
Page 1:

Sherwood Applied Business Security Architecture (SABSA) Certification (the real McCoy)

KURT DANIS, DAFC CISSP-ISSEP, 11 NOVEMBER 2017

In past ISSA meetings, I’ve presented briefs on Enterprise Security Architectures and the SABSA methodology itself… prior to attending the class.  

To begin, we should define SABSA up front.  SABSA is a methodology for developing risk‐driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives.

For examination purposes, the SABSA course (like any other fast-track seminar) tends to define every model and term in such detail that you tend to lose sight of the big picture.  So, my goal is to compare and contrast a little, to give SABSA meaning and purpose so it makes more sense.  I also want to relate SABSA to the ISSAP.

As a refresher, the previous brief on SABSA was about:
• SABSA lifecycle
• SABSA model
• SABSA matrix
• Business Attributes Profile
• a SABSA operational risk model

So, it turns out these things are all TRUE!

Page 2:

SABSA lifecycle

• Strategy & Planning
• Design
• Implement
• Manage & Measure

REFERENCE:  “At the heart of the SABSA methodology is the SABSA Model, a top‐down approach that drives the SABSA Development Process. This process analyses the business requirements at the outset, and creates a chain of traceability through the SABSA Lifecycle phases of ‘Strategy & Planning’, ‘Design’, ‘Implement’ and ongoing ‘Manage and Measure’ to ensure that the business mandate is preserved. Framework tools created from practical experience, including the SABSA Matrix and the SABSA Business Attributes Profile, further support the whole methodology.”

‐‐ p. 4, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

SOURCE: The SABSA Lifecycle is on p. 19, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

Page 3:

SABSA model

The SABSA Model is comprised of six layers, known as “Layered Architecture Views”.

REFERENCE:  “At the heart of the SABSA methodology is the SABSA Model, a top‐down approach that drives the SABSA Development Process. This process analyses the business requirements at the outset, and creates a chain of traceability through the SABSA Lifecycle phases of ‘Strategy & Planning’, ‘Design’, ‘Implement’ and ongoing ‘Manage and Measure’ to ensure that the business mandate is preserved. Framework tools created from practical experience, including the SABSA Matrix and the SABSA Business Attributes Profile, further support the whole methodology.”

‐‐ p. 4, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

SOURCE: The SABSA model is on p. 9, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

Page 4:

SABSA

Interrogative questions are addressed for each of the six layers, specifically for:

• The Business View (i.e. Contextual Security Architecture)

• The Architect’s View (i.e. Conceptual Security Architecture)

• The Designer’s View (i.e. Logical Security Architecture)

• The Builder’s View (i.e. Physical Security Architecture)

• The Tradesman’s View (i.e. Component Security Architecture)

• The Service Manager’s View (i.e. Security Service Management Architecture)

SABSA uses business attributes to ensure that each and every business requirement is captured and risk assessed, and controls such as contingency plans are put in place to [exceed] the risk appetite of the company. 

SOURCE: The SABSA matrix is on p. 16, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

Page 5:

SABSA business attributes profile

• Business Attributes
• Strategy Attributes
• Technical Attributes
• Regulatory Attributes
• Risk Mgt Attributes
• Operational Attributes
• Management Attributes
• User Attributes

The SABSA Business Attributes Profile is at the heart of the SABSA methodology. It is this requirements engineering technique that makes SABSA truly unique and provides the linkage between business requirements and technology / process design.

REFERENCE: “At the heart of the SABSA methodology is the SABSA Model, a top-down approach that drives the SABSA Development Process. This process analyses the business requirements at the outset, and creates a chain of traceability through the SABSA Lifecycle phases of ‘Strategy & Planning’, ‘Design’, ‘Implement’ and ongoing ‘Manage and Measure’ to ensure that the business mandate is preserved. Framework tools created from practical experience, including the SABSA Matrix and the SABSA Business Attributes Profile, further support the whole methodology.”

‐‐ p. 4, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

SOURCE: The business attributes profile is on p. 20, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

Page 6:

SABSA model of operational risk

This diagram shows THREATS and OPPORTUNITIES diametrically opposed. The hope is that the balance will be in our favor, so the OPPORTUNITIES outweigh the THREATS. If not, we go back to the drawing board with the SABSA lifecycle process.

