Enterprise Security Architecture (ESA) is a relatively new concept to most business & IT stakeholders. However it is gaining an increase in adoption due to the need by the CISO’s of enterprises to strategically address information security debt and meet the increasing burden of Privacy related compliance. This post is going to collect some useful online resources which started to explore a creative method to build a mature enterprise security architecture.
IT vs Information Security vs Cyber Security vs Business Continuity vs Risk Management
IT vs Information Security vs Cyber Security vs Business Continuity vs Risk ManagementFrom: 9 steps to Cyber Security |
======================================================================
Following diagram is from Information Security Society Switzerland’s paper “What is Security Architecture”
Relationships & Dependencies between security architecture and relevand IT architecture:
1. Designing a security architecture should be a response to Business strategy and requirements.
2. The IT Strategy should be a response to the Business strategy and requirements.
3. The IT Reference Architecture(s) should be a response to the IT Strategy and Governance. The reference architecture will usually address multiple platforms.
4. The Reference Security Architecture(s) is part of the IT Architecture even if it is published as a separate document.
5. IT Security Risk Management, process and criteria. Are derived from the Business strategy and requirements.
6. A set of Baseline Controls is generated based on the Security Policy, Directives, Standards etc. By
Baseline Controls we understand mandatory minimum standards for the organisation. Input comes from the legal/regulatory environment, Benchmarking and published security “good practice” etc. see section 5 below.
7. Additional controls are derived from the Risk management process.
8. The security Architecture is the embodiment of the baseline and the additional security controls. It can also be defined to include the policies, directives, standards and the risk management process.
9. Some organisations use the term solution architecture to refer to the specific implementations derived from the reference architecture.
=============================================================
=============================================================
Enterprise Security Architecture – Security Controls Matrix. – from Rob Campbell’s website.
=============================================================
Security Layers – Protecting data in the modern age
- Physical layer:Fence, lobby, security guards, physical locks, badge readers, monitoring, vent & air conditioning, physical safes
- Perimeter Layer:Firewalls and NGFW, VPN, Reverse Proxies / Forward Proxies, IDS, SSO, MFA
- Network Layer: IPS, Email Security, Window Communication Control, WAD, Data acquisition network (DAN/SIEM), NAC & Logical Access Conrols, NTP, Wireless Network Security, Password Mgmt (Vaults), SOC, DLP, ATP
- Host Layer: Host based FWs, Anti Virus/Malware, Vulnerabilities scanning & Patching, CMDB and asset mgmt, server access control, OS hardening guidlines, MDM, PAM, Device Encryption, DLP
- Application Layer: SSL certs (data in flight), Role Base Access Control (RBAC/ABAC), Application Code review, Key mgmt systems, Sourcecode mgmt security
- Data Layer: Data encryption, Data Loss Prevention (DLP), Distributed denial of service, data backup / recovery
- Compliance Layer – Policy, Procedures, & Awareness
- Governance, Risk and Compliance Tools
- Business continuity and disaster recovery
- Certifications: SOC2, ISO27001, Privacy Shield, GDPR
- Change management
- Identity management and Identity Governance
- Security Awareness Training
- Incident Management
- HR Backgroudd Checks
- …etc
===========================================================
Zero Trust networks
– ScaleFT provides Zero Trust software which you can use to secure your internal servers and services.
– BeyondCorp
5 Steps to create a zero trust network
1. Identify your toxic data sources
2. Map the transaction flows regarding toxic data
3. Architect a zero trust network based on the toxic data sources and the way it’s used transitionally
4. Write your rules on your segmentation gateway based on expected behavior of the data (users and applications)
5. Monitor the network; inspect and log the traffic; update rules based on the intelligence you get from your security analytics systems