The ways businesses and people use technology today have created a state of paradox. Companies are trying to protect their core information assets and intellectual property while using externally hosted services, collaborating with partners and adopting agile, 'fail fast' approaches to business; employees are using their own devices and exchanging corporate data via social tools; consumers are looking for more privacy at the same time as sometimes being accused of oversharing.
As a result it has become difficult, if not impossible, to identify the boundaries of what was once termed 'corporate IT'. Today's technology environments need to encompass in-house data centres and cloud service providers, home desktops and facilities in airport lounges, smartphones and tablet computers, mobile networks and the wider internet.
In addition, technology is changing rapidly, creating a constant stream of headaches for anyone trying to secure it. While it is possible to identify today's generation of solutions, it is quite a stretch to imagine what will be in place in even two years' time as wave upon wave of innovations crash on the corporate landscape. A few years ago cloud computing was filling the column inches; then came big data and smart analytics; and today, the Internet of Things is the latest 'new thing'. Each augments, rather than replaces, the generations of technology that have gone before it.
Against this background, how can organisations consider information security? The genie is quite clearly out of the bottle: it no longer makes sense to simply 'secure' an application, device or data set and see the job as done. Rather, each element needs to be considered as part of a broader technological ecosystem.
Enter the information security architect, whose job is to make sense of it all and offer the best possible advice to organisations looking to minimise technology-related risks.
THE ESSENCE OF SECURITY ARCHITECTURE
At its heart, information security brings together three well-established concepts – to preserve the confidentiality, integrity and availability of an organisation's information assets. However, in this day and age, we need all standards, policies, mechanisms and approaches relating to IT – information security included – to function across our globally distributed, highly fragmented technology environments. As a result, good security practices are becoming increasingly architectural, in that an understanding of the whole is as important as its parts.
Let us consider a 'simple' example – the use of an online customer relationship management (CRM) application to manage sales information, which is accessible from a variety of user devices, including employees' own smartphones. As soon as security questions start to be asked (such as 'How is the customer information protected against threats?') the example becomes a lot less simple: answering the question requires taking a wealth of issues into account, including:
how trusted is the online hosting provider;
whether the sales person's smartphone has a security code enabled;
or whether it can be accessed by family members.
Indeed, as Figure 1.1 illustrates, customer data can be in any one of a diverse range of places. None of these issues can be resolved simply, which demonstrates just how complex information security has become.
One option, of course, is to stop employees from using their own devices, but this needs to be weighed against the corporate advantage gained from allowing them to be used. Equally, will users of the CRM and other systems (considering that we are talking about everybody, from the receptionist to the chief executive) pay any attention to such edicts? Even if they do, focusing on the technology is a relentless task – new devices and services are released all the time, often rendering past policy statements redundant.
Equally clearly, it does not make sense to address any one element of the above example without assuring that the rest is secured to the same level. It is an old security adage that a chain is only as strong as its weakest link; the difference today is that we are dealing with chain-link fences, rather than single strands. Addressing security requires considering the mesh of technologies and information sources as a whole, and deploying security controls – technical mechanisms as well as policies and procedures – at appropriate points.
Given such a broad remit, those tasked with delivering the security architecture for an organisation must be technology experts as well as proponents of change, able to drive beneficial security improvements across the business through the deployment or review of security controls which:
take into account the IT environment as a whole, rather than on a piecemeal basis;
fit business requirements for security, in terms of strategy, policy and process;
balance information risk against the cost of any countermeasures.
Security architects need not only to be up to date with the latest technologies and how they integrate and interact, but also to understand business models and risks, governance and compliance requirements, employee behaviours and expectations, the relationships with partners and consumers – the list goes on. In some cases, this will require hard choices. The security architect's role is not simply that of technician and enforcer, but also educator and facilitator, sometimes working at the highest levels of the organisation.
THE AIM OF THIS BOOK
This book seeks to help those interested in security architecture understand its founding principles and essence, as well as the skills and expertise security architects should bring to bear, and how to adopt the right spirit in what can be a complex and challenging environment. While examples are included, the need to understand the underlying principles is far more important than remembering the examples.
While this book is aimed at anyone with an interest in this field, to fully benefit, readers will gain from having a reasonable grounding in IT and general information security. As security architecture captures the security aspects of more general IT architecture topics, an understanding of what is meant by architecture in the enterprise context, across concepts and practice, can certainly help. A short introduction to these areas is provided in the text.
