Security Architecture – How & Why (River Publishers Series in Security and Digital Forensics)

Cover
Half Title
Serie Page
Title Page
Copyright Page
Table of Contents
Preface
List of Figures
List of Tables
1: Why Security?
	1.1: Business Prevention
	1.2: Measuring and Prioritizing Business Risk
	1.3: Security as a Business Enabler
	1.4: Empowering the Customers
	1.5: Protecting Relationships
	1.6: To Summarize
2: Why Architecture
	2.1: Origins of Architecture
	2.2: Managing Complexity
	2.3: Information Systems Architecture
	2.4: Architectures
		2.4.1: Business Architecture
		2.4.2: Information Architecture
		2.4.3: Applications Architecture
		2.4.4: Infrastructure Architecture
		2.4.5: Risk Management Architecture
		2.4.6: Governance Architecture
	2.5: Enterprise Security Architecture
	2.6: Being a Successful Security Architect
	2.7: Security Architecture Needs a Holistic Approach
	2.8: What Does Architecture Mean?
3: Security Architecture Model
	3.1: The SABSAr Model
	3.2: The Business View
	3.3: The Architect’s View
	3.4: The Designer’s View
	3.5: The Builder’s View
	3.6: The Tradesman’s View
	3.7: The Facilities Manager’s View
	3.8: The Inspector’s View
	3.9: The Security Architecture Model
4: Contextual Security Architecture
	4.1: Business Needs for Information Security
	4.2: Security as a Business Enabler
		4.2.1: On-Demand Entertainment
		4.2.2: Value-Added Information Services
		4.2.3: Remote Process Control
		4.2.4: Supply Chain Management
		4.2.5: Research and Information Gathering
	4.3: Digital Business
		4.3.1: Online Banking
		4.3.2: B2B
		4.3.3: Online Government
	4.4: Continuity and Stability
		4.4.1: Revenue Generation
		4.4.2: Customer Service
		4.4.3: Reputation
		4.4.4: Management Control
		4.4.5: Operating Licenses
		4.4.6: Employee Confidence
		4.4.7: Shareholder Confidence
		4.4.8: Other Stakeholders
	4.5: Safety-Critical Dependencies
		4.5.1: Remote Communications to Safety-Critical Systems
		4.5.2: Systems Assurance
	4.6: Business Goals, Success Factors and Operational Risks
		4.6.1: Brand Protection
		4.6.2: Fraud Prevention
		4.6.3: Loss Prevention
		4.6.4: Business Continuity
		4.6.5: Legal Obligations
	4.7: Operational Risk Assessment
		4.7.1: Risk/Threat Assessment
		4.7.2: Threat Domains
		4.7.3: Threat Categories
		4.7.4: Risk Prioritization
	4.8: SABSA R Risk Assessment Method
		4.8.1: SABSA Risk Assessment Method: Step 1
		4.8.2: SABSA Risk Assessment Method: Step 2
		4.8.3: SABSA Risk Assessment Method: Step 3
		4.8.4: SABSA Risk Assessment Method: Step 4
		4.8.5: SABSA Risk Assessment Method: Step 5
	4.9: Business Processes and their Security
		4.9.1: Business Interactions
		4.9.2: Business Communications
		4.9.3: Business Transactions
	4.10: Organization and Relationships Impacting Business Security Needs
	4.11: Location Dependence
		4.11.1: The Global Village Marketplace
		4.11.2: Remote Working
	4.12: Time Dependency
		4.12.1: Time-Related Business Drivers
		4.12.2: Time-Based Security
	4.13: To Summarize: Contextual Security Architecture
5: Conceptual Security Architecture
	5.1: Conceptual Thinking
	5.2: Business Attributes Profile
	5.3: Control Objectives
	5.4: Security Strategies and Architectural Layering
		5.4.1: Multi-Layered Security
		5.4.2: Multi-Tiered Incident Handling
		5.4.3: Security Infrastructure Layered Architecture
		5.4.4 The Common Security Services API Architecture
		5.4.5: Application Security Services Architecture
		5.4.6: Placing of Security Services in the Architecture Layers
		5.4.7: Security Services in the Applications Layer
