Developing an Architectural Framework towards achieving Cyber Resiliency Presented by Deepak Singh

Posted 28-Mar-2018


Presentation Content

Copyright © 2014 Secure Logic 2 www.securelogicgroup.com

Cyber Threat Landscape
- Cyber Attack and Threat Profile
- Cyber Threat Map

Cyber Security Counterintelligence (through) Architecture Modelling { CSCAM }
- Reference Architecture
- Network and Security Principles
- Data Flow


Cyber Threat Landscape
- Cyber Attack and Threat Profile
- Cyber Threat Map

Cyber Attack and Threat Profile


- Targeted attacks vs non-targeted attacks: 50:50 ratio
- Attack source: internal and external

- Top 3 Attack vectors

Compromised despite having people, processes, and technologies controls in place

Cyber Threat Landscape

“There are two types of companies: those that have been hacked and those that will be hacked.” Robert Mueller, FBI Director, speaking at the RSA Conference.

[Chart: share of incidents by type, horizontal axis 0% to 18%. Categories: loss of confidential or proprietary information, denial-of-service, financial fraud.]

Cyber Threat Map


Cyber Threat Landscape

[Chart: attackers' expertise versus motivation (source: NSS Labs). Expertise axis: Script-Kiddy, Hobbyist Hacker, Expert. Motivation axis: Curiosity, Personal Fame, Personal Gain. Plotted segments: Vandalism, Author of Tools, Theft. Annotation: the fastest growing segment is tools created by experts now used by less-skilled criminals, for personal gain.]

Cyber Threat Map


Cyber Threat Landscape


Threat agents
- Conflict in Nations
- Organized Criminals
- Radical activists
- Cyber-vandals
- Data miner
- Malicious Employees
- Recognition
- Unintentional Errors

Threat Vectors
- Motivation
- Means
- Money
- Assets of interest

[Diagram: threat agents and threat vectors converging on "My Asset", framed by the business cybersecurity objective.]

Cyber Threat Landscape

Technology Domain
- DDOS
- Firewall
- IPS
- AV
- HIDS
- FIM

Operational Domain
- Change Mgt
- SIEM
- Version Control

Business Domain
- Objective
- Strategy
- Requirements

Cyber Security Counterintelligence (through) Architecture Modelling { CSCAM }
- Reference Architecture
- Network and Security Standards
- Data Flow

Reference Architecture


C-SCAM

The model and methodology for developing risk-driven enterprise information architecture and for delivering sustainable ICT solutions that support critical business initiatives.

The framework is based on these industry standards:
- SABSA - Applied Business Security Architecture
- TOGAF - Enterprise Information Architecture Framework
- ISO 27001 - Information Security Management System

Reference Architecture

C-SCAM: Business Drivers

Key Points:
- Services Anytime Anywhere
- Community and Industry Collaboration
- Citizen Focused Services
- Better Information Sharing
- Financial and Performance Management

[Diagram: Driver 2020, Strategy 2020, ICT Re-investment pool]

Reference Architecture

C-SCAM: Attributes Profiles (on top of Business Drivers)

Key Points:
- Entities and their Relationship
- Supplier and Consumption Channels
- Contextual Architecture dependencies
- IT Network and Security attributes
- IT Services Modelling

Reference Architecture

C-SCAM: Strategy Alignment (on top of Business Drivers and Attributes Profiles)

Key Points:
- Commoditise Data Services
- Create a Marketplace for external Providers
- Promote the use of Virtualisation
- High Specification Security Standards
- Enable Compliance

Reference Architecture

C-SCAM: Control & Enablement Objectives, Domain & Trust Models (on top of Business Drivers, Attributes Profiles, Strategy Alignment)

Key Points:
- Defines logical and physical boundaries
- Set of elements with common security policy
- Determines network segregation and controls
- Determines Data Flow between Domains, Zones
- Enable information exchange

Reference Architecture

C-SCAM: Scenarios & Design Patterns (on top of Business Drivers, Attributes Profiles, Strategy Alignment, Control & Enablement Objectives, Domain & Trust Models)

Scenario 1: Co-Location / Self Managed

Agency/Service Provider A migrates all of their data centre infrastructure to the GovDC facility. Once in place, Agency A operates their data centre infrastructure as a co-located facility, independent from other agencies and marketplace suppliers located within the facility.

Scenario 2: Hybrid Co-location / Managed Services

Agency/Service Provider B migrates their UNIX infrastructure to the GovDC facility. They choose to replace the remainder of their infrastructure with services sourced from private sector suppliers via GovDC's service catalogue.

Scenario 3: Fully Managed Services

Agency/Service Provider C has an equipment refresh coming up and needs new infrastructure. Instead of procuring new capacity and infrastructure, they purchase a fully managed service from inside GovDC and migrate to the facility.

Key Points:
- Agile and scalable take-up model
- Modular and Easy Integration
- Standard procedures for on-boarding
- Reference Architecture and Design Blueprints
- Ensure Sustainability and Stability

Reference Architecture

C-SCAM: Zone Placement (on top of Business Drivers, Attributes Profiles, Strategy Alignment, Control & Enablement Objectives, Domain & Trust Models, Scenarios & Design Patterns)

[Diagram: placement of agency traffic and applications across the five domains below.]

1. DMZ Domain: protects the application, data domains and sub-domains (zones) by confirming identity and trust prior to allowing access to these "protected" domains and zones.

2. Internal Protection Domain: houses agency compute and storage resources, along with a growing number of common services accessible to agency business applications.

3. External Cloud Access Domain: provides a common interaction point to consume external cloud services.

4. Secure Administration Domain: provides segregated privileged user access to the systems, application, data domains and sub-domains (zones).

5. Services Backbone: provided by GovDC, offers robust, secure connectivity between agency resources.

Reference Architecture

C-SCAM: Services & Mechanism, Products & Tools (on top of Business Drivers, Attributes Profiles, Strategy Alignment, Control & Enablement Objectives, Domain & Trust Models, Scenarios & Design Patterns, Zone Placement)

DMZ Services Stream
- Internet Gateway Services
- IDS / IPS as a Service
- Proxy Gateway Services
- E-mail Gateway Services
- Firewall as a Service
- Remote Access Services
- Application Delivery Services

Secure Administration Domain
- Encryption as a Service
- Hardware Security Module (HSM) as a Service
- Cryptographic Key Management Services
- Authentication as a Service
- Enterprise Policy Services
- DNS as a Service
- Vulnerability Management Services

Internal Protection Domain
- Identity Management Services
- IP Address Management as a Service
- Application Delivery Services
- Proxy Gateway Services
- DLP as a Service
- Collaboration Services
- Mobile Device Management as a Service

Key Points:
- Services Anytime Anywhere
- Clear Roadmap to 'Services' model
- Solution 'Traceability' and 'Completeness'
- Key benefits today vs Future enablement
- 'As a Service' design modelling

Reference Architecture

C-SCAM: Service Management Matrix, Architectural Governance (on top of Business Drivers, Attributes Profiles, Strategy Alignment, Control & Enablement Objectives, Domain & Trust Models, Scenarios & Design Patterns, Zone Placement, Services & Mechanism, Products & Tools)

Key Points:
- Baseline Standards established
- Policy and Procedures Framework
- Enable Compliance & Assurance
- Enable Agency Certification program
- Integrated Risk Management model

Data Flow

[Allowed / Not Allowed flow matrices; the individual marks are not recoverable from the transcript. Matrix 1 covers Private Government Marketplace, Internal Protection Domains and Zones, DMZ, and External Domains (Internet). Matrix 2 covers Private Government Marketplace, Internal Protection Domains and Zones, DMZ Support Zone(s), and External or Internal Protected User Network. Matrix 3 covers Secure Admin Domain, Internal Protection Support Zone(s), SAZ, DMZ Support Zone, and External or Internal Protected User Network.]

Key Points:
- Data Flow enables info sec assurance
- Data integrity and confidentiality maintained
- Enables Accountability and controls Visibility
- Collaboration with standardised approach
- Enable Baseline Security practice

DMZ Data Flow
- Privileged system access to the PGM protected domain
- Privileged system access to the DMZ domain
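The zone placement slide and the data flow matrices above describe one policy: external traffic reaches only the DMZ, the DMZ confirms identity and trust before anything reaches the protected domains, and privileged system access originates only from the Secure Administration Domain. The script below is an added illustration of how such a domain/trust model can be encoded as a default-deny flow policy and run over a list of observed flows; it is not code from the presentation. The permitted pairs in `ALLOWED`, the `Domain` names and the sample flows are assumptions constructed for the example, since the deck's own allowed/not-allowed marks are not recoverable here.

```python
"""Default-deny data-flow policy between C-SCAM style domains and zones.

Added illustration; not code from the presentation. The permitted pairs are
an ASSUMPTION derived from the slide text: external traffic enters only via
the DMZ, the DMZ confirms identity and trust before the protected domains,
and privileged access originates only from the Secure Administration Zone.
The deck's own allowed/not-allowed matrix is not reproduced here.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Domain(Enum):
    INTERNET = "External Domains (Internet)"
    DMZ = "DMZ Domain"
    INTERNAL = "Internal Protection Domain"
    SAZ = "Secure Administration Zone"
    EXT_CLOUD = "External Cloud Access Domain"


@dataclass(frozen=True)
class Flow:
    src: Domain
    dst: Domain
    privileged: bool = False  # administrative access (e.g. SSH/RDP) rather than application traffic


# Assumed, constructed policy: (source, destination) pairs permitted to initiate traffic.
ALLOWED: set[tuple[Domain, Domain]] = {
    (Domain.INTERNET, Domain.DMZ),        # public entry point only
    (Domain.DMZ, Domain.INTERNAL),        # after identity and trust are confirmed at the DMZ
    (Domain.INTERNAL, Domain.DMZ),        # outbound via gateway/proxy services
    (Domain.INTERNAL, Domain.EXT_CLOUD),  # common interaction point for external cloud services
    (Domain.SAZ, Domain.DMZ),             # privileged system access to the DMZ domain
    (Domain.SAZ, Domain.INTERNAL),        # privileged system access to the protected domain
}

PRIVILEGED_SOURCES = {Domain.SAZ}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide one flow. Returns (allowed, reason); anything unlisted is denied."""
    if flow.src == flow.dst:
        return True, "intra-domain traffic (subject to zone-level controls)"
    if flow.dst == Domain.SAZ:
        return False, "nothing may initiate connections into the Secure Administration Zone"
    if flow.privileged and flow.src not in PRIVILEGED_SOURCES:
        return False, "privileged access must originate from the Secure Administration Zone"
    if (flow.src, flow.dst) in ALLOWED:
        return True, "explicitly permitted by the domain/trust model"
    return False, "no rule permits this flow (default deny)"


def audit(observed: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every observed flow the policy rejects, with the reason."""
    violations = []
    for flow in observed:
        ok, reason = evaluate(flow)
        if not ok:
            violations.append((flow, reason))
    return violations


# Constructed sample of observed flows (e.g. summarised from firewall logs).
SAMPLE_FLOWS = [
    Flow(Domain.INTERNET, Domain.DMZ),
    Flow(Domain.INTERNET, Domain.INTERNAL),               # bypasses the DMZ
    Flow(Domain.DMZ, Domain.INTERNAL, privileged=True),   # admin session from a DMZ host
    Flow(Domain.SAZ, Domain.INTERNAL, privileged=True),
    Flow(Domain.DMZ, Domain.SAZ),                         # inbound into the admin zone
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src.name} -> {flow.dst.name}: {reason}")
```

Running it reports three of the five sample flows as denied: the Internet-to-internal flow that bypasses the DMZ, the privileged session from a DMZ host, and the inbound connection into the administration zone. The ordering of the checks matters: the "nothing into the SAZ" and "privileged only from the SAZ" rules are evaluated before the allow list, so an allow-list entry can never accidentally open the administration zone.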

Network and Security Principles

The following requirements must be met when using physically separate or virtualised network infrastructure.

- Network and security devices facing unclassified protection zones (e.g. unprotected) must exist on physically separate hardware to other domains.
- Network and security devices used for service redundancy and high availability must run on physically separate hardware to ensure a single hardware failure will not impact availability.
- Network and security devices used for the secure administration zone must run on physically separate hardware to the systems being administered, to ensure protection, segregation and availability during failures.
- Network connectivity to servers for administration and monitoring should be through separate server network interface cards.
- Production infrastructure must exist on physically separate hardware to non-production infrastructure.
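The principles above are checkable against an asset inventory. The script below is an added example, not code from the presentation, that encodes each principle as a check over a list of device records and reports every violation; the `Device` record, its field names (`hardware`, `zone`, `ha_group`, `administers`, `mgmt_nic`, `prod_nic`) and the sample inventory are constructed for this illustration.

```python
"""Inventory check for the physical-separation principles listed above.

Added illustration; not code from the presentation. The Device record, its
field names and the sample inventory are constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    name: str
    hardware: str                       # physical chassis or host the device runs on
    zone: str                           # "unprotected", "dmz", "internal" or "saz"
    environment: str = "production"     # or "non-production"
    ha_group: Optional[str] = None      # members of one group form a redundant pair
    administers: set[str] = field(default_factory=set)  # names of systems it manages
    mgmt_nic: Optional[str] = None      # interface carrying administration/monitoring
    prod_nic: Optional[str] = None      # interface carrying production traffic


def check_inventory(devices: list[Device]) -> list[str]:
    """Return one finding per principle violation; an empty list means compliant."""
    findings: list[str] = []
    by_hw: dict[str, list[Device]] = defaultdict(list)
    for d in devices:
        by_hw[d.hardware].append(d)
    by_name = {d.name: d for d in devices}

    for hw, group in by_hw.items():
        zones = {d.zone for d in group}
        envs = {d.environment for d in group}

        # 1. Devices facing unprotected zones share no hardware with other domains.
        if "unprotected" in zones and len(zones) > 1:
            others = sorted(zones - {"unprotected"})
            findings.append(f"{hw}: unprotected-facing device co-hosted with {others}")

        # 2. Redundant (HA) pair members must not share hardware.
        groups = [d.ha_group for d in group if d.ha_group]
        for g in sorted(set(groups)):
            if groups.count(g) > 1:
                findings.append(f"{hw}: HA group '{g}' has more than one member here")

        # 3. Secure administration devices run apart from the systems they administer.
        for d in group:
            if d.zone == "saz":
                for target in sorted(d.administers):
                    managed = by_name.get(target)
                    if managed is not None and managed.hardware == hw:
                        findings.append(f"{hw}: admin device {d.name} shares hardware with {target}")

        # 5. Production and non-production never share hardware.
        if len(envs) > 1:
            findings.append(f"{hw}: production and non-production workloads share hardware")

    # 4. Administration/monitoring on a separate NIC (a 'should' in the deck; reported anyway).
    for d in devices:
        if d.mgmt_nic and d.prod_nic and d.mgmt_nic == d.prod_nic:
            findings.append(f"{d.name}: administration and production traffic share NIC {d.mgmt_nic}")
    return findings


# Constructed sample inventory containing one violation of each principle.
SAMPLE_INVENTORY = [
    Device("fw-ext-1", "chassis-A", "unprotected", ha_group="fw-ext"),
    Device("fw-ext-2", "chassis-A", "unprotected", ha_group="fw-ext"),  # HA pair on one chassis
    Device("fw-int-1", "chassis-A", "internal"),                        # co-hosted with unprotected
    Device("jump-1", "chassis-B", "saz", administers={"app-1"}),
    Device("app-1", "chassis-B", "internal", mgmt_nic="eth0", prod_nic="eth0"),
    Device("app-test", "chassis-C", "internal", environment="non-production"),
    Device("app-2", "chassis-C", "internal"),
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

On the sample inventory this yields five findings, one per principle. In a virtualised estate the `hardware` field should name the physical host, not the virtual machine, otherwise two VMs on one hypervisor would pass the separation checks despite sharing a single point of failure.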

About Us


Sydney, Singapore, Shanghai & Kuala Lumpur

Secure Logic is committed to developing partnerships with customers who demand a combination of expertise and technical capabilities that deliver innovative solutions for achieving operational maturity.

[Diagram: service categories - Sustainability, Stability, Future Growth]

Thank You

About Secure Logic

Secure Logic was started in 2006 by a group of highly skilled IT professionals looking to redefine IT security. We work across the globe helping businesses identify their IT security needs and align them to their business drivers.

Today, Secure Logic’s consultants work with many key banking and finance organisations, enterprises of all sizes, and government departments assisting them to meet security compliance and governance requirements.

For more information

Visit – www.securelogicgroup.com.au