Chapter 1: Introduction and related information about Information Security Architecture
1.0: Overview of the report
The author of this report as CISO of the company come up with plans about security architecture which can apprehend the top-quality flow of information inside the company. What programs are used to gain the objectives of the business? What information do these applications require to be able to achieve those targets, and what integration techniques are in vicinity to allow the sharing of that information? only by understanding those technologies and tactics can it be viable for the framers to develop a method for making sure the security of this information at the same time as permitting crucial business methods to progress unimpeded. Gartner security Architecture Framework will be used in this report. The Gartner security Architecture Framework objective is to align security strategies between three functional different areas of an organization or enterprise.
Information is one of the most crucial assets in any enterprise or organization and need to be accurately protected. Information security is the combining of different platforms, operations and internal controls to make sure the confidentiality, integrity, and availability of data in an enterprise. Given the wide acceptance and use of information technology (IT), users or people can now operate maximum IT solutions on their personal, immediately and with constrained assist of IT experts. Because of speedy advances in IT, information security is dealing with unprecedented challenges, and effective information security management is one of the primary concerns.
However, there may be many security technology studies, fantastically few information security management studies observed within the literature. It was not till 1995, while the British standard institution (BSI) mounted BS7799-1, “information security management – element I: Code of practice for information security management”, that extra entire management framework for information security emerged. Even as information security has usually been a challenge, it has turn out to be even more vital with the proliferation of the internet (Agarwal and Prasa, 1998).
While in the beyond organizations had been concerned most effective with protecting the flow of information in the business, nowadays they must do not forget the threat from outside – from attacks on the security of the company Intranet, for example, or electronic data interchange (EDI) between the organization, customers and suppliers. Nowadays organizations are doing a great process to secure their information, however they are the exception instead of the norm. Most of the people are grappling with simple information security issues, and but information security standards of confidentiality, integrity and availability are regularly touted as vital to attaining commercial enterprise goals.
Gartner security Architecture Framework will be used in this report. The Gartner security Architecture Framework objective is to align security strategies between three functional different areas of an organization or enterprise. Those three functional different areas of an organization or enterprise are Business Architecture, Information Architecture (1A), and Technology Architecture which will be explained in detail related to the company and the author position as CISO of the company below in this report (Gartner.com, 2018).
1.2 Business Architecture (BA)
The security architecture should be aligned with the aims and objectives of the company. Without right alignment there might be an inevitable disconnect among business approach and security. To allow this alignment it is crucial to correctly define the business architecture in place to gain the goals of the corporation by means of asking several questions to the company:
? What does the company do?
? Who does it?
? What information do they use to achieve their goals?
? In which do they do it?
However, by using answering those questions it turns into viable for the security architecture framers to develop a complete map of the strategies of the organization, in conjunction with a range of organizational charts and business process maps (Ealearning.com, 2018).
1.3: Information Architecture (IA)
Information structure is a basis discipline describing the theory, principles, guidelines, standards, conventions and elements for managing information as a useful resource. It produces drawings, charts, plans, files, designs, blueprints and templates assisting each person make efficient, powerful, productive and innovative use of all varieties of information.
Enterprises in day-to-day complicated global are experiencing speedy modifications in constantly competitive conditions. there’s an expanded need every day reply quickly daily converting market situations, new business opportunities, threats and rising alliances that had been unthinkable some years ago (Wigand, 1997).
Pressures of world competition and developing dependence on information technology in every company suggest that the powerful use of information is greater critical now than ever before. corporations have made huge investments in information technology, however commitment day the usage of information as a corporate useful resource seems to be lacking (Evernden and Evernden, 2003).
The convenience with which information may be created, extracted, and transmitted by way of email and communication hyperlinks has created expectations of the capability day exchange information quicker and more often among companies and end- users.
