Monthly Archives: July 2013

Enterprise Security – A Data Centric Approach

16 Tuesday Jul 2013

Posted by in Books, mindmap, Packt, Technology

6 Comments

Tags

, ,

Enterprise Data SecurityAs I work my way through the Aaron Woody book Enterprise Security: A Data Centric Approach to Securing the Enterprise I’ve been building a mind map of helpful notes -to help serve as a reminder or means to quickly drill back into the book for future reference.

The mind map has been build using freemind – it isn’t the prettiest of documents, but content is king here.

Freemind Mindmap as an image https://www.dropbox.com/s/u1ggk7exi6t0t3o/Enterprise%20Data%20Security.png  as a Freemind file https://www.dropbox.com/s/lf53fs63c4x1v91/Enterprise%20Data%20Security.mm freem,ind can be obtained from freemind.sourceforge.net/

Enterprise Security: A Data-Centric Approach to Securing the Enterprise – book review chapter 2

14 Sunday Jul 2013

Posted by in Book Reviews, Books, Packt, Technology

6 Comments

Tags

, , ,

Enterprise Security - A Data Centric Approach to Securing the Enterprise

Enterprise Security – A Data Centric Approach to Securing the Enterprise

Continuing with the review of Enterprise Security: A Data Centric Approach to Securing the Enterprise by Aaron Woody having given a bit of history and motivation for an alternate approach Chapter 2 of the book starts describing the data centric approach.

We start out looking at why network boundaries need to revisited – as a result of BYOD, closer integration with business partners, collapsed/simplified software stacks etc.  Then go into defining in more details the data centric views and how t go about building a trust model for identifying what needs to be secured. A trust model looks at the different dimensions that can impact data:

  • Data (what actually are we protecting – is the data your commercial crown jewels such as a customer list, classifying the data to understand its characteristics, where is it located and so on)
  • Processes – what can be done to data
  • Applications – systems interacting with data
  • Users – differentiated from roles – their relationship to the data employees, contractors, third parties etc
  • Roles – the roles people have to perform, system admins, data stewards etc
  • Risk – as you can never guarantee everything, what are the consequences of a breach
  • Policy & Standards – legal requirements e.g. HIPAA, PCI DSS, DPA plus internal corporate policies

With the guidance to help gather the information you can start to build a profile of your data and the need (or not) for security with challenges and risks that need be addressed to achieve this within an organisation.  All of which has to take into account of ‘data at rest’ (i.e. in databases, flat files etc) and ‘in motion’ transfers such as email, HTTP, FTP, SQLNet and so on.

The book then begins to talk about architectures that can reflect the considerations and needs of your data.

In terms of the writing, chapter is pretty direct and to the point which is great as long as you have some basic appreciation of security needs.  It would have been good to enrich the information with some examples (although the Appendix does illustrate a bit further). The ideal would have been to have a use case running through the book (perhaps at the end of each chapter applying some of the ideas to a fictitious scenario).

Useful Links

Enterprise Security: A Data-Centric Approach to Securing the Enterprise – book review

02 Tuesday Jul 2013

Posted by in Book Reviews, Books, Packt, Technology

Leave a comment

Tags

, , , , ,

I have started to review another book, this time Enterprise Security: A Data-Centric Approach to Securing the Enterprise by Aaron Woody. Based on the interest that my review of Getting Started with Oracle Event Processing 11g I thought I’d follow a similar approach of reviewing one or two chapters at a time, although because of other constraints possibly not as quickly as last time.

As an enterprise architect, and having worked within some more sensitive environments which means security typically has a lock the world down, particularly at the perimeter. But with an increasingly less practical as we become ever more connected. Not to mention the tighter the old approaches are applied, the more the business will by pass IT (e.g. Go acquire SaaS solutions without IT support), the net result being a home goal in undermining the very thing you’re trying to achieve. So the killer question is, can the book show another way that works matching the challenges ranging from SaaS (software as a service) to BYOD (bring your own device – i.e. connecting your own smart phone to systems and work with them on the move etc) against the backdrop of increasing data legislation and commercial fallout (customer loss etc) as a result of security breaches becoming public knowledge.

Chapter 1 is very much a good scene setter, providing some of the background as to how security approaches have evolved over the last 30 or so years. It sets out some clear perspectives on the challenges of applying security such as

  • making cases for investment
  • Applying security as an overlay on a solution rather than being an integral part of a design and the impacts this can cause
  • The challenges of stakeholders involved
  • The mentality of just locking the perimeter (when statistics regularly show that increasing data leakages are a result of accident or malicious actions by those inside the organisation

The book also challenges the mentality of security is the network, which a grave mistake as security impacts processes and roles just as much as it does the software and physical infrastructures.

This sets up for the journey for defining an alternate approach starting with defining the boundaries that should be considered.