“With specific reference to risk management, the benefit is the optimisation of the basket of risks (the balance between opportunities and threats) by the diversification of risks across the entire enterprise. Thus, when we talk about ‘enterprise architecture’ or ‘enterprise security architecture’, it is with this concept of enterprise in mind that we do so.”

‐‐ p. 3, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

SOURCE: The operational risk model is on p. 22, “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

Page 7:

Architecture

The word architecture conjures up vintage orthographic drawings.  This one shows the floor plan, 4 elevation views, a section view, and an isometric view.

Likewise, SABSA attempts to create several views (perspectives) for the purpose of communicating a final enterprise security design.

From an ISO standard, Architecture is defined as “The fundamental organization of a system, embodied in its components, their relationships to each other and the environment and the principles governing its design and evolution” (ISO/IEC 42010:2012).

The SABSA white paper states that the information systems architecture must account for Goals, Environment, and Technical capabilities.  (p. 3)

SOURCE: “Enterprise Security Architecture” white paper, by John Sherwood, Andrew Clark, David Lynas, 2009

Page 8:

COBIT: Meeting Stakeholder Needs

As mentioned, SABSA is touted as the security architecture that integrates with other Enterprise Architectures such as COBIT.  Once the student looks into COBIT, it becomes clear that the COBIT theme is very close to the SABSA theme.

COBIT says, “Enterprises exist to create value for their stakeholders. Consequently, any enterprise—commercial or not—will have value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk.”

Source: COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.  Original file name: COBIT‐5_res_eng_1012.pdf

Page 9:

DoD IEA

Purpose:

• Provide stakeholders with a strategic level architecture with more detailed reference architectures that sets the direction for transforming the current IE to a more effective, secure, and efficient IE.

• Establish a common enterprise foundation to guide and inform IT planning, investment, acquisition and operational decisions in achieving the future, objective IE.

• Facilitate the transformation to a Joint Information Environment (JIE) and deliver effective and efficient information and service sharing.

Now, what if you had a concept where each DoD system was a lump of information?  Then clump the lumps all together and try to establish a structured architecture.  This would be called the DoD Information Enterprise Architecture (or IEA).

Source: DoD Information Enterprise Architecture (IEA) v2.0, Overview Briefing, 29 August 2012

Original brief differs slightly from slide.  The original text said:
• Second bullet:  “Provide a common enterprise foundation…”
• Third bullet said, “The DoD IEA provides a clear, concise description of what the DoD IE must be and how its elements should work together to accomplish the transformation to a JIE and deliver effective and efficient information and service sharing.”

Page 10:

DoD IEA taxonomy

…Similar to SABSA’s Biz Attributes Profile

The DoD IEA has a Taxonomy.  Family categories in blue boxes on top are:
• Connect, Access, and Share;
• Operate and Defend; and
• Govern.

Page 11:

ISSAP

Domain | Previous ISSAP Domain Names | New ISSAP Domain Names
1 | Access Control Systems & Methodology | Identity and Access Management Architecture
2 | Communications & Network Security | Security Operations Architecture
3 | Cryptography | Infrastructure Security
4 | Security Architecture Analysis | Architect for Governance, Compliance, and Risk Management
5 | Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP) | Security Architecture Modeling
6 | Physical Security Considerations | Architect for Application Security

Certification Exam Outline, Effective Date: July 2017

Pay attention to the human figure with an open-ended wrench.  As suggested by the image, the slide topic is more technical than strategic.  The ISSAP cert is relatively technical but demands a strategic view.

The Information Systems Security Architecture Professional (ISSAP) is a CISSP who specializes in designing security solutions and providing management with risk‐based guidance to meet organizational goals. ISSAPs facilitate the alignment of security solutions within the organizational context (e.g., vision, mission, strategy, policies, requirements, change, and external factors).