Information is now identified as a valid and valuable useful resource in the everyday management of a company, the characteristic defined as information management has grown from being a pure library, filing or computing feature to a mainstream management activity. From this evolutionary process the concept of “information architecture” has emerged in recent times. in keeping with some of sources the term “information architecture” changed into coined, or at least introduced to huge attention, by using Richard Saul Wurman within the mid-1970s at the American Institute of Architects’ national convention in Philadelphia with the convention theme entitled “information Architects” (Evernden and Evernden, 2003).
1.4: Technology Architecture (TA)
It is important to examine the technology architecture in the company to help applications and techniques. The technology architecture of most enterprises is pretty complex, concerning a selection of different technologies strolling on distinctive systems, every relying on a range of heterogeneous legacy platforms. making sure the security of those technologies whilst permitting business procedures sufficient get admission to information can be a frightening challenge. In order to make sure the security of data within this architecture it is important to construct a map of each piece of that architecture, and to understand how information moves among its components.
1.4 Enterprise Information Security Architecture (EISA)
The sphere of enterprise information security architecture (EISA) has generated plenty of interest within the recent years. EISA became first provided by Gartner detailing how security should be integrated into enterprise architecture. most companies lay declare to a few form of information security architecture, but, documentation of the methodology for adoption of information security architecture is lacking. EISA may be considered as the practice of applying a complete and rigorous approach for describing a current and/or future shape and conduct for a company’s security techniques, information security platforms, employees and organizational sub-units, in order that they align with the company’s core objectives and strategic direction. despite the fact that frequently associated strictly with information security technology, it relates more extensively to the security practice of enterprise optimization in that it addresses business security architecture, performance management and security process architecture as properly. EISA isn’t always a procedure for building a wall to guard the information systems of a company however is the architecture that guarantees information security aligns with the techniques and goals of the company whilst promoting seamless integration: –
architecture has its origins inside the building of staggering homes in cities and towns and this experience is properly understood by means of everybody. architecture, in the traditional context, is a set of guidelines and conventions by way of which buildings are created which serve the intended reason, each functionally and aesthetically. The concept of architecture is “one which helps our desires to stay, to work, to do business, to travel, to socialize and to pursue our entertainment. in the context of designing and building business computer platforms, the time period has been followed to mean “the rules and standards for the design and creation of computers, communication networks and the distributed commercial enterprise systems which can be implemented using those technologies” (Sherwood, Clark and Lynas, 2005).
Clearly information security architecture is going past the technology that a company adopts for its business. The purpose of information security architecture is to help the company gain targets in the current operational constraints or surroundings. This broader view of information systems architecture underlines the truth that technological elements are not the only drivers influencing the architecture. as an alternative it is simplest one of the concerns. companies which have not noted this truth regularly emerge as with architectures that fail to meet their business needs.
The finest challenge in information security is aligning with business goals. A 2007 survey by means of Deloitte and Touche LLP and Panemon Institute confirmed that fifty percent of North American security specialists’ time is spent on reactive and tactical activities which includes remediation of operational vulnerabilities. This disconnect between information security operations and strategic business goals adds stress to improved safety spending whilst risks, incidents and losses continue to expand. A framework that enables information security experts to align their activities with their company’s business is needed (Anderson, 2008).
Business companies in growing economies understand information security as a “nice-to-have”. most of the big financial sector-based totally companies, which might be more risk-conscious, implement information security as a gimmick to attract customers. It allows venture a good photo to clients. Others implement information security systems to comply with requirements mandated through parent organizations, or dictated through regulatory necessities. generally, the lower the capability to cause economic loss, the less interest accorded to information security requirements. There are the ones who’ve the belief that information security isn’t an immediate threat.
Chapter 2: Literature Review
In this chapter, the review will be including domain research and technical research. At the beginning of this chapter, the researcher will be discussing the similarities of information Security architecture systems that already exist and performing around the world. After that, the researcher will be explaining well in detail on how the researchers have set their information Security architecture systems.
2.2: Domain Research: Similar Systems
There are many different similar journals which available now with similar information security architecture ideas and methodologies. According to different researchers which they have done researches and system development about information Security architecture systems. The following are similar finding researches about security architecture systems from different researchers:
2.2.1: Enterprise information security, a review of architectures and frameworks from interoperability perspective.
