Ravila White is currently a Deputy Director of Enterprise Security Architecture at a global healthcare company. She has over 15 years of experience in Information Technology and Information Security with a career spanning the non-profit, healthcare, e-commerce and education sectors. She has experience as a whitehat, strategist, architect, auditor, incident handler and in various leadership roles. She applies reverse engineering and logic-based information modeling to her work. Ravila carries CISSP, CISM, CISA, CIPP, GCIH and ITIL v3 certifications along with an MSc in Information Security from the University of Royal Holloway. She regularly presents at local and national events on information assurance topics and is published on a national and global level. She is also a member of the PacCISO and Agora.
Currently, there exist “key privacy and data protection laws and regulations across nearly 100 different jurisdictions” globally.[1] Compliance with these various statutes may be achieved using any of the many security standards and frameworks that prescribe effective security mechanisms. Yet, security breaches continue, despite multi-million dollar investments in people, processes, and technology. According to the Identity Theft Resource Center’s 2016 Data Breach Report, at least 1,093 breaches occurred across various industries in the United States.[2]
Gaining and maintaining effective compliance is challenging for various reasons, among them: ad-hoc enterprise security programs; a lack of highly skilled security professionals; “disruptive technology” that has significantly increased the number of end points; and competing—sometimes conflicting—regulations, standards, and compliance requirements. For instance, FedRAMP and MARS-E 2.0 are both based on NIST 800-53; however, FedRAMP drives the implementation of cloud security mechanisms but excludes 9 of the control families and their controls from NIST 800-53 Rev4. In contrast, MARS-E 2.0 includes all of the NIST 800-53 Rev4 control families because 8 of the families enable compliance with HIPAA’s data security directive. Furthermore, the HITRUST risk framework is inclusive of NIST 800-53 Rev4 and additionally prescribes the implementation of security mechanisms for healthcare organizations. These are situational issues that challenge organizations to design and implement effective, interoperable, and continuously compliant controls.
Currently, control design and the effectiveness of controls are judged from a single dimension: Is the control there, turned on, and configured? Examining additional dimensions such as type, use case, and priority yields a true defense in depth posture:
Effective controls are those that are architected and engineered to address these additional dimensions. Meant to thwart compromise, preventative controls are preferred and are therefore usually considered a primary defense. Even better is when controls are blended—for example, preventative and detective—because the former will prevent exploitation while the latter will provide notification of attempted events. Firewalls, explicit firewall rules, anti-virus solutions, closed routes, and segregation and isolation techniques based on fine-grained access mechanisms are all examples of preventative information security controls. These controls prevent access to infrastructure, technology, and data.
Given that unauthorized access is the critical path of security compromise, one way to approach compliance assurance is to drive security from the perspective of “opportunities for access.”
Opportunities for access are conduits that give malicious attackers and unwitting insiders opportunities for compromise. Examples include zero-day exploits of software vulnerabilities, downstream partner breaches, configuration errors, and poor process management. You can identify these conduits by modeling the business using a pace-layering approach; that is, thorough analysis and modeling of your organization’s business model by conducting a series of information modeling activities. The figure below is a representation of a fictitious organization’s business model represented in the Business Model Canvas, an information modeling methodology introduced in the book Business Model Generation.[3]
The constructs of a business model canvas are rooted in scientific modeling, business modeling, and system information modeling—all driven by logic. The business model canvas is modeled using the following:
Scientific modeling is the rendering of an object’s interoperable components. In this context, an object can be a concept, process, product, or structure. First, modeling conceptualizes the object, enabling qualification of interoperable components and conduits. Next, contextual models quantify the components as an operational system.
Business modeling is the conceptual rendering of an organization’s operations; it is a framework that quantifies value proposition, customers, partners, high-level critical path organizational structure, activities, channels, relationships, cost structure, and revenue streams.
Why is this important to information security professionals? An organization’s business model provides you with the blueprint of the organization’s priorities so you can appropriately align your information security program. It’s the first glimpse of the product you must protect, the partners who may traverse your infrastructure, the customers whose data you must protect, along with the various internal stakeholders you must influence to be successful. It also provides a perspective on what type of access your infrastructure must support and how information may be extracted. The business model provides the foundation for rationalized information modeling, as one models based on organizational directives.
Modeling from this perspective allows one to influence by introducing information security through organizationally driven models. Well-developed business models are built on a blend of logic that addresses who, what, why, where, when, and how much. Information Security strategies modeled from such a foundation possess the same inherent logic, thereby reducing logic errors or misalignment of information security strategies to organizational objective, goals, and outcomes. Information modeling at its core is a technique for rationalizing and contextualizing a foundational model into a master model for Information Security. The master model provides the impetus for the contextualizing of models that are introduced based on the organization’s situations and circumstances.
An aggregate of models gives birth to systems within systems, all of which quantify interoperable components based on the characteristics, conduits, and influences of the business. The foundational business model serves as your check, and the information models that result from it serve as the balance, maintaining continuous alignment through systemic consciousness.
This series is about modeling the business to identify access threats, thereby enabling the application of rationalized multidimensional control to reduce compliance gaps and opportunistic compromise.
If you’re an Information Security leader, consider asking your business leaders (based on the organization’s business model) what they think security professionals should be securing.
If you’re part of the technical staff, based on the business model above, what would you recommend as protections to keep your company’s security and data private? What can you infer regarding regulatory mandates?
In part 2 we’ll look at creating a master model based on the business model. The master model is our basis for realizing defense in depth through a multi-dimensional protection strategy.
MODIFIED: Jul 18, 2017