Q: Why do domains for (ISC)² credential exams change?
A: Domains change because it is a reflection of a change in the knowledge, skills and abilities, as indicated by experts through the Job Task Analysis process.
Q: When will these changes go into effect?
A: The changes will begin on Saturday, July 1, 2017.
Q: What impact do these changes have on (ISC)² training materials?
A: All Official (ISC)² ISSAP Training Courses commencing by May 5, 2017 will be available for enrollment. New training courses will be made available in the fourth quarter of 2017 pending new ISSAP curriculum

Page 12:

SYSTEMS ARCHITECT Procedure Guide (2014)

IA architecture

An abstract expression of IA solutions that assigns and portrays IA roles & behavior among a set of IT assets, and prescribes rules for interaction & connection.

A draft DISA publication written by Ms. Angela Landress.   

The SYSTEMS ARCHITECT Procedure Guide is an enterprise security architecture that clearly complements the DoDAF.

Source: p.5 of the DISA Systems Architect Procedure Guide, Version 1 Release 1, 10 JANUARY 2014

Page 13:

SYSTEMS ARCHITECT Procedure Guide (2014)

IA architecture

May be expressed at one of three levels:
• DoD information system-wide
• DoD Component-wide
• Defense-wide

The author writes:

“DoD Component‐wide and Defense‐wide IA architectures provide a uniform and systematic way to assess and specify IA across multiple, interconnecting DoD information systems, and to ensure that they take advantage of supporting IA infrastructures.”

Allow me to outline her ideas on planning Architecture.

Source: p.5 of the DISA Systems Architect Procedure Guide, Version 1 Release 1, 10 JANUARY 2014

Page 14:

SYSTEMS ARCHITECT Procedure Guide (2014)

Tasks to Plan architecture

• Determine the IA Architecture
• Determine the Appropriate DoD Trust Model
• Determine Intended Use of Architecture
• Identify the Business Goals
• Categorize the System
• Identify the Risk Mitigation Factors
• Analyze Constraints that will affect Design

In addition, there’s a chapter on designing a System Architecture, addressing Scope, the idea of Fit for Purpose, and what Views to develop.  And lastly, there’s a section on writing up a specification for the Architecture development process.

Source: pp. 5–17 of the DISA Systems Architect Procedure Guide, Version 1 Release 1, 10 JANUARY 2014

Page 15:

Systems Architect Training Checklist (2013)

In 2013, DISA gave the DoD a way to evaluate a Systems Architect with a checklist.  It maps exactly to the technical aspects of the DISA Systems Architect Procedure Guide.  The Systems Architect in the eyes of DISA requires a good deal of “under the hood” knowledge. 

KSAs according to the Joint Cyberspace Training and Certification Standards (JCT&CS) can be checked by a training manager.

The next three slides give insight about certifications for a British IA Architect.

Page 16:

CREST Registered Technical Security Architect (CR TSA)

• Knowledge in a common set of core skills for systems architects
• Exam intended to drive beneficial security change to:
  o Fit business requirements for security
  o Mitigate the risks and conform to the relevant security policies
  o Balance information risk against cost of countermeasures

CREST REGISTERED TECHNICAL SECURITY ARCHITECT (CRTSA) EXAMINATION

The CRTSA is aimed at individuals seeking to align themselves with the role of a Senior Security Architect. Successful candidates will have a strong technical ability aligned with suitable experience to recommend high level solutions as necessary. The exam guide states that without adequate technical understanding it is not possible to perform a satisfactory and meaningful risk assessment of the implications of a particular architecture.

InfoSec Skills Cyber Career Academy states their PCIIAA course prepares the student to challenge either the British Computer Society’s Practitioner Certificate in Information Assurance Architecture (PCiIAA) exam or the CREST Registered Technical Security Architect (CRTSA) exam for Senior or Lead Practitioners.

Skills required include: Wireless Networking, Virtual Private Networks, Understanding the uses of ICMP messages, etc.