The enterprise information security architecture (EISA) provides a framework upon which commercial enterprise security requirements, the risks and the threats are analyzed and a portfolio of the high quality incorporated enterprise security solutions be arranged together. Frameworks and models brought in the beyond six years have tested different components of EISA. The researchers found out the variety of the stated techniques and in this paper, first, they developed two facets in step with which these techniques are classified. Those facets are abstraction stage (holistic vs. partial) and architectural perspective (managerial vs. technical). As interoperability is the number one focus of their study and it is a broad idea, the researchers restrict their dialogue to holistic frameworks and models. In this regard, the researchers survey the outstanding holistic techniques particularly Gartner, SABSA, rise frameworks, AGM-based version and intelligent service-oriented EISA. Then, in the next step, the researchers evaluate the mentioned frameworks from technical, organizational and semantic interoperability factors.
Finally, the researchers concluded that not one of the frameworks, now not even the ones which can be holistic, practical and substantially elaborated, have explored interoperability certainly. They assert that the competitive advantages provided by interoperability, justify the expenses needed for implementing the incompatible principles of interoperability and security at the side of every other. Further, the researchers proposed that the requirements, which are common to each interoperability and security, have to be extracted and the importance of interoperability to EISA have to be apprehended (Shariati, Bahmani and Shams, 2011).
2.2.2: Enterprise Information Security Architectures
Enterprises are suffering in recent times to attain the stability among implementing the security controls within the corporation even as allowing the employees to increase the productiveness and communicate the information without difficulty. Enterprise security isn’t always most effective approximately protecting the infrastructure of the enterprise, however also the sensitive data flowing most of the corporation. Security of enterprise accomplished in generic manner via applying three methods:
This includes stopping the networks from intruders by way of avoiding security Breaches. That is commonly executed through implementation of firewalls.
This procedure makes sure of the detection of the attacks and the breaches, which can be accomplished over the network.
As soon as attack happens, recovery is crucial for stopping the information asset of the enterprise, which could damage because of the attack. For this, some recovery mechanisms are being employed by means of the enterprises.
2.2.4: Business Security Architecture: Weaving Information Security into Your Organization’s Enterprise Architecture through SABSA.
Information security is a vital aspect in organizational achievement, pushed by way of the need to protect information property. The non-stop evolution of external and internal threats and the related want to defend and secure information from exploitation of vulnerabilities has end up a battle for plenty corporations in each the public and private sectors. This battle is the direct result of the narrow awareness on operational security. Simply because the traces among enterprise and information technology have disappeared, so have the traces between commercial enterprise and information security. a few companies absolutely “check the box” by means of performing the minimum moves required to pass or meet mandated compliance requirements. Without practicing due diligence and via simplest meeting the minimum necessities, results in the reactive response of exploited vulnerabilities further to the increase of after the fact incident investigations. Corporations want to take a proactive technique the use of established methodologies recognized to incorporate security into information technologies and platform. The Sherwood applied business security architecture (SABSA) is a solution oriented technique for any business organization that seeks to allow its information infrastructure by making use of security solutions inside each layer of the enterprise.
The researcher describes how SABSA can be integrated into companies’ existing architectures making use of organizational enterprise drivers (Burkett, 2012).
2.2.5: I-SolFramework: An Integrated Solution Framework Six Layers Assessment on Multimedia Information Security Architecture Policy Compliance
Multimedia information security turns into a vital component for the enterprise’s intangible assets. Stage of self-belief and stakeholder relied on are performance indicator as successes corporation, it is imperative for corporations to use information security management system (ISMS) to successfully control their multimedia information assets. The
essential goal of this journal is to offer a novel practical framework technique to the development of ISMS, known as the I-SolFramework, carried out in multimedia information security architecture (MISA), it divides a hassle into six item domains or six layers, particularly corporation, stakeholders, tool & technology, policy, understanding, and tradition. Further, this framework additionally delivered novelty algorithm and mathematic models as dimension and assessment tools of MISA parameters (Susanto et al., 2012).
