Thursday, November 6, 2014

Enterprise Architecture Practice - Capabilities

Enterprise Architecture (EA) function now have an unprecedented chance to lead the way in identifying new business opportunities, thanks to the innovations in the web and mobile technologies and businesses realizing the business advantages of such advancements. EA serves a strategic business purpose by enabling business capabilities to be implemented via IT architecture and related IT delivery processes.

Though Enterprise Architecture is not a very new practice, the maturity level is still not the optimal in most enterprises. Seeing the benefits that the EA function can bring to the table,  many enterprises are attempting to setup the EA practice within, but are in fact struggling to get it right. EA not just science and not just art as well. It is a combination of art and science. Successful EA practice has been found to being able to demonstrate certain key capabilities. In the EA world, there is no such thing as 'one size fits all', as it is highly dependent on the enterprises' business, its objectives, goals, strategies and priorities, which is never the same across enterprises.

While the objective of this blog is to discuss about the key capabilities that the EA function should be able to demonstrate, it is also good to highlight out what EA is not.

What EA is not:
  • EA is NOT a project
  • EA is NOT about review 
  • EA is NOT a one-time activity
  • EA is NOT for IT
  • EA is NOT a strategy
  • EA is NOT all about cost-reduction
  • EA is NOT one-man show

A successful EA practice should consider practicing and demonstrating the following key capabilities:

Staying Relevant

As we all know, it is highly unlikely that an architectural solution that works well for one enterprise will work well for another in the same industry domain. This is because each enterprise has its own vision and mission to win over the competition and constantly wish to stand alone in the crowd in certain key areas. Staying relevant helps the EA function in aligning strategic and operational views of business with the underlying technology and service delivery processes. For this reason, the EA practice should strive to understand the vision, mission and strategies of the enterprise and continue to stay aligned to the same, so that the architectural solutions continue to stay relevant for the enterprise.

Technology & Architecture Vision

No doubt that modern enterprise largely depend on technology and in certain cases, the business in fact is driven by technology. Irrespective of whether technology drives the business or not, technology is a key enabler of the business. So, it becomes essential to have a technology vision, which is aligned to the business vision. It is needless to mention that having a vision will not be just enough, and the same shall be driven down to the operational processes and practices. Every architecture and governance process should derive the technology vision as envisaged and so the solutions continue to stay relevant and yield the intended results. The technology vision and strategy shall be such that leverages both new tech innovations and existing capabilities that will enable the business to achieve the target state. 

The goal of the architecture vision is to articulate how the proposed architecture will enable the business goals, respond to the strategic drivers, conform to the principles, and addresses the stakeholder concerns and objectives.

Transforming and automating operations

While leveraging the existing knowledge and resources is key in saving costs, it is important for the EA function to stay on top of the technology and business innovations and explore opportunities of leveraging the same so that the enterprise stays on course of achieving its target mission and vision. This is where the EA teams should consider leveraging Agile approaches, so that the target reference architecture also stays dynamic and relevant. The EA framework shall have an evolution cycle, so as to improve the framework itself and similarly the architecture solutions should also be continually evolved based on feedback and availability of enabling technologies and innovations.

It is needless to mention here that the EA function shall equally consider the 'Business As Usual' as any transformational initiative should not derail the enterprise from achieving its intended mission and vision.

Being the Change Leader

EA is all about bringing change for the good. i.e. EA programs is all about driving the enterprise from its current state to the target reference state, which is nothing but identifying and driving changes to various resources at various levels, so that the target state is achieved. This is yet another key capability that come down to the old adage of building “better, faster, cheaper” systems that provide agility to change or expand capabilities, in response to ever-changing business requirements. EA function leads the planning for these new system and technology capabilities, ensuring the best solutions to the business requirements by providing blueprints and implementation road maps to the design and delivery teams. They also provide a service to the other organizational functions by ensuring compliance of these solutions at critical design and delivery milestones.

Mitigating risk

As the emphasis shifts from cleaning up the legacy of systems and technologies to better planning and governance of new IS and IT initiatives, we see a corresponding shift in the role of the EA practice. The focus shifts from driving out costs to reducing risks associated with new programs, while ensuring timely delivery of new capabilities. 

Every architectural initiatives shall be subject to a risk review and decisions shall be made based on the business value expected out of it. The changing business and regulatory conditions might also impact the solutions and at times could end up the enterprises not being able to realize the intended value out of it. This where the "Fail Fast" approach would help in making the right decisions. Periodic reviews of the change or transformational projects should be conducted with a view to ascertain whether the intended value is not impacted with the current conditions. Thus being able to manage and mitigate the risks well is a key capability that the EA practice should demonstrate.

Overseeing investments

It is natural for enterprises to look for Return on Investments (RoI), as the capital has a cost. The EA practice shall consider the cost of capital and the investment requirements for various change initiatives and work with the related other functions to ensure that the benefits are quantified so as to ensure the investments yield desired returns. In cases where the benefits are not directly quantifiable, the EA team shall identify such indirect benefits derived out of such investments and shall ascertain the monetary value in a best possible manner. 

Governing the architecture

As said earlier, EA function is not a project and it is a continuous function. EA function shall put in place necessary framework to monitor and manage the architectural activities in a constant basis. Business architects in the EA function monitor the project portfolio, while IT architects govern technology solutions, leveraging reference architectures to build the future state in alignment with strategic road maps. The governance principles shall be applied to various architecture activities with an objective to ensure the strategy alignment, risk management, measuring & monitoring, optimal resource utilization.

Integrating people, processes, and technology
Considering the innovation around the areas of web, mobile, big data powered by social media, modern enterprises are looking forward to leverage these to derive maximum business value. In this direction, to stay competitive and relevant to the customer business, most successful organizations are rapidly moving towards the system of engagement architecture supported by digital collaboration platforms and social strategies devised by EA where EA would create an effective social governance model and an overall enterprise strategy. It necessitates a pervasive social layer that spans many different system of records and departments within an organization. Discussion would also enlighten more focus on expanding social footprint by delivering consistent digital experience and utilizing social content and online communities to increase collaboration with customers and other stakeholders.

Monday, November 3, 2014

Information Security - Cost Analysis

Reports indicate that the Information Security is now a Board Agenda and the security spending by enterprises is on the rise. This is more because of the raise in the data breaches worldwide and the increased hacking and cyber attacks. This impacting all enterprises, be it small, medium or large and across various segments, i.e. not only financial but also all domains. The increased exposure and financial damages associated with security risks have pushed enterprises to increase the budget allocations and mitigate if not avoid such risks.

The following recent predictions of Gartner influence the Information Security spending among enterprises:

  • By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud.
  • Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014.
  • By year-end 2015, about 30% of infrastructure protection products will be purchased as part of a suite offering.
  • By 2018, more than half of organizations will use security services firms that specialize in data protection, security risk management and security infrastructure management to enhance their security postures.
  • Mobile security will be a higher priority for consumers from 2017 onward.

In the best interests of the investors, any spending or investment should be backed up with an appropriate cost-benefit analysis. Applying this cost-benefit-justifications to Information Security function is gaining focus but remains a challenge. Quantification forms the basis for being able to perform the cost-benefit analysis. The advantages of quanti fication are its accuracy, objectivity, and comparability. In addition, quanti cation is the basis for calculations and statistical analyses. While costing is a comparatively easier aspect, quantifying the benefits is still a challenge as it depends on the occurrence of uncertain events.

