ArchitectureSolution Security Architecture
Solution Security Architecture
Alan McSweeney
 
Service-Oriented Security Engineering
Service-Oriented Security EngineeringService-Oriented Security Engineering
Service-Oriented Security Engineering
Richard Veryard
 
2015 03-04 presentation1
2015 03-04 presentation12015 03-04 presentation1
2015 03-04 presentation1
ifi8106tlu
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
Turja Narayan Chaudhuri
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 

Semelhante a Solution Architecture And Solution Security (20)

Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentorImplementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
 
Agile security
Agile securityAgile security
Agile security
 
Designing NextGen Threat Identification Solutions
Designing NextGen Threat Identification SolutionsDesigning NextGen Threat Identification Solutions
Designing NextGen Threat Identification Solutions
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares theCriterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
 
Solution Security Architecture
Solution Security ArchitectureSolution Security Architecture
Solution Security Architecture
 
Service-Oriented Security Engineering
Service-Oriented Security EngineeringService-Oriented Security Engineering
Service-Oriented Security Engineering
 
2015 03-04 presentation1
2015 03-04 presentation12015 03-04 presentation1
2015 03-04 presentation1
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
2022 DOI SKILup Days_Your Developers Decide Your Security Posture_Not Your Se...
 
Connection can help keep your business secure!
Connection can help keep your business secure!Connection can help keep your business secure!
Connection can help keep your business secure!
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
How to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValueHow to Secure your Fintech Solution - A Whitepaper by RapidValue
How to Secure your Fintech Solution - A Whitepaper by RapidValue
 
An integrated security testing framework and tool
An integrated security testing framework and toolAn integrated security testing framework and tool
An integrated security testing framework and tool
 
Null application security in an agile world
Null application security in an agile worldNull application security in an agile world
Null application security in an agile world
 

Mais de Alan McSweeney

Solution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdfSolution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdf
Alan McSweeney
 
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Alan McSweeney
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Alan McSweeney
 
Solution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation SolutionsSolution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation Solutions
Alan McSweeney
 
Data Profiling, Data Catalogs and Metadata Harmonisation
Data Profiling, Data Catalogs and Metadata HarmonisationData Profiling, Data Catalogs and Metadata Harmonisation
Data Profiling, Data Catalogs and Metadata Harmonisation
Alan McSweeney
 
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Alan McSweeney
 
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Alan McSweeney
 
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Alan McSweeney
 
Ireland 2019 and 2020 Compared - Individual Charts
Ireland 2019 and 2020 Compared - Individual ChartsIreland 2019 and 2020 Compared - Individual Charts
Ireland 2019 and 2020 Compared - Individual Charts
Alan McSweeney
 
Critical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference ArchitectureCritical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference Architecture
Alan McSweeney
 
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Alan McSweeney
 
Solution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionSolution Architecture and Solution Acquisition
Solution Architecture and Solution Acquisition
Alan McSweeney
 
Creating A Business Focussed Information Technology Strategy
Creating A Business Focussed Information Technology StrategyCreating A Business Focussed Information Technology Strategy
Creating A Business Focussed Information Technology Strategy
Alan McSweeney
 
Describing the Organisation Data Landscape
Describing the Organisation Data LandscapeDescribing the Organisation Data Landscape
Describing the Organisation Data Landscape
Alan McSweeney
 
Shadow IT And The Failure Of IT Architecture
Shadow IT And The Failure Of IT ArchitectureShadow IT And The Failure Of IT Architecture
Shadow IT And The Failure Of IT Architecture
Alan McSweeney
 
Solution Architecture Centre Of Excellence
Solution Architecture Centre Of ExcellenceSolution Architecture Centre Of Excellence
Solution Architecture Centre Of Excellence
Alan McSweeney
 

Mais de Alan McSweeney (20)

Solution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdfSolution Architecture and Solution Estimation.pdf
Solution Architecture and Solution Estimation.pdf
 
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
 
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
 
Solution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation SolutionsSolution Architecture And (Robotic) Process Automation Solutions
Solution Architecture And (Robotic) Process Automation Solutions
 
Data Profiling, Data Catalogs and Metadata Harmonisation
Data Profiling, Data Catalogs and Metadata HarmonisationData Profiling, Data Catalogs and Metadata Harmonisation
Data Profiling, Data Catalogs and Metadata Harmonisation
 
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
 
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
 
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
 
Ireland 2019 and 2020 Compared - Individual Charts
Ireland 2019 and 2020 Compared - Individual ChartsIreland 2019 and 2020 Compared - Individual Charts
Ireland 2019 and 2020 Compared - Individual Charts
 
Analysis of Irish Mortality Using Public Data Sources 2014-2020
Analysis of Irish Mortality Using Public Data Sources 2014-2020Analysis of Irish Mortality Using Public Data Sources 2014-2020
Analysis of Irish Mortality Using Public Data Sources 2014-2020
 
Ireland – 2019 And 2020 Compared In Data
Ireland – 2019 And 2020 Compared In DataIreland – 2019 And 2020 Compared In Data
Ireland – 2019 And 2020 Compared In Data
 
Critical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference ArchitectureCritical Review of Open Group IT4IT Reference Architecture
Critical Review of Open Group IT4IT Reference Architecture
 
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
Analysis of Possible Excess COVID-19 Deaths in Ireland From Jan 2020 to Jun 2020
 
Solution Architecture and Solution Acquisition
Solution Architecture and Solution AcquisitionSolution Architecture and Solution Acquisition
Solution Architecture and Solution Acquisition
 
