Lead Enterprise Architect Program (LEAP) - Master Class 4 - Security
Today it was that time again :-) : Workshop 4 on Security, given by Martin Vliem. Security is a complex and broad topic, and this came across clearly in his presentation. What a fine profession we have.
For this Master Class there was, once again, an extensive homework package. Below you will find a (short) excerpt from it.
-------------------------------------------------------
The first session was focused on the (de)coupling of information. Your work resulted in ViCeSSS.
Figure 1: Global Bank ViCeSSS
(showing just part of the core applications)
The second session was about provisioning enterprise information and services to the end user, be they Global Bank employees or customers. Amongst other things, your advice led to the implementation of G-BOLP using Microsoft Office SharePoint Server as an enterprise portal that hosts services like Save & Win, First Financial Mortgage and others.
The third session covered infrastructure design focused on flexibility, manageability and availability; however, to build a complete infrastructure supporting the business applications, the aspects of Identity and Access and Security are fundamental as well. Session four therefore builds on the previous session by further exploring the Infrastructure Optimization model into the realms of Identity and Access, Security and Networking. The amount of material can be overwhelming, so please focus in the first instance on the references tagged "must read". If you have additional time, please explore some of the other topics as well.
Security is a broad topic and resides under the umbrella of Microsoft's strategic initiative of Trustworthy Computing (TWC), which started with an executive email from Bill Gates in July 2002. TWC has now arrived at this point (must read); it is interesting to see that Microsoft is now working more towards a new vision, which will also be covered briefly in the session. Instead of covering the whole of TWC, this session helps you architect and design secure enterprise solutions like G-BOLP. We direct our attention to the following topics: Threat Modeling, Identity & Access Management, and Network and Platform Security, and how these security principles are implemented in a Windows and Web Services environment.
Note: for this prep document we rely heavily on the work done by our patterns & practices group. They provide guidance on the architecture and design of enterprise solutions using Microsoft technologies, although most concepts are not restricted to Microsoft technologies. Be sure to check them out whenever implementing enterprise solutions. All material, mainly books and white papers, is freely available.
Threat Modeling
Figure 1 in the introduction (must read) of the guide "Improving Web Application Security" provides the scope for securing web-facing applications. Threat modeling allows you to systematically identify and rate the threats that are most likely to affect your system. By identifying and rating threats based on a solid understanding of the architecture and implementation of your application, you can address threats with appropriate countermeasures in a logical order, starting with the threats that present the greatest risk. We have two documents for you: threat modeling (chapter 3 of the aforementioned Web Application Security guide) and a more recent update called "Threat Modeling Web Applications" (must read: "at a glance").
----------------------------------------------
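The "identify, rate, then address in order of risk" step that the homework excerpt describes is easy to state and easy to do inconsistently across a workgroup. The following is an added example (not code from the LEAP course material or from the patterns & practices guide) showing one way to make the rating repeatable: threats are categorised with STRIDE and rated with the DREAD scheme used in chapter 3 of "Improving Web Application Security" (five factors, each scored 1..3, summed to a 5..15 total and bucketed High 12-15 / Medium 8-11 / Low 5-7). The threats listed for the G-BOLP portal are constructed for illustration and are not from the course.

```python
"""Threat rating and prioritisation with STRIDE (categories) and DREAD (scores).

Added example, not code from the LEAP material or the p&p guide. The DREAD
scale (1..3 per factor, 5..15 total, High/Medium/Low buckets) follows the
"Improving Web Application Security" chapter 3 scheme; the G-BOLP threats
below are constructed for illustration.
"""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class Threat:
    id: str
    description: str
    stride: str                      # one letter from STRIDE
    dread: dict                      # factor -> 1 (low), 2 (medium), 3 (high)
    countermeasures: list = field(default_factory=list)

    def __post_init__(self):
        # Reject malformed entries early so a bad score cannot silently
        # push a threat up or down the priority list.
        if self.stride not in STRIDE:
            raise ValueError(f"{self.id}: unknown STRIDE category {self.stride!r}")
        missing = set(DREAD_FACTORS) - set(self.dread)
        if missing:
            raise ValueError(f"{self.id}: missing DREAD factors {sorted(missing)}")
        for factor, score in self.dread.items():
            if factor not in DREAD_FACTORS or score not in (1, 2, 3):
                raise ValueError(f"{self.id}: bad DREAD score {factor}={score}")


def dread_total(t: Threat) -> int:
    """Sum of the five DREAD factors: 5 (all low) .. 15 (all high)."""
    return sum(t.dread[f] for f in DREAD_FACTORS)


def risk_bucket(total: int) -> str:
    """Map a DREAD total onto the High / Medium / Low buckets."""
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def prioritise(threats):
    """Highest risk first; ties broken by damage potential, then by id so
    the ordering is stable between runs of the model."""
    return sorted(threats,
                  key=lambda t: (-dread_total(t), -t.dread["damage"], t.id))


# Constructed threats for the G-BOLP SharePoint portal (illustration only).
GBOLP_THREATS = [
    Threat("T1", "Attacker replays a captured portal session cookie", "S",
           dict(damage=3, reproducibility=3, exploitability=2,
                affected_users=2, discoverability=2),
           ["Secure+HttpOnly cookies over SSL",
            "re-authenticate before Save & Win transactions"]),
    Threat("T2", "SQL injection via mortgage calculator query string", "T",
           dict(damage=3, reproducibility=3, exploitability=3,
                affected_users=3, discoverability=3),
           ["parameterised queries", "least-privilege database account"]),
    Threat("T3", "Customer denies submitting a mortgage application", "R",
           dict(damage=2, reproducibility=2, exploitability=2,
                affected_users=1, discoverability=2),
           ["signed audit log of submissions"]),
    Threat("T4", "Verbose ASP.NET error page leaks connection string", "I",
           dict(damage=2, reproducibility=3, exploitability=1,
                affected_users=1, discoverability=2),
           ["customErrors mode=On", "centralised exception logging"]),
    Threat("T5", "Unauthenticated search floods the index server", "D",
           dict(damage=1, reproducibility=2, exploitability=1,
                affected_users=2, discoverability=1),
           ["request throttling", "cap query complexity"]),
]


def report(threats):
    """One line per threat, highest risk first."""
    lines = []
    for t in prioritise(threats):
        total = dread_total(t)
        lines.append(f"{t.id} [{STRIDE[t.stride]}] {risk_bucket(total):6} "
                     f"({total:2}) {t.description}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(GBOLP_THREATS)))
```

Run as a script it prints the prioritised list, with the injection threat (15) ahead of session replay (12) and the two Medium threats ordered by id because their totals and damage scores tie. The value of encoding the scale this way is less the arithmetic than the validation: every threat must carry all five factors on the same 1..3 scale before it can be ranked, which is exactly what drifts when different workgroup members fill in a spreadsheet by hand.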
And much more information !!!!
Naturally this again led to plenty of discussion in the workgroups.
Followed by a presentation of the results.
And yes, it was once again a long and, above all, useful day ....
Ruud