Main Page

From The Secure Arc Wiki

(Difference between revisions)
Jump to: navigation, search
m (Made a minor modification to the plurality of our clients)
(Updated the front page to better summarise what we're all about)
Line 1: Line 1:
-
[[Image:ZoneModel.png|400px|right]]
+
[[Image:RiskMatrix-350px.png|right]]Very few organisations have the resources to achieve absolute security and when customers are involved there is typically more to be gained from usability with some margin for risk anyway.
-
Secure Arc offer Security Architecture [[Consulting_Services|consulting services]] primarily in the Identity Management (IDM) and J2EE space for large enterprises. These services span the entire software development life-cycle, including [[The_Secure_Arc_Methodology|methodology,]] infrastructure and software design, deployment guidance and software development.
+
-
All stages can involve some form of [[Information_Asset_Classification|Information Asset Classification,]] [[Threat_Model|Threat Modeling]] and [[Architectural_Decisions|Risk Assessment.]]
+
Security Architecture is all about weighing up the cost to secure vs the potential cost of a breach.
-
With our repeatable and adaptable [[Secure_Arc_Reference_Architecture|Security Reference Architecture]] we can provide day 1 guidance to ensure the overall solution architecture is developed in a secure manner and the threats facing a given system are clearly identified and mitigated where practical. Our [[Logical_Security_Zone_Pattern|Trust Model]] has been adopted as the enterprise wide network security architecture for the entire organisation at some of our clients.
+
The key is to identify what you need to protect, where it needs protecting, how much is at stake if it’s compromised and consequently how much you should spend on securing it to reduce the risk.
-
This [[Secure_Arc_Reference_Architecture|Security Reference Architecture]] is derived from the same ISO standards that have been adopted and built on across a number of large regional and international corporations.
+
The processes required to thoroughly achieve this are exhaustive, time consuming and to a large extent require specialist assessment and input.
 +
 
 +
The Secure Arc [[Secure_Arc_Reference_Architecture|Security Reference Architecture]], while thorough, is built on a very simple model for laying out an enterprise architecture.
 +
 
 +
The underlying principle simply requires the architect to “pick a box” for a node and then assess and abide by the rules associated with that decision. Where the rules can’t be adhered to, the associated threats should be identified and assessed.
 +
 
 +
[[Image:ZoneModel-350.png|left]]The [[Logical_Security_Zone_Pattern|Logical Zone Model]] represents the server and network segmentation created in a typical enterprise architecture. The basic rules define what a node is allowed to communicate with, which can be summarised as “other nodes within the same or adjacent Zones.”
 +
 
 +
With this model adopted, it is relatively simple to identify where [[Information_Asset_Classification|Information Assets]] are transferred to and from and where they are stored. If it’s sensitive information, it should be stored in the right-most trusted Zone and the rest of the architecture should be designed to support that. If it must pass through the Staff Intranet (the Internally Uncontrolled Zone) it should be thoroughly protected from the associated [[Threat_Model|risks]] associated with such an exposure.
 +
 
 +
This model can be used to identify existing threats in your current architecture as well as provide guidance for new solutions. Both old and new solutions can co-exist and associated threats will be clearly visible and assessable.

Revision as of 09:56, 25 September 2008

Very few organisations have the resources to achieve absolute security and when customers are involved there is typically more to be gained from usability with some margin for risk anyway.

Security Architecture is all about weighing up the cost to secure vs the potential cost of a breach.

The key is to identify what you need to protect, where it needs protecting, how much is at stake if it’s compromised and consequently how much you should spend on securing it to reduce the risk.

The processes required to thoroughly achieve this are exhaustive, time consuming and to a large extent require specialist assessment and input.

The Secure Arc Security Reference Architecture, while thorough, is built on a very simple model for laying out an enterprise architecture.

The underlying principle simply requires the architect to “pick a box” for a node and then assess and abide by the rules associated with that decision. Where the rules can’t be adhered to, the associated threats should be identified and assessed.

The Logical Zone Model represents the server and network segmentation created in a typical enterprise architecture. The basic rules define what a node is allowed to communicate with, which can be summarised as “other nodes within the same or adjacent Zones.”

With this model adopted, it is relatively simple to identify where Information Assets are transferred to and from and where they are stored. If it’s sensitive information, it should be stored in the right-most trusted Zone and the rest of the architecture should be designed to support that. If it must pass through the Staff Intranet (the Internally Uncontrolled Zone) it should be thoroughly protected from the associated risks associated with such an exposure.

This model can be used to identify existing threats in your current architecture as well as provide guidance for new solutions. Both old and new solutions can co-exist and associated threats will be clearly visible and assessable.

Personal tools