Five Essential Enterprise Architecture Practices to Create the Security-Aware Enterprise

Presented by

Five Essential Enterprise Architecture Practices to Create the

Security-Aware Enterprise

Presented by

:

Security efforts need to help the business achieve its objectives while reducing risk, whether the enterprise wants to: Launch a new Web site. Create a database. Build a collaboration platform. Embrace mobility. Move to Cloud computing.

The Enterprise Architect is Ideally Positioned to Help Improve IT Security.

Presented by

Everything with which the Enterprise Architect

is charged speaks directly to business

alignment–across technologies, workflows and

roles!

Presented by

The Enterprise Architect’s Charges* Include: :

Supporting enterprise goals.

Helping build and support business processes.

Enhancing organizational structure and culture.

Designing sustainable IT systems and applications.

*All of which must be done with security in mind.

Presented by

Business Alignment Falters When Security is Bolted on, not Built in.

!

Despite the importance of IT security in keeping data

and enterprise systems secure and ensuring that the

enterprise operates within regulatory compliance

requirements, the tendency is to add security onto systems

after they’ve been built.

Or worse, after they’ve been deployed.

Presented by

The High Cost of Failure ! Generally, it is much more difficult to add security to a system

after it has been designed or once deployed than it is to build

it right to begin with.

Worse yet, bolt-on approaches are more likely to lead to costly

security failures, such as breaches:

High Price of a Security Failure

Cost of a data breach $214 per compromised record

Average cost per data breach event $7.2 million

Source: Ponemon Institute U.S. Cost of a Data Breach report, 2011

Presented by

Driving Coordination, Effecting Change

Building inherently secure applications and systems requires tight, open and upfront coordination among many groups.

Enterprise architects are in the position to drive that coordination and effect the required change that depends on it.

Because their work is so integral to business alignment−and to driving the agility the enterprise requires to deliver better business service–enterprise architects have a firm understanding of how systems are being deployed, as well as knowledge of the business objectives behind these systems.

Presented by

Thus: ： The enterprise architect can drive value in aligning security

teams, quality assurance teams, developers, the office of the

CIO, and business managers and executives.

All those parties — in conjunction with the enterprise architect

— must work together to ensure that the focus and resources

necessary to maintain a secure IT posture are in place.

Presented by

Still, This Won’t Be Easy . . . …This may be the first time all of these groups work together early in the solutions creation process. Expect tension. For instance:

Security teams may request certain controls that could seem onerous to others involved in the effort (including enterprise IT architects).

Developers may view security as a roadblock at times–and shun its input.

Presented by

:59 percent of enterprise development teams are not

following quality and security processes "rigorously"

when developing new software.

26 percent have few or no secure software

development processes.

Only 48 percent claim to follow audit procedures

rigorously.

More than 70 percent felt that there was insufficient

security guidance for key technology models such as

cloud, virtualization, mobile devices and mainframes.

Taking the Lead, Breaking Bad Habits

Source: Creative Intellect Consulting, “The State of Secure Application Lifecycle Management.” The report was based on a survey of software development, IT and information security professionals around the world.

Presented by

”“We’d like to see organizations taking a multi-faceted

approach to tackling the…security challenge.

‘Secure by Design and Practice’ should be the call to action

adopted by organizations to address the software security

challenge more directly.”

—Bola Rotibi, founder of Creative Intellect Consulting

Presented by

Five Essential Enterprise Architecture Practices to Create

the Security-Aware Enterprise

1. Get executive sponsorship.

2. Foster a collaborative environment.

3. Pick, at first, easily attainable projects.

4. Evaluate security risks during planning &

design.

5. Build security processes into workflow.

Presented by

In order for enterprise architects to get security, operations

and other teams to work cohesively together, it’s helpful to

insert executive leadership into the process, so they can set

business objectives and expectations across teams. Should

security processes or communications break down, executive

leadership can reiterate those processes’ importance to the

business.

Without such political cover, efforts can quickly fray and

fall apart.

Step 1: Get Executive Sponsorship

Presented by

Setting the stage for the integration of security through the

development process will change how new initiatives are built,

and how the operations work together. Win political

sponsorship to get started by:

Showing business leaders the threats against the company.

Demonstrating how integrating security into a product or

application from the start can reduce risk.

