NLUUG - Fall 2010 conference - IT Architecture and IT Security, 'a match made in heaven?'

Upload: willem-kossen

Post on 10-Apr-2018


  • 8/8/2019 NLUUG - Fall 2010 conference - IT Architecture and IT Security, 'a match made in heaven?'


    Ir. Willem J. Kossen

    Information Security and ICT Architecture,

    a 'match made in heaven'


    About @wkossen

    The Statement

    Some Reasoning

    Some Discussion

    Don't hesitate to tweet


    ---1---


    @wkossen


    http://willemkossen.nl/b

    http://linkedin.com/in/willemkossen

    http://twitter.com/wkossen

    http://stamstruik.nl

    http://insecten.org

    http://gazzary.nl

    http://wkossen.myopenid.com


    http://www.mxi.nl


    ---2---


    Architecture?

    Definition

    anyone?


    A set of design artifacts that are relevant for describing an object such that it can be produced to requirements (quality) as well as maintained over the period of its useful life (change). The design artifacts describe the structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time.

    Source: http://www.opensecurityarchitecture.org


    Buildings

    IT Architecture Building Architecture

    FAIL


    Diagram of stiffness of a simple square beam (A) and universal beam (B). The universal beam flange sections are three times further apart than the solid beam's upper and lower halves. The second moment of inertia of the universal beam is nine times that of the square beam of equal cross section (universal beam web ignored for simplification).


    VS.


    Security

    Definition

    anyone?


    Security means that the architect has to log in first before he is allowed to say anything


    Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption (MIT)


    Proper Diskette Care and Usage

    (1) Never leave diskettes in the drive, as the data can leak out of the disk and corrode the inner mechanics of the drive. Diskettes should be rolled up and stored in pencil holders.

    (9) Periodically spray diskettes with insecticide to prevent system bugs from spreading.....

    (13) Diskettes become "hard" with age. It's important to back up your "hard" disks before they become too brittle to use.

    http://www.monster-island.org/tinashumor/humor/diskcare.html


    Security provided by IT Systems can be defined as the IT system's ability to protect confidentiality and integrity of processed data, provide availability of the system and data, accountability for transactions processed, and assurance that the system will continue to perform to its design goals

    Source: http://www.opensecurityarchitecture.org


    NEN 7510

    ISO/IEC 17799


    Defining

    Tends to be hard

    No-one agrees

    Multi-interpretable

    Inconsistent

    Vague

    Non conclusive

    Impractical


    What can we do?

    Make lists

    Talk by example

    Roll-Your-Own !!!

    Use what works

    Just choose


    So much in common

    About real life

    Physical, information, behaviour, procedures, tech, etc.

    Business critical

    Descriptive and normative

    Quality oriented

    Needs awareness

    Tend to make things a bit harder and costly

    Take thought, balance and nuance


    Architecture is:


    Relation


    What I Do

    Samen Veilig

    Open

    Architectuur


    IT Security Architecture

    The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture. These controls serve the purpose to maintain the system's quality attributes, among them confidentiality, integrity, availability, accountability and assurance.

    Source: http://www.opensecurityarchitecture.org


    ---3---


    Match Made in Heaven?


    Architecture focuses on coherence, principles, standards and building blocks.

    Security applies aspects of those to real life.


    Architecture and Security are interdependent. The one without the other doesn't make sense.


    If separated, security remains limited to ad hoc conjuring up of measures aimed at risk reduction and generally towards technocracy. That tends to not help the organisation.


    Applying IT Security should be aimed at providing the best experience for the user or client with the least amount of obstruction.

    That way organisational goals (including change) can be met.


    Architectural thinking supports that goal


    This isn't automatic.

    Awareness is needed:

    Architectural awareness is a precursor for

    security-awareness.


    Architecture is (remember?)

    Trends, standards, best practices

    Goals, strategy, vision, policy

    Functional and operational requirements, processes

    Risks and other constraints (financial)

    Development, design, build, exploitation

    Security is present in all of the above


    Again, the connection is architecture

    security is one of the views on architecture.

    Looking at security this way,

    we improve decision making,

    we avoid risk,

    we prevent tunnel vision,

    everybody profits from the IT assets


    Human work


    If tijd>10min soundbite()


    ---4---


    Let's Talk

    Afterthoughts: [email protected]