2.2.6: ARSA: An Attack-Resilient Security Architecture for Multihop Wireless Mesh Networks
Multihop wireless mesh networks (WMNs) are finding ever-growing recognition as a viable and powerful solution to ubiquitous broadband internet access. This journal addresses the safety of WMNs that is a key impediment to huge-scale deployment of WMNs, however thus far gets little attention. The researchers first thoroughly discover the precise security requirements of WMNs for the first time within the literature. Then, they suggest ARSA, an attack-resilient security architecture for WMNs. In comparison to a conventional mobile-like solution, ARSA gets rid of the need for establishing bilateral roaming agreements and having actual-time interactions among potentially severe WMN operators. With ARSA in area, every user is no longer bound to any specific network operator, as he or she ought to do in current cell networks. Alternatively, she or he acquires a typical pass from a third-party broker wherein to recognize seamless roaming throughout WMN domains administrated by using distinctive operators. ARSA supports efficient mutual authentication and key settlement each between a user and a serving WMN domain and between users served by way of the same WMN domain. Further, ARSA designed to be resilient to a huge range of attacks (Zhang and Fang, 2006).
3: Potential Issues in Information Security Architecture for the organization
Firstly, security services offer confidentiality, integrity, and availability services for any system in the world. The security services are applied as safety services which including authentication and authorization, detection services, inclusive of monitoring and auditing, and response services, incident reaction and forensics. These services have served because the goals and targets for Information Security Architecture for decades. This report describes a way to map, identify and investigating those potential issues into unique enterprise security architecture of the company in order to be used for developing a great Information Security Architecture. As an IT manager and Chief information security officer (CISO) need to guide, leading the engineer team and work hard together as the team in order to fulfill the project. At the end, the company will get benefit on this report.
The following is diagram which showing the potential issues in the existing design and implementation of Information Security Architecture for the company and plan to make better Information Security Architecture for the company as well.
Figure 1: Information Security Architecture for the company and Plans
3.0: Risk Management
This enterprise security architecture blueprint takes risk management as serious issue which a lot of companies are facing till today in the world. risk is made from property, threats, vulnerabilities, and countermeasures.
A risk management centric technique permits for the security architecture to be agile in responding to business goals. Risk is a feature of threats exploiting vulnerabilities in opposition to property or asset. The threats and vulnerabilities can be mitigated by way of deploying countermeasures. The risk control procedure implements risk evaluation to make sure the company’s risk exposure is in step with risk tolerance objectives. This doesn’t suggest that conduct is uniformly threat averse or risk seeking. The platform has to tackle the ideal stage of risk primarily based on company objectives. As IT manager and CISO of the company needs to identify and elaborate the risks and how to overcome them to the CEO of the company in order the CEO to have idea and its effects to the company.
Figure 2: Risk Equation
In additional, as IT engineering team of the company, the goal of the engineering team on risk management is to allow a company to take the risks if it’s necessary and to prepared on how to tackle the risks through designing and deploying countermeasures that permit for practical business risk. Also, the role of the information security architecture is not to influence the company faraway from risk, however as a substitute to teach the company top management (such as CEO) about the risks they’re taking and provide countermeasures that allow the business to take as a lot risk as suits company’s goals.
3.1: Security policy and standards
The company policies and standards that govern the platform’s design and deployment. The security policy describes each what’s allowed in addition to not allowed within the platform. security standards have to be prescriptive steerage for humans developing and operating platforms, and need to be subsidized by reusable services anywhere realistic. that is very crucial; it is no longer appropriate for enterprise security to solely characteristic as an arbiter; security within the company desires architecture and design advocates, and backing at runtime. security policy and standards aren’t end goals in themselves, they need to be subsidized by a governance version that guarantees they’re in use, and that it is practically feasible to develop, deploy, and running platforms primarily based on company purpose. As IT engineering team of the company will develop better security policies and standards in order to help the company to go into larger markets.