Starting with the idea of a Return on Security Investment (ROSI) several concepts have been developed to support the decision for or against an information measure. On way to do this is to apply the concept of Net Present Value (NPV). NPV-Formula for information security investments could be as below:

The following are the four aspects of Information Security costs:

  • Information Security Management - This is about the costs associated with the Information Security function, which comprises of People, Process and Technology. Though quantifying this aspect of the cost is straightforward, measuring the benefits is not.
  • Incidental costs of Information Security related decisions - As we all know, Information Security is a cross functional task and every personnel and process in the organization need to contribute towards Information Security. As such, implementation of any security control will cause additional overhead in other departments or functions. For instance, regulating the fair use of the Internet will require some extent of involvement from the HR function in the form of policies, code of conduct, ethics etc. Quantifying of both costs and benefits is not as easy.
  • Cost of capital for Security investments - Like any investment, capital invested in security function has a cost and quantifying this element of cost is not at all a challenge.
  • Costs arising out of security incidents - This is more like a Risk Management and all the principles of measuring the risks apply here as well. The risk measure for security incidents can be measured as a product of the probability and the impact. However quantifying this in absolute value requires the identification of the impacted information and / or related resource and the value of such resource. Many people have opined that information is the currency of the organization, but it has a dynamic value, i.e. the value of information depends not only on its significance to the organization but also its significance to others.

A common way of categorising and structuring costs in a repeatable and comparable way is required to manage the associated challenges. Building on that basis it becomes possible to identify cost-drivers and to analyse di fferent security management approaches like the following:

  • Balance Sheet Oriented Approach - where the costs are categorized and quantified under personnel, hardware, software and services. This approach does not take into consideration of the cross functional aspect of the security function.
  • Life Cycle Oriented Approach - where the costs are categorized and quantified against the various life cycle phases of the security function. Typically, the life cycle of the security function would be in the lines of Plan - Do - Check - Assess, in which case the costs are quantified with respect to each of the life cycle phases. This approach takes the project management approach and can be useful for quantifying the incremental cost of a specific security initiative, but this approach will not be useful for assessing the costs for the security management function as a whole.
  • Process Oriented Approach - where the costs are categorized into direct and indirect costs at process level. Direct costs could comprise of People and Technology and the Indirect costs could comprise of cost allocated by various functions towards a specific process, the quantified costs of risk avoidance and risk mitigation. This approach can be customized further to suit the varying needs of the enterprise.
  • Control Oriented Approach - where costs are categorized with respect to individual security control, which can be added up to ascertain the cost for a security area. However this approach has challenges abound in putting a standard approach and framework for ascertaining the costs at control level. The costs that every control comprise of are that of a share in the fixed organizational overhead, in addition to the variable costs of people, technology and the processes.
  • Layer Oriented Approach - where information security costs are categorized against the different layers of the ISMS layers, namely Management System, People & Processes, Architecture & Concepts, Operational Measures and Pre-requisites.

While quantifying the benefits is not very easy, by applying the Quantitative Risk Analysis techniques, the cost of not implementing a specific security process or control can be ascertained, which can be considered as the benefit of implementing the control or process. Another technique that can be useful to categorize and visualize the cost-benefits is the modeling and simulation.

Sunday, September 28, 2014

Information Security Controls Relating to Personnel

Information Security in an organization largely focusses on the Confidentiality, Integrity and Availability of data, information and related resources. While the risk of threats are increasing, study says that the threat is more from the inside than from the outside. This has mandated the need for framing polices, procedures and controls around the employees of the organization, so that such risks arising from within can be mitigated or managed well.

Whilst personnel security controls cannot provide guarantees, they are sensible precautions that provide for the identity of individuals to be properly established. In circumstances where risk assessments indicate that the necessary thresholds are met, they provide for checks to be made of official and other data sources that can indicate whether individuals may be susceptible to influence or pressure which might cause them to abuse their position or whether there are any other reasons why individuals should not have access to sensitive assets.

Personnel security aims to:
  • reduce the risk of loss, damage or compromise of Australian Government resources by providing assurance about the suitability of personnel authorised to access those resources
  • create an environment where those accessing Australian Government resources are aware of the responsibilities that come with that access and abide with their obligations under the PSPF
  • minimise potential for misuse of Australian Government resources through inadvertent or deliberate unauthorised disclosure
  • support a culture of protective security.

Controls designed around the following aspects would certainly help an organization to achieve the said purpose:

Information security awareness and training

Organizations must have a program to provide information security awareness and training for personnel on an on-going basis, focusing on information security policies including topics such as responsibilities, consequences of non–compliance, and potential security risks and counter–measures. It is human nature to lose or forget training content over time. Providing ongoing information security awareness and training helps keep personnel aware of issues and their responsibilities.

Information security awareness and training programs are designed to help personnel to: become familiar with their roles and responsibilities; understand and support security requirements; and learn how to fulfil their security responsibilities. Methods that can be used to continually promote awareness include logon banners, system access forms and departmental bulletins or memoranda.

Specific controls may be designed around the following aspects of information security awareness training:
  • Accessibility of the Information Security Policies and Procedures
  • Number and type of such programs to be offerred to personnel
  • Degree and content of information security awareness and training, which may be based on the roles of employees and on the target systems to which they have access to.
  • A scoring system for employees designed to establish the level of awareness by employees. A gamified approach would work better here.
  • Establishing responsibility and accountability for security of the information assets.
  • Review and feedback system for content and process improvement

Authorisations and Security Clearances

Depending on the roles and responsibilities, the employees gain access to various systems, data and information. It is important that only appropriately authorised, cleared and briefed personnel are allowed access to various such systems. For the purpose the systems, data and other information resources shall be identified and classified based on the sensititivity. Similarly, a mapping of various roles that would have different types of access on such resources is also created. This mapping will typically be based on the "need to know". Exceptions are also documented and are handled with additional clearances or approvals.

Employees seeking access to a system need to have a genuine business requirement to access the system as verified by their manager. Once a requirement to access a system is established, giving personnel only the privileges that they need to undertake their duties is imperative. Providing all personnel with privileged access when there is no requirement for privileged access can be a significant threat to a system. Any temporary access to information resources shall be time bound and the same shall be subject to close observation. Similarly, during emergency situations, privilege escalation may be required to carry out certain critical tasks. Such authorizations shall be documented and appropriate additional authorization shall be mandated.

Specific controls may be designed around the following aspects:
  • Existence of a process for ascertaining employee's background and trust worthiness
  • Documented inventory of information assets with appropriate security and sensitivity classification
  • Documented roles and responsibilities of personnel
  • Establishing the identity of the employees or contractors as the case may be
  • Mapping of roles with the information assets
  • Authorization for process for grant of privileges
  • Change management process for privilege escalation or downgrade
  • Maintenance of Access logs with necessary details
  • Periodic review and audit of authorizations and access logs

Internet Usage

Use of internet is a major source of security breaches as it may facilitate external threats in the form of malware, virus. etc. There shall be a fair use policy with respoect to Internet, which shall set out the Do's and Don'ts for the employees. Employees should be made aware on how to report any suspicious contact and what suspicious contact is, especially contact from external sources using Internet services. Organizations should implement measures to monitor their personnel’s compliance with their internet usage policies.

Employees need to take special care not to accidentally post sensitive or classified information on public websites, especially in forums, blogs and social networking sites. Employees holding any key position may attribute an appropriate disclaimer that such posts carry his personal views and do not bind the organization.

The following specific controls may help in implementing the policies and procedures around this aspect:
  • Existence of a Fair Use Policy
  • Collection of logs and data for monitoring violations to such policies
  • Initiation of disciplinary action against policy violations
  • Enforce appropriate system security and privacy policies for internet usage
  • Monitor the use of unspecified or unauthorized websites or applications that access internet.0

Saturday, September 13, 2014

Principles of Information Governance

With the evolution of tools and technologies around big data, the variety and volume of customer information collected has increased many fold. This also requires the responsible use of such information by the organization. Many countries have promulgated legislations to regulate the use and protection of such information in every organization.