Creating A Business Focussed Information Technology Strategy
Creating A Business Focussed Information Technology StrategyCreating A Business Focussed Information Technology Strategy
Creating A Business Focussed Information Technology Strategy
 
Describing the Organisation Data Landscape
Describing the Organisation Data LandscapeDescribing the Organisation Data Landscape
Describing the Organisation Data Landscape
 
Shadow IT And The Failure Of IT Architecture
Shadow IT And The Failure Of IT ArchitectureShadow IT And The Failure Of IT Architecture
Shadow IT And The Failure Of IT Architecture
 
Solution Architecture Centre Of Excellence
Solution Architecture Centre Of ExcellenceSolution Architecture Centre Of Excellence
Solution Architecture Centre Of Excellence
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Solution Architecture And Solution Security

  • 1. Solution Architecture And Solution Security Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney https://www.amazon.com/dp/1797567616
  • 2. Introduction, Purpose And Scope • These notes describe an approach to embedding security within the technology solution landscape • They describe a security model that encompasses the range of individual solution components up to the entire solution landscape March 8, 2022 2
  • 3. Topics • Core And Extended Solution Security Model • Solution And Technology Risks • Solution Zone Types and Zones • Solution Component Types And Components • Security Standards And Controls • Operational Solution Entity Types And Solution Zones • Operational Solution Entities And Security Controls March 8, 2022 3
  • 4. Proposed Core Solution Security Model March 8, 2022 4 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 5. Proposed Core Solution Security Model • Proposed solution security model allows the security status of a solution and its constituent delivery and operational components to be tracked wherever those components are located • Core solution security model is essential a static record • Provides an integrated approach to solution security across all solution components and across the entire organisation topology of solutions • Model is a balance between simplicity, ease of use, level of detail and utility • Allows solution security to be analysed and reported on • Enables the solution architect to validate the security of an individual solution • Enables the security status of the entire solution landscape to be assessed and recorded March 8, 2022 5
  • 6. Proposed Extended Solution Security Model March 8, 2022 6 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities Security Control Activities And Events Security Control Activity Implementation Status Security Control Activity Type Security Control Activities Security Controls Have Activities Security Controls Activities Have A Type Security Controls Activities Have An Implementation Status There Can Be Events Linked To Security Controls Activities
  • 7. Proposed Extended Solution Security Model • Model can be extended to hold the activities defined for each security control and to hold information on events relating to security controls and activities • Extended solution security model introduces some dynamic data March 8, 2022 7
  • 8. What Are We Protecting Against? • Unauthorised access to solution functionality and its data involves some or all of: March 8, 2022 8 • Getting the solution to do something it should not • Stopping the solution from working as it should or enabling it to be bypassed • Getting consumers of the solution to perform actions they should not • Gaining unauthorised access to the solution as a solution consumer • Getting the data held in the solution • Damaging the solution to prevent its use • Denying access to the solution • Using the solution as a gateway to other organisation solution and data assets • Stealing data to sell or holding for ransom • Collecting ransom before application or data restored • Using the application to steal money • Causing reputational damage • Stealing intellectual property • Putting the company out of business With The Aims Of
  • 9. New Technology And New Risks March 8, 2022 9 Solution Security Dispersed Operational Solution Landscape New Unfamiliar Technologies Error Prone Technology Deployment And Operation No Single Pane Of Glass Showing Security Status Increasing Number Of Threats Reduced Skills More Solution Entry Points Greater Complexity And Fragility
  • 10. New Technology And New Risks • New solution security concerns are continually arising, adding to the threat landscape − New solution design, deployment and operating models − Distributed solution components, distributed solution consumer base, distributed access with many interfaces, integration points and data flows − Greater involvement of third-parties and their platforms whose operational security models and practices are being inherited − Complexity with multiple handoffs gives rise to gaps in end-to-end view and knowledge leading to risks • New technologies introduce new risks, direct and indirect − Lack of familiarity with technology increases the likelihood of exploitable mistakes and errors − New technology is less proven and contains more exploitable errors − Greater range of solution entry points increases risk − Exposure of solutions to consumers outside the organisation increases risk − Human risk factors weaken overall security • Solution risk and security status is becoming harder to track March 8, 2022 10
  • 11. From … March 8, 2022 11 Solution Central Data Store Solution Central Application Component Solution API Solution Central Infrastructure Solution Hosted Infrastructure Solution Internal Consumers Solution External Private Consumers Solution Hosted Data Store Solution Hosted Application Component Solution Hosted Analytics Access and Security Infrastructure Central To Hosting Facility Connectivity Solution External Public Consumers Solution Mobile App
  • 12. To … • Increasing solution landscape complexity and diversity gives rise to implicit and explicit risks March 8, 2022 12 Solution Central Data Store Solution Central Application Component Solution API Solution Central Infrastructure Solution Hosted Infrastructure Solution Internal Consumers Solution External Private Consumers Solution Hosted Data Store Solution Hosted Application Component Solution Hosted Analytics Access and Security Infrastructure Central To Hosting Facility Connectivity Solution External Public Consumers Solution Mobile App
  • 13. Illusion Of The Solution Cocoon • Solutions do not always exist in a security cocoon provided by a range of infrastructural components, protected from all malicious actors and actions that repel all attempts to penetrate the solution • Individual solutions must be aware of their security requirements and ensure they are in place − Take individual solution responsibility − Do not make any assumptions on what security is available − Perform due diligence on available and operational security infrastructure − Identify and address solution- specific security needs March 8, 2022 13 Solution And Its Components
  • 14. Illusion Of The Solution Cocoon • Operational solution components can reside in multiple locations subject to different sets of security infrastructure, making the problem of solution security all the greater March 8, 2022 14
