Reference Architecture
Guiding Principles
Define protections that enable trust in the cloud.
Develop cross-platform capabilities and patterns for proprietary and open-source providers.
Facilitate trusted and efficient access, administration and resiliency for the customer/consumer.
Provide direction to secure information that is protected by regulations.
The Architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
Centralize security policy, maintenance operation and oversight functions.
Access to information must be secure yet still easy to obtain.
Delegate or federate access control where appropriate.
Must be easy to adopt and consume, supporting the design of security patterns.
The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
The Architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
Version 1.1
Business Operation Support Services (BOSS)
Compliance
Audit Planning Independent Audits Third-Party Audits Internal Audits Contact/Authority Maintenance
Information Technology Operation & Support (ITOS)
IT Operation
DRP
Plan Management Test Management
Presentation Services
Presentation Modality
Consumer Service Platform
Social Media Search
Presentation Platform End-Points
Mobile Devices
Mobile Device Management
Security and Risk Management
Speech Recognition (IVR)
Enterprise Service Platform
B2E B2M B2C
Desktops
Company owned Third-Party Public Kiosk
Collaboration E-Mail e-Readers
B2B P2P
Portable Devices Fixed Devices
Governance Risk & Compliance
Compliance Management Vendor Management Policy Management
Exceptions
Self Assessment
InfoSec Management
Capability Mapping Risk Portfolio Management Risk Dashboard
Medical Devices
Smart Appliances
Handwriting (ICR)
High Level Use Cases
IT Governance
Architecture Governance Standards and Guidelines
Audit Management
IT Risk Management
Technical Awareness and Training
Residual Risk Management
Information System Regulatory Mapping
Intellectual Property Protection
Privilege Management Infrastructure
Data Governance
Data Ownership / Stewardship Secure Disposal of Data
SaaS, PaaS, IaaS
Resource Management
Segregation of Duties Contractors
PMO
Program Mgmt Project Mgmt Remediation
Portfolio Management
Maturity Model Roadmap Strategy Alignment Input Validation Security Design Patterns
Application Services
Programming Interfaces Security Knowledge Lifecycle
Attack Patterns Code Samples Security Application Framework - ACEGI
Identity Management
Domain Unique Identifier Identity Provisioning Federated IDM Attribute Provisioning
Authentication Services
SAML Token OTP Risk Based Multifactor Auth Smart Card Password Management Network Authentication Middleware Authentication OTB AuthN
Data Classification Clear Desk Policy
Handling / Labeling / Security Policy Rules for Information Leakage Prevention Rules for Data Retention
Integration Middleware
Biometrics
Authorization Services
Policy Enforcement Policy Management Resource Data Management Role Management Policy Definition Principal Data Management XACML Obligation
Single Sign On WS-Security Identity Verification
Operational Risk Management
Operational Risk Committee Business Crisis Management Impact Analysis Key Risk Indicators Business Continuity Planning Testing
Human Resources Security
Employee Termination Background Screening Roles and Responsibilities Employment Agreements Job Descriptions Employee Awareness
Service Delivery
Service Level Management
Objectives OLAs Internal SLAs External SLAs
Information Technology Resiliency
Availability Management Resiliency Analysis
Development Process
Self-Service
Security Code Review Application Vulnerability Scanning Stress and Volume Testing
Connectivity & Delivery
Privilege Usage Management
Keystroke/Session Logging Privilege Usage Gateway Password Vaulting Resource Protection
Software Quality Assurance
Out of the Box (OTB) AuthZ
Abstraction
Vendor Management Service Dashboard
Threat and Vulnerability Management
Compliance Testing Vulnerability Management
Application Infrastructure DB Databases Servers Network
Capacity Planning
Risk Management Framework Business Technical Assessment Assessment Independent Risk Management
Employee Code of Conduct
Information Services
Application Performance Monitoring
Asset Management
Service Costing Charge Back Operational Budgeting Investment Budgeting
Service Delivery
Service Catalog SLAs OLAs Dashboard Recovery Contracts Plans
Reporting Services
Data Mining Reporting Tools Business Intelligence
PMO Strategy Roadmap
ITOS
Problem Management
Incident Management
BOSS
Risk Assessments Data Classification Process Ownership
Penetration Testing
Internal External
Threat Management
Source Code Scanning Risk Taxonomy
Security Monitoring Services
SIEM Platform Event Correlation Event Mining Database Monitoring Application Monitoring Honey Pot End-Point Monitoring Counter Threat Management Anti-Phishing User Behavior & Profile Patterns Cloud Monitoring E-Mail Journaling Market Threat Intelligence
