Reference Architecture
Guiding Principles
- Define protections that enable trust in the cloud.
- Develop cross-platform capabilities and patterns for proprietary and open-source providers.
- Facilitate trusted and efficient access, administration and resiliency for the customer/consumer.
- Provide direction to secure information that is protected by regulations.
- The architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
- Centralize security policy, maintenance operation and oversight functions.
- Access to information must be secure yet still easy to obtain.
- Delegate or federate access control where appropriate.
- Must be easy to adopt and consume, supporting the design of security patterns.
- The architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
- The architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
Version 2.0
Business Operation Support Services (BOSS)
Compliance
Audit Planning Independent Audits Third-Party Audits Internal Audits Contact/Authority Maintenance
Information Technology Operation & Support (ITOS)
IT Operation
DRP
Plan Management Test Management
Presentation Services
Presentation Platform Presentation Modality
Consumer Service Platform
Social Media Search
End-Points
Mobile Devices
Mobile Device Management
Security and Risk Management
Speech Recognition (IVR)
Enterprise Service Platform
B2E B2M B2C
Desktops
Company owned Third-Party Public Kiosk
Collaboration E-Mail e-Readers
B2B P2P
Portable Devices Fixed Devices
Governance Risk & Compliance
Compliance Management Vendor Management Policy Management
Exceptions
Self Assessment
InfoSec Management
Capability Mapping Risk Portfolio Management Risk Dashboard
Medical Devices
Smart Appliances
Handwriting (ICR)
High Level Use Cases
IT Governance
Architecture Governance Standards and Guidelines
Secure Sandbox
Audit Management
IT Risk Management
Technical Awareness and Training
Residual Risk Management
Information System Regulatory Mapping
Intellectual Property Protection
Privilege Management Infrastructure
Data Governance
Data Ownership / Stewardship Secure Disposal of Data
SaaS, PaaS, IaaS
Resource Management
Segregation of Duties Contractors
PMO
Program Management Project Management Remediation
Portfolio Management
Maturity Model Roadmap Strategy Alignment Input Validation Security Design Patterns
Application Services
Programming Interfaces Security Knowledge Lifecycle
Attack Patterns Code Samples Security Application Framework - ACEGI
Identity Management
Domain Unique Identifier Identity Provisioning Federated IDM Attribute Provisioning
Authentication Services
Risk Based Auth Multifactor Auth Smart Card Password Management OTP Biometrics Network Authentication Single Sign On Middleware Authentication WS-Security Identity Verification OTB AuthN SAML Token
Data Classification Clear Desk Policy
Handling / Labeling / Security Policy Rules for Information Leakage Prevention Rules for Data Retention
Integration Middleware
Operational Risk Management
Operational Risk Committee Business Crisis Management Impact Analysis Key Risk Indicators Business Continuity Planning Testing
Human Resources Security
Employee Termination Background Screening Roles and Responsibilities Employment Agreements Job Descriptions Employee Awareness
Service Delivery
Service Level Management
Objectives OLAs Internal SLAs External SLAs
Information Technology Resiliency
Availability Management Resiliency Analysis
Development Process
Self-Service
Security Code Review Application Vulnerability Scanning Stress and Volume Testing
Connectivity & Delivery
Software Quality Assurance
Entitlement Review Policy Definition Policy Enforcement Policy Management Principal Data Management Resource Data Management XACML Role Management Obligation Management Out of the Box (OTB) AuthZ
Authorization Services
Privilege Usage Management
Keystroke/Session Logging Privilege Usage Gateway Password Vaulting Resource Protection
Hypervisor Governance and Compliance
Abstraction
Vendor Management Service Dashboard
Threat and Vulnerability Management
Compliance Testing Vulnerability Management
Application Infrastructure DB Databases Servers Network
Capacity Planning
Risk Management Framework Business Assessment Technical Assessment Independent Risk Management
Employee Code of Conduct
Information Services
Application Performance Monitoring
Asset Management
Service Costing Charge Back Operational Budgeting Investment Budgeting
Service Delivery
Service Catalog SLAs OLAs Dashboard Recovery Contracts Plans
Reporting Services
Data Mining Reporting Tools Business Intelligence
PMO Strategy Roadmap
ITOS
Problem
Management
Incident
Management
BOSS
Risk Assessments Data Classification Process Ownership
Penetration Testing
Internal External
Threat Management
Source Code Scanning Risk Taxonomy
Security Monitoring Services