  • 15. Solution Security Is A “Wicked Problem*” • Solution security is a wicked problem because there is no certainly about when the problem has been resolved and a state of security has been achieved • The security state of a solution can just be expressed along a subjective spectrum of better or worse rather than a binary true or false March 8, 2022 15 * Dilemmas in a General Theory of Planning, Horst Wittel and Melvin Webber https://urbanpolicy.net/wp-content/uploads/2012/11/Rittel+Webber_1973_PolicySciences4- 2.pdf
  • 16. Wicked Problem Characteristics And Solution Security March 8, 2022 16 Characteristics of Wicked Problems Application to Solution Security There is no definite formulation of wicked problems.There is no certainly about when security has been fully achieved. Wicked problems have no stopping rule. There is no stopping rule that states security has been fully achieved if a defined set of activities and controls have been performed and implemented. Solutions to wicked problems are not true or false, but good or bad The security state of a solution can just be expressed along a spectrum of better or worse rather than a binary true or false. There is no immediate or ultimate test for solutions. The security of a solution is difficult, if not impossible, to establish. Proving the certainty of a negative can be unachievable. All attempts to solutions have effects that may not be reversible. Implementing solution security impacts the operation and use of the solutions themselves. Wicked problems have no clear solution, and perhaps not even a set of possible solutions. There is no one security solution but a combination of interrelated and layers security components. Every wicked problem is essentially unique. There is no one standard solution template to security. Every wicked problem may be a symptom of another problem. Solution security is only a subset of wider organisation security. Lack of security is a potential problem that has to be exploited for the problem to become real. It is difficult for individual solutions to be secure if an organisation security foundation and framework are not in place. There are multiple explanations for the wicked problem. Solution security can be defined in many ways. The planner (or policy-maker) has no right to be wrong. Failure to implement effective solution security can lead to very serious negative consequences to getting it wrong leads to blame but getting it right does not lead to any praise.
  • 17. Solution Security Negative Outcomes • Solution security can have negative consequences: prevents types of access, limits availability in different ways, restricts functionality provided, makes solution harder to use, lengthens solution delivery times, increases costs along the entire solution lifecycle, leads to loss of usability, utility and rate of use • Security requirements and standards may discourage security, leading to bypass and circumvention actions • Complex security arrangements may give the illusion of security that does not exist in reality March 8, 2022 17
  • 18. Solution Inheritance Of Security Infrastructure • Individual solutions must be able to inherit security controls, facilities and standards from common enterprise-level controls, standards, toolsets and frameworks. • Individual solutions must not be forced to implement individual infrastructural security facilities and controls − This is wasteful of solution implementation resources, results in multiple non- standard approaches to security and represents a security risk to the organisation • Solution architects must be aware of the need for solution security and of the need to have enterprise-level controls that solutions can adopt. • The extended solution landscape potentially consists of a large number of interacting components and entities located in different zones, each with different security profiles, requirements and concerns − Different security concerns and therefore controls apply to each of these components • Solution security is not covered by a single control − It involves multiple overlapping sets of controls providing layers of security March 8, 2022 18
  • 19. Security Model And Inheritance Of Security Controls • Defining a security model and set of solution zone and operational entity controls allows the existence of and the solution inheritance of security controls to be validated and potential security gaps to be identified March 8, 2022 19
  • 20. Solution Architecture And Interfaces With Other IT Architecture Disciplines • The solution architecture discipline must work with other IT architecture disciplines, including security architecture • Enterprise architecture needs to embed security into the organisation’s overall IT architecture March 8, 2022 20 Enterprise Architecture Information and Data Architecture Application Architecture Business Architecture Technical Architecture Solution Architecture Service Architecture Security Architecture Overall Architecture Framework Security Standards Service Operation and Support Data Architecture Infrastructure Architecture Business Context Business Process, Products
  • 21. Solution Zone Types and Zones March 8, 2022 21 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 22. Solution Zones • Solution zones are locations where groups of closely related solution components reside • They represent containers for solution components • Zones are located within the wider physical solution landscape • Each zone and the components it holds have different security requirements • Not all solutions will have components in all zone and not all organisations will have all the zone types • The solution and its constituent components can span multiple different zones of the same type • The zone approach is useful way of representing the entirety of a solution, its constituent components, their connectivity, linkages and interactions • You will have different levels of control over different solution zones (including no control) March 8, 2022 22
  • 23. Sample Solution Zone Types March 8, 2022 23
  • 24. Sample Solution Zone Types March 8, 2022 24
  • 25. Sample Solution Zone Types Zone Description Insecure External Organisation Presentation And Access Where publicly accessible or accessing entities reside. These entities are regarded as insecure and/or untrusted. Secure External Organisation Participation and Collaboration Outside the physical organisation boundary where entities that are provided by or to trusted external parties reside Secure External Organisation Access Contain entities that enable secure access or are securely accessible from outside the organisation Organisation Contain the entities within the organisation boundary and contains all the locations, business units and functions within it Central Solutions and Access Contains the solution entities and their data Solution Zone Contains the solution entities Data Zone Zone within the organisation where data is segregated for security Remote Business Unit Solutions and Access Remotely located organisation business unit or location and the entities it contains Workstation Zone Zone within the organisation where users accessing data and solutions are segregated for security Outsourced Service Provider Solutions and Access Contains solutions provided by and located in facilities provided by outsourced partners Cloud Service Provider Solutions and Access Contains solutions - platform, infrastructure and service - provided by and located in cloud service providers Co-Located Solutions and Access Contains solutions the organisation has located in facilities provided by co- location providers March 8, 2022 25