CMDB
Knowledge Management
Data Governance
Risk Assessments Non-Production Data Information Leakage Metadata Session Events
Security Monitoring
Service Management
Change Management
Audit Findings
SOC Portal Managed Security Services Knowledge Base Branding Protection
Service Support
Configuration Management
Configuration Rules (Metadata) Configuration Management Database (CMDB) Service Events
Authorization Events
Authentication Events
HR Data (Employees & Contractors)
Business Strategy
Application Events
Network Events
Computer Events
Infrastructure Protection Services
Server
Anti-Virus, Anti-Spam, Anti-Malware Host Firewall HIPS / HIDS Media Lockdown Hardware Based Trusted Assets Forensic Tools Content Filtering Inventory Control White Listing
End-Point
Data Segregation HIPS NIPS Events
User Directory Services
Active Directory Services LDAP Repositories X.500 Repositories DBMS Repositories
Network
Firewall NIPS / NIDS Meta Directory Services
Real-time internetwork defense (SCAP)
Legal Services
Contracts E-Discovery Incident Response Legal Preparation
Internal Investigations
Forensic Analysis e-Mail Journaling
Capacity Planning Automated Asset Discovery
Software Management Configuration Management
Physical Inventory
Knowledge Repository
Risk Management
GRC RA BIA
Transformation Services
Database Events Privilege Usage Events
Content DPI Filtering Wireless Protection
Application
XML Appliance Secure Messaging Application Firewall Secure Collaboration
Real Time Filtering
Link Layer Network Security Black Listing Filtering
Change Logs
DR & BC Plans
VRA
TVM
ACLs
CRLs
Compliance Monitoring
NIPS Events
DLP Events
eDiscovery Events
Registry Services
Location Services
Federated Services
Virtual Directory Services
Data Protection
Data lifecycle management
Meta Data Control eSignature
(Unstructured data)
Incident Management
Security Incident Response
Problem Management
Event Classification Trend Analysis Root Cause Analysis Problem Resolution
Automated Ticketing Ticketing
Self-Service
Internal Infrastructure
Infrastructure Services
Asset Handling
Data Software Hardware
Cross Cloud Security Incident Response
Virtual Infrastructure
Remote
Data De-Identification Life cycle management
Data Masking Data Obscuring
Data Tagging Data Seeding
Orphan Incident Management
Facility Security
Controlled Physical Access
Barriers Security Patrols Electronic Surveillance Physical Authentication
Knowledge Management
Best practices Trend Analysis Benchmarking Security Job Aids Security FAQ
Patch Management
Compliance Monitoring Service Discovery
Servers
Secure Build Image Management
Desktop Client Virtualization
Local
Session-Based VM-Based (VDI)
Storage Virtualization Block-Based Virtualization
Host-Based
Data Leakage Prevention
Data Discovery
Network (Data in Transit)
Intellectual Property Prevention
Intellectual Property Digital Rights Management
LDM LUN
LVM
Storage Device-Based
Network-Based
Appliance Switched
End-Point (Data in Use)
Server (Data at Rest)
Change Management
Domain
Container
Process or Solution Data
SABSA ITIL v3 TOGAF JERICHO
Service Provisioning
Approval Workflow
Change Review Board Emergency Changes
Release Management
Scheduling Testing Version Control Build Source Code Management
Environmental Risk Management
Physical Security Equipment Location Power Redundancy
Equipment Maintenance Availability Services
Application Virtualization
Client Application Streaming Server Application Streaming
Virtual Workspaces
File-Based Virtualization
Synchronous Keys
Cryptographic Services Signature PKI Key Management Services
Asynchronous Keys
Data-in-Transit Encryption (Transitory, Fixed)
Data-in-Use Encryption (Memory)
Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile)
Server Virtualization
Virtual Machines (Hosted Based)
Full Paravirtualization Hardware-Assisted
Network Virtualization Network Address
Space Virtualization IPv4 IPv6
External (VLAN) Internal (VNIC)
Database Virtualization
Planned Changes Project Changes Operational Changes
Storage Services
Network Services
Network Segmentation Authoritative Time Source
Mobile Device Virtualization
Policies and Standards
Operational Security Baselines Job Aid Guidelines Role Based Awareness Best Practices & Regulatory correlation Information Security Policies Technical Security Standards Data/Asset Classification
OS Virtualization
TPM Virtualization
Virtual Memory
Smartcard Virtualization
Chief Architect: Jairo Orea. Lead Architects: Marlin Pohlman, Yaron Levi, Dan Logan. Team: David Sherr, Richard Austin, Vern Williams, Anish Mohammed, Harel Hadass, Phil Cox, Yale Li, Price Oden, Tuhin Kumar, Rajiv Mishra, Ravila White, Scott Matsumoto, Rob Wilson, Charlton Barreto, Ryan Bagnulo, Subra Kumaraswamy. Date: 07/20/2011. Revision: 12th Review.