
Security Architecture – How & Why (River Publishers Series in Security and Digital Forensics) PDF

234 Pages·2022·38.558 MB·English

Preview Security Architecture – How & Why (River Publishers Series in Security and Digital Forensics)

Security Architecture – How & Why

RIVER PUBLISHERS SERIES IN DIGITAL SECURITY AND FORENSICS

Series Editors:
ANAND R. PRASAD, Deloitte Tohmatsu Cyber LLC, Japan
R. CHANDRAMOULI, Stevens Institute of Technology, USA
ABDERRAHIM BENSLIMANE, University of Avignon, France

The “River Publishers Series in Security and Digital Forensics” is a series of comprehensive academic and professional books which focus on the theory and applications of Cyber Security, including Data Security, Mobile and Network Security, Cryptography and Digital Forensics. Topics in Prevention and Threat Management are also included in the scope of the book series, as are general business Standards in this domain.

Books published in the series include research monographs, edited volumes, handbooks and textbooks. The books provide professionals, researchers, educators, and advanced students in the field with an invaluable insight into the latest research and developments.

Topics covered in the series include:
• Blockchain for secure transactions
• Cryptography
• Cyber Security
• Data and App Security
• Digital Forensics
• Hardware Security
• IoT Security
• Mobile Security
• Network Security
• Privacy
• Software Security
• Standardization
• Threat Management

For a list of other books in this series, visit www.riverpublishers.com

Security Architecture – How & Why
Tom Madsen
NNIT, Denmark

River Publishers

Published 2022 by River Publishers
River Publishers, Alsbjergvej 10, 9260 Gistrup, Denmark
www.riverpublishers.com

Distributed exclusively by Routledge
4 Park Square, Milton Park, Abingdon, Oxon OX14 4RN
605 Third Avenue, New York, NY 10017, USA

Security Architecture – How & Why / by Tom Madsen.
© 2022 River Publishers. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers.

Routledge is an imprint of the Taylor & Francis Group, an informa business

ISBN 978-87-7022-584-7 (print)
ISBN 978-10-0079-429-8 (online)
ISBN 978-1-003-33938-0 (ebook master)

While every effort is made to provide dependable information, the publisher, authors, and editors cannot be held responsible for any errors or omissions.

Contents

Preface
List of Figures
List of Tables

1 Why Security?
  1.1 Business Prevention
  1.2 Measuring and Prioritizing Business Risk
  1.3 Security as a Business Enabler
  1.4 Empowering the Customers
  1.5 Protecting Relationships
  1.6 To Summarize

2 Why Architecture
  2.1 Origins of Architecture
  2.2 Managing Complexity
  2.3 Information Systems Architecture
  2.4 Architectures
    2.4.1 Business Architecture
    2.4.2 Information Architecture
    2.4.3 Applications Architecture
    2.4.4 Infrastructure Architecture
    2.4.5 Risk Management Architecture
    2.4.6 Governance Architecture
  2.5 Enterprise Security Architecture
  2.6 Being a Successful Security Architect
  2.7 Security Architecture Needs a Holistic Approach
  2.8 What Does Architecture Mean?

3 Security Architecture Model
  3.1 The SABSA® Model
  3.2 The Business View
  3.3 The Architect’s View
  3.4 The Designer’s View
  3.5 The Builder’s View
  3.6 The Tradesman’s View
  3.7 The Facilities Manager’s View
  3.8 The Inspector’s View
  3.9 The Security Architecture Model

4 Contextual Security Architecture
  4.1 Business Needs for Information Security
  4.2 Security as a Business Enabler
    4.2.1 On-Demand Entertainment
    4.2.2 Value-Added Information Services
    4.2.3 Remote Process Control
    4.2.4 Supply Chain Management
    4.2.5 Research and Information Gathering
  4.3 Digital Business
    4.3.1 Online Banking
    4.3.2 B2B
    4.3.3 Online Government
  4.4 Continuity and Stability
    4.4.1 Revenue Generation
    4.4.2 Customer Service
    4.4.3 Reputation
    4.4.4 Management Control
    4.4.5 Operating Licenses
    4.4.6 Employee Confidence
    4.4.7 Shareholder Confidence
    4.4.8 Other Stakeholders
  4.5 Safety-Critical Dependencies
    4.5.1 Remote Communications to Safety-Critical Systems
    4.5.2 Systems Assurance
  4.6 Business Goals, Success Factors and Operational Risks
    4.6.1 Brand Protection
    4.6.2 Fraud Prevention
    4.6.3 Loss Prevention
    4.6.4 Business Continuity
    4.6.5 Legal Obligations
  4.7 Operational Risk Assessment
    4.7.1 Risk/Threat Assessment
    4.7.2 Threat Domains
    4.7.3 Threat Categories
    4.7.4 Risk Prioritization
  4.8 SABSA® Risk Assessment Method
    4.8.1 SABSA Risk Assessment Method: Step 1
    4.8.2 SABSA Risk Assessment Method: Step 2
    4.8.3 SABSA Risk Assessment Method: Step 3
    4.8.4 SABSA Risk Assessment Method: Step 4
    4.8.5 SABSA Risk Assessment Method: Step 5
  4.9 Business Processes and their Security
    4.9.1 Business Interactions
    4.9.2 Business Communications
    4.9.3 Business Transactions
  4.10 Organization and Relationships Impacting Business Security Needs
  4.11 Location Dependence
    4.11.1 The Global Village Marketplace
    4.11.2 Remote Working
  4.12 Time Dependency
    4.12.1 Time-Related Business Drivers
    4.12.2 Time-Based Security
  4.13 To Summarize: Contextual Security Architecture

