What an ESA will provide is the following:
- a vision of how network segregation will be implemented in alignment with the enterprise architecture
- a guide to where new network devices and applications should be located in the actual network based on their function/risk/required connectivity
- a source of high level application security requirements for new application development projects
- a point of reference for security policy and standards related to network security, access control, etc.
Ways in which you would use the ESA, or the concepts in it, every day include the following:
- analysing and reviewing firewall rule change requests (perhaps in conjunction with the firewall management standard, process and procedure)
- analysing requests for business partner connections and suggesting where they should be connected
- responding to security incidents by using it to provide simplified situation reports
- using it as a reference in post security incident analysis (e.g. we had a problem because the web application lacked the input validation the ESA calls for, which led to an SQL injection vulnerability that was exploited by automated malware)
- communicating security policy to employees (e.g. you can't run a web server from here, it needs to go there)
- determining placement of security infrastructure like IDS sensors, identity management servers etc.
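As an added illustration (not code from the original post), the following encodes a hypothetical ESA segregation model so that firewall rule change requests, device placement questions and business partner connection requests can be checked against it. Every zone, port and function below is a constructed assumption, not taken from any real ESA.

```python
from dataclasses import dataclass

# Permitted zone-to-zone flows as a hypothetical ESA might define them:
# (source zone, destination zone) -> permitted destination TCP ports (all constructed).
ALLOWED_FLOWS = {
    ("internet", "dmz"): {443},
    ("partner", "dmz"): {443},
    ("dmz", "app"): {8443},
    ("internal", "app"): {8443},
    ("app", "data"): {5432},
}
ZONES = {zone for pair in ALLOWED_FLOWS for zone in pair}
# Where the ESA places each function (the "web servers go in the DMZ" rule).
FUNCTION_ZONE = {"web server": "dmz", "application server": "app", "database": "data"}

@dataclass(frozen=True)
class RuleRequest:
    src_zone: str
    dst_zone: str
    port: int

def review_rule(req: RuleRequest) -> tuple[bool, str]:
    """Check a firewall rule-change request against the ESA flow model."""
    for zone in (req.src_zone, req.dst_zone):
        if zone not in ZONES:
            return False, f"unknown zone '{zone}': not defined in the ESA"
    permitted = ALLOWED_FLOWS.get((req.src_zone, req.dst_zone))
    if permitted is None:
        return False, f"ESA permits no flow from {req.src_zone} to {req.dst_zone}"
    if req.port not in permitted:
        return False, f"port {req.port} is not in the permitted set {sorted(permitted)}"
    return True, "consistent with the ESA flow model"

def review_placement(function: str, proposed_zone: str) -> tuple[bool, str]:
    """Answer 'can this device live here?' and say where it belongs if not."""
    required = FUNCTION_ZONE.get(function)
    if required is None:
        return False, f"ESA defines no zone for '{function}'; needs architecture review"
    if proposed_zone == required:
        return True, f"{function} belongs in {required}"
    return False, f"{function} cannot be placed in {proposed_zone}; ESA places it in {required}"

def partner_entry_points() -> dict[str, set[int]]:
    """Zones (and ports) where a business partner connection may terminate."""
    return {dst: ports for (src, dst), ports in ALLOWED_FLOWS.items() if src == "partner"}

if __name__ == "__main__":
    print(review_rule(RuleRequest("internet", "data", 5432)))  # rejected: no such flow
    print(review_placement("web server", "internal"))           # rejected: belongs in dmz
    print(partner_entry_points())                               # {'dmz': {443}}
```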
An ESA that meets these objectives and provides this functionality is essential to the efficient operation of many information security processes. So much so that I was driven to write a template I'm calling SHIRO to help me in updating the ESAs that I need to work with in my engagements to provide the above functionality.
If you have any positive thoughts about ESA, I'm always willing to hear them in the comments section below.
2 comments:
Good post, Matthew.
I've found that there are two other benefits of an ESA:
1. Willingness (or otherwise) of an organisation to commit to an ESA is one indication of how serious they are about security (qualifier: the ESA is necessary but not sufficient proof).
2. Taking an organisation through the journey of discovery in filling in the details for an ESA is enlightening for all concerned.
Dave Shaw
I'm reading the 'Enterprise Security Architecture' book by John Sherwood, Andrew Clark and David Lynas atm. If this is something you're working on, then this is mandatory reading if you haven't done so. I think his book will resonate quite strongly with you as well.