  • 26. Solution Component Types And Components Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities March 8, 2022 26
  • 27. Solution Components • The functional and operational design of any solution and therefore its security will include many of these components, including those inherited by the solution or common components used by the solution • When creating the end-to-end solution design the solution architect should identify all the required solution components • The complete solution security view should refer explicitly to the components and their controls • While each individual solution should be able to inherit the security controls provided by these components, the solution design should include explicit reference to them for completeness and to avoid unvalidated assumptions • There is a common and generalised set of components, many of which are shared, within the wider solution topology that should be considered when assessing overall solution security March 8, 2022 27
  • 28. Solution Is The Sum Of Its Components • The solution is a window to its constituent components • Solution consumers experience the totality of the solutions March 8, 2022 28
  • 29. Solution Components Classes • Time-Bounded Delivery Entity Types − Time-bounded sets of work required to get the solution fully operational • Enduring Operational Technology Entity Types − Operational instrumentation and tool components required for the solution to operate • Enduring Process, Procedure and Structural Entity Types − Organisation and process changes required to use the solution optimally March 8, 2022 29
  • 30. Solution Components Classes And Types March 8, 2022 30 Solution Components Time-Bounded Delivery Entity Types Sets of Installation and Implementation Services Existing Data Conversions/ Migrations New Data Loads Parallel Runs Enhanced Support/ Hypercare Enduring Operational Technology Entity Types Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Information Storage Facilities Central, Distributed and Communications Infrastructure Application Hosting and Management Services Enduring Process, Procedure and Structural Entity Types Cutover/ Transfer to Production And Support Operational Functions and Processes Sets of Maintenance, Service Management and Support Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 31. Solution With Consist Of Multiple Instances Of Solution Component Types March 8, 2022 31 Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Component Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Sets of Installation and Implementation Services Information Storage Facilities Existing Data Conversions/ Migrations New Data Loads Central, Distributed and Communications Infrastructure Cutover/ Transfer to Production And Support Operational Functions and Processes Parallel Runs Enhanced Support/ Hypercare Sets of Maintenance, Service Management and Support Services Application Hosting and Management Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 32. Solution Topography • Irrespective of whether the solution is hosted inside or outside the organisation, it will still need to operate in a solution topography consisting of a number of logical layers • This topography is important as its implicitly or explicitly delineates borders to what is feasible March 8, 2022 32 Common Service Management Processes and Standards – solution support, service level management Common Financial Management Processes and Standards – solution cost and asset management Common Enterprise Architecture Standards – compliance with organisation technology standards and principles Common Security and Regulatory Compliance Architecture – integration of solution into overall security standards and operations Common Data Architecture – integration of solution data into the organisation data model and access to solution data, compliance with data regulations and standards Business Process and Organisation Structure – business processes and organisation functions that use the solution Extended Solution Landscape With Integration With Other Solutions – solution support, service level management, integration, data exchange Individual Solution Landscape – set of components that comprise the overall solution
  • 33. Solution Topography • Individual solutions do not exist in isolation even through they may be acquired or implemented separately • The organisation’s operation solution landscape consists of many individual solutions located across many different solution zones March 8, 2022 33
  • 34. Solution Topography March 8, 2022 34 Extended Solution Landscape With Integration With Other Solutions Individual Solution Landscape Business Process and Organisation Structure Common Data Architecture Common Security and Regulatory Compliance Architecture Common Enterprise Architecture Standards Common Financial Management Processes and Standards Common Service Management Processes and Standards
  • 35. Security Standards And Controls Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 36. Operational Security Controls • Security controls represent a set of infrastructural facilities and associated processes designed to provide a comprehensive and overlapping set of security protection and defence − Security is not achieved by one control but by layers of controls • Security controls can be used as a checklist during solution design prior to operational acceptance testing to ensure that the solution and its operating environment is security compliant • Security controls must be realistic and achievable to assess, implement and operate − Complexity is the enemy of effectiveness and usefulness March 8, 2022 36
  • 38. Operational Security Controls March 8, 2022 38 Security Control Control Scope Asset Security Design, implement and operate tools and processes to ensure the security of infrastructure and software assets through active asset inventory management Network Monitoring Design, implement and operate tools and processes to monitor network infrastructure, ensuring only authorised software can be installed and run, and provide defence against security threats and attacks Penetration Testing Design, implement and operate tools and processes to test solutions and their infrastructure to identify and resolve vulnerabilities and weaknesses in their design, implementation and operation through the simulation of attacks Browser Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on browser-based attacks and browser vulnerabilities Solution Availability, Resilience, Fault Tolerance and Recovery Design, implement and operate infrastructure, facilities and processes to ensure the availability of the solution, resilience against component failure and recovery in the event of failure Access Control Management Design, implement and operate tools and processes for the creation, assignment, management and revocation of access credentials and privileges for solution and data access to administrator, user and service accounts Account Management Design, implement and operate tools and processes to assign and manage