5 Conceptual Security Architecture
  5.1 Conceptual Thinking
  5.2 Business Attributes Profile
  5.3 Control Objectives
  5.4 Security Strategies and Architectural Layering
    5.4.1 Multi-Layered Security
    5.4.2 Multi-Tiered Incident Handling
    5.4.3 Security Infrastructure Layered Architecture
    5.4.4 The Common Security Services API Architecture
    5.4.5 Application Security Services Architecture
    5.4.6 Placing of Security Services in the Architecture Layers
    5.4.7 Security Services in the Applications Layer
    5.4.8 Security Services in the Middleware Layer
      5.4.8.1 Explicit Security Services
      5.4.8.2 Implicit Security Services
    5.4.9 Data Management Security Services
    5.4.10 Security Services in the Network Layer
    5.4.11 Security Services for the Information Processing Layer
    5.4.12 Authentication, Authorization and Audit Strategy
    5.4.13 Security Service Management Strategy
    5.4.14 System Assurance Strategy
    5.4.15 Directory Services Strategy
    5.4.16 Directory Services Strategy: Management
    5.4.17 Directory Services Strategy: Objects
  5.5 Security Entity Model and Trust Framework
    5.5.1 Security Entities
    5.5.2 Security Entity Naming
    5.5.3 Security Entity Relationships
    5.5.4 Understanding and Modelling Trust
    5.5.5 Protecting Trust Relationships – Trust Brokers and PKI
    5.5.6 Trust Broker Models that Work
    5.5.7 Extended Trust Models for PKI
    5.5.8 Levels of Trust
  5.6 Security Domain Model
    5.6.1 Security Domains
    5.6.2 Inter-Domain Relationships
    5.6.3 Trust in Domains
    5.6.4 Secure Interaction Between Domains
    5.6.5 Security Associations
    5.6.6 Logical Domains
    5.6.7 Physical Domains
    5.6.8 Multi-Domain Environments
    5.6.9 Applying the Security Domain Concept
  5.7 VPN Concept
    5.7.1 Firewall Concept
  5.8 Security Lifetimes and Deadlines
    5.8.1 Registration Lifetimes
    5.8.2 Certification Lifetimes
    5.8.3 Cryptographic Key Lifetimes
    5.8.4 Policy Lifetimes
    5.8.5 Rule Lifetimes
    5.8.6 Password Lifetimes
    5.8.7 Stored Data Lifetimes
    5.8.8 Data Secrecy Lifetimes
    5.8.9 User Session Lifetimes
    5.8.10 System Session Lifetimes
    5.8.11 Response Time-Out
    5.8.12 Context-Based Access Control
  5.9 To Summarize: Conceptual Security Architecture

6 Logical Security Architecture
  6.1 Business Information Model
    6.1.1 Information Architecture
    6.1.2 Static and Dynamic Information
  6.2 Security Policies
    6.2.1 Security Policy: A Theoretical View
    6.2.2 Security Policy Architecture
  6.3 Security Services
    6.3.1 Common Security Services and Their Descriptions
  6.4 Security Service Integration
    6.4.1 Unique Naming
    6.4.2 Registration
    6.4.3 Public Key Certification
    6.4.4 Credentials Certification
    6.4.5 Directory Service
    6.4.6 Directory Service Information Model
    6.4.7 Directory Service Naming Model
    6.4.8 Directory Service Security Model
    6.4.9 Authorization Services
    6.4.10 Entity Authentication
    6.4.11 User Authentication
    6.4.12 Communications Security Services
    6.4.13 Message Origin Authentication
    6.4.14 Message Integrity Protection
    6.4.15 Message Replay Protection
