Developing an Architectural Framework towards achieving Cyber Resiliency
Presented by Deepak Singh
Presentation Content
- Cyber Threat Landscape
  - Cyber Attack and Threat Profile
  - Cyber Threat Map
- Cyber Security Counterintelligence (through) Architecture Modelling {CSCAM}
  - Reference Architecture
  - Network and Security Principles
  - Data Flow
www.securelogicgroup.com
Copyright 2014 Secure Logic
Cyber Threat Landscape
- Cyber Attack and Threat Profile
- Cyber Threat Map
Cyber Attack and Threat Profile (Cyber Threat Landscape)
- Targeted attacks vs non-targeted attacks: 50:50 ratio
- Attack source: internal and external
- Top 3 attack vectors:
  - Financial fraud
  - Denial-of-service
  - Loss of confidential or proprietary information
- Compromised despite having people, process and technology controls in place
[Chart: top attack vectors, percentage axis 0% to 18%]
"There are two types of companies: those that have been hacked and those that will be hacked." Robert Mueller, FBI Director, speaking at the RSA Conference.
Cyber Threat Map (Cyber Threat Landscape): attacker expertise vs motivation
[Chart, source NSS Labs: attackers' expertise plotted against motivation]
- Expertise: Script-Kiddy, Hobbyist Hacker, Expert (author of tools)
- Motivation: Curiosity (vandalism), Personal Fame, Personal Gain (theft; the fastest growing segment)
- Tools created by experts are now used by less-skilled criminals for personal gain
Source: NSS Labs
Cyber Threat Map (Cyber Threat Landscape): threat agents and MY ASSET
- Threat agents: conflict in nations, organised criminals, radical activists, cyber-vandals, data miners, malicious employees, unintentional errors
- Threat vectors
- Motivation: money, recognition
- Means
- Assets of interest: MY ASSET
Business Cybersecurity Objective (Cyber Threat Landscape)
- Business Domain: Objective, Strategy, Requirements
- Operational Domain: Change Management, SIEM, Version Control
- Technology Domain: DDoS protection, AV, Firewall, HIDS, IPS, FIM
Cyber Security Counterintelligence (through) Architecture Modelling {CSCAM}
- Reference Architecture
- Network and Security Standards
- Data Flow
Reference Architecture
C-SCAM is the model and methodology for developing risk-driven enterprise information architecture and for delivering sustainable ICT solutions that support critical business initiatives.
The framework is based on these industry standards:
- SABSA: Applied Business Security Architecture
- TOGAF: Enterprise Information Architecture Framework
- ISO 27001: Information Security Management System
Reference Architecture: Business Drivers
Driver: C-SCAM Strategy 2020
Key Points:
- Services anytime, anywhere
- Community and industry collaboration
- Citizen-focused services
- Better information sharing
- Financial and performance management
- ICT re-investment pool
Reference Architecture: Attributes Profiles
Key Points:
- Entities and their relationships
- Supplier and consumption channels
- Contextual architecture dependencies
- IT network and security attributes
- IT services modelling
Reference Architecture: Strategy Alignment
Key Points:
- Commoditise data services
- Create a marketplace for external providers
- Promote the use of virtualisation
- High-specification security standards
- Enable compliance
Reference Architecture: Control & Enablement Objectives, Domain & Trust Models
Key Points:
- Defines logical and physical boundaries
- A domain is a set of elements with a common security policy
- Determines network segregation and controls
- Determines data flow between domains and zones
- Enables information exchange
Reference Architecture: Scenarios & Design Patterns
Scenario 1: Co-location / self-managed. Agency/Service Provider A migrates all of their data centre infrastructure to the GovDC facility. Once in place, Agency A operates their data centre infrastructure as a co-located facility, independent from other agencies and marketplace suppliers located within the facility.
Scenario 2: Hybrid co-location / managed services. Agency/Service Provider B migrates their UNI infrastructure to the GovDC facility. They choose to replace the remainder of their infrastructure with services sourced from private sector suppliers via GovDC's service catalogue.
Scenario 3: Fully managed services. Agency/Service Provider C has an equipment refresh coming up and needs new infrastructure; instead of procuring new capacity and infrastructure, they purchase a fully managed service from inside GovDC and migrate to the facility.
Key Points:
- Agile and scalable take-up model
- Modular and easy integration
- Reference architecture and design blueprints
- Standard procedures for onboarding
- Ensure sustainability and stability
Reference Architecture: Zone Placement
[Diagram: agency traffic and applications placed across the domains below]
1. DMZ Domain: protects the application and data domains and sub-domains (zones) by confirming identity and trust prior to allowing access to these protected domains and zones
2. Internal Protection Domain: houses agency compute and storage resources, along with a growing number of common services accessible to agency business applications
3. External Cloud Access Domain: provides a common interaction point to consume external cloud services
4. Secure Administration Domain: provides segregated privileged user access to the systems, application and data domains and sub-domains (zones)
5. Services Backbone: provided by GovDC, offers robust, secure connectivity between agency resources
Reference Architecture: Services & Mechanism (Products & Tools)
DMZ Services Stream:
- Internet Gateway Services
- IDS / IPS as a Service
- Proxy Gateway Services
- E-mail Gateway Services
- Firewall as a Service
- Remote Access Services
- Application Delivery Services
Secure Administration Domain:
- Encryption as a Service
- Hardware Security Module (HSM) as a Service
- Cryptographic Key Management Services
- Authentication as a Service
- Enterprise Policy Services
- DNS as a Service
- Vulnerability Management Services
Internal Protection Domain:
- Identity Management Services
- IP Address Management as a Service
- Application Delivery Services
- Proxy Gateway Services
- DLP as a Service
- Collaboration Services
- Mobile Device Management as a Service
Key Points:
- Services anytime, anywhere
- As-a-Service design modelling
- Solution traceability and completeness
- Clear roadmap to a services model
- Key benefits today vs future enablement
Reference Architecture: Architectural Governance (Service Management Matrix)
Key Points:
- Baseline standards established
- Policy and procedures framework
- Enable compliance and assurance
- Enable agency certification program
- Integrated risk management model
Data Flow
[Diagram: data-flow matrix, each cell marked Allowed or Not Allowed, between the following domains and zones]
- External Domains (Internet)
- External or Internal Protected User Network
- DMZ and DMZ Support Zone(s)
- Secure Admin Domain (SAZ)
- Internal Protection Domains and Zones, and Internal Protection Support Zone(s)
- Private Government Marketplace (PGM)
Privileged system access to the PGM protected domain and to the DMZ domain (Secure Admin Domain, SAZ).
Key Points:
- Data flow enables information security assurance
- Data integrity and confidentiality maintained
- Enables accountability and controls
- Visibility
- Collaboration with a standardised approach
- Enables baseline security practice
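The Domain & Trust Models slide defines a domain as a set of elements under one security policy, and the Data Flow slide reduces inter-domain traffic to a matrix of Allowed / Not Allowed cells. The Python below is an added illustration (not code from the deck or from Secure Logic) of how that matrix is enforced and audited: a default-deny allow-list over the deck's own domain and zone names, with privileged access permitted only when it originates in the Secure Admin Domain, run over constructed firewall log lines to flag flows that violate policy. The specific allow-list entries, the log line format and the zone constants are assumptions for the example; the deck's own matrix cells did not survive extraction.

```python
"""Added example: default-deny data-flow policy between the domains and zones
named in the deck, applied to constructed firewall log lines.
The allow-list is an ASSUMPTION for illustration, not the deck's matrix."""
import re
from typing import FrozenSet, List, NamedTuple

# Domain and zone names taken from the deck's Data Flow and Zone Placement slides
INTERNET = "External Domains (Internet)"
USER_NET = "Protected User Network"
DMZ = "DMZ"
DMZ_SUPPORT = "DMZ Support Zone"
SAZ = "Secure Admin Domain"
IP_DOMAIN = "Internal Protection Domains and Zones"
IP_SUPPORT = "Internal Protection Support Zone"
PGM = "Private Government Marketplace"
ZONES = {INTERNET, USER_NET, DMZ, DMZ_SUPPORT, SAZ, IP_DOMAIN, IP_SUPPORT, PGM}


class Flow(NamedTuple):
    src: str
    dst: str
    kind: str  # "service" (application traffic) or "privileged" (administrative access)


# ASSUMED allow-list; every flow not listed is "Not Allowed" (default deny).
ALLOWED: FrozenSet[Flow] = frozenset({
    Flow(INTERNET, DMZ, "service"),        # external users terminate in the DMZ
    Flow(USER_NET, DMZ, "service"),
    Flow(DMZ, IP_DOMAIN, "service"),       # DMZ confirms identity/trust, then brokers access
    Flow(DMZ, DMZ_SUPPORT, "service"),
    Flow(IP_DOMAIN, IP_SUPPORT, "service"),
    Flow(IP_DOMAIN, PGM, "service"),
    Flow(SAZ, DMZ, "privileged"),          # deck: privileged system access to the DMZ domain
    Flow(SAZ, PGM, "privileged"),          # deck: privileged system access to the PGM domain
    Flow(SAZ, IP_DOMAIN, "privileged"),
})


def decide(flow: Flow) -> str:
    """Return 'Allowed' or 'Not Allowed' for one flow; unknown zones are an error."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    if flow.src == flow.dst:
        return "Allowed"  # intra-zone traffic is left to the zone's own controls
    if flow.kind == "privileged" and flow.src != SAZ:
        return "Not Allowed"  # privileged access originates only from the Secure Admin Domain
    return "Allowed" if flow in ALLOWED else "Not Allowed"


# Constructed (assumed) log format: key=value pairs, one accepted connection per line
LOG_RE = re.compile(r'src_zone="([^"]+)" dst_zone="([^"]+)" kind=(\w+)')


def parse_log(lines) -> List[Flow]:
    """Extract (src, dst, kind) flows from log lines; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append(Flow(m.group(1), m.group(2), m.group(3)))
    return flows


def find_violations(lines) -> List[Flow]:
    """Flows the firewall accepted but the domain policy says are Not Allowed."""
    return [f for f in parse_log(lines) if decide(f) == "Not Allowed"]


# Constructed sample log lines for the example (not real logs)
SAMPLE_LOG = [
    'ts=1 src_zone="External Domains (Internet)" dst_zone="DMZ" kind=service action=accept',
    'ts=2 src_zone="External Domains (Internet)" dst_zone="Internal Protection Domains and Zones" kind=service action=accept',
    'ts=3 src_zone="DMZ" dst_zone="Private Government Marketplace" kind=privileged action=accept',
    'ts=4 src_zone="Secure Admin Domain" dst_zone="Private Government Marketplace" kind=privileged action=accept',
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print("Not Allowed:", f)
```

Running the block reports two policy violations from the sample: an Internet source reaching the Internal Protection domain directly (bypassing the DMZ) and privileged access attempted from the DMZ rather than the Secure Admin Domain. Keeping the allow-list as data rather than as nested conditionals is what makes the matrix auditable against the architecture diagram.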
Network and Security Principles
The following requirements must be met when using physically separate or virtualised network infrastructure:
- network and security devices facing unclassified protection zones (e.g. unprotected) must exist on physically separate hardware to other domains
- network and security devices used for service redundancy and high availability must run on physically separate hardware, to ensure a single hardware failure will not impact availability
- network and security devices used for the secure administration zone must run on physically separate hardware to the systems being administered, to ensure protection, segregation and availability during failures
- network connectivity to servers for administration and monitoring should be through separate server network interface cards
- production infrastructure must exist on physically separate hardware to non-production infrastructure
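The five principles above are all statements about which things may share a physical chassis or a network interface, so they can be checked mechanically against an asset inventory. The Python below is an added example (not from the deck or from Secure Logic) that encodes each principle as a check over a constructed inventory; the Device fields, the domain labels and the inventory itself are assumptions for the example, and each finding carries the number of the principle it breaches.

```python
"""Added example: check a constructed device inventory against the deck's five
network and security principles.  Device schema and inventory are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    name: str
    role: str                 # "network" (firewall, switch, IPS) or "server"
    domain: str               # "unprotected", "dmz", "internal" or "secure-admin" (assumed labels)
    hardware: str             # id of the physical chassis/host the device runs on
    environment: str          # "production" or "non-production"
    ha_group: str = ""        # non-empty for members of a redundancy/HA pair
    administers: List[str] = field(default_factory=list)  # names of systems it administers
    nics: Dict[str, str] = field(default_factory=dict)    # purpose -> interface name


Finding = Tuple[int, str, str]  # (principle number, subject, message)


def check_inventory(devices: List[Device]) -> List[Finding]:
    findings: List[Finding] = []
    by_name = {d.name: d for d in devices}
    by_hw: Dict[str, List[Device]] = {}
    for d in devices:
        by_hw.setdefault(d.hardware, []).append(d)

    for d in devices:
        # 1. devices facing unprotected zones share no hardware with any other domain
        if d.role == "network" and d.domain == "unprotected":
            for o in by_hw[d.hardware]:
                if o.domain != "unprotected":
                    findings.append((1, d.name, f"shares {d.hardware} with {o.name} ({o.domain})"))
        # 3. secure-admin devices share no hardware with the systems they administer
        if d.role == "network" and d.domain == "secure-admin":
            for target in d.administers:
                t = by_name.get(target)
                if t is not None and t.hardware == d.hardware:
                    findings.append((3, d.name, f"same hardware as administered system {target}"))
        # 4. servers should have a dedicated NIC for administration and monitoring
        if d.role == "server":
            mgmt, prod = d.nics.get("management"), d.nics.get("production")
            if not mgmt or mgmt == prod:
                findings.append((4, d.name, "no separate management/monitoring NIC"))

    # 2. redundancy pairs must span separate hardware, or one failure takes both
    groups: Dict[str, List[Device]] = {}
    for d in devices:
        if d.ha_group:
            groups.setdefault(d.ha_group, []).append(d)
    for g, members in groups.items():
        if len({m.hardware for m in members}) < len(members):
            findings.append((2, g, "HA members share a chassis"))

    # 5. production and non-production never share hardware
    for hw, members in by_hw.items():
        if len({m.environment for m in members}) > 1:
            findings.append((5, hw, "hosts both production and non-production devices"))
    return findings


def principles_violated(devices: List[Device]) -> List[int]:
    """Sorted, de-duplicated principle numbers breached by the inventory."""
    return sorted({p for p, _, _ in check_inventory(devices)})


# Constructed inventory with one deliberate breach of each principle
INVENTORY = [
    Device("fw-edge-1", "network", "unprotected", "chassis-A", "production", ha_group="edge-fw"),
    Device("fw-edge-2", "network", "unprotected", "chassis-A", "production", ha_group="edge-fw"),
    Device("fw-internal-1", "network", "internal", "chassis-A", "production"),
    Device("jump-saz-1", "network", "secure-admin", "host-S", "production", administers=["app-1", "db-1"]),
    Device("app-1", "server", "dmz", "host-S", "production", nics={"production": "eth0", "management": "eth1"}),
    Device("db-1", "server", "internal", "host-D", "production", nics={"production": "eth0"}),
    Device("db-test", "server", "internal", "host-D", "non-production", nics={"production": "eth0", "management": "eth1"}),
]

if __name__ == "__main__":
    for principle, subject, msg in check_inventory(INVENTORY):
        print(f"principle {principle}: {subject}: {msg}")
```

Principle 4 is worded as "should" in the deck while the others are "must"; in a real pipeline the severity of the finding would follow that distinction, but the check itself is the same.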
About Us
Secure Logic is committed to developing partnerships with customers who demand a combination of expertise and technical capabilities that deliver innovative solutions for achieving operational maturity.
- Sustainability
- Stability
- Future Growth
Service Category
Offices: Sydney, Singapore, Shanghai & Kuala Lumpur
Thank You
About Secure Logic
Secure Logic was started in 2006 by a group of highly skilled IT professionals looking to redefine IT security. We work across the globe helping businesses identify their IT security needs and align them to their business drivers. Today, Secure Logic's consultants work with many key banking and finance organisations, enterprises of all sizes, and government departments, assisting them to meet security compliance and governance requirements.
For more information visit www.securelogicgroup.com.au