Wednesday, September 18, 2013

Defense in Depth within the Enterprise

A technical and solution architecture perspective on implementing Defense in Depth within the enterprise and large organizations.

I'm preparing a slide deck for my upcoming lightning talk on Defense in Depth within the Enterprise. The theme of the talk is what to expect when introducing a defense in depth approach into existing enterprise environments, and how to respond to the issues that will arise from many different stakeholders. My reference points for this talk are two primary enterprise-level clients and a collection of smaller internet-facing projects. As a solution or technical architect, my perspective is mostly toward protecting personal information and designing the solution to reduce the opportunity for an information security breach.

http://technet.microsoft.com/en-us/library/cc512681.aspx
The AGENDA:
My talk is limited to 20 minutes, so I need to cover a lot of ground fairly quickly. Being succinct is my strategy for completeness.
  1. Description of Defense in Depth
    A brief description of the Defense in Depth security strategy. This is mostly to confirm understanding, set the shared vocabulary, and define the terms.
  2. Defense in Depth within the Enterprise
    Provide a holistic view of Defense in Depth within the enterprise environment, while also providing examples of implemented solution architectures. A technical and solution architect perspective will be used in this review. The talk focuses more on the how-to than on the strategic.
  3. Issues toward implementation
    A plethora of issues can arise when implementing defense in depth in the enterprise environment. These are not only technical and security related, but also operational and administrative, or related to governance and compliance.
  4. Getting to finished
    Given the plethora of issues and their related stakeholders (sometimes tasked with conflicting missions), it is still possible to find agreement on the architectural decisions required to deploy a defense in depth approach. During this talk I will discuss approaches to reaching agreement, and provide a few project examples of how we got to finished when resolving different issues.
If you are interested in attending this talk, feel free to join us at our St. John's BSides event on October 18th.

Monday, September 16, 2013

Shepherding multi-stakeholder architectural decisions

What fun. I recently moved with my family from an island off the west coast of Canada to as far east as you can get in North America: St. John's, Newfoundland. One of the benefits of this is that I can become more involved in the technology community. My previous island life made it prohibitive to participate in social and technology events in the city. Now that I can participate, I will.

St. John's has a number of technology conferences (or events) in the fall, and one of these is aligned with the BSides security conference. I decided to participate by proposing a lightning talk, and fortunately my talk was selected... what fun. The title and abstract of my talk are as follows, and will allow me to discuss my experience with shepherding multi-stakeholder architectural decisions to agreement.

Title: Defence in Depth: Approaches and Importance of Enterprise Architecture Security Decisions
Abstract: In this lightning talk we will explore one approach to getting multi-stakeholder agreement on Enterprise Architecture decisions focused on a defence in depth security model. Corporate enterprise technology environments can be large and complicated, and when it comes to making changes to the internet-facing security environment, both rigour and resistance to change increase. These increased challenges can be overcome with good project / process management, solid end-to-end architecture, and a comprehensive decision-making template. In a nutshell, this talk explores the enterprise architecture decision.

Defence in depth is an age-old practice.

Fortunately, over the last 15 years many of the projects I have worked on were internet facing and had security and privacy requirements baked into the project. The bigger the project, the more technical stakeholders were involved in designing, building and deploying the solution(s). Utilizing all these technical people can make for a stronger, more comprehensive and well-engineered solution. Coming to agreement across all the stakeholders can be difficult, for they sometimes have tasks and responsibilities that run counter to one another. With good process and a strong engineering mindset it is possible to find the common ground and build a solution where all stakeholders' technical constraints can be met. This talk explores this process in the context of altering an existing network infrastructure and its related governance groups to deepen defence in depth approaches to enterprise security.