On the road to a better security blueprint

Threat management involves identifying information technology system vulnerabilities and prescribing security measures to address them, so it would seem to be an ideal fit with enterprise architecture (EA).

After all, the purpose of EA is to design an organization’s business processes to better meet its mission and strategic goals, and a big part of that is identifying IT systems to help support and improve those business processes. The two disciplines are intrinsically linked: Without effective IT security, technology is more of a hindrance to efficient agency operations than a help.

It would also appear that there are sufficient policy directives for pairing EA and threat management. For example, the Office of Management and Budget requires federal agencies to include security as part of the EA progress reports they have to file each year.

And the Federal Information Security Management Act (FISMA), the principal driver for agency IT security efforts, requires a risk-management approach, which could flow naturally from an EA’s identification of critical data, IT systems and business processes.

However, experts say that despite the huge potential benefits of linking them, threat management and EA design rarely come together in practice. The reasons for this disconnect vary, though the obstacles blocking a closer link are hardly insurmountable, they say.

For example, tying FISMA more explicitly to an EA would give agencies a way to manage their IT security consistently over the long term that would better match their evolving business needs, said Chris Parker, chief executive officer of 4Front Security.

Instead, “FISMA is driven solely by the [current] need to secure IT,” Parker said. “Its requirements are open to interpretation, and they are not tied to agency business processes.” A separate hurdle is getting all the stakeholders working together. It is already difficult encouraging business managers and IT staff to hammer out an EA together. Involving IT security experts, who often work separately from the mainline IT staff, is yet another challenge.

“Many of the EA frameworks outside of the [military] world don’t discuss security at any practical level,” said Jan Popkin, chief strategist at Telelogic and a longtime player in the government EA arena. “But for it to be effective, you need a common ontology so that everyone understands what security means in [an EA] context.”

EA traditionally has been the province of the business side of the organization, and security has been added on after the IT architecture has been determined, he said. The goal should be for earlier and better collaboration among the business, general IT employees and IT security staffs.

Leaving security considerations out of the early stages of EA development can lead to costly mistakes, said Michael Farber, a vice president of Booz Allen Hamilton. If security people are not involved, then threat mitigation is not likely to be a central factor in the crafting of the EA. That raises the risk of making investments in what could ultimately be the wrong IT architecture for the business mission, he said.

“I’ve seen instances where funds were paid out and people thought they had met the security requirements but then had to go back and redo the whole thing because they hadn’t thought things through at the beginning,” Farber said.

Nipping problems in the bud
Rolling risk assessment into EA development from the start can yield major payoffs, both in the short term through immediate risk reduction and in the long term as agency missions and supporting IT systems evolve, said Roy Isbell, vice president of global government consulting services for the security vendor Symantec.

In developing the EA, officials could identify the threat profiles of all the business assets the EA describes. Then they could use a standard such as FISMA to select the proper security controls, Isbell said.

“Agencies would have to implement those controls and maintain them,” he said. “But they would also have an iterative process that provides a feedback loop for the risk assessment process.”

Such an approach probably would have identified the potential for problems like the recent one at the Department of Veterans Affairs, which lost control of information when a laptop computer that an employee had taken home was stolen, said Mark Perry, vice president of global security transformation services at Symantec.

The biggest challenge in using threat analysis to devise an appropriate enterprise protection program lies in assessing the value of the data, business processes and IT systems that need safeguarding, said Tim Braithwaite, a faculty member at the Federal Enterprise Architecture Certification (FEAC) Institute.

Knowing the value of those assets is particularly important in convincing agency executives to spend money on security, he said. However, scant efforts have been made to demonstrate the value IT contributes to improving business processes. IT security spending is in an even worse position, typically viewed grudgingly as a way to plug only the most obvious holes.

“The value of what IT does for the world is not understood,” Braithwaite said. “It’s never been truly analyzed, and the tools have not been provided to involve executives and other managers in the discussion.”

Braithwaite has devised a method for assessing value and risk called the Security Knowledge Framework, a derivative of the well-known Zachman Framework used in EA.

Braithwaite’s framework applies a positive worth to the various elements of an operation and calculates the penalty involved in not having what’s needed to support particular business activities.

There’s value to the business in having quality and timely data whose integrity is assured, for example. On the other hand, an operation will be negatively affected by not having data that can be trusted or is compromised in some way. Those calculations are tied directly to the security of the IT systems the organization uses.

Yet most organizations do not conduct this kind of exercise, leaving their efforts at IT security stuck in a reactive rather than a proactive mode.

If any part of the government will soon be using threat management and EA to ensure security it is the military. With the Defense Department’s focus on network-centric warfare and the Global Information Grid, security is a necessity to ensure the flow of information to warfighters.

That makes security an equal partner from the outset, said Jim Granger, technical director at the Navy Cyber Defense Operations Command.

However, cooperation among the players doesn’t always happen naturally, even in the Navy, he said. Those who favor security and those who favor easier access to systems are continually at odds. Granger hopes that as people are made more aware of security needs through mandated information assurance training, they will be more receptive to incorporating security and risk mitigation into all IT processes.

He also thinks it will become easier to standardize security-related processes because of the growing availability of enterprise-level security tools.

“Most definitely, I do believe that security and threat management will become standard components of EA in the future,” he said.

Think security early and oftenIndustry best practices dictate that you model your threats and responses at various layers of the enterprise architecture, said Michael Farber, a vice president at Booz Allen Hamilton.

As you apply risk mitigation based on that information, you will identify gaps in threat responses, he said.

If organizations don’t approach threat mitigation this way, they risk drafting enterprise architecture schematics or writing procurement requirements that don’t adequately account for security needs, he said.

— Brian Robinson

Plan of actionIt takes a fair amount of coordination to improve an agency’s information technology security posture by linking threat management with enterprise architecture (EA) planning. Specifically:

  • Definitions of terms used to describe vulnerabilities and threat mitigation are critical. That means that people in all areas of the operation — from mission managers to IT staff — must be involved in developing terms. Most security people will be in operational roles and won’t be involved in setting enterprise systems requirements, but they will need to be involved in defining risk-management terms.

  • The Achilles’ heel of any IT infrastructure is that no one person will know how all systems work and a process will have to be developed to integrate the expertise of people who may not be used to speaking with each other about these issues.

  • Many people may seem to be paying attention to threat management, but it’s likely they are focused narrowly on meeting requirements mandated by the Federal Information Security Management Act. It will take an active awareness campaign to switch their focus to EA.

  • It will generally be easier to teach IT people about the business aspects of EA than to teach business people about IT technicalities, so agencies should target their education efforts accordingly.

— Brian Robinson
X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.