		5.4.8: Security Services in the Middleware Layer
			5.4.8.1: Explicit Security Services
			5.4.8.2: Implicit Security Services
		5.4.9: Data Management Security Services
		5.4.10: Security Services in the Network Layer
		5.4.11: Security Services for the Information Processing Layer
		5.4.12: Authentication, Authorization and Audit Strategy
		5.4.13: Security Service Management Strategy
		5.4.14: System Assurance Strategy
		5.4.15: Directory Services Strategy
		5.4.16: Directory Services Strategy: Management
		5.4.17: Directory Services Strategy: Objects
	5.5: Security Entity Model and Trust Framework
		5.5.1: Security Entities
		5.5.2: Security Entity Naming
		5.5.3: Security Entity Relationships
		5.5.4: Understanding and Modelling Trust
		5.5.5: Protecting Trust Relationships – Trust Brokers and PKI
		5.5.6: Trust Broker Models that Work
		5.5.7: Extended Trust Models for PKI
		5.5.8: Levels of Trust
	5.6: Security Domain Model
		5.6.1: Security Domains
		5.6.2: Inter-Domain Relationships
		5.6.3: Trust in Domains
		5.6.4: Secure Interaction Between Domains
		5.6.5: Security Associations
		5.6.6: Logical Domains
		5.6.7: Physical Domains
		5.6.8: Multi-Domain Environments
		5.6.9: Applying the Security Domain Concept
	5.7: VPN Concept
		5.7.1: Firewall Concept
	5.8: Security Lifetimes and Deadlines
		5.8.1: Registration Lifetimes
		5.8.2: Certification Lifetimes
		5.8.3: Cryptographic Key Lifetimes
		5.8.4: Policy Lifetimes
		5.8.5: Rule Lifetimes
		5.8.6: Password Lifetimes
		5.8.7: Stored Data Lifetimes
		5.8.8: Data Secrecy Lifetimes
		5.8.9: User Session Lifetimes
		5.8.10: System Session Lifetimes
		5.8.11: Response Time-Out
		5.8.12: Context-Based Access Control
	5.9: To Summarize: Conceptual Security Architecture
6: Logical Security Architecture
	6.1: Business Information Model
		6.1.1: Information Architecture
		6.1.2: Static and Dynamic Information
	6.2: Security Policies
		6.2.1: Security Policy: A Theoretical View
		6.2.2: Security Policy Architecture
	6.3: Security Services
		6.3.1: Common Security Services and Their Descriptions
	6.4: Security Service Integration
		6.4.1: Unique Naming
		6.4.2: Registration
		6.4.3: Public Key Certification
		6.4.4: Credentials Certification
		6.4.5: Directory Service
		6.4.6: Directory Service Information Model
		6.4.7: Directory Service Naming Model
		6.4.8: Directory Service Security Model
		6.4.9: Authorization Services
		6.4.10: Entity Authentication
		6.4.11: User Authentication
		6.4.12: Communications Security Services
		6.4.13: Message Origin Authentication
		6.4.14: Message Integrity Protection
		6.4.15: Message Replay Protection
		6.4.16: Non-Repudiation
		6.4.17: Traffic Confidentiality
	6.5: Application and System Security Services
		6.5.1: Authorization
		6.5.2: Access Control
		6.5.3: Audit Trails
		6.5.4: Stored Data Integrity Protection
		6.5.5: Stored Data Confidentiality
		6.5.6: System Configuration Protection
		6.5.7: Data Replication and Backup
		6.5.8: Trusted Time
	6.6: Security Management Services
		6.6.1: Security Measurement and Metrics
		6.6.2: Intrusion Detection
		6.6.3: Incident Response
		6.6.4: User Support
		6.6.5: Disaster Recovery
	6.7: Entity Schema and Privilege Profiles
		6.7.1: Entity Schemas
		6.7.2: Role Association
		6.7.3: Authorization, Privilege Profiles and Credentials
		6.7.4: Certificates and Tickets
	6.8: Security Domain Definitions and Associations
		6.8.1: Network Domains
		6.8.2: Middleware Domains
		6.8.3: Application Domains