The set of multi-disciplinary structures, policies, processes and controls that are used to manage the customer information and thereby supporting the current and future reglatory, legal and operational requirements make up the Information Governance framework of the organization. Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. It is interesting to note that big data innovators recognize the importance of governance to the success of their projects.

The Principles identify the critical hallmarks of information governance and provide both a standard of conduct for governing information and metrics by which to judge that conduct. In doing so, they give assurance to the public and society at large that organizations of every kind are meeting their responsibilities with respect to the governance of information.

Transmational organizations looking forward to demonstrate the highest level of maturity in the Information Governance design their Governance framework based on the following key principles:


Accountability to is key for the success of any program and on the same lines, for the Information Governance, to be successfull shall have an accountable senior leader, who shall oversee the governance practices and should require regular reporting for monitoring purposes. The organization should adopt policies and procedures to guide its workforce and agents and ensure its program can be audited and continually improved to support the organization’s goals.

An information governance program should at the minimum:
  • Establish an information governance structure for program development and implementation
  • Designate a qualified accountable person to develop and implement the program
  • Document and approve policies and procedures to guide its implementation
  • Remediate identified issues
  • Enable auditing as a means of demonstrating the organization is meeting its obligations to both internal and external parties

A high maturity organization would demonstrate the following:
  • The organization’s senior management and its governing board place great emphasis on the importance of information governance. 
  • The records manager directs the records management program and reports to an individual in the senior level of management. 
  • The chief information governance officer and the records manager are essential members of the organization’s governing body. 
  • The organization’s initial goals related to accountability have been met, and it has an established process to ensure its goals for accountability are routinely reviewed and revised. 


An organization’s processes and activities relating to information governance shall be documented in an open and verifiable manner. Documentation shall be available to the organization’s workforce and other appropriate interested parties within any legal or regulatory limitations, and consistent with the organization’s business needs. Transparency of the organization’s governance practices must extend to definitions of appropriate information uses and the processes for ensuring compliance with policies on appropriate information use.

An information governance program includes its information management and information control policies and procedures. To ensure the confidence of interested parties, records documenting the information governance program must themselves adhere to the fundamentals of information management.

At the highest maturity level, an organization should practice and demonstrate the following:
  • The organization’s senior management considers transparency as a key component of information governance. 
  • The software tools that are in place assist in transparency. 
  • Requestors, courts, and other legitimately interested parties are consistently satisfied with the transparency of the processes and the organization’s responses. 
  • The organization’s initial goals related to transparency have been met, and it has an established process to ensure its goals for transparency are routinely reviewed and revised. 


An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability. Integrity of information, which is expected by patients, consumers, stakeholders, and other interested parties such as investors and regulatory agencies, is directly related to the organization’s ability to prove that information is authentic, timely, accurate, and complete. For the healthcare industry, these dimensions of integrity are essential to ensuring trust in information.

For safety, quality of care, and compliance with applicable voluntary, regulatory and legal requirements, integrity of information should include at least the following considerations:
  • Adherence to the organization’s policies and procedures
  • Appropriate workforce training on information management and governance
  • Reliability of information
  • Admissibility of records for litigation purposes
  • Acceptable audit trails
  • Reliability of systems that control information
Transformational organizations, which are at the highest maturity level should demonstrate the following abilities:
  • There is a formal, defined process for introducing new record-generating systems, capturing their metadata, and meeting other authenticity requirements, including chain of custody. 
  • Integrity controls of records and information are reliably and systematically audited. 
  • The organization’s initial goals related to integrity have been met, and it has an established process to ensure its goals for integrity are routinely reviewed and revised. 

An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.

Information protection takes multiple forms. First, each system must enable management of security access controls. Only members of the workforce and other authorized parties with the appropriate levels of access or security clearance may access information relevant to their roles or duties. Reliably protecting electronic and physical assets requires use of tools such as user authentication, key card access restrictions, and other relevant measures. This also requires that as the workforce and other authorized parties transition in status or job function, respective level of access is changed immediately to a level appropriate to the new role and duties.

The highly matured organizations would practice and demonstrate the following:
  • Executives and/or senior management and other governing bodies (e.g., board of directors) place great value in the protection of information. 
  • Audit information is regularly examined, and continuous improvement is undertaken. 
  • Inappropriate or inadvertent information disclosure or loss incidents are rare. 
  • The organization’s initial goals related to protection have been met, and it has an established process to ensure its goals for protection are routinely reviewed and revised. 


An information governance program shall be constructed to comply with applicable laws and other
binding authorities, as well as with the organization’s policies. Every organization should:
Know what information should be entered into its records to demonstrate its activities are being conducted in a lawful manner.
Enter that information into its records in a manner consistent with laws and regulations.
Maintain its information in the manner and for the time prescribed by law or organizational policy.
Develop internal controls to monitor adherence to rules, regulations, and program requirements, thus assessing and ensuring compliance.

The following capabilities when demonstrated will mark the highest maturity level:
  • The importance of compliance and the role of records and information in it are clearly recognized at the senior management and governing body levels.
  • Auditing and continuous improvement processes are well-established and monitored by senior management. 
  • The roles and processes for information management and discovery are integrated, and those processes are well-developed and effective. 
  • The organization suffers few or no adverse consequences based on information governance and compliance failures. 
  • The organization’s initial goals related to compliance have been met, and it has an established process to ensure its goals for compliance are routinely reviewed and revised. 

An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

A successful and responsible organization must have the ability to identify, locate, and retrieve the information required to support its ongoing activities. This information may be used by:
  • The healthcare team, patients, and other caregivers Authorized members of the workforce and others authorized consistent with regulations 
  • Legal and compliance authorities for discovery and regulatory review purposes
  • Internal and external reviewers for purposes including but not limited to: payer audit, financial audit, case management, and quality assurance.
High maturity organizations practice and demonstrate the following:
  • The senior management and governing body provide support to continually upgrade the processes that affect records and information availability. 
  • There is an organized training and continuous improvement program across the organization. 
  • There is a measurable return on investment to the organization as a result of records and information availability. 
  • The organization’s initial goals related to availability have been met, and it has an established process to ensure its goals for availability are routinely reviewed and revised. 

An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

As part of its retention program, an organization must develop an information retention schedule, which specifies what information must be retained and for what length of time. Retention decisions are based on the type of information, and the organization’s legal, regulatory, fiscal, operational, clinical, role/mission, and historical requirements. Information retention schedules should be reviewed periodically and revised regularly. Some internal changes in the organization such as mergers and acquisitions or lines of business changes, or types of records generated, as well as external events such as legal, regulatory, or fiscal changes, may require revisions.

High maturity organizations consider practising the following:
  • Retention is an important item at the senior management and governing body level.
  • Retention is looked at holistically and is applied to all information in an organization, not just to official records. 
  • Information is consistently retained for appropriate periods of time. 
  • The organization’s initial goals related to retention have been met, and it has an established process to ensure its goals for retention are routinely reviewed and revised. 

An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.

Disposition includes not only destruction, but also any permanent change in custodianship of the information, such as when it is transferred to another party due to a merger or acquisition of another hospital, clinic, or physician practice or when a organization discontinues a practice, service, or other business. In many cases, the appropriate disposition is the destruction of information, in which case the organization should ensure the information is transported and destroyed in a secure and environmentally responsible manner. The organization should document or certify that the information has been destroyed completely and irreversibly when required.

The processes of a high maturity organization should address the following:
  • The disposition process covers all records and information in all media. 
  • Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories. 
  • Disposition processes are consistently applied and effective. 
  • Processes for disposition are regularly evaluated and improved. 
  • The organization’s initial goals related to disposition have been met, and it has an established process to ensure its goals for disposition are routinely reviewed and revised.


