E-RBAC Development - A Risk Based Security Architecture Approach

Description: Deploying enterprise-based RBAC across disparate business applications, using SABSA to define and support the strategy for its development.

Page 1: E-RBAC Development - A Risk Based Security Architecture Approach

A Risk Based Security Architecture Approach

By Femi Ashaye

Developing Enterprise Role Based Access Control

Page 2

Introduction

Business driver: improve an organisation's customer payment experience through new business processes and technology.

Retail Business Organisational Structure: Business Roles; Relationships; People; Information Flow.

New Business Processes: Customer Application; Manage Customer Account; Manage Error Transaction; Terminate Customer; Manage Credit.

New Business Applications: CRM; ERP; BI; SCM; Legacy; Online Service.

Page 3

Requirement and Challenge

Provide rapid and reliable access for business support users across the disparate and new business applications (CRM, ERP, SCM, etc.) supporting the business processes.

IT challenges identified:

• Operational risk arising from the new business processes and the use of the supporting applications.

• Consideration of data privacy laws and regulatory requirements, typically SoX and PCI-DSS.

Proposed a security strategy for developing an enterprise-based RBAC (Role Based Access Control), as part of the security services, using a Risk Based Security Architecture to address the major part of these challenges.

Page 4

Strategy Overview

Enterprise Role Based Access Control

• Regulates access to IT resources based on business functional roles and control requirements.

Risk Based Approach

• The risk management process identifies, assesses and prioritises risk based on an understanding of the likelihood of events occurring and their impact on the business.

• Risk assessment provides an initial understanding of the type and level of control requirements needed to address the risk.

Enterprise Security Architecture

• Risk-driven strategic approach to align business goals, objectives and drivers with security requirements.

• The security architecture proposed is SABSA, which is based on the Zachman Framework.

• SABSA incorporates the ISO 27000 series, ITIL, CobiT etc. to drive strategy.

• The development process is covered by the SABSA Lifecycle: Strategy & Concept > Design > Implement > Manage and Measure.

Page 5

Enterprise Role Based Access Control

Enterprise RBAC Model Relationship

[Figure: entity-relationship diagram of the Enterprise RBAC model. Entities: User; Role; Role Hierarchy; Organisation; Business Process; Business Function (Task); Permission (Access Operations On Resources). Relationship labels: Participates In; Executed by; Includes; Supported by; Performs; Owned by; Assigned to. Cardinalities shown: M:N on four relationships and 1:M on two. Constraint shown: User/Role Constraint (SoD; Hierarchy).]

Page 6

Risk Based Approach

Example IT risk management process (based on ISO 27005:2008), including risk assessment.

[Figure: process flow Context Establishment > Risk Assessment > Risk Treatment Plan (inc. Acceptance), with Risk Communication and Monitor Risk and Improve Risk Management Process shown alongside the stages.]

Page 7

SABSA lifecycle process

Data Privacy Laws

• PCI, HIPAA

• ISO 27001:2005

• ISO 27002:2005

• ISO 27005:2008

• ISO 27035:2011

• CobiT

• DPA, SoX..

Enterprise Security Architecture (SABSA layers: Contextual; Conceptual; Logical; Physical; Component; Operational)

Strategy & Concept

• Establish Context

• Risk Assessment

• Derive Control Objective

Design

• Develop security service and solution based on risk output.

Implement

• Implement and operate security service and solution.

Manage & Measure

• Review risk output from the solution against business objectives and security performance targets.

Outputs shown on the slide:

• Security service is agreed as part of the risk treatment plan.

• Information relevant to the output of the acceptable risk against business requirements is captured.

• Risk is prioritised after evaluation of its impact on the business goals and objectives.

• Successful and failed output from the risk treatment plan is captured.

Page 8

SABSA Delivery

Business Drivers

• Select Business Attribute(s)

• Define Business Attribute

• Define Metric Type

• Define Measurement Approach

• Define Security Performance Target

• Assess Risks and Define Control Objective

• Define Security Strategies

• Design Security Services

• Implement Security Controls, Processes and Systems

• Collect, Report & Evaluate Metrics

Lifecycle phases: Strategy and Concept; Design; Implement; Manage & Measure.

Page 9

Enterprise RBAC Strategy

Security strategy for developing Enterprise RBAC

SABSA Layer | SABSA Approach | SABSA Lifecycle | Enterprise RBAC Development
Contextual | Business Strategy | Strategy and Concept | Business Drivers (e.g. PCI-DSS Requirement 7.1); Business Role; Business Processes; Risk Assessment; Business Attributes
Conceptual | Security Strategy | Strategy and Concept | Control Objectives (e.g. SoD); Business Attributes Profile
Logical | Security Service | Design | Security Policies; Authorisation Service; Functional Role Mapping
Physical | Security Mechanism | Design | Identity and Access Management process and mechanism
Component | Security Products & Tools | Design | Application RBAC System
Operational | Security Service Management | Design | User and Access Management Support

Implement covers enterprise-to-application role mapping and permission implementation.

Manage and Measure covers RBAC effectiveness against control objectives and compliance requirements.

Page 10

Enterprise RBAC Development

[Figure: diagram with the labels Business Drivers; Business Process; Business Process Activities; Jobs; Business Process Activity Tasks supported by Application; Assessed Risk; Control Objectives; Functional Roles (Application resource permission).]

• Business drivers are supported by any one of the identified high-level business processes.

• Specific departmental jobs (business roles) are created as part of the organisation structure to support business process activities.

• Risk is assessed against each business process to obtain the likelihood of threats and their impact on the business.

• Control objectives are obtained from the assessed risk.

• Functional roles are created to carry out specific activity tasks/permissions based on the business process and control (i.e. RBAC) objectives.

Page 11

Enterprise RBAC Development (cont'd...)

Business process / activity: Transaction To Payment > Manage Error Transactions

Business attribute: Ensure all our customers' transactions are correctly processed (Integrity-Assured)

Job (business role): Transaction Analyst

Functional roles:

• Manage Disputed Transactions (Role X)

• Perform Dispute Resolution (Role Y)

Assessed risk: Action to resolve an error transaction is unauthorised, leading to potential fraud.

Activity tasks:

• Open Error Transactions screen

• Search for relevant transaction

• Submit transaction for Validation

• Reinstate Transaction

• Write Off Transaction

Control objective (Separation of Duty): The employee validating the transaction cannot authorise changes to the same transaction.

An enterprise RBAC is developed through the interplay between control objectives and business drivers, using risks analysed against existing business processes.
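The Page 11 example carried into code, as an added illustration that is not part of the deck: it expresses the Page 5 model (users, roles, role hierarchy, permissions as operations on resources) for the Manage Error Transactions tasks and enforces the Separation of Duty control objective, recording each denial so that Manage & Measure has something to count. User names, the split of tasks between Role X and Role Y, and the service class are assumptions.

```python
# Added example, not from the deck. Models the "Manage Error Transactions"
# activity as user -> role -> permission, with the SoD control objective.
# Permission = (operation, resource); the task split between roles is assumed.
ROLE_PERMISSIONS = {
    "Role X": {("open", "error_transactions_screen"),
               ("search", "transaction"),
               ("submit_for_validation", "transaction")},
    "Role Y": {("reinstate", "transaction"),
               ("write_off", "transaction")},
}
# Role hierarchy: the Transaction Analyst job includes both functional roles.
ROLE_HIERARCHY = {"Transaction Analyst": {"Role X", "Role Y"}}
USER_ROLES = {"alice": {"Transaction Analyst"}, "bob": {"Role Y"}}  # constructed
# Operations that authorise a change to a transaction.
AUTHORISING_OPS = {"reinstate", "write_off"}


def effective_roles(user):
    """Roles held directly plus those inherited through the hierarchy."""
    roles = set(USER_ROLES.get(user, set()))
    todo = list(roles)
    while todo:
        for child in ROLE_HIERARCHY.get(todo.pop(), set()):
            if child not in roles:
                roles.add(child)
                todo.append(child)
    return roles


def has_permission(user, op, resource):
    return any((op, resource) in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(user))


class ErrorTransactionService:
    def __init__(self):
        self.validated_by = {}  # txn_id -> user who submitted it for validation
        self.incidents = []     # denied actions; input to Manage & Measure

    def act(self, user, op, txn_id, resource="transaction"):
        # Returns True if allowed; records a denial and returns False otherwise.
        if not has_permission(user, op, resource):
            self.incidents.append((user, op, txn_id, "no_permission"))
            return False
        # Control objective: whoever validated a transaction cannot authorise it.
        if op in AUTHORISING_OPS and self.validated_by.get(txn_id) == user:
            self.incidents.append((user, op, txn_id, "sod_conflict"))
            return False
        if op == "submit_for_validation":
            self.validated_by[txn_id] = user
        return True
```

Because the constraint is checked per transaction, the same analyst may still validate one transaction and write off a different one; only the validate-then-authorise path on one record is blocked.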

Page 12

Enterprise RBAC Delivery

Business driver: Protect against deliberate, accidental or negligent corruption of personal information that is processed by the systems.

Business attribute: Integrity-Assured. Integrity of information should be protected to provide assurance that it has not suffered unauthorised modification.

Metric type: Hard metric – reporting of all incidents of compromise: number of incidents per period, severity and type of compromise.

Measurement approach: Measure the number of incidents per period and classify each incident by type and severity.

Security performance target: Set targets for risk appetite. Maximum number of allowable modifications (= 0); set reporting and analysis of incidents by type and severity.

Strategy and Concept: Greenfield exercise. Risks to assets are identified. Integrity-based control objectives are derived from the business attributes and risk.

Design: Define access controls against the control objectives to protect against unauthorised modification of information.

Implement: Test and execute the security services and access controls to enforce the integrity assurance requirements.

Manage & Measure: Monitor control effectiveness based on targets: number of actual modifications; reporting time for, and analysis of, incidents.

Assess the existing security state against the control objectives. Measure the security state against risk appetite and the desired state.

Page 13

Conclusion

[Figure: the introduction diagram (Retail Business Organisational Structure: Business Roles; Relationships; People; Information Flow. New Business Processes: Customer Application; Manage Error Transaction; Terminate Customer; Manage Credit; Manage Customer Account. New Business Applications: CRM; ERP; BI; SCM; Legacy; Online Service) overlaid with RBAC Development and Management: Risk Assessment; Functional Roles; Test Role; Audit Role; Control Objectives; Audit Access.]

Page 14

Conclusion (cont'd...)

The business is able to determine an acceptable risk treatment plan to treat RBAC control objectives (constraints), such as Separation of Duty conflicts, based on business risk level and business impact.

Business process change or improvement is enabled through the risk assessment exercise.

The build team is able to quickly deploy application capability to manage control requirements, or compensating controls as an alternative.

Quick and correct onboarding of business users into the appropriate application groups for business readiness.

Service user access is determined using a similar strategy through alignment with Service Design.

Real-time risk analysis and security performance target measurement through security event monitoring, supported by:

• IDAM deployed for controlling role and user life cycle management.

• The ability to capture role- and user-access-related events, enabling feedback for risk assessment and incident reporting and analysis.

Page 15

Conclusion (cont'd...)

Risk Driven Security Architecture for Enterprise RBAC:

• Strengthens the risk posture of the organisation in relation to data access and compliance requirements.

• Provides traceability of RBAC requirements to the business goals, objectives and drivers they address, through risk assessment, the risk treatment plan and risk improvement.

Thank You.