Enterprise Architecture Requirements
At the enterprise level, security requirements are generally going to devolve to the security infrastructure that will support the enterprise architecture. That is, the conceptual “security services” box in the enterprise conceptual diagram will have to be broken out into the various services that together form an enterprise security infrastructure.
Because we have moved infrastructure security architecture outside the boundaries of our scope and focus, there are no specific requirements given beyond the examples outlined in this chapter. Certainly, each of the following architectures that has some relationship to a larger organization will necessarily consume portions of a security infrastructure. Therefore, we assume for the relevant subsequent assessment examples that a security infrastructure is in place and that it includes at least the following:
- Firewalls that restrict network access between network segments, ingress, and perhaps, egress from the enterprise architecture
- An ability to divide and segment sub-networks into trusted and untrusted areas that define levels of access restriction
- An administrative network that is separated and protected from all other networks and access to which is granted through an approval process
- A security operations center (SOC) that monitors and reacts to security incidents
- An intrusion detection system (IDS) whose feeds and alerts are directed to the SOC to be analyzed and, if necessary, reacted to
- The ability to gather and monitor logs and system events from most if not all systems within the enterprise architecture
- An audit trail of most if not all administrative activities that is protected from compromise by administrators
- An enterprise authentication system
- Some form of enterprise authorization
The foregoing list, while not exhaustive, will provide touch points into the enterprise security architecture for the example analyses in Part II.