Thursday, August 28, 2014

Architectural Security aspects of BGP/MPLS

The inherent benefits of the MPLS (Multi Protocol Label Switching), is gaining widespread use for providing IP VPN services. With the emerging trend of connected systems, a global enterprise today is well connected with their partners, with MPLS being the preferred choice. Border Gateway Routing Protocol (BGP) is used to interconnect such autonomous systems by exchanging the routing informaiton across such systems. The emergence of Multiprotocol Extension, and other variations of BGP Protocol, has furthered the choice of MPLS VPNs. On the same lines, the security concerns on using such a network is also on the rise. The specific demands of customers in terms of security is also emerging as they experience issues of data breaches and security incidents.

The objective of this blog is not to explain about the BGP / MPLS as such and instead let us examine how the BGP / MPLS addresses the typical security requirements in this blog. The following sections of this blog have been extracted from the RFC 4381 published by Internet Engineering Task Force (IETF) in 2006.

Address Space, Routing, and Traffic Separation

BGP/MPLS allows distinct IP VPNs to use the same address space, which can also be private address space. This is achieved by adding a 64-bit Route Distinguisher (RD) to each IPv4 route, making VPN-unique addresses also unique in the MPLS core. This "extended" address is also called a "VPN-IPv4 address". Thus, customers of a BGP/MPLS IP VPN service do not need to change their current addressing plan. The address space on the CE-PE link (including the peering PE address) is considered part of the VPN address space. Since address space can overlap between VPNs, the CE-PE link addresses can overlap between VPNs. For practical management considerations, SPs typically address CE-PE links from a global pool, maintaining uniqueness across the core.

On the data plane, traffic separation is achieved by the ingress PE pre-pending a VPN-specific label to the packets. The packets with the VPN labels are sent through the core to the egress PE, where the VPN label is used to select the egress VRF. Given the addressing, routing, and traffic separation across an BGP/ MPLS IP VPN core network, it can be assumed that this architecture offers in this respect the same security as a layer-2 VPN. It is not possible to intrude from a VPN or the core into another VPN unless this has been explicitly configured. If and when confidentiality is required, it can be achieved in BGP/ MPLS IP VPNs by overlaying encryption services over the network. However, encryption is not a standard service on BGP/MPLS IP VPNs.

Hiding of the BGP/MPLS IP VPN Core Infrastructure

Service providers and end-customers do not normally want their network topology revealed to the outside. This makes attacks more difficult to execute: If an attacker doesn't know the address of a victim, he can only guess the IP addresses to attack. Since most DoS attacks don't provide direct feedback to the attacker it would be difficult to attack the network. It has to be mentioned specifically that information hiding as such does not provide security. However, in the market this is a perceived requirement. 

With a known IP address, a potential attacker can launch a DoS attack more easily against that device. Therefore, the ideal is to not reveal any information about the internal network to the outside world. This applies to the customer network and the core. A number of additional security measures also have to be taken: most of all, extensive packet filtering. For security reasons, it is recommended for any core network to filter packets from the "outside" (Internet or connected VPNs) destined to the core infrastructure. This makes it very hard to attack the core, although some functionality such as pinging core routers will be lost. Traceroute across the core will still work, since it addresses a destination outside the core.

Being reachable from the Internet automatically exposes a customer network to additional security threats. Appropriate security mechanisms have to be deployed such as firewalls and intrusion detection systems. This is true for any Internet access, over MPLS or direct. A BGP/MPLS IP VPN network with no interconnections to the Internet has security equal to that of FR or ATM VPN networks. With an Internet access from the MPLS cloud, the service provider has to reveal at least one IP address (of the peering PE router) to the next provider, and thus to the outside world.

Resistance to Attacks

To attack an element of a BGP/MPLS IP VPN network, it is first necessary to know the address of the element. The addressing structure of the BGP/MPLS IP VPN core is hidden from the outside world. Thus, an attacker cannot know the IP address of any router in the core to attack. The attacker could guess addresses and send packets to these addresses. However, due to the address separation of MPLS each incoming packet will be treated as belonging to the address space of the customer. Thus, it is impossible to reach an internal router, even by guessing IP addresses.

In the case of a static route that points to an interface, the CE router doesn't need to know any IP addresses of the core network or even of the PE router. This has the disadvantage of needing a more extensive (static) configuration, but is the most secure option. In this case, it is also possible to configure packet filters on the PE interface to deny any packet to the PE interface. This protects the router and the whole core from attack. In all other cases, each CE router needs to know at least the router ID (RID, i.e., peer IP address) of the PE router in the core, and thus has a potential destination for an attack.

A potential attack could be to send an extensive number of routes, or to flood the PE router with routing updates. Both could lead to a DoS, however, not to unauthorised access. To reduce this risk, it is necessary to configure the routing protocol on the PE router to operate as securely as possible. This can be done in various ways: 

  • By accepting only routing protocol packets, and only from the CE router. The inbound ACL on each CE interface of the PE router should allow only routing protocol packets from the CE to the PE. 
  • By configuring MD5 authentication for routing protocols. This is available for BGP (RFC 2385 [6]), OSPF (RFC 2154 [4]), and RIP2 (RFC 2082 [3]), for example. 

This avoids packets being spoofed from other parts of the customer network than the CE router. It requires the service provider and customer to agree on a shared secret between all CE and PE routers. It is necessary to do this for all VPN customers. It is not sufficient to do this only for the customer with the highest security requirements.

It is theoretically possible to attack the routing protocol port to execute a DoS attack against the PE router. This in turn might have a negative impact on other VPNs on this PE router. For this reason, PE routers must be extremely well secured, especially on their interfaces to CE routers. ACLs must be configured to limit access only to the port(s) of the routing protocol, and only from the CE router.

Label Spoofing

Similar to IP spoofing attacks, where an attacker fakes the source IP address of a packet, it is also theoretically possible to spoof the label of an MPLS packet. For security reasons, a PE router should never accept a packet with a label from a CE router. RFC 3031 [9] specifies: "Therefore, when a labeled packet is received with an invalid incoming label, it MUST be discarded, UNLESS it is determined by some means that forwarding it unlabeled cannot cause any harm."

There remains the possibility to spoof the IP address of a packet being sent to the MPLS core. Since there is strict address separation within the PE router, and each VPN has its own VRF, this can only harm the VPN the spoofed packet originated from; that is, a VPN customer can attack only himself. MPLS doesn't add any security risk here. The Inter-AS and Carrier's Carrier cases are special cases, since on the interfaces between providers typically packets with labels are exchanged. See section 4 for an analysis of these architectures.

There are a number of precautionary measures outlined above that a service provider can use to tighten security of the core, but the security of the BGP/MPLS IP VPN architecture depends on the security of the service provider. If the service provider is not trusted, the only way to fully secure a VPN against attacks from the "inside" of the VPN service is to run IPsec on top, from the CE devices or beyond. This document discussed many aspects of BGP/MPLS IP VPN security. It has to be noted that the overall security of this architecture depends on all components and is determined by the security of the weakest part of the solution.

Sunday, August 24, 2014

Perspectives of Business Reference Model

We are all witnessing the steady progress of the Enterprise Architecture(EA) discipline and it is now well understood that the EA is not just about IT infrastructure and the Business Architecture(BA) forms an integral part of EA. Unlike in the past, when Business Architecture was used for the purpose of eliciting the requirements for the IT systems, BA is used to develop and describe the targe business model and work on a road map that will get the business towards the target. The Open Group, as part of its "World Class EA" series, has published a White Paper on the Buiness Reference with an objective of providing the need help to organizations in developing BA assets and plan for the future.

The Open Group has developed the Business Reference Model to facilitate description of a business model through the five perspectives. The following diagram provides an overview of the structure and content of the BRM:

Image Source: The Open Group's World Class EA: Business Reference Model white paper.

