Many current security controls and architectures were developed with the concept of a perimeter—a well-defined (if mostly virtual) boundary between the organization and the outside world. In these models of cybersecurity, the focus is network- or system-centric. In the system-centric model, the emphasis is on placing controls at the network and system levels to protect the information stored within. An alternative model is data-centric, which emphasizes the protection of data regardless of its location.

With the advent of the Internet, outsourcing, mobile devices, cloud and other hosted services, the perimeter has expanded considerably. Consequently, there are significant new risks and vulnerabilities to confront in this hyper-connected and extended environment. The perimeter, then, is an important line of defense that protects the enterprise against external threats, and its design should reflect a proactive stance toward preventing potential risk.

An important component of the security perimeter is the Internet perimeter. This perimeter ensures secure access to the Internet for enterprise employees and guest users residing at all locations, including those involved in telecommuting or remote work. In order to provide security of email, front-end mobile and web apps, domain name system (DNS), etc., the Internet perimeter should:

• Route traffic between the enterprise and the Internet

• Prevent executable files from being transferred through email attachments or HTTP responses

• Monitor network ports for rogue activity

• Detect and block traffic from infected internal end points

• Control user traffic bound toward the Internet

• Identify and block anomalous traffic and malicious packets recognized as potential attacks

• Eliminate threats such as email spam, viruses and worms

• Enforce filtering policies to block access to web sites containing malware or questionable content

13 ISACA, CISM Review Manual 2015, USA

14 Ibid.

The perimeter should also provide protection for virtual private networks (VPNs), wide area networks (WANs) and wireless local area networks (WLANs).

For VPNs, this protection should be threefold:

1. Terminate VPN traffic from remote users

2. Provide a hub for terminating VPN traffic from remote sites

3. Terminate traditional dial-in users

VPN traffic is first filtered at the egress point to the specific IP addresses and protocols that are part of the VPN service. A remote user can only gain access after being authenticated.

For WANs, security is provided by input/output system (IOS) features. Unwanted traffic can be blocked from the remote branch using input access lists, and IP spoofing can be mitigated through L3 filtering. Organizations that are very concerned about privacy may choose to encrypt traffic on their WAN links.
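The VPN egress filter and the WAN input access list described above, as an added example that is not from the study guide: a small first-match access-list evaluator with an implicit deny, applied to a constructed topology (the HQ and branch prefixes, the VPN gateway address and the protocols treated as "part of the VPN service" are all assumptions).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "esp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; like a router ACL, the list ends in an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed topology (assumption, not taken from the study guide).
HQ_LAN = "10.0.0.0/16"
BRANCH_LAN = "10.20.0.0/16"
VPN_GW = "203.0.113.10/32"

# Egress filter toward the VPN service: only IKE (UDP 500), NAT-T (UDP 4500)
# and ESP addressed to the VPN gateway are allowed out; everything else is denied.
VPN_EGRESS_ACL = [
    Rule("permit", dst=VPN_GW, proto="udp", dport=500),
    Rule("permit", dst=VPN_GW, proto="udp", dport=4500),
    Rule("permit", dst=VPN_GW, proto="esp"),
]

# Input access list on the WAN interface facing the branch:
# 1. anti-spoofing (L3 filter): a packet arriving from the branch link that claims an HQ source is dropped
# 2. unwanted traffic from the branch (here telnet) is blocked
# 3. the branch's own prefix may reach HQ; anything else hits the implicit deny
WAN_INPUT_ACL = [
    Rule("deny", src=HQ_LAN),
    Rule("deny", src=BRANCH_LAN, dst=HQ_LAN, proto="tcp", dport=23),
    Rule("permit", src=BRANCH_LAN, dst=HQ_LAN),
]
```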

Interdependencies

As previously discussed, modern IT architectures are usually decentralized and deperimeterized. This includes a growing number of cloud-based platforms and services, as well as a shift in computing power and utilization patterns toward intelligent mobile devices such as tablet PCs or smartphones. As a consequence, both the number of potential attack targets outside the organizational boundary and the number of attack vectors have grown. Conversely, the degree of control over deperimeterized environments has been significantly reduced, especially in enterprises permitting partial or full integration of user-owned mobile devices (i.e., bring your own device [BYOD]). These changes have important ramifications for security architecture.

In distributed and decentralized IT architectures, the third-party risk is likely to increase, often as a function of moving critical applications, platforms and infrastructure elements into the cloud. For platforms, storage infrastructure and cloud-based data repositories, the focus of cybersecurity is shifting toward contracts and service level agreements (SLAs). Simultaneously, third-party cloud providers are facing an increased risk of attacks and breaches due to the agglomeration and clustering of sensitive data and information. In addition to concerns about third-party services, there is significant legal risk. Enterprises experiencing a loss of sensitive data may not be in a position to bring an action against the perpetrators because the cloud provider often has to initiate legal action.

Regardless of the generic information security arrangements made by an enterprise, there are often exposed areas within IT architectures. Cybercrime and cyberwarfare perpetrators continue to aim at “weak spots” in architectural elements and systems. In contrast to indiscriminate and opportunistic attacks, APTs and cybercrime always rely on preparatory research and insight into the target enterprise. This, in turn, raises the level of exposure for weak or unsecured parts of the overall architecture. These vulnerable spots include legacy systems, unpatched parts of the architecture, “dual persona” use of mobile devices and many others.

Cybersecurity Fundamentals Study Guide 2015 45

Security Architectures and Frameworks

A great number of architectural approaches currently exist, and many of them have evolved from the development of enterprise architecture. Although their specific details may differ, they all generally aim to articulate what processes a business performs and how those processes are executed and secured. They articulate the organization, roles, entities and relationships that exist or should exist to perform a set of business processes.

Similarly, models of security architecture typically fall into two categories: process models and framework models.

Frameworks allow a great deal of flexibility in how each element of the architecture is developed. The essence of a framework is to describe the elements of architecture and how they relate to one another, while a process model is more directive in its approach to the processes used for the various elements.

SABSA and the Zachman Framework

Just as there are many different types of business enterprises, there are many different approaches to security architecture. For example, the Zachman framework approach of developing a who, what, why, where, when and how matrix (shown in exhibit 3.1) is shared by Sherwood Applied Business Security Architecture (SABSA). The matrix contains columns showing aspects of the enterprise that can be described or modeled, while the rows represent various viewpoints from which those aspects can be considered. This approach provides a logical structure for classifying and organizing design elements, which improves the completeness of security architecture.

Exhibit 3.1: SABSA Security Architecture Matrix

Source: Sherwood Applied Business Security Architecture (SABSA), 1995-2008. All rights reserved. Used with permission. www.sabsa.org

The Open Group Architecture Framework (TOGAF)

Another architecture framework is The Open Group Architecture Framework (TOGAF). Developed by The Open Group in the 1990s, this high-level and holistic approach addresses security as an essential component of the overall enterprise design. TOGAF’s objective is to ensure that architectural development projects meet business objectives, that they are systematic and that their results are repeatable. Exhibit 3.2 depicts the TOGAF architectural process and its relationship to business operations.

Exhibit 3.2: TOGAF Enterprise Architecture Framework (figure; panels include the TOGAF Capability Framework and the Enterprise Continuum: the method produces content stored in the Repository, classified according to the Enterprise Continuum, and the capability sets targets, KPIs, plans and budgets for architecture roles)
