
Reference Architecture Version 1.1
Guiding Principles

- Define protections that enable trust in the cloud.
- Develop cross-platform capabilities and patterns for proprietary and open-source providers.
- Facilitate trusted and efficient access, administration and resiliency for the customer/consumer.
- Provide direction to secure information that is protected by regulations.
- The architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
- Centralize security policy, maintenance operation and oversight functions.
- Access to information must be secure yet still easy to obtain.
- Delegate or federate access control where appropriate.
- Must be easy to adopt and consume, supporting the design of security patterns.
- The architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
- The architecture must address and support multiple levels of protection, including network, operating system, and application security needs.

[Figure: capability map of the reference architecture. The labels below are the ones recoverable from the poster, grouped under the domain and sub-domain headings the poster shows.]

Business Operation Support Services (BOSS)
- Compliance: Intellectual Property Protection; Audit Planning; Independent Audits; Third-Party Audits; Internal Audits; Information System Regulatory Mapping; Contact/Authority Maintenance
- Data Governance: Data Ownership / Stewardship; Data Classification; Handling / Labeling / Security Policy; Secure Disposal of Data; Clear Desk Policy; Rules for Information Leakage Prevention; Data Retention Rules
- Operational Risk Management: Risk Management Framework; Key Risk Indicators; Independent Risk Management; Operational Risk Committee; Crisis Management; Business Continuity (Planning, Testing); Business Impact Analysis; Segregation of Duties
- Human Resources Security: Employee Code of Conduct; Background Screening; Employment Agreements; Job Descriptions; Roles and Responsibilities; Employee Awareness; Employee Termination
- Security Monitoring Services: SIEM Platform; Event Correlation; Cloud Monitoring; E-Mail Journaling; Market Threat Intelligence; Counter Threat Management; Database Monitoring; Application Monitoring; Honey Pot; End-Point Monitoring; SOC Portal; Managed Security Services; Anti-Phishing; Forensic Tools; Knowledge Base; Branding Protection; event sources (Data, Session, Authorization, Authentication, Application, Network, Computer, Media, Configuration, Privilege Usage, Software Usage events); User Behavior & Profile Patterns; Real-time internetwork defense (SCAP); Transformation Services (Metadata) Rules; Knowledge Database; Privilege Repositories
- Legal Services: Contracts; E-Discovery; Incident Response Legal Preparation
- Internal Investigations: Forensic Analysis; e-Mail Journaling

Information Technology Operation & Support (ITOS)
- Service Delivery Management: Service Level Management (Internal SLAs, External SLAs, OLAs); Information Technology Resiliency (Availability Management, Capacity Planning, Resiliency Analysis); Service Delivery Reporting Services; Service Costing; Budgeting; Investment Budgeting; Charge Back; Service Catalog; Dashboard; Contracts
- Resource Management: PMO; Program / Portfolio Management; Project Management; Strategy Roadmap; Strategy Alignment
- Service Support: Incident Management (Self-Service Ticketing, Automated Event Classification, Security Incident Response, Cross Cloud Security Incident Response, Orphan Incident Management); Problem Management (Root Cause Analysis, Trend Analysis, Problem Resolution); Knowledge Management (Best practices, Trend Analysis, Job Aids, FAQ); Change Management (Planned Changes, Emergency Changes, Project Changes, Operational Changes, Approval Board, Scheduling, Service Review); Release Management (Testing, Version Control, Build Control, Source Code Management); Configuration Management (CMDB, Physical Inventory, Automated Asset Discovery, Asset Management); Provisioning Workflow; Recovery Plans; Incident Response Plans; DR & BC Services

Presentation Services
- Presentation Modality: Speech Recognition (IVR); Handwriting (ICR); B2E; B2M; B2B; B2C; Social; Collaboration; Media; Search; E-Mail; P2P
- Presentation Platform: Consumer Service Platform; Enterprise Service Platform
- End-Points: Mobile Devices; Mobile Device Management; Company owned; Third-Party Public Kiosk; Desktops; Portable Devices; Fixed Devices; Medical Devices; Smart Appliances; e-Readers

Application Services
- Security Knowledge Lifecycle: Attack Patterns; Code Samples; Security Design Patterns; Application Policy Definition
- Programming Interfaces: Input Validation; Security Framework - ACEGI
- Integration Middleware: Security Middleware; WS-Security
- Connectivity & Delivery: SaaS, PaaS, IaaS; Service Delivery
- Development Process: Software Quality Assurance; Code Review; Application Vulnerability Scanning; Stress and Volume Testing; Self-Service
- Abstraction