SIEM Platform Event Correlation Event Mining Database Monitoring Application Monitoring Honey Pot End-Point Monitoring Counter Threat Management Anti-Phishing User Behavior & Profile Patterns Cloud Monitoring E-Mail Journaling Market Threat Intelligence
CMDB
Knowledge
Management
Data Governance
Risk Assessments NonProduction Data Information Leakage Metadata Session Events
Security Monitoring
Service
Management
Change
Management
Audit Findings
SOC Portal Managed Security Services Knowledge Base Branding Protection
Service Support
Configuration Management
Configuration Rules (Metadata) Configuration Management Database (CMDB) Service Events
Authorization Events
Authentication Events
HR Data (Employees & Contractors)
Business Strategy
Application Events
Network Events
Computer Events
Behavioral Malware Prevention White Listing Sensitive File Protection Anti-Virus HIPS / HIDS Host Firewall
Server
Infrastructure Protection Services
Anti-Virus, Anti-Spam, Anti-Malware Media Lockdown
End-Point
HIPS /HIDS
Host Firewall Behavioral Malware Prevention
Data Segregation HIPS NIPS Events
Hardware Based Trusted Assets Content Filtering
User Directory Services
Active Directory Services LDAP Repositories DBMS Repositories X.500 Repositories
Network
Behavioral Malware Prevention Firewall Content Filtering DPI Inventory Control NIPS / NIDS Wireless Protection Link Layer Network Security Black Listing Filtering
Forensic Tools White Listing
Real-time internetwork defense (SCAP)
Legal Services
Contracts E-Discovery Incident Response Legal Preparation
Internal Investigations
Forensic Analysis e-Mail Journaling
Capacity Planning Automated Asset Discovery
Software Management Configuration Management
Physical Inventory
Knowledge Repository
Risk Management
GRC RA BIA
Transformation Services
Database Events Privilege Usage Events
Application
XML Appliance Application Firewall Secure Messaging Secure Collaboration
Real Time Filtering
Change Logs
DR & BC Plans
VRA
TVM
ACLs
CRLs
Compliance Monitoring
NIPS Events
DLP Events
eDiscovery Events
Registry Services
Location Services
Federated Services
Virtual Directory Services
Meta Directory Services
Data Protection
Data lifecycle management
Meta Data Control eSignature
(Unstructured data)
Incident Management
Security Incident Response
Problem Management
Event Classification Trend Analysis Root Cause Analysis Problem Resolution
Automated Ticketing Ticketing
Self-Service
Internal Infrastructure
Infrastructure Services
Asset Handling
Data Software Hardware
Cross Cloud Security Incident Response
Virtual Infrastructure
Remote
Data De-Identification Life cycle management
Data Masking Data Obscuring
Data Tagging Data Seeding
Orphan Incident Management
Facility Security
Controlled Physical Access
Barriers Security Patrols Electronic Surveillance Physical Authentication
Knowledge Management
Best practices Trend Analysis Benchmarking Security Job Aids Security FAQ
Patch Management
Compliance Monitoring Service Discovery
Servers
Secure Build Image Management
Desktop Client Virtualization
Local
Session-Based VM-Based (VDI)
Storage Virtualization Block-Based Virtualization
Host-Based
Data Loss Prevention
Data Discovery Network
(Data in Transit)
Intellectual Property Protection
Intellectual Property Digital Rights Management
LDM LUN
LVM
Storage Device-Based
Network-Based
Appliance Switched
End-Point
(Data in Use)
Server
(Data at Rest)
Change Management
Domain
Container
Process or Solution Data
SABSA ITIL v3 TOGAF JERICHO
Service Provisioning
Approval Workflow
Change Review Board Emergency Changes
Release Management
Scheduling Testing Version Control Build Source Code Management
Environmental Risk Management
Physical Security Equipment Location Power Redundancy
Equipment Maintenance Availability Services
Application Virtualization
End Point
Client Application Streaming
Server Application Streaming
Virtual Workspaces
Vertical Isolation
File-Based Virtualization
Symmetric Keys
Cryptographic Services Signature PKI Key Management Services
Asymmetric Keys
Data-in-Transit Encryption
(Transitory, Fixed)
Data-in-use
Encryption (Memory)
Data-at-Rest Encryption
(DB, File, SAN, Desktop, Mobile)
Server Virtualization
Virtual Machines (Hosted Based)
Full Paravirtualization Hardware-Assisted
Network Virtualization Network Address Space Virtualization IPv4 IPv6
External (VLAN) Internal (VNIC)
Database Virtualization
Planned Changes Project Changes Operational Changes
Storage Services
Network Services
Network Segmentation Authoritative Time Source
Mobile Device Virtualization
Policies and Standards
Operational Security Baselines Job Aid Guidelines Role Based Awareness Best Practices & Regulatory correlation Information Security Policies Technical Security Standards Data/Asset Classification
OS Virtualization
TPM Virtualization
Virtual Memory
Smartcard Virtualization
Co-Chairs: Jairo Orea, Yaron Levi, Dan Logan. Team: Richard Austin, Frank Simorjay, Yaron Levi, Jon-Michael Brook, Jarrod Stenberg, Ken Trant, Earle Humphreys, Vern Williams Date: 02/25/2013