Security and EA
A Thread Relevant to all Levels of
the EA Cube
Copyright © 2013 Curt Hill
Introduction
• EA Security has a broader
perspective than IT security
– EA Security include IT security
• It needs to be considered at every
level
• IT security typically lives in the
Applications and Systems as well as
the Network and Infrastructure
levels
• You should have previously seen
something on IT security
Copyright © 2013 Curt Hill
Types of Threats
• Physical threats
– Fire, flood, earthquake, etc
• Personal threats
– Unhappy employees, hackers,
terrorists
• Accidents
– Programming errors, unintentional
mistakes
Copyright © 2013 Curt Hill
Dangers
• The insider attack is particularly
deadly for the insider knows the
defense
• It is impossible to completely secure
the enterprise from all threats
– Typically too expensive
• Instead we must always balance
probability and cost of a risk with
the expense to defend against the
risk
Copyright © 2013 Curt Hill
Where to start?
• Historically, security is an
afterthought
– After we get burned, we make sure we
do not get burned again
• Enterprises now live in a world of
forest fires
– It is not a question of if a problem will
occur, but when
• Therefore security should be
considered in every project
– From the very beginning
– Demand security content in every
Copyright © 2013 Curt Hill
IT Security Program
• Every enterprise that can afford an
Enterprise Architecture program
needs an IT Security Program
• This includes one or more IT
professionals with IT security
training and experience
• They are involved in every IT project
in at least a consulting role
• The also advise the EA team on
security considerations
Copyright © 2013 Curt Hill
Security Program
• For each project (proposed or
existing) they
– Describe the threats and their sources
– Possible countermeasures
• They also produce Standard
Operating Procedures
– To certify IT projects
– Run existing installations
– Respond to incidents
Copyright © 2013 Curt Hill
IT Security Plan
• A guide discussing the security for
the enterprise
• Produced by the Security Program
• Has a number of sections that
address various groups within the
enterprise
– Executives
– Operations
• It contains:
– How to report incidents
– Standard Operating Procedures
Copyright © 2013 Curt Hill
– Threats
Areas of Interest
• The Security Program needs to deal
specifically with the following areas
of interest
–
–
–
–
Information security
Personnel security
Operational security
Physical security
• These are now considered in more
detail
Copyright © 2013 Curt Hill
Information security
• Design
– Projects must be required to have a
reasonable security element
• Assurance
– The quality of data must be protected
from unauthorized or accidental
change
• Authentication
– Data changes must be verified to
prevent incorrect access
• Access
– Ability to control who views and uses
Copyright © 2013 Curt Hill
Personnel security
• Authentication – users and
administrators must be verified
– What form must this take
• Security Training – Users must be
informed about security issues
• Procedures – What is the proper
way to use and access the system
– How to recognize, avoid and report
breaches
Copyright © 2013 Curt Hill
Operational security
• Risk assessment
– From highest to lowest levels of the
cube
• Component evaluation
– Component testing for vulnerabilities
• Remediation
– Patching vulnerabilities found by
evaluation
• Certification
– A process to verify that components
have fixed all known vulnerabilities
Copyright © 2013 Curt Hill
Operational security
• Standard Operating Procedures
– Those involved in operations must be
familiar with SOP
• Recovery
– Assessing and recovering from events
that disrupt operations
• Operational continuity
– After serious damage has occurred,
how operations would be restored
Copyright © 2013 Curt Hill
Physical security
• Building security
– Any room where the access is better
than from the internet
• Server rooms and network closets
– Protecting areas of particular
sensitivity
– A network closet is particularly
vulnerable and seldom visited
• Cabling
– Like a network closet, they are easy to
tap and seldom observed
Copyright © 2013 Curt Hill
Your Turn
• What sort of attacks would be
easiest at VCSU?
• What is the likelihood of such
attacks?
– What would an attacker gain?
Copyright © 2013 Curt Hill
Conclusions
• The reason we have an IT security
problem is that we have
underestimated the danger
• Prudent management requires
consideration of security at all levels
• The identification and mitigation of
threats is the task of those properly
trained
Copyright © 2013 Curt Hill