The book does not provide examples in any technical depth, nor does it go into detail about information security practices. Additional guidance is available from the references and further reading sections at the end of the book.
While readers are likely to be involved in the design, definition or review of security strategy, policy, or practice, or the specification, deployment or operation of technical security controls, these are not essential prerequisites. Some reference literature around information security and assurance can be long-winded and dry, so above all, this book aims to be both readable and informative.
Terminology can be a difficult area, particularly in security circles. For example, the term 'security control' is defined by some sources to mean a general statement about a security requirement ('all backups must be encrypted') whereas others define it to mean a specific mechanism ('backup encryption'). The term can also be domain-specific, for example the activities conducted by airport security are also called security controls. Equally, an organisation may have its own views on or traditions governing how terms are used. So, the priority for someone looking to apply the principles in this book is to define terms for their own organisation and be consistent in their use. Where possible, ISO definitions are used in this book; a glossary of terms is provided.
The terms 'data' and 'information' are used interchangeably. While it is understood that in other contexts, information is seen as a refined form of data, in security risk management terms the needs are usually the same for both. So, for example, 'data security' and 'information security' are synonymous for the purposes of security architecture. Equally, while the term 'information assurance' is described in Chapter 2, the term 'information security' is adopted when talking about general aspects in this book. The term 'information technology' is used in preference to (the more clunky) 'information and communications technology'.
While this book references a number of other disciplines, notably enterprise architecture and enterprise management, it does not cover these in any detail. For enterprise architecture I recommend The Open Group Architectural Framework (TOGAF) and for enterprise management the Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and related Technology (COBIT).
For retailers and their financial partners, the current Payment Card Industry – Data Security Standard (PCI-DSS) offers a good source of information on compliance practices these sectors are required to meet, to process any form of payment cards. In addition, the Information Commissioner's Office provides useful information on the protection and processing of personal data. References to all of the above are provided in the references and further reading sections at the end of the book.
Finally, while national and international standards have been referenced throughout the book, it has been written in the UK, based primarily on UK law. Practitioners should have an awareness of the standards and regulations that apply to their own sectors and geographies.
CHAPTER 2
INFORMATION SECURITY ARCHITECTURE FUNDAMENTALS
Newcomers to the field of information security may wonder where on earth to start, given the rapidly shifting technological landscape that exists today. Even over the past decade, IT has moved from being an arm's-length set of capabilities – as corporate systems, mostly accessed via fixed desktops – to becoming an intrinsic part of everything that the business, its employees and customers do.
The good news is that we do have a starting point, which is to remember what we are trying to secure – not technology for its own sake, but the information it processes and transmits. In this chapter we review some of the areas that are making information security so challenging. We then look at the essentials of information security in the context of the modern organisation, to see how and where security architecture needs to respond.
INFORMATION SECURITY IN A CHANGING WORLD
The latest waves of information technology have profoundly affected business and economic models across all sectors and geographies, and are having a significant impact on the nature of business risk. Just a few years ago, for example, email was seen as relatively new and a major target for attack; then came instant messaging systems, open to malicious communications and offering the potential for fraud; shortly after that, Voice over Internet Protocol mechanisms such as Skype were considered to be high-risk and needing to be treated with some urgency.
Each generation of technology has been seen to constitute a major threat when it emerged, and no doubt each still does. However, just as past technologies have been superseded, so more recent developments are creating new opportunities for both the malicious and the stupid to do harm:
Teleworking is becoming the default way of working, rather than the exception, for large numbers of staff at many organisations. This has a highly disruptive impact on the notion of physical protection. For example, traditionally the idea of securing 'on-site' versus 'off-site' equipment made sense; today, however, two staff members may meet in a café to exchange information using a non-corporate-issue USB stick. Security managers can quickly become unstuck if they treat remote workers and equipment in the same way as office-based, corporate IT.
Mobile devices, smartphones and tablets are rapidly overtaking desktop computers as end-user computing devices, changing the way people interact with online and corporate services. While they enable people to work more flexibly, they are also easier to steal or lose. An added complication is the fact that people are increasingly using their own devices at work – so-called 'bring your own device' (BYOD). New device capabilities are causing new issues – for example cyber-bullying via photo apps such as Snapchat, or the use of encrypted messaging such as Blackberry Messenger, which was used during the riots of 2011.