authorisation to credentials for service, administrator and user accounts, including administrator accounts Email Protection Design, implement and operate tools and processes to monitor, analyse, detect and act-on email-based attacks and email vulnerabilities Application Solution Security Design, implement and operate tools and processes to manage the security aspects of developed, acquired or externally hosted solutions to identify, prevent, detect and resolve security weaknesses and vulnerabilities Malware Defence Design, implement and operate tools and processes to prevent the installation, spread, and execution of malicious applications, code or scripts Solution Monitoring Design, implement and operate tools and processes to monitor, analyse and report on the usage of a solution and its constituent components including resource consumption and performance Audit Log Management Design, implement and operate tools and processes to collect, store, analyse, alert, review audit logs of solution activity events that to facilitate the detection, understanding and recovery from an attack Inventory and Control of Assets Design, implement and operate tools and processes to manage the infrastructure and software assets that comprise the totality of solutions in order to actively manage those assets Data Management, Backup and Recovery Design, implement and operate tools and processes to manage solution data and establish data backup and recovery including integrity of backup data Supplier and Service Provider Management Design, implement and operate tools and processes to initially assess and continually monitor the security arrangements of solution component suppliers and service providers and the components and services they provide Network Management Design, implement and operate tools and processes to design, implement, operate and manage the security of network infrastructure and facilities including their vulnerability Continuous Vulnerability Management Design, implement and operate tools and processes to continuously assess and track vulnerabilities on all solution components in order to identify, response to, remediate and minimise attacks Data Protection Design, implement and operate tools and processes to identify, classify, securely handle, manage access to, manage regulatory compliance, appropriately retain and dispose of solution data
  • 39. Operational Security Controls Activities Operate processes and procedures to analyse collected data to identify potential security breaches and vulnerabilities Identify any potential control breaches or deviations Assess the potential control breaches or deviations Escalate as appropriate Respond to potential control breaches or deviations Identify actions Track performance of actions Report on actions Improve based on analysis Detect Identify Respond Establish and configure the security control Define and implement the operational processes Allocate resources and budget Define control operation/usage data collection framework Define control data model Define management and reporting procedures Establish March 8, 2022 39
  • 40. Security Controls Activities – Asset Security • Breakdown of activities for the Asset Security control area March 8, 2022 40 Establish Detect Identify Respond • Implement tools and processes to scan, collect, store and provide access to infrastructure and software asset data and their configuration • Implement processes to identify changes • Implement processes to subscribe to vulnerability updates • Implement processes to monitor vulnerabilities and manage updates • Implement processes to disable assets • Implement processes to authorise changes to assets • Implement infrastructure device management including patching and software update distribution • Establish business function and allocate resources to operate asset management • Define asset security roles and responsibilities • Implement reporting and information access processes • Operate asset security management data collection processes • Detect asset changes • Analyse collected asset data to detect potential asset security breaches • Operate escalation processes • Operate asset security incident management processes • Operate asset security problem management processes • • Identify and evaluate asset security breaches and vulnerabilities • Create asset security breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions • Handle security breaches and vulnerabilities • Assign actions and activities • Work through action plan and report on progress • Finalise action plan
  • 41. Security Controls Activities – Network Monitoring • Breakdown of activities for the Network Monitoring control area March 8, 2022 41 Establish Detect Identify Respond • Acquire and implement tools and processes to monitor the network infrastructure, perform intrusion detection, traffic filtering, anti- malware, collect data on network operations and use, generate alerts and manage events • Implement processes to handle alerts and events and identify and manage network issues raised • Implement processes to subscribe to network security updates • Implement processes to authorise changes to network configuration • Establish business function and allocate resources to operate network monitoring • Define network monitoring roles and responsibilities • Implement network monitoring reporting and information access processes • Operate network monitoring alerting and event management • Operate network data collection processes • Operate escalation processes • Operate network monitoring alerting and event incident management processes • Operate network monitoring alerting and event problem management processes • Manage network monitoring alerting and event management infrastructure and apply patches and updates • • Identify, evaluate and prioritise network breaches and vulnerabilities • Create network monitoring alerting and event management breaches and vulnerabilities handling action plans and activity schedules including interim and long-term actions • Handle network monitoring alerting and event management breaches and vulnerabilities • Assign actions and activities • Work through action plan and report on progress • Finalise action plan
  • 42. Security Controls Activities • The control activities represent a general set of actions relating to each control • The specific detail for each control is different March 8, 2022 42
  • 43. Security Standards • There are many security standards including: − AICPA Trust Services Criteria - https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/trustdataintegritytaskforce − CIS Critical Security Controls - https://learn.cisecurity.org/cis-controls-download − Cloud Security Alliance (CSA)Cloud Controls Matrix (CCM) - https://cloudsecurityalliance.org/research/cloud-controls-matrix/ − Control Objectives for Information Technologies - https://www.isaca.org/resources/cobit − COSO - https://www.coso.org/Documents/COSO-Deloitte-Managing-Cyber-Risk-in-a-Digital-Age.pdf − Cybersecurity Maturity Model Certification (CMMC) - https://www.acq.osd.mil/cmmc/documentation.html − FS.31 GSMA Baseline Security Controls - https://www.gsma.com/security/resources/fs-31-gsma-baseline- security-controls/ − ISO 27000 Series - https://www.iso.org/isoiec-27001-information-security.html − NIST CSF (Cyber Security Framework) - https://www.nist.gov/cyberframework − NIST Framework for Improving Critical Infrastructure Cybersecurity - http://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf − NIST SP 1800 Series - https://csrc.nist.gov/publications/sp1800 − NIST SP 800-53, Revision 5 Controls CURRENT VERSION 5.1 - https://csrc.nist.gov/CSRC/media/Projects/risk-management/800-53%20Downloads/800-53r5/NIST_SP- 800-53_rev5-derived-OSCAL.xlsx − NIST: Cybersecurity Framework, 800-53, 800-171 – https://csrc.nist.gov/Projects/risk-management/sp800- 53-controls/downloads − US FedRAMP (Federal Risk and Authorization Management Program) - https://tailored.fedramp.gov/ March 8, 2022 43