Demonstrating areas where cost of securing systems can be

reduced through integrating security processes with design.

Step 1: Get Executive Sponsorship

Presented by

This level of sponsorship should be easier today than it was

just a few years ago, as security is reporting less often to the

CIO’s office and increasingly to the board of directors. That’s

a level of recognition for their work that can’t be ignored by

any other groups associated with a project:

Step 1: Get Executive Sponsorship

Presented by

The Changing Reporting Structure for CISOs/Equivalent Information Security Leaders

Source: PricewaterhouseCoopers LLP: 2011 Global State of Information Security Survey* This calculation measures the difference between response levels over a three-year period from 2007 to 2010.

Step 1: Get Executive Sponsorship

Presented by

Encourage information security’s involvement as an enabler.

Engage with the CISO’s office as a consultative resource to

evaluate the business risk of new initiatives and have the staff

propose alternatives for reducing that risk.

Step 2: Foster a Collaborative Environment, Starting with the Security Team

Presented by

Step 2: Foster a Collaborative Environment, Starting with the Security Team

What would collaboration entail?

Example: A new application is to be built. The enterprise

architect can bring the security team into the picture during the

design phase to evaluate access controls, secure architecture

and deployment, and how such things as data encryption, digital

certificates and other components could be built to optimize

security and regulatory compliance for this effort and to apply to

future efforts as part of a wider EA blueprint.

Presented by

”“Most organizations’ enterprise IT architects find that they

are constantly battling with the information

security groups rather than truly consulting with them.”

—CISO at regional healthcare provider.

They translate IT security personnel’s natural caution as

meaning that the group default is to just say no.

Presented by

As this is probably the first time that groups ranging from

security to development have collaborated from the start of

a project, it’s advisable that the initial project not be a major

business initiative. An easy win, or a couple of easier wins, in

the beginning will help teams to learn how to work together

and get processes right, and build a foundation of credibility

and trust.

Step 3: Start with Easily Attainable Projects

Presented by

Step 3: Start with Easily Attainable Projects

Consider small-in-scope projects, such as a focused

departmental initiative. Examples include helping a team

build security into the initial design of:

A mobile application for a select group of field workers.

A new database for emerging market customers.

A new e-commerce application dedicated to a particular

segment of B-to-B clients.

Presented by

”“Whenever trying to effect organizational change, it's

always smart to start smaller, perfect those processes,

and then apply them more broadly over time.”

— Pete Lindstrom, Research Director at the market

research firm Spire Security.

Presented by

Step 4: Evaluate Risks During Planning & Design

Enterprise architects should focus on ensuring that the group

lets the security team do what it does best: find and evaluate

risk. If it's a database front-end being deployed on tablets, as

a simple example, have the security team do the vetting and

report back to the enterprise architect and the team for

remediation.

Presented by

Step 4: Evaluate Risks During Planning & Design

To rank risks and develop ways to mitigate them, ask the following questions:

How might the deployment of new technologies potentially introduce vulnerabilities and compromise workloads?

How is the data being collected and/or access classified?What job roles are permitted access?What credentials will be used for authentication?Has the application code had a security review? What industry or government regulations come into play?

?

Presented by

Step 5: Build Security Processes Into Workflow

Over time, the practice of designing security into new

initiatives will become part of the organizational fabric.

Security, operations and the enterprise architect’s office will

learn how to work effectively together.

Processes will be put into place that will improve the overall IT

security of the organization.

Checkpoints will be put into place so that the risk posture of

new initiatives can be evaluated as they move from design

through production.

After a few successes and lessons learned, the processes and

procedures put into place can be used throughout the

organization on all new initiatives.

Presented by

In Conclusion:Security coordination driven from the enterprise architect will:

:

Help align security with business objectives.

Secure new initiatives more cost-effectively.

Develop successful security processes that can be replicated

throughout the organization.

Lead to a decline in the risk of data breaches.

Lead to an increase in regulatory compliance.

Presented by

The End-State: :

“I firmly believe that having an enterprise architect who is a partner of the information security group (and vice versa) removes a number of barriers to the design and deployment of new solutions and allows them to be delivered quickly within policy guidelines and with acceptable levels of risk.”

—Enterprise architect, global engineering company