Environment Perspective:

The Environment perspective addresses the context within which an organization must operate. It describes the external factors, such as the competitors and customers for an organization, in addition to the pre-established strategy defined by the organization for market positioning. This perspective is intended to describe why an organization is motivated to undertake particular courses of action.

The goal of understanding the business environment is to provide a good contextual knowledge base that informs the creation of effective architectures in the Value Proposition, Operating Model, and Risk perspectives.

The business challenge is to gain and exploit insights into the market, competition, and customer base that allow the organization to position itself optimally (described through strategy).

Value Proposition Perspective:

The Value Proposition perspective describes the offering produced by the organization in terms of products, services, brand, and shareholder value. It creates a belief from the existing customer, prospective costumer, stakeholder, or other constituent groups within or outside the organization where the value will be experienced – usually in exchange for economic value or some form of compensation.

The goal of understanding the value proposition is that it defines the customer experience and sets shareholder expectations. The value proposition also provides a baseline set of needs that need to be fulfilled by the Operating Model perspective. 

The business challenge is to develop a value proposition that is able to attract a suitable customer base, fulfil the needs of the customer base effectively, and generate sufficient benefit to satisfy shareholder expectations. All this needs to be achieved in a way that is consistent with, and reinforces, brand image and brand values.

The Operating Model Perspective:

The Operating Model perspective describes the resources at the disposal of the organization that will be deployed to generate the value proposition. This perspective is intended to describe how an organization will be able to deliver on its value proposition. Capabilities are the core enablers to operate the business from the perspectives of people, process, technology, and information.

The goal of operating model design is to allow executives and planners to evaluate the business through a wide variety of lenses and viewpoints in order to identify desired and enhanced states of the organization.

The business challenge is to identify the correct alignment of resources that will deliver the necessary customer and shareholder experience. Typical trade-offs to evaluate when structuring capabilities include centralization versus federation, matrix organization structures versus vertical integration, core versus context analysis, and process alignment versus competency alignment. The results of these trade-offs will produce different levels of efficiency versus agility versus stakeholder experience across different areas of the business.

The Risk Perspective

The Risk perspective identifies the uncertainties that may surround an organization in its delivery of the value proposition. This perspective is intended to describe the threats that face an organization from within and without. Typically, organizations model their architecture around the known, repeatable aspects of business operations. However, within a complex and volatile environment, unforeseen circumstances frequently occur in ways that may be extremely damaging to the business.

The goal of risk analysis is to gain a full understanding of potential scenarios that may adversely impact the business and then to prepare appropriately to address those risks in the event that they occur.
The business challenge of risk modelling is to ensure that risks are adequately understood (it is a great challenge to test for completeness in an exercise of identifying unlikely or unforeseeable scenarios), the impact of risk is appropriately quantified (again, challenging to accurately determine when there is limited precedent), and the mitigation steps for risks are appropriate to the risk level (in many organizations, over-compensation for risk can be as damaging as under-compensation, as valuable business activities are curtailed due to risk concerns).

The Compliance Perspective

The Compliance perspective represents activities that the organization must carry out in order to assure that the value proposition is delivered using an acceptable standard of business practice. This perspective is intended to describe the constraints that prevent an organization from acting in negative, destructive, or inappropriate ways. In many cases, compliance can offer opportunities for organizations to differentiate, by being first to access new markets by being compliant with new legislation.

The Compliance perspective acts in a similar manner to the Environment perspective in that it influences across value proposition, operating model, and risk, constraining all activities of the business to be in compliance with standards of acceptability.

The goal of the compliance architecture is to adequately understand the compliance requirements that exist and to ensure that appropriate mechanisms are in place to ensure they are met.

The business challenge of compliance is to appropriately translate commercial, quality, ethical, legal, and regulatory constraints (which tend to be complex and open to interpretation) into a set of clear, unambiguous operational policies that can be followed consistently and at scale within a large organization. Interpretations that are too risk-seeking in nature will tend to generate compliance breaches, with associated financial and reputational penalties. Interpretations that are too risk-averse will tend to stifle business activities and reduce the ability of the business to change quickly to meet new environmental circumstances.

This blogs contains excerpts from the white paper "World Class EA: Business Reference Model" published by The Open Group and this white paper is available for download.

Sunday, July 20, 2014

A Checklist for Architecture & Design Review

Mostly the security requirements remain undocumented and is left to the choice or experience of the architects and developers thus leaving vulnerabilities in the application, which hackers exploit to launch an attack on the enterprise's digital assets. Security threats are on the rise and is now being considered as a Board Item as the impact of security breach is very high and could cause monetary and non monetary losses.

One of the key aspects of the IT Governance is to ensure that the investments made in software assets are optimal and there is a quantifiable return on such investments. This also means that such investment does not lead to risks that could lead to damages. Most of us are well aware that reviews play a key role in ensuring the quality of the software assets. As such, in this blog post, I have tried to come up with a checklist for reviewing the architecture and design of a software application.

While the choice of specific design best practice is interdependent on another, a careful tradeoff is necessary. For a detailed discussion on Trade off Analysis of Software Quality Attributes. Each of the checklist item listed here needs further elaboration and identification of specific practices, which will depend on the enterprise architecture and design principles of the organization.

Deployment Considerations

  • The design references the security policy of the organization and is in compliance of the same.
  • The application components are designed to comply with the various networking and other infrastructure related security restrictions like firewall rules, using appropriate secure protocols, etc.
  • The trust level with which the application accesses various resources are known and are in line with the acceptable practices.
  • The design supports the scalability requirements such as clustering, web farms, shared session management.
  • The design identifies the configuration / maintenance points, and the access to the same is manageable.
  • Communication with various local or remote components of the application is using secure protocols.
  • The design addresses performance requirements by adhering to relevant design best practices.

Application Architecture Considerations

Input Validation

  • Whether the design identifies all entry points and trust boundaries of the application.
  • Appropriate validations are in place for all inputs that comes from ourside the trust boundary.
  • The input validation strategy that the application adopted is modular and consistent.
  • The validation approach is to constrain, reject, and then sanitize input.
  • The design addresses potential canonicalization issues.
  • The design addresses SQL Injection, Cross Site Scripting and other vunerabilities
  • The design applies defense in depth to the input validation strategy by providing input validation across tiers.
  • The design identifies the identities or roles that are used to access resources across the trust boundaries.
  • Service account or such other predefined identity requirements to, if so needed to access variuos system resources are identified and documented.
  • User credentials or authentication tokens are stored in secure manner and access to the same is appropriately controlled and managed.
  • Where the credentials are shared over the network, appropriate security protocol and encryption techniques are used.
  • Appropriate account management policies are considered.
  • In case of authentication failures, the error information displayed is minimal so that it does not reveal any clues that could make the credential guessing easier.
  • The design adopts a policy of using least-privileged accounts.
  • Password digests with salt are stored in the user store for verification.
  • Password rules are defined so that the stronger passwords are enforced.
  • The user role design offers sufficient separation of privileges and considers authorization
  • granularity.
  • Multiple gatekeepers are envisaged for defense in depth.
  • The application’s identity is restricted in the database to access-specific stored procedures and does not have permissions to access tables directly.
  • Access to system level resources are restricted unless there is an absolute necessity.
  • Code Access Security requirements are established and considered.
Configuration Management
  • Stronger authentication and authorization is considered for access to administrration modules.
  • Secure protocols are used for remote administration of the application.
  • Configuration data is stored in a secured store and access to the same is appropriately controlled and managed
  • Least-privileged process accounts and service accounts are used.
Sensitive Data
  • Design recognizes sensitive data and considers appropriate checks and controls on the same.
  • Database connections, passwords, keys, or other secrets are not stored in plain text.
  • The design identifies the methodology to store sensitive data securely. Appropriate algorithms and
  • key sizes are used for encryption. 
  • Error logs, audit logs or such other application logs does not store sensitive data in plain text.
  • The design identifies protection mechanisms for sensitive data that is sent over the network.
Session Management
  • The contents of authentication cookies are encrypted.
  • Session lifetime is limited and times out upon expiration.
  • Session state is protected from unauthorized access.
  • Session identifiers are not passed in query strings.
  • Platform-level cryptography is used and it has no custom implementations.
  • The design identifies the correct cryptographic algorithm and key size for the application’s data encryption requirements.
  • The methodology to secure the encryption keys is identified and the same is in line with the acceptable best practices.
  • The design identifies and establishes the key recycle policy for the application.
Parameter Manipulation
  • All input parameters are validated including form fields, query strings, cookies, and HTTP headers.
  • Sensitive data is not passed in query strings or form fields.
  • HTTP header information is not relied on to make security decisions.
  • View state is protected using MACs.
Exception Management
  • The design outlines a standardized approach to structured exception handling across the application.
  • Application exception handling minimizes the information disclosure in case of an exception.
  • Application errors are logged to the error log, and the design provides for periodic review of such logs.
  • Sensitive data is not logged as part of the error logs, but where necessary, the same is logged with appropriate de-identification technique
Auditing and Logging
  • The design identifies the level of auditing and logging necessary for the application and identifies the key parameters to be logged and audited.
  • The design considers how to flow caller identity across multiple tiers at the operating system or application level for auditing.
  • The design identifies the storage, security, and analysis of the application log files