  • 44. Security Standards • Security standards exist at various levels with varying levels of detail and complexity − Some are very detailed with hundreds of controls • There needs to be a balance between complexity and level of detail and the ease of implementation, operation and use • There are no specific solution-oriented security standards across all solution components types and operational deployment patterns March 8, 2022 44
  • 45. Operational Solution Entities And Solution Zones March 8, 2022 45 Solution Component Types Solution Components Solution Solution Zones Solution Zone Types Solution Topology Security Standards And Controls Solution Consists Of Multiple Components Each Solution Component Has A Type Solution Exists Within A Topology Of Many Solutions Solution Components Are Located In Solution Zones Each Solution Zone Has A Type Different Solution Standards And Controls Apply To Solution Zones Solution Operational Entity Solution Operational Entity Type Deployed Solution Consists Of Multiple Operational Entities Each Solution Operational Entity Has A Type Solution Operational Entities Are Located In Solution Zones Security Controls Apply To Solution Components Security Controls Apply To Solution Operational Entities Some Solution Components Become Deployed Operational Entities
  • 46. Operational Solution Entities March 8, 2022 46 Solution Components Time-Bounded Delivery Entity Types Sets of Installation and Implementation Services Existing Data Conversions/ Migrations New Data Loads Parallel Runs Enhanced Support/ Hypercare Enduring Operational Technology Entity Types Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Information Storage Facilities Central, Distributed and Communications Infrastructure Application Hosting and Management Services Enduring Process, Procedure and Structural Entity Types Cutover/ Transfer to Production And Support Operational Functions and Processes Sets of Maintenance, Service Management and Support Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 47. Operational Solution Entities • The designed, deployed and operational solution components become solution operational entities • Solution security starts with the solution design process • These physical entities reside in the solution zones • As with solution component types and solution components, there are operational entity types and instances of those types that are the actual solution operational entities • Operational security controls and protection activities need to focus on these entities – they are the main points of solution vulnerability March 8, 2022 47
  • 48. Operational Solution Entities March 8, 2022 48 Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Operation Entity Changes to Existing Systems New Custom Developed Applications Acquired and Customised Software Products System Integrations/ Data Transfers/ Exchanges Reporting and Analysis Facilities Sets of Installation and Implementation Services Information Storage Facilities Existing Data Conversions/ Migrations New Data Loads Central, Distributed and Communications Infrastructure Cutover/ Transfer to Production And Support Operational Functions and Processes Parallel Runs Enhanced Support/ Hypercare Sets of Maintenance, Service Management and Support Services Application Hosting and Management Services Changes to Existing Business Processes New Business Processes Organisational Changes, Knowledge Management Training and Documentation
  • 49. Operational Solution Entity Types And Solution Zones March 8, 2022 49
  • 50. Operational Solution Entity Types – 1 March 8, 2022 50 Operational Entity Type Description External Data Sources Data sources outside the organisation boundary providing data to the organisation External Public Interacting Parties Public solution consumers outside the organisation and outside the control of the organisation External Data Telemetry Devices Devices owned by the organisation in public locations and from which solutions receive data External Telecommand Devices Devices owned by the organisation in public locations and to which solutions send commands External Private Interacting Parties Solution consumers external to the organisation and with whom the organisation has a relationship and who may have authenticated access Externally Located Employees Employees accessing organisation solutions from outside the organisation’s security boundary Mobile Employees Employees accessing organisation solutions outside the organisation but within the organisation’s extended security boundary Private Access Groups Interaction areas for secure collaboration with third-parties with authenticated access Publicly Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication Externally Accessible Solutions Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication Data Access, Exchange and Service Gateway Facility to allow the access to organisation data and services and to enable the exchange and transfer of data Secure Communications Access Component that provides common secure communications facilities to solutions Identity, Access and Authentication Component providing common facilities for identity and access management and consumer authorisation and authentication Access and Activity Logging Component that provides facilities to log resource accesses, activities and events Anti-Virus, Malware Defence Provides protection against viruses and other malware Network Monitoring Provides facilities to monitor network access, usage and performance Threat Protection and Vulnerability Checking Provides protection against vulnerabilities contained in solutions and any components they use or incorporate Business Continuity and Disaster Recovery Component that provides common secure business continuity and disaster recovery facilities to solutions Mail Organisation email facility Identity, Access and Authentication Component that provides common secure identity, authentication and access control facilities to solutions Backup and Recovery Organisation data backup and recovery facility Internally Accessible Solutions Solutions deployed on on-premises infrastructure designed to be used by internal solution consumers Solution Structured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure Solution Unstructured Data Stores Database-oriented data stores for solutions deployed on on-premises infrastructure Business Unit Solution Access Group Set of solution consumers located within a separately located business unit Solution Access Groups Set of solution consumers located within the central organisation Outsourced Service Provider Connectivity and Access Component within outsourced service provider for secure connectivity and access to outsourced solutions and data Outsourced Service Provider Access and Authentication Facility within outsourced service provider for identity and access management and consumer authorisation and authentication