3.2: Information Security Architecture by Gartner
Information Security Architecture by Gartner is a strategic framework architecture that permits the improvement and operations workers to align efforts, Also Information Security Architecture by Gartner can drive platform enhancements which aren’t feasible to make at a task stage. For example: A given software development task won’t be capable of make a business case to buy an PHP security Gateway for advanced internet services security, however at the architecture degree, architects can probably discover several projects that might leverage one of these reusable service. Based on this example, the Information Security Architecture by Gartner provides stepped forward PHP internet services security which simplified programming model for software developers, and saves development prices.
Risk control, security policy and standards, and security architecture govern the Information Security Architecture and defensing in depth architecture via design steering, runtime assist, and guarantee services. security metrics are used for choice assist for risk management, security policy and standards, and security architecture. The security architecture need to have a reference implementation for software developers and different IT body of workers to evaluation what capabilities the security mechanisms plays, and the way to overcome them.
3.3: Security Techniques / Processes
These are techniques which performed within risk management, Information Security Architecture by Gartner and security policy and standards. Also, Security Techniques are divided into small domains with different engineers and models in order to conquer different issues (problems) in the company.
3.3.1: Threat management
Threat management concerns with the threats to platforms which includes virus, Trojans, worms, malicious hackers and intentional and accidental platform misuse through insiders or outsiders as well. Threats fluctuate from vulnerabilities in that threats are the ones that breach or try to breach security regulations, mechanisms and standards. The safety gaps which are exploited by means of threats are known as vulnerabilities.
Threat management components and techniques consist of:
? safety monitoring
? Internet software Firewall
? Security Incident control techniques
? Security occasion management platform
The threat surroundings are inherently unpredictable and in big element out of manipulate of the company. software developers can help the security group in knowledge attack vectors and signatures to reveal for, however it is not possible to predict all threats, which means that threat control has a big detection and reaction element. monitoring platforms and audit services at diverse degrees inside the platform can become aware of threats that avoid anticipated paths and controls. As IT engineering team of the company identified the threats which might attack the company’s security systems.
3.3.2: Identity management
Identity management concerns with the communication, reputation, and utilization of identity in the company. identification control consists of directories, multi-aspect authentication, federation, and so forth. All access management is based on identification, a critical difficulty to information Security Architecture, the excellent of the platform’s authentication and authorization can’t be more potent than the identification management technique. identification control architecture is critical to identify factors of leverage throughout tasks, due to the fact identification control components are frequently no longer capable of guide a business case personally. Strategically the company need to align funding, architecture, and implementation inside the identification area to boom the high-quality and power of identification. The main advantage is to enhance the authentication, authorization, and auditing services for the platform as an entire. The use of the identification control architecture comes via mapping the problem request’s claims to coverage enforcement selection workflow and the item’s safety version, frequently inside the shape of group and/or function club. This is very crucial inside the company whereby someone can use somebody credentials to log in to the company’s platform for wrong doing. So, as an IT manager and Chief information security officer (CISO) need to explain to the employees regarding this issue for better information security of company.
3.3.3: Vulnerability management
Vulnerability management is the combination of techniques and technologies for reporting, and mitigating regarded vulnerabilities. The vulnerabilities might also be living at any platform layer such as database, running platform, servers, and so forth. The specialized equipment used exploring for acknowledged vulnerabilities. it is vital to differentiate threat management and vulnerability management. The threat management consists of many unknown mysteries attacker strategies and objectives. The attackers will pick out presently unknown vulnerabilities however there are numerous acknowledged vulnerabilities that the security crew can act on, even as the risk panorama is inherently less predictable that means protection is reactive to threats and may be usually proactive in the direction of handling recognized vulnerabilities. This issue has direct implications on prioritization, and making an investment in those regions, due to the fact vulnerability control has a greater predictable lifecycle based totally on the recognized amount of many vulnerabilities. As IT engineering team of the company identified the vulnerability parts of company’s platform and come up with the solution as well.