Information Services
- User Directory Services: Active Directory; LDAP; X.500; DBMS Directory; Registry; Location Services; Federated Directory; Meta Directory
- Security Monitoring Data Management: Databases; Servers; Network; Application; Infrastructure; DB; HR Data; Metadata
- Reporting Services / Knowledge Management: Data Mining; Reporting Tools; Business Intelligence
- Risk Management: Risk Taxonomy; Risk Assessments; Business Assessment; Technical Assessment; VRA; TVM; GRC; RA; BIA
- Service Delivery; Secure Messaging; Secure Collaboration; Inventory Control

Infrastructure Services
- Facility Security: Security Patrols; Physical Authentication; Barriers; Electronic Surveillance; Controlled Physical Access; Asset Handling; Environmental Risk Management (Equipment Location, Power Redundancy, Equipment Maintenance)
- Servers: Secure Build Image; Patch Management; Compliance Monitoring
- Network Services: Authoritative Time Source; Network Segmentation; IPv4; IPv6
- Virtual Infrastructure: Desktop "Client" Virtualization (Local, Remote, Session-Based (VDI)); Application Virtualization (Virtual Workspaces, Client Application Streaming, Server Application Streaming); Server Virtualization (Virtual Machines (Hosted Based), Full Virtualization, Paravirtualization, Hardware-Assisted Virtualization, Container); Storage Virtualization (Block-Based, File-Based, Host-Based, VM-Based, Network-Based, Device-Based, Switched, LUN, LDM, LVM, Appliance, Storage Availability, Space); Network Virtualization (VLAN, VNIC, Network Address Virtualization); Database Virtualization (Transitory, Fixed); Mobile Device Virtualization; Memory Virtualization; Smartcard Virtualization; TPM; Virtual OS
- Internal Infrastructure: Knowledge Management (Best practices, Trend Analysis, Job Aids, FAQ); Benchmarking; Service Discovery

Security and Risk Management
- Governance Risk & Compliance: Compliance Management; Vendor Management; Audit Management; IT Risk Management (Risk Portfolio Management, Risk Dashboard, Residual Risk Management); Policy Management (Exceptions, Self Assessment); Technical Awareness and Training; IT Governance; Architecture Standards and Guidelines; Capability Mapping; DRP
- Policies and Standards: Information Security Policies; Technical Security Standards; Data/Asset Classification; Best Practices & Regulatory correlation; Operational Security Baselines; Job Aid Guidelines; Role Based Awareness
- Privilege Management Infrastructure: Identity Management (Domain Unique Identifier, Federated IDM, Identity Provisioning, Attribute Provisioning); Authentication Services (SAML Token, Risk Based Auth, Multifactor, OTP, Smart Card, Biometrics, Password Management, Single Sign On, Identity Verification, Out of the Box (OTB) AuthN); Authorization Services (Policy Enforcement, XACML, Keystroke/Session Logging, Password Vaulting, Role Management, Privilege Usage Gateway, Privilege Usage Management, Out of the Box (OTB) AuthZ)
- Threat and Vulnerability Management: Compliance Testing; Vulnerability Management; Penetration Testing; Threat Management; Source Code Scanning
- Infrastructure Protection Services: Server (Anti-Virus, Anti-Spam, Anti-Malware; HIPS / HIDS; Host Firewall; White Listing; Hardware Based Trusted Assets; Lockdown); End-Point (Anti-Virus; HIPS / HIDS; Host Firewall; Content Filtering; White Listing; Media Lockdown; Inventory Control; Forensic Tools); Network (Firewall; NIPS / NIDS; Wireless Protection; Link Layer Network Security; DPI; Content Filtering; Black Listing); Application (XML Appliance; Application Firewall; Real Time Filtering; Secure Messaging; Secure Collaboration)
- Data Protection: Data Lifecycle Management (Data Masking, Data Tagging, Data Obscuring, Data Seeding, De-Identification, Meta Data Control, eSignature, Life cycle management (Unstructured data)); Data Leakage Prevention (Data in Transit, Data in Use, Data at Rest; Network, End-Point and Server DLP; Data Discovery); Intellectual Property Protection (Digital Rights Management); Cryptographic Services (Key Management, PKI, Signature Services, Data-in-use Encryption (Memory), Data-in-Transit Encryption, Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile), Synchronous Keys, Asynchronous Keys)

Frameworks referenced: SABSA (Business); ITIL v3; TOGAF; Jericho.

Chief Architect: Jairo Orea


Lead Architects: Marlin Pholman, Yaron Levi, Dan Logan.
Team: David Sherr, Richard Austin, Vern Williams, Anish Mohammed, Harel Hadass, Phil Cox, Yale Li, Price Oden, Tuhin Kumar, Rajiv Mishra, Ravila White, Scott Matsumoto, Rob Wilson, Charlton Barreto, Ryan Bagnulo, Subra Kumaraswamy.
Date: 07/20/2011
Revision: 12th Review