{"id":142,"date":"2022-10-23T11:02:48","date_gmt":"2022-10-23T11:02:48","guid":{"rendered":"https:\/\/sites.psu.edu\/jaredmcuevas\/?p=142"},"modified":"2022-10-23T11:02:48","modified_gmt":"2022-10-23T11:02:48","slug":"post-5-2-it-security-concepts-definitions","status":"publish","type":"post","link":"https:\/\/jaredmcuevas.com\/?p=142","title":{"rendered":"Post 5.2 \u2013 IT Security Concepts &#038; Definitions."},"content":{"rendered":"<p><strong>Summary<\/strong>.\u00a0 This week\u2019s second post will review key definitions for IT security, examine some best practices, and lastly we\u2019ll briefly look at some risks to supply chains based on <em>digital disruption<\/em>.<\/p>\n<p><strong>Key Take-Aways<\/strong>.\u00a0 I want to add two primary observations to the mainly factual information summarized below.\u00a0 First, security architecture seems like it\u2019s often an afterthought and siloed to a separate \u2018department\u2019 in many organizations.\u00a0 In many situations, the design team first designs the optimal business solution \u2013 optimizing functionality or minimizing cost \u2013 and security concerns are addressed secondarily or almost as an &#8220;add-on&#8221;. Of course, in high-security industries, this isn\u2019t the case, but I argue it\u2019s best to integrate security expertise into the earliest parts of the design <em>and<\/em> implementation process.\u00a0 This is because nearly every vendor system contains some level of personal or proprietary information about the business or consumers, and building in security as an afterthought is sub-optimal. 
\u00a0The second \u2013 our supply chains are vulnerable to disruptions, and we should plan for the worst instead of hoping for the best.\u00a0 This includes hardening the business\u2019s enterprise architecture against the vulnerabilities we\u2019ve listed in Section 4.<\/p>\n<p><strong>(1) Definitions.\u00a0 <\/strong><em>Security Governance, Security Management, &amp; Security Operations<\/em>.<\/p>\n<p>It\u2019s important to differentiate between these three terms when building, managing, and maintaining the enterprise\u2019s security infrastructure.\u00a0 Governance applies enterprise-wide and generally begins with the executive level, setting guidelines, business rules, and IT regulations for all other parts of the enterprise.\u00a0 Generally, this is policy set at the highest level of the organization and governance offices usually reside with or report directly to headquarters.\u00a0 Security management is concerned primarily with resourcing (funding, personnel, etc.) to ensure security programs are properly resourced.\u00a0 Security management also reviews execution of the program at a more broad level \u2013 \u201cmetrics\u201d and can direct adjustments to operations to optimize performance.\u00a0 Security operations is where policy and management are executed \u2013 these can include building, maintaining, and running security platforms (McMillian and Scholtz, 2013) and firewall configuration, among others.\u00a0 Security operations are tactical implementation of security concepts.<\/p>\n<p><u>Source<\/u>: \u201c<em>Security Governance, Management, and Operations Are Not the Same<\/em>\u201d, McMillian and Scholtz, Gartner, January 2013.<\/p>\n<p><strong>(2)\u00a0 Review.\u00a0 <\/strong><em>Security Architecture<\/em>.<\/p>\n<p>IT\/enterprise architecture is generally divided into conceptual layers, and while models sometimes divide the layers differently or add sub-divisions, most models follow the same basic premise.\u00a0 The enterprise architecture 
is divided conceptually into layers \u2013 technology, applications, data\/information, business, and some models add strategy as a final layer.\u00a0 Each layer can and should maintain its own architecture.\u00a0 So where does security architecture fit?\u00a0 According to McMillian and Scholtz, \u201cthe notion of \u2018security architecture\u2019 permeates all of the abstraction layers and many, if not all, of their components, applying a security focus in each case.\u201d\u00a0 In other words, security is part of each layer of the enterprise architecture.\u00a0 As engineers and other designers are composing the architecture, security experts should be present at every stage (planning, implementation, maintenance) to ensure security architecture and governance principles are incorporated.<\/p>\n<p><u>Source<\/u>. \u00a0&#8220;<em>Definition: Security Architecture<\/em>&#8220;, McMillian and Scholtz, Gartner, 25 April 2018.<\/p>\n<p><strong>(3) Security Best Practices<\/strong>.\u00a0 <em>Recommendations for Improved Security<\/em>.<\/p>\n<p>In their article <em>Top Trends in Cybersecurity 2022<\/em>, Firstbrook, Olyaei, et al. recommend moving beyond traditional views of security as a \u201ccastle-keep\u201d and using several more interactive ways to probe, understand, and improve security architecture.\u00a0 The enterprise should examine its vulnerabilities with the help of several processes:<\/p>\n<p>(a) Conduct \u2018enterprise attack surface gap analysis\u2019 which can determine gaps in the enterprise security system\u2019s ability to detect and defend against external threats.<\/p>\n<p>(b) Employ technologies known as \u2018attack surface management\u2019 (ASM) to better understand the internal and external connections and dependencies for IT and security.\u00a0 These technologies can also assist in modeling improvements and mitigating or eliminating gaps in the defense.<\/p>\n<p>(c) Use simulations to determine gaps and vulnerabilities. 