Sunday, June 29, 2014

Governance of Agile Delivery


The Agile methodology brings in alternate approach to traditional project management, where success was hard to get. Typically used in software development, Agile methodology help businesses respond to unpredictability. By focusing on the repetition of smaller work cycles as well as the deliverables, agile methodology is described as “iterative” and “incremental”. In waterfall, development teams only have one chance to get each aspect of a project right. In an agile paradigm, every aspect of development viz. requirements, design, etc. is continually revisited. When a team stops and re-evaluates the direction of a project every two weeks, there’s time to change course. Because teams can develop software at the same time they’re gathering requirements, “analysis paralysis” is less likely to impede a team from making progress. Agile development preserves a product’s critical market relevance and ensures a team’s work doesn’t wind up on a shelf, never released. Considering the value delivery that the Agile methodology promises, its adoption has been on the rise and today most organizations, including Government are embracing Agile approaches.

Governance of Agile Delivery

Critics say that Agile methodology is all about working in an unstructured way and for that reason, they believe that governing agile practices is always a challenge. While some of the Agile principles appear to support such criticism, there are many cases where organizations have successfully implemented processes and frameworks towards governance of Agile practices. Agile practitioners believe that because the agile methods are designed to be self-assuring, when practiced right, there exists built-in governance and accountability.

More so, the agile practices are more collaborative and operates continuously, requiring the stakeholders to review and test the deliverables on a continuous basis and helps the team to take alternate course of action as may be needed. Collaborative culture helps resolution of problems quicker and makes decisions are made on time. This helps to have a continuous focus on the value forecast with respect to the business case and manage the risks that may potentially impact on the expected value.

Principles of Governance

The following are the key governance principles for a successful governance of Agile Delivery:

Focus on the value delivery - only do a task if it brings value to the business. This principle also recognizes the timely delivery of a task as the value derived is more likely to deteriorate with the delayed delivery. In case of Agile deliveries, the governance is continuous and at a work unit level. It should also focus on what activity is taking place and the value such task delivers.

Embrace Change - This another principle of Agile and the Governance framework should take this into consideration. This would mean that the decisions or work flows should be flexible enough to change course based on the feedback received. Given that all stakeholders collaborate, decisions should be taken across the table, without putting things on hold and for the purpose, all needed specialists should take part in the reviews.

Decide on the performance metrics - Another key principle of Agile methodology is to 'fail fast and learn quiuckly'. Given that the overall objective is to improve the certainty that the team will deliver a usable product or service of good quality, the teams should be able to identify and implement the right metrics that will accurately indicate the quality of the deliverables and the performance of the team. For example they measure tasks completed; rework they had to perform; the backlog list and the value of the product or service to the business at the end of each iteration. Teams display this information visually, updating it frequently. This makes progress transparent to business users and management. If senior managers require performance information to oversee projects, they define what the ‘must have’ data are. Performance reports for senior management become a task in each iteration and an output of the delivery team.

Collaboration - All stakeholders, including senior management, external assessors, business users and the development team should be partners in quality, and this collaborative approach is an essential change in mindset. The business owner and delivery team defines what ‘quality’ tests they will use and what results are acceptable at the outset of each iteration – the definition of ‘done’. Regular user feedback identifies whether the product or service is providing the expected business value at each stage. External assessors are not gatekeepers; rather they are an integral part of the team. The iterative approach ensures continual reviews and feedback on progress, so external assessors are not just involved at critical points as defined in a traditional project life cycle.

Focus on behaviours and not just processes and documentation - More specifically, the external reviews or assessments will be more effective in providing critical challenge if the assessors have high-end skills, including technical and Agile delivery experience. In addition, they provide better value if they continually review how the team is performing, using observation as their main method of evidence collection. The focus of such external review or assessment shall be on the following:
  • the skills and experience of the team;
  • the team dynamics – frequency and nature of communication inside and outside of the delivery team, and the level of input to the delivery team from the business;
  • the organisational culture – the level of commitment and openness;
  • the timing and nature of quality control by the delivery team – the testing and release framework;
  • the order in which the team tackled the tasks – prioritisation of actions and deliverables, the amount of actions in the backlog list;
  • the way the team changes its activity in response to the results achieved in each iteration; and
  • the value of outputs to the business.

IBM's Disciplined Agile Delivery Methodology

IBM believes Agile delivery allows it to continually issue new capabilities that meet user needs. It usually introduces software as part of a wider business change project so, to keep both in step, it has developed several Agile project methodologies. Disciplined Agile Delivery is a hybrid method that can be applied by a large number of teams working on the same project at the same time. The image below shows the Disciplined Agile Delivery life cycle. It starts with a few short iterations that allow the team and its stakeholders to identify the initial requirements, develop the architecture and agree a release plan. IBM also uses this to determine the system level properties and characteristics – the non-functional requirements. There are iterations after the business owner has decided that the system has sufficient functionality. These additional iterations are necessary for IBM to support the operation and maintenance of the solution once it is in service.

In contrast to the traditional approach of looking at outputs, plans, resourcing and how a project is organised, external assessors should focus on outcomes, prioritisation of work and team dynamics. The most useful indicators of success are how the teams are organising the delivery of an operational service or capability and what Agile behaviours and practices are used. Areas for assessment include whether:
system level issues (security, availability) are addressed within the iterations;
  • short- and longer-term planning exists;
  • the stakeholders have a shared vision;
  • there is continuous integration; and
  • the team has the right people


National Audit Office's Review on Governance of Agile Delivery

Sunday, June 22, 2014

Sustaining Successful IT Governance Environment

A tremendous amount of importance is being given to governance, risk, and compliance (GRC), ans thus IT governance is becoming a necessity in today's business context. There is strong pressure on senior management and the Board members to have a good understanding of their IT systems and the controls that are in place to avoid things such as fraud and security breaches. As the global corporate and economic climate continues to shift, businesses need to be prepared to anticipate, respond to, and mitigate risk with flexible processes that can be adapted to any methodology. This calls for assessing and continuously monitoring of the IT Governance as it operates in an organization.