		6.8.4: Security Service Management Domains
		6.8.5: Policy Interactions Between Domains
	6.9: Security Processing Cycle
	6.10: To Summarize: Logical Security Architecture
7: Physical Security Architecture
	7.1: Business Data Model
		7.1.1: File and Directory Access Control
		7.1.2: File Encryption
		7.1.3: Database Security
		7.1.4: Security Mechanisms in SQL Databases
		7.1.5: Distributed Databases
	7.2: Security Rules, Practices and Procedures
		7.2.1: Security Rules
		7.2.2: Security Practices and Procedures
	7.3: Security Mechanisms
		7.3.1: Mapping Security Mechanisms to Security Services
		7.3.2: Cryptographic Mechanisms and Their Uses
		7.3.3: Encryption Mechanisms
		7.3.4: Data Integrity Mechanisms
		7.3.5: Public Key Certificates
		7.3.6: Digital Signature Mechanisms
		7.3.7: Cryptographic Key Management Mechanisms
		7.3.8: Cryptographic Services Physical Architecture
		7.3.9: Other Cryptographic Mechanisms
	7.4: User and Application Security
	7.5: Platform and Network Infrastructure Security
		7.5.1: Resilience
		7.5.2: Performance and Capacity Planning
		7.5.3: Platform Security
		7.5.4: Hardware Security
	7.6: To Summarize: Physical Security Architecture
8: Component Security Architecture
	8.1: Detailed Data Structures
		8.1.1: Inter-Operability
		8.1.2: ASN.1
		8.1.3: Extensible Markup Language (XML)
		8.1.4: Relationship between ASN.1 and XML
		8.1.5: Standard Security Data Structures
	8.2: Security Standards
		8.2.1: International Organization for Standards (ISO)
		8.2.2: International Electrotechnical Commission (IEC)
		8.2.3: Internet Engineering Task Force (IETF)
		8.2.4: American National Standards Institute (ANSI)
		8.2.5: International Telecommunication Union (ITU)
		8.2.6: Institute of Electrical and Electronics Engineers (IEEE)
		8.2.7: Information Systems Audit and Control Association (ISACA)
		8.2.8: Object Management Group (OMG)
		8.2.9: The World Wide Web Consortium (W3C)
	8.3: Security Products and Tools
	8.4: Identities, Functions, Actions and ACLs
		8.4.1: Web Services
		8.4.2: XML Schema
		8.4.3: Simple Object Access Protocol (SOAP)
		8.4.4: Web Services Security and Trust
		8.4.5: XML Encryption
		8.4.6: XML Signature
		8.4.7: SOAP Extensions: Digital Signature
		8.4.8: Security Assertion Markup Language (SAML)
		8.4.9: XML Benefits
		8.4.10: XML Security Architecture Issues
	8.5: Processes, Nodes, Addresses and Protocols
		8.5.1: Protocol Stack
		8.5.2: Hypertext Transfer Protocol (HTTP/S)
		8.5.3: TLS
		8.5.4: IPsec
		8.5.5: DNSSEC
	8.6: Security Step-Timing and Sequencing
	8.7: To Summarize: Component Security Architecture
9: Security Policy Management
	9.1: The Meaning of Security Policy
		9.1.1: A Cultural View
		9.1.2: Structuring the Content of a Security Policy
		9.1.3: Policy Hierarchy and Architecture
		9.1.4: Corporate Security Policy
		9.1.5: Policy Principles
		9.1.6: More About the Least-Privilege Principle
		9.1.7: Information Classification
		9.1.8: System Classification
		9.1.9: CA and RA Security Policies
	9.2: Application System Security Policies
	9.3: Platform Security Policies
	9.4: Network Security Policies
	9.5: Other Infrastructure Security Policies
	9.6: Security Organization and Responsibilities
	9.7: Security Culture Development
	9.8: Outsourcing Strategy and Policy Management
	9.9: To Summarize
10: Security Architecture – Cisco & Microsoft
	10.1: Use Case
	10.2: SABSA
	10.3: Contextual
	10.4: Conceptual
	10.5: Logical
	10.6: Physical
	10.7: Component
		10.7.1: Cisco
		10.7.2: Azure
	10.8: Final Thoughts
Index
About the Author