3.4: Defense in depth
defensing in depth is based at the belief that each security management is susceptible one way or the other, however that if one element fails any other control at a separate layer nevertheless gives safety services to mitigate the harm. For instance, a company web server can be compromised, however if the web server process executes interior the company which constrains the attack’s privileges to release further attack, then the opportunity of a cascading failure is decreased. every stage of the defensing in depth tool has its very own precise security abilities and constraints. The center safety services are authentication, authorization, and auditing practice in any respect ranges of the defensing in depth tool. For instance, audit logging happens at platform network, software, server and information get right of entry to stages. The IT engineering team of the company’s task is to discover the right mixture of the center security services at every stage within the stack to supply a cohesive protection posture that displays the company’s risk management goals.
3.4.1: Host security
This security involved with get entry to control at the servers and workstations. Host Intrusion Detection platforms discover host anomalies and security activities. Host Integrity tracking assessments and protects the integrity of the important documents and applications at the host. Baseline Configuration Scanners offer guarantee that the platforms in use inside the area meet the policy and requirements at a granular stage. Those scanners can be computerized to guide exceptionally allotted and huge scale environments. As IT engineering team of the company will propose great technique to make sure the documents and valuable information to secure.
3.4.2: Application security
This application security offers with 2 major concerns which are shielding the code and services running on the platform, who’s connecting to them, and what’s output from the applications via a mixture of secure coding practices, static evaluation, threat modeling, participation inside the Software development lifecycle, software scanning, and fuzzing. Secondly, handing over reusable program protection services including reusable authentication, authorization, and auditing services allowing developers to construct protection into their platform. security regularly collaborates with software program architects and developers in this place to construct security into the platform. As IT engineering team of the company will propose to CEO the procedures on how to protect more the platform.
3.4.3: Network security
This network security offers layout and operations for protection mechanisms for the network. Please be aware this differs from assuming that “the network is secure” that is the fourth fallacy of allotted computing. network security mechanisms, including platform firewalls and network intrusion detection software, are typically a handy and scalable factor to use protection controls and are crucial locale for outlining chokepoints and zones. Zones outline logical and/or physical limitations around a set of platform. Chokepoints outline places to pass barriers into and out of zones, in which unique security issues observe. As IT engineering team of the company will propose to CEO the procedures on how to protect more the platform. For instance, using the DMZ pattern for the company platform.
3.4.4 Risk Metrics
Risk metrics helps to determine the general assets, and their attendant countermeasures, threats, and vulnerabilities. Because risk metrics are targeted on assets, they permit the security architecture to be measured in enterprise phrases. Also, risk metrics technique helps the IT engineering team of the company to tell CEO about protection posture based totally on data this is harvested from the security techniques, particularly vulnerability management and risk management, and the defensing in depth stack.
This is the last section of this study. The aims and objectives of this research, related details about related information Security Architecture and literature review on all the primary variables were explained and analyzed accordingly. However, Information Security Architecture by Gartner was a strategic framework architecture which used to come up the brilliant plan for the company.
As IT engineering team of the company identified the threats which might attack the company’s security systems. Those threats included virus, Trojans, worms, malicious hackers and intentional and accidental platform misuse through insiders or outsiders as well. Threats fluctuate from vulnerabilities in that threats are the ones that breach or try to breach security regulations, mechanisms and standards.
In addition, the risk management were discussed and explained well in this report in order to help CEO of the company to understand risk and awareness when he decide the company to go into larger international market.
However, as an IT manager and Chief information security officer (CISO) assisted, guided, leading the engineer team and work hard together as the team in order to fulfill the project so that the company will get benefit from this report. Also, as an IT manager and Chief information security officer (CISO) managed to develop solid security architecture plans with a diagram (shown on figure 1) for the company so that the company will be sure on engaging on larger international market without having any doubts of losing money or assets.