Page 17:

Practitioner Certificate in Information Assurance Architecture (PCIIAA)

• Architect Role defined: Senior-level enterprise architect w/ dedicated Security team or Enterprise Architecture (EA) team
• Responsibilities = Business, Technical, Procedural, and Administrative
• Modern approach to IT in business, known as Enterprise Architecture, such as TOGAF, MODAF, DODAF, and Zachman

Stepping up from the technical / tactical, the British Computer Society (BCS) has a PCIIAA certification.  (Version 1.2, February 2016)

In their words, the IA Architect, may also be referred to in industry as the Security Architect (SA).  “When attempting to build an architecture that is considered secure, the architect must first understand the business environment the systems need to provide for, as well as the technical controls that are available to the Architect that can be called upon to address the threats against confidentiality, integrity and availability.”

The examination comprises two multiple choice question sections.
• Section A contains 60 simple multiple choice questions, each worth one mark
• Section B contains 25 scenario-based complex multiple choice questions with a maximum of 65 marks available.
Passing requires a minimum of 81/125 (65%).  Exam time is two hours.

The Chartered Institute for IT is the business name of The British Computer Society (BCS).

In their words: We’re championing the global IT profession by giving practitioners the career development support they deserve. Through our certification and professional development portfolio, we set the professional standards in the industry, guiding practitioners through their careers and providing employers with expertly trained people that add value to the business.

Page 18:

Solution dev’t and architecture

Not about Security

Foundation level: Systems Development
Intermediate level: Enterprise and Solution Architecture
Practitioner level: Enterprise and Solution Architecture

Integrating Off-the-Shelf Software Solutions
Systems Design Techniques
Systems Development Essentials
Systems Modelling Techniques

Source: http://certifications.bcs.org/category/15625

The Brits refer to non‐security IT Architecture as Solution development and architecture.  The British Computer Society (BCS) has these levels as shown on the slide.

Page 19:

Questions

Page 20:

DoD Cybersecurity Policy Chart

The DoD Cybersecurity Policy Chart may be called a kind of Governance architecture. The chart shows a system of Policies organized in groups.  The main groups are Organize, Enable, Anticipate, Prepare, and Authorities. Of itself, the policy chart has no constructive value.

Allow me to read the architecture definition from the ISO 42010:

“The fundamental organisation of a system, embodied in its components, their relationships to each other and the environment and the principles governing its design and evolution” (ISO/IEC 42010:2012). 

Page 21:

SABSA foundation course outline

Section 1 – SABSA Executive Summary
Section 2 – SABSA Certification Program
Section 3 – SABSA Principles & Objectives
Section 4 – SABSA Framework Overview
Section 5 – Business Requirements & SABSA Attributes Profile Concept
Section 6 – SABSA Risk & Opportunity Concept
Section 7 – SABSA Policy Architecture Concept
Section 8 – SABSA Architecture Strength-in-Depth Engineering Concepts
Section 9 – SABSA Governance, Roles & Responsibilities Concepts

Page 22:

SABSA foundation course outline

Section 10 – SABSA Domain Concepts
Section 11 – SABSA Time & Perf. Mgt Concepts
Section 12 – Asset Architecture & Mgt
Section 13 – Risk & Policy Mgt Architecture
Section 14 – Transformation & Service Arch.
Section 15 – Entity & Trust Framework
Section 16 – Inter-domain Security Associations
Section 17 – Service Sequencing & Perform.

Page 23:

SABSA blog

[Before SABSA] I would look at different methodologies for security testing, I would think of solutions in terms of the OSI model and what security services were required (authentication, authorization, auditing, etc).

Source: http://jarrodloidl.blogspot.com/2010/

Jarrod, an Information Security Specialist from Melbourne, Australia, writes about his concept of Security Architecture.

Page 24:

SABSA blog

[After SABSA,] I learned that the often disparate array of compliance standards, ISO standards, architecture frameworks and so on need not be. They can all integrate together. Once you understand the business you can begin to build that picture. Architecture frameworks (TOGAF, SABSA, Zachman, etc) are simply a "method of organized thinking". SABSA is the concrete which enables me to put together all the other building blocks together.

Source: http://jarrodloidl.blogspot.com/2010/

Later, Jarrod writes,  “…’architecture’ however, is never complete. It is a living breathing organism.  Each project or each pass is an attempt to iteratively build up your understanding of the business. Each project is an opportunity to build upon those building blocks ‐ re‐use what you can or tailor to suit where appropriate. You never have a perfect "target". It just keeps moving. We've known that security is a journey, not a destination ‐ but seeing this through the eyes of an architecture framework is a very different thing. I think it's like trying to describe being a parent to someone who doesn't have kids.”