IT governance represents a continuous journey (not an end state in itself), which focuses on sustaining value and confidence across the business functions. Many companies start on a short term approach and focus on the compliance component of IT governance, without developing a balanced longer term approach consisting of both a top down framework and roadmap together with bottom up implementation to address the broad range of IT governance issues and opportunities in a planned, coordinated, prioritized and cost effective manner. 

Getting it Right First

Different IT governance stake holders need different features so the solution needs to be structured, taylored and feature risk management. Because process is at the heart of IT Governance the solutions has to be process centric but also support all other perspectives, organisations, technology, application, infrastructure, etc. Being process centric, IT Governance aspects should be integrated into the existing process framework of an organization, so that it becomes real, operational and sustainable.

It is important to get the IT Governance pieces well integrated and have the same operational first. To have an effective and operational IT Governance program, at the minimum, the following should be taken care of.

  • Executive Commitment - The Board and the Executive Leadership Team are committed to implementing and sustaining a robust Governance environment.
  • Do Homework - Educate yourself on past, current and emerging best practices.
  • Gather knowledge - Develop, adopt, integrate, leverage and tailor current and emerging best practices models, frameworks and standards to make them work for the enterprise - create an integrated IT governance framework and roadmap for your organization.
  • Sell it - Market the IT governance value propositions to the organization and communicate its goals and objectives.
  • Assess Current State - Assess the “current state” of the level of IT governance maturity and identify gaps. 
  • Define Future State - Based on the knowledge gathered, develop a “future state” IT governance blueprint.
  • Implementation plan - Come up with an implementation plan by breaking down the components into well defined work packages and assign an ownership and responsibility.
  • Roll out - Implement a scalable and flexible governance policy and process.

Continuous Improvement

There could not be a second thought in that the IT Governance needs to be sustainable by putting in place a lifecycle for continuous improvement.  IT Governance like any other process framework need continuous improvement in line with the changing business and technology environment and to ensure that the desired benefits are realized for ever. While the improvement cycle can be as simple as that of Demings PDCA, ISACA has suggested a seven step cycle as below:

  • What are the Drivers?
  • Where are we now?
  • Where do we want to be?
  • What needs to be done?
  • How do we get there?
  • Did we get there?
  • How do we keep the momentum going?

At the minimum, organizations should address the following questions to have the IT Governance continuously improved and thus sustained:

Image Source: The Advisory Council

With an integrated IT Governance framework in place, these improvement steps cannot be performed in isolation for the IT Governance function alone. Such improvement life cycle shall be applied to each of the functions, like Service Management, Asset Management, People & Project Management, and IT Portfolio Investment Management. The improvement life cycle shall thus at such levels and when such functions improve and deliver the desired results and value, IT Governance in turn will also be delivering. 

How much is enough?

As a process, operational governance must be carried out by one or more people. Even though it is useful to treat governance as outside the day-to-day operations of an organization, those carrying out the governance process may or may not belong to the governed organization. Even so, those who are carrying out the governance process must be concerned with certain external forces on the organizations as well. These external forces could be External Policies, External Standards, Government Regulations, etc. 

It is needless to mention that continuous improvement of IT Governance requires investment and it is equally important to justify the investment in continuous improvement pays back. Thus, the organization should know how much improvement is enough for them and accordingly focus its resources for this activity. However, knowing how much of IT Governance is enough is a key challenge, which will depend on the following factors:

  • Investment in IT (capital and expense), strategic value
  • Management philosophy and policy (e.g. mandatory and discretionary)
  • Program/Project and/or Operational visibility
  • Complexity, scope, size and duration of initiatives
  • Number of interfaces an integration requirements
  • Degree of risk
  • Speed of required implementation
  • Number of organizations, departments, locations and resources involved
  • Customer or sponsor requirements
  • Type and location of outsourcing (e.g. domestic, international)
  • Regulatory compliance 
  • Level of security required
  • Degree of accountability desired and audit-ability required (per external auditors)
  • Management Control Policies and Guidelines

Key Principles

To sustain and continue to make progress on the journey to achieving higher levels of IT maturity, an organization should adopt select principles from managing and accelerating change and transformation, which include the following key elements:

  • Proactively Design and Manage the IT Governance Program. Requires executive management sponsorship, an executive champion and creating a shared vision that is pragmatic, achievable, marketable, beneficial and measurable. Link goals, objectives and strategies to the vision and performance metrics and evaluations.
  • Mobilize Commitment and Provide the Right Incentives. There is a strong commitment to the change from key senior managers, professionals and other relevant constituents. They are committed to make it happen, make it work and invest their attention and energy for the benefit of the enterprise as a whole. Create a multi-disciplinary empowered Tiger Team representing all key constituents to collaborate, develop, market and coordinate execution in their respective areas of influence and responsibility. 
  • Make Tradeoffs and Choices and Clarify Escalation and Exception Decisions. IT governance is complex, continuous and requires tradeoffs and choices, which impact resources, costs, priorities, level of detail required, who approves choices, to whom are issues escalated, etc. At the end of the day, a key question that must be answered is, “When is enough, enough?” 
  • Making Change Last, Assign Ownership and Accountability. Change is reinforced, supported, rewarded, communicated ( through the Web and Intranet), recognized and championed by owners who are accountable to facilitate the change so that it endures and flourishes throughout the organization.
  • Monitoring Progress, Consistent Processes, Technology and Learning. Develop/ adapt common policies, practices, processes and technologies which are repeatable across the IT Governance landscape and enable (not hinder) progress, learning and best practice benchmarking. Make IT governance an objective in the periodic performance evaluation system of key employees and reward significant and sustainable progress and achievements. 

People often think they have a choice between "governance" and "no governance," but in reality the choice is between "good governance" and "bad governance." Every organization has a framework of decision-making and some set of often unstated measures. The needs of the business and the role of IT evolve; these unintentional governance solutions do not. Good governance is intentional, and it takes effort and attention. The operational perspective described in this article provides an approach for doing governance well.

Sunday, April 27, 2014

WAF - Typical Detection & Protection Techniques

WAF - Web Application Firewalls is a new breed of information security technology that offers protection to web sites and web applications from malicious attacks. As the name suggests, WAF solution is intended scanning the HTTP and HTTPS traffic alone. The WAF solutions have evolved over the last few years and are capable of preventing attacks that network firewalls and intrusion detection systems can't. The WAF offering typically comes in the form of a packaged appliance, i.e. with a purpose built hardware and a software running on it and is plugged in to the network. Different appliances offer different level of deployment capabilities, like, active / passive modes, support for High Availability,etc.

Different vendors have come up with various techniques to detect and protect web applications of the enterprise and thus the capabilities of the solution differ. However, at a minimum these devices offer the following detection and protection capabilities:

Detection Techniques

Normalization techniques

Web applications of those days were simple and mostly was comprising of the HTML content. Various tools and solutions have emerged to leverage the HTTP protocol for use by various applications to receive and send complex data including encoded binary data of higher volumes and also extend the use of the HTTP methods. Hackers also leverage these techniques to attack a web application. This calls for the WAF device should have the ability to use a technique to transform the input data into a normalized form, so that the same can be inspected for potential malicious content that could be leverage to perform an attack.

Signature Based Detection

This technique involves use of a string or regular expression based match against the incoming traffic for a specific signature and thus detecting a potential attack. For this purpose, the need to maintain a database of such attack signature is essential. Most popular WAF solution vendors maintain their own databases, whereas others subscribe to such databases.These databases need frequent updates to take into account the signatures used in recent attacks elsewhere.

