Architecting Security
NERCOMP 9/24/2007
Mark Poepping, Head IT Architect, Computing Services, Carnegie Mellon

Outline
• Drivers, History, Measures of Success
• Perspective: IT Charter; IT Infrastructure
• IT Security
1/10/08 Carnegie Mellon

Drivers
The Security Glass Really IS Half-Empty
• Negative Drivers
  – Crisis Response
  – Risk Avoidance
  – Death of a Thousand Cuts
• Where’s the “Yippee!”?
  – Security is not an end-user feature
  – Security is an enterprise imperative
• Find, Organize, Serve YOUR Drivers

History
• IT is young – 1960, 1970, 1980
• IT Security is younger – 1988
• Growing a Discipline
  – Between, among, in spite of, but ultimately for Applications, Systems, Networking...
  – All in service of those wondrous customers
  – Necessity is the mother of invention
• But it’s nice to think ahead…

Reference
• EDUCAUSE Leadership Strategies, Volume 8: “Computer and Network Security in Higher Education”, Luker and Peterson, EDUCAUSE, 2003
  – IT Security and Academic Values
  – Organizing for Security
  – Risk
  – Liability
  – Policy
  – Architecture
  – Security Education

Success
• Structural – Drain the Swamp
  – Integrated Discipline: build Security in
  – Defined, Sustained Activity
    • Prevent, Detect, Remediate, Investigate
  – Managed Risk – Limiting Loss
    • There will always be surprises
• Tactical – Fight off the Alligators
  – Handle the Priorities
  – Functioning with Security
    • We still get the work done, just more safely

Perspective: IT Charter
• Facilitate and Automate
  – Needs of the Business
    • In: Manufacturing, Instruction, Research
    • For: ERP, Financials, HR, SIS
    • On: Marketing (CRM, Web, CMS)
  – Needs of Users
    • Communications, Documents, Presentation
    • Entertainment, Personal Expression

IT Infrastructure
Leverage Commonalities
• Enterprise and IT-focused reasons
  – Technical – Efficiency of effort/investment
  – Functional – Policy and control
    • Audit, regulation, asset management
• User-focused reasons
  – Common user information across applications
  – One way to do each thing
  – One person to call

IT Infrastructure (15 years ago)
• Networks
  – Voice
  – Data
  – Dialup, Local, Wide Area
• Systems
  – Server platforms; Hardware, OS (proprietary)
  – Maybe NOS or File Systems
  – Accounts
• Applications
  – Business – ERP, Fin, HR
  – Computer Labs
  – Personal Productivity – Email, Doc/Presentation
• Operations
  – Machine Rooms, backups
  – Help desk

New IT Infrastructure
• Networks
  – Wireless, VPN, Mobility
  – Network Access Control
  – VoIP Services, E911
  – International/Multi-home connectivity
• Systems
  – Open source servers and services
  – Virtualization – platforms + storage
  – Client Diversity
• Middleware
  – Identity Management
    • Authn/r
    • Internal/External Federation
    • Entitlement/service provisioning
  – Unified messaging
    • Anti-messaging (A/spam, A/Virus)
  – Sharing/collaboration
  – CMDB, Monitoring, Logging
• Information Security, Compliance
  – Firewall/IDS/IPS, Defense-in-depth
  – Data Classification, Policy
  – Incident response, Forensics
  – SOX, E-Discovery, FERPA, HIPAA, CALEA
• Application Infrastructure
  – Web delivery (portal/SaaS)
  – Enterprise Data/Service (SOA/ESB)
  – Data Warehouse, Document Mgmt
  – Course Management, Repositories
  – Research – Data/Cycles/Storage
  – IT-Enabled (e.g. Keycards, HVAC)
• Operations/Support
  – DR/BC; Emergency Response
  – 24x7x360 (global operation)
  – Insource, Outsource

Networks
• Wireless, VPN, Mobility
• Network Access Control
• VoIP Services, E911
• International/Multi-home connectivity

Systems
• Open source servers and services
• Virtualization – platforms + storage
• Client Diversity

Middleware
• Identity Management
  – Authn/r
  – Internal/External Federation
  – Entitlement/service provisioning
• Unified messaging
  – Anti-messaging (A/spam, A/Virus)
• Sharing/collaboration
• CMDB, Monitoring, Logging

Information Security, Compliance
• Firewall/IDS/IPS, Defense-in-depth
• Data Classification, Policy
• Incident response, Forensics
• SOX, E-Discovery, FERPA, HIPAA, CALEA

Application Infrastructure
• Web delivery (portal/SaaS)
• Enterprise Data/Service (SOA/ESB)
• Data Warehouse, Document Mgmt
• Course Management, Repositories
• Research – Data/Cycles/Storage
• IT-Enabled (e.g. Keycards, HVAC)

Operations/Support
• DR/BC; Emergency Response
• 24x7x360 (global operation)
• Insource, Outsource

Secure that Infrastructure
• Boiling the new ocean
  – Structural
    • A lot of people to teach
    • Can’t Bolt it on
    • Need a system
  – Tactical
    • A lot of software/productivity to protect
    • Need some tools
    • They will evolve as structure co-informs

IT Security
• Bottom-up – security immediacies, practice
  – Examples, situations, remediation
  – Issues, use cases, policy
• Top to Bottom – Security Architecture
  – Evolve development process
  – Build Securely
• Top-upward – Business architecture and goals
  – Risk assessment, enterprise priority, high-level policy

Top-Upward
• Uh

Top-Upward
• Conditions
  – Reporting Structure
  – Situational History
    • Crisis or foresight
  – Organizational Self-awareness
  – Geo-Political, Financial, Social Conditions
  – Alumniacal Realities and Retention of Faculties
  – Not just a Security issue
• Potential Action
  – Head-on
  – Supporting
    • Engage your CIO – help with models, translation, timing
  – Wait-n-see
    • Build perspective, look for opportunities

Top to Bottom – What
• Model Security Architecture
  – Principle, Practice, Control, but further…
  – Value Measures in line with Organization
    • Buy a new server or a faster firewall?
• Establish Security Operations
  – Prevent, Detect, Remediate, Investigate
  – Policy, Training/Awareness
• Integrate Security into Processes
  – Security consideration early in project cycle
    • Standard processes – proposal, decision, review
    • Security Profile as software service attribute (portfolio)
  – Periodic review of standard operational practice
    • Manage changes, evolution

Top to Bottom – How
• Define an Agenda
  – Path to improvement
    • Can’t “do everything now”
    • Focus on Total Value
  – Functional roadmap
    • Tactical – stuff for you
    • Structural – helping others
  – With the rest of the organization
    • Shouldn’t mandate what we can’t sustain
    • Expose, Support new work for others

Bottom-Up
• Acquire and use tools based on:
  – What your bosses want
  – What your peers do
  – What you believe you can achieve
    • Can’t live without
    • Can’t live with
    • Simplest to do at the time
  – Best of breed?
    • What they’ll sell you
    • What you can afford
    • What you can sustain
• Filling Time or Creating Value
  – Beware of diminishing returns (i.e. the deadly rathole)
  – “Must I be in this business? Can I ever get out?”