Run realistic simulations employing a \u201cred team\u201d tasked with identifying vulnerabilities.<\/p>\n<p>(d) Internally and amongst the IT staff, run drills \u2013 \u2018response plans\u2019 \u2013 to keep the team aware of policies and practice actions in the case of cyber security breaches or loss of service.<\/p>\n<p><strong>(4) Digital Supply Chain Risk<\/strong>. \u00a0<em>Analysis by Katell Thielemann<\/em>.<\/p>\n<p>The last several years have been extremely disruptive to supply chains globally.\u00a0 An additional risk (add another one to the list of COVID, climate change effects, and armed conflicts) to highly interdependent global supply chains is <em>digital disruption<\/em>.\u00a0 Digital supply chain risks generally fall into four main categories according to Thielemann at Gartner:<\/p>\n<p>(a) Disruption can be caused by the <strong>loss or disclosure of private information<\/strong> (customer data), <strong>business information<\/strong> (for example, schematics for a manufacturing product), <strong>and\/or classified information<\/strong> (government sector).\u00a0 If secured information is breached, it can cause huge setbacks in production, loss of competitive advantage, or lawsuits and loss of money.<\/p>\n<p>(b) The <strong>physical and digital infrastructure<\/strong> of the enterprise network is vulnerable to cyber attack (among other factors such as energy loss, natural disasters, etc.).\u00a0 If targeted cyber attacks disrupt a network for a prolonged period of time, the cascading effects can affect the entire supply chain.<\/p>\n<p>(c) \u201cAttacks through common <strong>commercial and open-source software<\/strong> used in business and IT operations\u201d. 
\u00a0When I think of common commercial software, I think of large corporations such as Adobe, Oracle, and Microsoft.\u00a0 It is a natural responsibility of these software providers to maintain security as part of their product offering, but it\u2019s also critical that enterprise architects and other IT professionals who <em>integrate<\/em> third-party software are not creating vulnerabilities via that integration.<\/p>\n<p>(d) Most of us think of attacks against the enterprise network or its secured information.\u00a0 However, our fourth category of risk is \u201cthe exploitation of security flaws in the <strong>digital products sold to customers\u201d<\/strong>.\u00a0 If a digital business sells or otherwise provides a piece of software to consumers which has a critical security flaw \u2013 and doesn\u2019t catch and patch the software \u2013 the effects could be both legal and monetary.\u00a0 The effects of such a mistake could affect every vendor in the supply chain depending on how interconnected their software is.<\/p>\n<p><u>Source<\/u>.\u00a0 &#8220;<em>Top Trends in Cybersecurity 2022<\/em>&#8220;, Firstbrook, Olyaei, et al., Gartner, 18 February 2022.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary.\u00a0 This week\u2019s second post will review key definitions for IT security, examine some best practices, and lastly we\u2019ll briefly look at some risks to supply chains based on digital disruption. 
Key Take-Aways.\u00a0 I want to add two primary observations to the mainly factual information summarized below.\u00a0 First, security architecture seems like it\u2019s often an afterthought [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-142","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=\/wp\/v2\/posts\/142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=142"}],"version-history":[{"count":0,"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=\/wp\/v2\/posts\/142\/revisions"}],"wp:attachment":[{"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jaredmcuevas.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}