  • 51. Operational Solution Entity Types – 2 March 8, 2022 51 Operational Entity Type Description Hosted Shared Solutions Solutions on a shared platform hosted by within outsourced service provider Hosted Shared Solution Data Stores Data stores for solutions on a shared platform deployed within outsourced service provider Hosted Dedicated Solutions Solutions on a dedicated platform hosted by within outsourced service provider Hosted Dedicated Solution Data Stores Data stores for solutions on a dedicated platform deployed within outsourced service provider Cloud Service Provider Connectivity and Access Component within cloud service provider for secure connectivity and access to cloud-located solutions and data Cloud Service Provider Access and Authentication Component within cloud service providing facilities for identity and access management and consumer authorisation and authentication Internally Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use within the organisation Externally Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use outside the organisation Internally Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Internally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use within the organisation Externally Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers Externally Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers Publicly Accessible Platform Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers Publicly Accessible Infrastructure Deployed Solutions Solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Publicly Accessible Infrastructure Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Platform Deployed Solutions Data Stores Data stores for solutions deployed in a PaaS pattern Externally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers Publicly Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers Internally Accessible Service Deployed Solutions Solutions deployed in a SaaS pattern designed for use within the organisation Service Deployed Solutions Data Stores Data stores for solutions deployed in a SaaS pattern Co-Location Provider Connectivity and Access Component within a co-location service provider for secure connectivity and access to co-located solutions and data Co-Location Identity, Access and Authentication Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Co-Located Solutions Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Co-Located Solution Data Stores Solutions hosted by within a co-location service provider
  • 52. Operational Solution Entity Types And Solution Zone Type – 1 March 8, 2022 52 Zone Operational Entity Insecure External Organisation Presentation And Access External Data Sources External Public Interacting Parties External Data Telemetry Devices External Telecommand Devices Secure External Organisation Participation and Collaboration External Private Interacting Parties Externally Located Employees Mobile Employees Private Access Groups Secure External Organisation Access Publicly Accessible Solutions Externally Accessible Solutions Data Access, Exchange and Service Gateway Secure Communications Access Identity, Access and Authentication Organisation Access and Activity Logging Anti-Virus, Malware Defence Network Monitoring Threat Protection and Vulnerability Checking Business Continuity and Disaster Recovery Central Solutions and Access Mail Identity, Access and Authentication Backup and Recovery Solution Zone Internally Accessible Solutions Data Zone Solution Structured Data Stores Solution Unstructured Data Stores
  • 53. Operational Solution Entity Types And Solution Zone Type – 2 March 8, 2022 53 Zone Operational Entity Outsourced Service Provider Solutions and Access Outsourced Service Provider Connectivity and Access Outsourced Service Provider Access and Authentication Hosted Shared Solutions Hosted Shared Solution Data St3ores Hosted Dedicated Solutions Hosted Dedicated Solution Data Stores Cloud Service Provider Solutions and Access Cloud Service Provider Connectivity and Access Cloud Service Provider Access and Authentication Internally Accessible Infrastru9cture Deployed Solutions3 Externally Accessible Infrastructure Deployed Solutions Internally Accessible Infrastructure Deployed Solutions Data Stores Internally Accessible Platform Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Data Stores Externally Accessible Platform Deployed Solutions Publicly Accessible Platform Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Data Stores Platform Deployed Solutions Data Stores Externally Accessible Service Deployed Solutions Publicly Accessible Service Deployed Solutions Internally Accessible Service Deployed Solutions Service Deployed Solutions Data Stores Co-Located Solutions and Access Co-Location Provider Connectivity and Access Co-Location Identity, Access and Authentication Co-Located Solutions Co-Located Solution Data Stores
  • 54. Operational Solution Entity Types And Security Controls • Security controls apply to operational solution entity types • Each operational entity type will have different security control requirements depending on what the entity does and in what zone it is located March 8, 2022 54 Operational Entity Asset Security Account Management Access Control Management Solution Availability, Resilience, Fault Tolerance and Recovery Solution Monitoring Inventory and Control of Assets Data Protection Audit Log Management Application Solution Security Browser Protection Email Protection Malware Defense Data Management and Backup and Recovery Network Monitoring Penetration Testing Continuous Vulnerability Management Network Management Supplier and Service Provider Management
  • 55. External Data Sources External Public Interacting Parties External Data Telemetry Devices Data sources outside the organisation boundary providing data to the organisation Public solution consumers outside the organisation and outside the control of the organisation Devices owned by the organisation in public locations and from which solutions receive data Security Controls And Operational Solution Entity Types March 8, 2022 55
  • 56. External Telecommand Devices External Private Interacting Parties Mobile Employees Devices owned by the organisation in public locations and to which solutions send commands Solution consumers external to the organisation and with whom the organisation has a relationship and who may have authenticated access Employees accessing organisation solutions from outside the organisation’s security boundary Security Controls And Operational Solution Entity Types March 8, 2022 56 External Telecommand Devices Account Management Access Control Management Inventory and Control of Assets Data Protection Audit Log Management Application Solution Security Malware Defense Data Management and Backup and Recovery Network Monitoring Penetration Testing Continuous Vulnerability Management Network Management