The SABSA framework integrates with just about every relevant standard or framework you can think of (ITIL, COBIT, ISO 27000 series, etc.) and offers a way of running security programs.  In this brief, I will follow this thread and even a non‐related technical architecture thread.

Page 25:

About SWIFT

Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions to send and receive information about financial transactions in a secure, standardized and reliable environment.

Links more than 11,000 financial institutions in more than 200 countries and territories. 2015 message average: more than 15 million per day.

SWIFT is a cooperative society under Belgian law owned by its member financial institutions with offices around the world.

HQ in Belgium, near Brussels.

SABSA blog:  Jarrod, an Information Security Specialist from Melbourne, Australia, writes,  “In case people reading this think this is all high level fluff, the guys who developed this were the architects for Swiftnet (the system banks use to transfer funds internationally).”
Source: http://jarrodloidl.blogspot.com/2010/

Risk management is…underpinned by a very strong risk culture that is captured in the motto: “Failure is Not an Option” (FNAO).

SWIFT lines of defence:
(1) Management: responsible for developing and implementing strong reliability and security frameworks
(2) Risk and compliance functions:  responsible for the overall risk frameworks
(3) Audit functions: reporting by an external security audit firm

SOURCE:  SWIFT Customer Security Programme
https://www.swift.com/about‐us/discover‐swift/information‐security?tl=en#

Page 26:

SWIFT customer security program

Source: https://www.swift.com/myswift/customer‐security‐programme‐csp# 

Page 27:

What was missing?

Ultimately, renders a final design to stakeholders

Provides traditional EA with security dimension

SABSA matrix has a complementary Service Mgt Matrix

Confusion from course: Entire course references the SABSA matrix


So, the question after those former briefs is, “What was missing?”

• The biggie: SABSA is a tool to capture and synthesize perspectives to determine a final design, and it renders that final design to stakeholders.  To quote one person from a blog article, “Architecture frameworks (TOGAF, SABSA, Zachman, etc) are simply a "method of organized thinking".”

• A means to model the security dimension for the Traditional Enterprise Architecture

• The SABSA matrix has a duplicate matrix that was developed from an ITIL perspective.  So the image now is a 5x6x2 matrix.  Remember the IT service mgt discipline that evolved about the same time as TQM; recall Dr. W. Edwards Deming.

• The SABSA course is taught taking 4 blocks at a time…and geometrically references the SABSA matrix.  People get lost if they don’t pick up on the geometry.

Page 28:

Here is a slide from the SABSA course.  A corner of the SABSA matrix (pink, blue, and yellow) is off to the left, while the 6x5x2 matrix is in the lower left-hand corner.

Page 29:

SABSA course offerings

Course | City | Trainer | Price | Date
SABSA Foundation | Seattle | John Czaplewski | $3,760.00 | 13 Nov 2017 to 17 Nov 2017
SABSA Foundation | Toronto | John Czaplewski | $4,150.00 | 20 Nov 2017 to 24 Nov 2017
SABSA Foundation | Washington DC | John Czaplewski | $3,760.00 | 22 Jan 2018 to 26 Jan 2018
SABSA Foundation | Sacramento | John Czaplewski | $3,760.00 | 05 Feb 2018 to 09 Feb 2018
SABSA Foundation | Chicago | John Czaplewski | $3,760.00 | 26 Feb 2018 to 02 Mar 2018
SABSA Foundation | Montreal | John Czaplewski | $4,150.00 | 19 Mar 2018 to 23 Mar 2018
SABSA Foundation | Dallas | John Czaplewski | $3,760.00 | 02 Apr 2018 to 06 Apr 2018
SABSA Foundation | Toronto | John Czaplewski | $4,150.00 | 07 May 2018 to 11 May 2018
SABSA Foundation | Newark | John Czaplewski | $3,760.00 | 18 Jun 2018 to 22 Jun 2018
SABSA Foundation | Atlanta | John Czaplewski | $3,760.00 | 06 Aug 2018 to 10 Aug 2018