Rule Based Detection 

Rule based Detection technique is similar to Signature Based Detection, but it allows use of a more complex logic. For instance, even if a signature match is detected, it can be further subjected to certain other conditions, like if the data is from a trusted source, the traffic may still be allowed to pass through with or without appropriate alerts and triggers for manual inspection. While the WAF solution is shipped with the standard rules, the same would be configurable to meet the security needs of the customer. The standard rules may also be part of the signature / rule database as may be maintained or subscribed to by the vendor

APIs for Extensibility

Despite the standard signature and rule based detection techniques, the actual deployment scenario at the customer site may require customization of the techniques used in detection. WAF solutions vendors usually support this need by offering extensible APIs, plug-ins, or scripting. These extensiblity options if not appropriately secured, can be exploited by hackers too.

Protection Techniques

Brute Force Attacks Mitigation

These attacks use automated scripts that attempt to login to the web application with common user name and passwords. The attacks usually originate from a large number of sources consisting of both legitimate web servers and private home computers. Once a username and password is successfully guessed, the hackers or their scripts / tools use the gained admin credentials for the next stage of attacks. Given that the user name passwords follow stricter rules and thus these attack is most likely to fail in guessing the valid credentials, but these attacks generate unduly high traffic, which will result in resource drain and in turn affect the availability of the web application.

Protection from Cookie Poisoning

Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity. Cookie poisoning is in fact a Parameter Tampering attack, where the parameters are stored in a cookie. In many cases cookie poisoning is more useful than other Parameter Tampering attacks because programmers store sensitive information in the allegedly invisible cookie. Most WAF solutions offer protection from Cookie poisoning by facilitating the signing and / or encryption of cookies, virtualizing the cookies or a custom protection mechanism as the specific web application may demand.

Session Attacks Mitigation

Session store is an important component of a web application and this store is used to share some of the common parameters pertaining to the user and the specific session across various actions within the application. Thus the session data is a key component that is used to secure the web applications. The hackers on the other hand try various techniques to hijack the session or tamper the session parameters. While tampering the parameter values is similar to Cookie Poisoning, Session Hijacking is stealing the session identifier and simulating requests from different sources with the stolen session identity. WAF solutions provide protection to session hijacking by signing and / or encrypting the session data and also linking the session identifier with the originating client.

Injection Attack Protection

An SQL injection attack is insertion of a SQL query via the input data from the client to the application. A successful SQL injection attack can read sensitive data from the database, modify database data, or shutdown the server. Similarly operating system and platform commands can often be used to give attackers access to data and escalate privileges on back-end servers Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website to access anything that the PHP program could: databases, password files, etc. Most WAF solutions using the normalization technique and the signature and rule database would be able to deny requests carrying such data, command or instruction that could lead to any of the injection attacks.

DDoS Protection

Distributed Denial of Attack is a common technique used by hackers to impair the availability of a website or application by directing unusually huge traffic against the site or application. This will result in all the computing resources used up and eventually leading to the site not being available at all. The WAF solutions making use of the normalization techniques and the signature and rule databases would be able to block such requests. Some common techniques used by the WAF solutions are to have a check on the content length and by evaluating the number of requests or sessions from the same originating client within a given time period.

Obviously, what is listed above are most common detection and protection techniques that any WAF solution would offer. But vendors are constantly improving these techniques and thus adding more detection and protection features. This has to be a constant endeavor as the hackers on the other hand are also coming up with newer techniques to exploit various vulnerabilities.

Sunday, April 13, 2014

IT Governance For Small Businesses - Constraints

There is a perception that IT Governance best suits for large organizations and small organizations tend to ignore it considering the efforts and resources that is required in practicing the IT Governance within. But IT Governance is equally important for smaller organizations as well, so that the IT function however small it is deliver maximum value for the business and at the same time to keep the risk exposure to the minimum. Existing frameworks like COBIT are too extensive for small businesses to use in implementing IT governance. These frameworks however are too complex and costly to implement and small businesses may consider it a bigger battle to implement and manage such framework.

ISACA however recommends to take an evolutive approach and thus take smaller steps first and let it evolve. Small businesses should convert the high-level concept of governance into practical and easy to implement best practices. The resource pools available with the small businesses will be a lot smaller and even outsourcing might prove expensive, considering the business volume and thus establishing an RoI on implementing IT Governance could be a bigger challenge.

It is not just the resources and cost, there are certain other characteristics of small businesses, which come in way of implementing an IT Governance. Here are some such characteristics, which an IT Governance framework designed for a small business should take into consideration.

Smaller or no Board of Directors

Many small businesses are closely held and thus could be a family business or private limited company with a small number of Directors on the Board. Having an Independent Director or a Director with IT background on the board is a big ask. This will leave the concentration of IT decision making with few or even single individual, which could be the CEO or the owner himself. IT savvy business owners or CEOs tend to use or leverage IT more for their business and thus have some degree of adoption of standards, practices and frameworks. In such cases, the choice of technology, standards, practices, etc are most likely limited to the knowledge levels of the owner or CEO and they don't take a leap forward into unfamiliar areas, which will call for more resources in evaluating and establishing the RoI for the same.

Organization Structure

One of the first step in implementing the IT Governance in an organization is to get an IT Strategy Committee and an IT Steering Committee with representation from different functions and from the Board. Small businesses do not have the extensive management structures to have such committee(s). The organization structure with small business are not as extensive as that of large organizations and as such enforcing separation of duties may not be feasible at all. For instance, the Finance Manager of a small business will also perform the function of IT procurement with minimal support from IT Administrators. Similarly, having a separate CIO could be a bigger ask for a small businesses as the costs for having such resources does not warrant the return.

Smaller IT departments

Having a fully functional IT department is a big investment for a small business. Thanks to the cloud trend and software as a service, this is a challenge even the IT departments in large organizations are facing. Cloud based services like Google Apps for business and Microsoft's Office 365, coupled with various specific purpose software as a service, it is becoming a lot easier for the businesses to get its IT up and running with least help from IT experts. This characteristic of a small business leads to a situation where a non-IT staff might have to take up the IT Governance initiative, which obviously has a challenge within as such staff might not comprehend the nuances of the Governance practices and jargon.

Lack of complementing frameworks

IT Governance  framework generally relies on various other practices or frameworks practiced in an organization. For instance ITIL, Enterprise Risk Management, ISO, CMMI, etc are some such standards or frameworks, the existence of which makes adoption of an IT Governance framework a bit seamless. In a small business existence of such standards is highly unlikely. Small businesses need an IT governance framework that is simpler, self containing and easier to implement, and only contain controls that are not dependent on a control practice of a different standard or practice.

Information security

While small business are not the target of hackers or attackers, the risk of information security always remained. For obvious reasons that arise out of the characteristics listed here, small businesses could not see the return on investment in information security. For that matter, small business do not have a formal risk management practice. They, typically, do not possess some of the basic elements of security management like information security policies, backup and disaster recovery, security awareness and up-to-date anti-virus protection. An IT governance framework aimed at small businesses will have to include a strong emphasis on information security and address the common security risks affecting small businesses.

Resources & Tools

Use of sophisticated software applications make implementation and practicing IT Governance easier, but it calls for heavy investment, which is beyond the reach for small businesses. For instance, Performance Evaluation of various IT resources call for collection of data and come up with various metrics that can be used to benchmark and as well measure the performance of IT resources and functions. This is made easier by using automated tools and depending on manual methods could prove cumbersome and data inaccuracy.
Because of the lack of financial and technical resources, small businesses cannot make use of such automated tools or software systems for the purpose.

Though the above list is not exhaustive, what are listed above are the ones that can be considered as key constraints for an IT Governance framework for the small business to address. There is no one solution fits all even for large organizations. The IT Governance framework has to be designed, created and managed as relevant for each organization. That includes even a small business. While one may pick and choose controls from various frameworks and tailor them to suit the specific small or medium business. The framework should however provide for evolution, so that the same can improve based on feedback from the practice.