Payment cards and associated information have emerged as a significant area of concern for IT security professionals. Such is the significance of payment card data that the major card providers have established an independent organisation, the PCI-DSS Council, to deliver a fully regulated model which defines mechanisms and practices for its protection. This requires organisations to employ independent accredited approved security vendors and their employed qualified security assessors to assess and certify in-scope payment card data environments in accordance with PCI-DSS Council rules.
Public cloud computing involves the delivery of scalable IT services running on hosted servers and using the internet as transport. Benefits are variously cited as scalability, cost-effectiveness and ease of deployment. However, security ramifications include dependency on (potentially untrusted) third parties, location sensitivity and increased potential for surveillance, as well as consumerisation-linked risk from individuals subscribing to services themselves. Cloud computing models are also diversifying – for example, hosting and co-location companies are now offering hybrid models such as 'private hosted cloud'.
Social networking builds on the public cloud, enabling people to interact, collaborate and share information using publicly available, free-to-use services such as Google, Twitter and Facebook. Many corporate, entertainment and sport websites also build in a social element. As a result customers can have more direct relations with organisations; the downside is that they may also complain, loudly and globally. Some social sites have been criticised for failing to protect the privacy of their users – as the adage goes, 'If the service is free, you are the product.' Hackers are also known to trawl social networks for personal information that can be used for targeted email attacks.
Data centre virtualisation is where computer servers run multiple workloads using software to emulate a physical computer. Today's top-end servers can run tens of 'virtual' machines. While these can be relocated relatively easily, they have to be secured as individual computers. In addition, they rely on a virtual machine management console, which is often seen as the weakest link from a security perspective – a username/password breach can deliver access to the entire estate of virtual machines. Third-party software suites that deliver management information for virtualised environments also create a significant attack surface for hackers.
Broadband and mobile networking make it easier to work from home or on the move. While higher-bandwidth connections tend to be restricted to municipal areas (which is as much a problem for itinerant workers as those living in rural areas), the level of available bandwidth continues to increase, driving the demand for remote working. Note that the latest 4G mobile technologies operate more quickly than Wi-Fi, potentially driving people towards using their own, potentially less secure mobile devices, connected to less trusted networks, for data transfers and communications. Access control and authentication, end-point security, and the protection of corporate data across multiple devices will continue to deliver complex challenges for the IT security professional.
Big data analytics relies on the continuing phenomenon of Moore's law – that the number of transistors on a chip will double every 18 months. Just as data volumes are expanding as we become able to generate data in greater and greater quantities, so the ways in which data can be stored and analysed are expanding, for example using analytics platforms such as Hadoop. However, such technologies also create new opportunities for hackers, not least because greater volumes of data need to be protected; equally, privacy concerns exist around the ability to identify individuals from analysis of aggregated data.
The Internet of Things (also known as machine-to-machine communications) presents another manifestation of Moore's law, in that as processors become cheaper and more powerful, it becomes possible to connect an increasing range of devices to the internet. This creates new possibilities – for example, smarter buildings and cars – but also creates a new set of security risks. Not least among these is the protection of connected equipment and generated data; for example, the Stuxnet computer worm was designed to attack industrial control systems running the Supervisory Control and Data Acquisition (SCADA) protocol. Equally, the internet of things raises a number of potential privacy concerns, illustrated by the case of London bins being used to track passers-by, via their mobile phone signatures.
Excerpted from "Security Architect"
Copyright © 2014 BCS Learning & Development Ltd.
Excerpted by permission of BCS The Chartered Institute for IT.
Table of Contents
List of figures
Author's note
1. INTRODUCTION
2. INFORMATION SECURITY ARCHITECTURE FUNDAMENTALS
3. INFORMATION SECURITY ARCHITECTURE ACTIVITIES
4. THE SECURITY ARCHITECT'S ROLE AND SKILL SET
5. STANDARDS, TOOLS AND TECHNIQUES
6. CAREER PROGRESSION AND RELATED ROLES
7. A DAY IN THE LIFE OF A SECURITY ARCHITECT
8. CONCLUSION
Appendix: Security architecture document review checklist
Further reading