  • 57. Private Access Groups Publicly Accessible Solutions Externally Accessible Solutions Interaction areas for secure collaboration with third-parties with authenticated access Solutions hosted on organisation on-premises infrastructure that are publicly accessible without authentication Solutions hosted on organisation on-premises infrastructure that are publicly accessible with authentication Security Controls And Operational Solution Entity Types March 8, 2022 57
  • 58. Data Access, Exchange and Service Gateway Secure Communications Access Identity, Access and Authentication Facility to allow the access to organisation data and services and to enable the exchange and transfer of data Component that provides common secure communications facilities to solutions Component providing common facilities for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 58
  • 59. Access and Activity Logging Anti-Virus, Malware Defence Network Monitoring Component that provides facilities to log resource accesses, activities and events Provides protection against viruses and other malware Provides protection against viruses and other malware Security Controls And Operational Solution Entity Types March 8, 2022 59
  • 60. Threat Protection and Vulnerability Checking Business Continuity and Disaster Recovery Mail Provides protection against vulnerabilities contained in solutions and any components they use or incorporate Component that provides common secure business continuity and disaster recovery facilities to solutions Component that provides common secure business continuity and disaster recovery facilities to solutions Security Controls And Operational Solution Entity Types March 8, 2022 60
  • 61. Identity, Access and Authentication Backup and Recovery Internally Accessible Solutions Component that provides common secure identity, authentication and access control facilities to solutions Organisation data backup and recovery facility Solutions deployed on on- premises infrastructure designed to be used by internal solution consumers Security Controls And Operational Solution Entity Types March 8, 2022 61
  • 62. Solution Structured Data Stores Solution Unstructured Data Stores Business Unit Solution Access Group Database-oriented data stores for solutions deployed on on- premises infrastructure Database-oriented data stores for solutions deployed on on- premises infrastructure Set of solution consumers located within a separately located business unit Security Controls And Operational Solution Entity Types March 8, 2022 62
  • 63. Solution Access Groups Outsourced Service Provider Connectivity and Access Outsourced Service Provider Access and Authentication Set of solution consumers located within the central organisation Component within outsourced service provider for secure connectivity and access to outsourced solutions and data Facility within outsourced service provider for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 63
  • 64. Hosted Shared Solutions Hosted Shared Solution Data Stores Hosted Dedicated Solutions Solutions on a shared platform hosted by within outsourced service provider Data stores for solutions on a shared platform deployed within outsourced service provider Solutions on a dedicated platform hosted by within outsourced service provider Security Controls And Operational Solution Entity Types March 8, 2022 64
  • 65. Hosted Dedicated Solution Data Stores Cloud Service Provider Connectivity and Access Cloud Service Provider Access and Authentication Data stores for solutions on a dedicated platform deployed within outsourced service provider Component within cloud service provider for secure connectivity and access to cloud-located solutions and data Component within cloud service providing facilities for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 65
  • 66. Internally Accessible Infrastructure Deployed Solutions Internally Accessible Infrastructure Deployed Solutions Data Stores Internally Accessible Platform Deployed Solutions Solutions deployed in an IaaS pattern designed for use within the organisation Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Data stores for solutions deployed in an IaaS pattern designed for use within the organisation Security Controls And Operational Solution Entity Types March 8, 2022 66
  • 67. Internally Accessible Service Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Externally Accessible Infrastructure Deployed Solutions Data Stores Solutions deployed in a SaaS pattern designed for use within the organisation Solutions deployed in an IaaS pattern designed for use outside the organisation Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by designated external consumers Security Controls And Operational Solution Entity Types March 8, 2022 67
  • 68. Externally Accessible Platform Deployed Solutions Externally Accessible Service Deployed Solutions Publicly Accessible Infrastructure Deployed Solutions Solutions deployed in a PaaS pattern designed for use outside the organisation by designated external consumers Solutions deployed in a SaaS pattern designed for use outside the organisation by designated external consumers Solutions deployed in a SaaS pattern designed for use outside the organisation by public consumers Security Controls And Operational Solution Entity Types March 8, 2022 68
  • 69. Publicly Accessible Infrastructure Deployed Solutions Data Stores Publicly Accessible Platform Deployed Solutions Platform Deployed Solutions Data Stores Data stores for solutions deployed in an IaaS pattern designed for use outside the organisation by public consumers Solutions deployed in a PaaS pattern designed for use outside the organisation by public consumers Data stores for solutions deployed in a PaaS pattern Security Controls And Operational Solution Entity Types March 8, 2022 69
  • 70. Service Deployed Solutions Data Stores Co-Location Provider Connectivity and Access Co-Location Identity, Access and Authentication Data stores for solutions deployed in a SaaS pattern Component within a co- location service provider for secure connectivity and access to co-located solutions and data Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Security Controls And Operational Solution Entity Types March 8, 2022 70
  • 71. Security Controls And Operational Solution Entity Types March 8, 2022 71 Co-Located Solutions Co-Located Solution Data Stores Facility within a co-location service provider for identity and access management and consumer authorisation and authentication Solutions hosted by within a co- location service provider
  • 72. Sample Solution Security Data Model • The sample core and extended conceptual solution security data models described earlier can be translated into a more tangible and usable data model • The data model can be implemented easily March 8, 2022 72
  • 73. Sample Solution Security Data Model March 8, 2022 73
  • 74. Summary • These notes have proposed a solution-oriented security approach that can be applied across the entire set of solutions that comprise the organisation solution landscape • It describes a model for collecting, structuring and analysing solution security across the entire organisation solution topology • The proposed model can be applied to solution design and implementation process to create an inventory of required and implemented and operational security controls across all operation components • It can be used as part of solution design and operation due diligence − Use at stage gates during solution delivery to validate solution security March 8, 2022 74