architecture - All Articles - CISO Platform2024-03-28T23:34:30Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/architectureGuide To Building Enterprise Security Architecture Governance Programhttps://www.cisoplatform.com/profiles/blogs/guide-to-building-enterprise-security-architecture-governance2016-11-21T05:45:16.000Z2016-11-21T05:45:16.000ZArnab Chattopadhayayhttps://www.cisoplatform.com/members/ArnabChattopadhayay<div><p>This guide examines the field of <i>security architecture</i> from the point of view of security governance. It explains how <i>security architecture governance</i> can be created as a sub-field of security governance, and how the principles and structure of security governance can be applied to security architecture governance to build an overarching security environment that is easy to understand, change, monitor and maintain. It examines security architecture governance from the point of view of business sponsors and other stakeholders. It suggests security governance life cycle phases and sub-stages within each phase. For each sub-stage, it lists the activities, proposes the required participants, states the expected outcomes and probable artifacts, and identifies the building blocks of the area of concern. While describing the building blocks, the article touches on some fundamental concepts where required and explains them in context to make them clear. Its inferences are drawn primarily on the basis of risk management. It proposes procedures, organisation, artifacts, challenges and implementation hints that can be used to create a security architecture governance plan.</p><p>The authors expect this article to be useful for organisations that are in the process of creating or improving their existing security development process.
The article is based on the authors' experience in building such a process for large enterprises, combined with research of publicly available materials across the internet and other publications. It does not directly or indirectly attempt to depict the process of any particular organisation.</p><p><a href="https://goo.gl/i5MBWl" target="_blank"><span class="font-size-4" style="color:#3366ff;">>> Click Here To Download Guide</span></a></p><p><span class="font-size-4"><strong><span class="font-size-5">This Guide Focuses On:</span></strong></span></p><ul><li>Developing A Customized Information Security Architecture Governance Framework</li><li>Applying The Framework In Organization Context To Create Implementation Roadmap</li><li>Developing A Measurement Program To Continuously Improve Security Architecture Governance</li></ul><p><span class="font-size-5"><strong>About Authors</strong></span></p><p><strong>Arnab Chattopadhyay</strong></p><p>Arnab is a passionate technologist who loves to design, build and protect large-scale systems. Key areas of his expertise include telecom networks, large-scale distributed software development, big data technologies, artificial intelligence and information security. He has spent a significant number of years in security research, consulting and the management of security functions, including identity and access management, cryptography, security architecture, vulnerability management and security program development. He has worked across the globe with large corporations to secure their systems. An entrepreneur at heart, he was instrumental in creating one of the world's first cloud-based penetration testing SaaS companies.
</p><p>Arnab has a Master of Science degree in Telecom Engineering with Distinction from University College London. He held a patent in artificial intelligence.</p><p><strong>Nidhi Agarwal</strong></p><p>Nidhi has been a software engineer for over 12 years. After years of working in a variety of areas of software development, including web application development, databases and algorithm development, Nidhi moved into information security. She has led the development of information security governance programs in software product companies. She has worked extensively in the areas of vulnerability management, identity and access management and security governance. She has a special interest in security architecture.</p><p>Nidhi holds a Bachelor's degree in Computer Science and Engineering with Honors from the National Institute of Technology, Allahabad.</p><p><a href="https://goo.gl/LD3Nxq" target="_blank"><img width="672" src="{{#staticFileLink}}8669811669,original{{/staticFileLink}}" class="align-center" alt="8669811669?profile=original" /></a></p></div>CASB: A CISO's Guide To Top Considerations Before Buyinghttps://www.cisoplatform.com/profiles/blogs/casb-a-ciso-s-guide-to-top-considerations-before-buying2016-11-25T04:30:00.000Z2016-11-25T04:30:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p>A Cloud Access Security Broker (CASB) is a solution for securing SaaS apps end-to-end, from cloud to device. Today, most CASBs focus only on software as a service (SaaS), although they can enforce best practices and security policies across all cloud services, including infrastructure (IaaS) and platforms (PaaS).</p>
<p>CASBs are generally designed for the following use cases from a security perspective:</p>
<ul>
<li><strong>Visibility:</strong> Who is doing what, and where are the off-premises workloads (Office 365, Box, Salesforce, etc.)?</li>
<li><strong>Data loss prevention (DLP):</strong> What kinds of data are users accessing and from what device?</li>
<li><strong>Risk analysis and mitigation:</strong> From what locations/devices is company data being accessed?</li>
</ul>
<p><strong><span class="font-size-4">Evolving security features are:</span></strong></p>
<ul>
<li>Compliance: CASBs impose controls on cloud usage to enforce compliance with industry regulations (for example, HIPAA). They also can detect when cloud service usage is at risk of falling out of compliance.</li>
<li>Threat protection: This includes threat intelligence, anomaly detection and malware protection, as well as preventing unauthorized devices and users from accessing corporate cloud services.</li>
</ul>
<p><span class="font-size-4"><strong>Some Pointers To Keep In Mind If You Need A CASB:</strong></span></p>
<ul>
<li>CASB architectures vary from one vendor to the next; some are agent-based and some are agentless.</li>
<li>Most have a primary proxy mechanism upon which their architecture is built - either a forward proxy or a reverse proxy, supported by API integration into the applications for scanning data at rest.</li>
<li>Proxies enable real-time, inline control. Proxy mode is fine, but it provides a single point of failure and can introduce application latency.</li>
<li>APIs, while not real-time, provide control over backend functions such as external sharing. Admins can also grant the CASB permission to use their cloud administration credentials, so that the CASB can see and control cloud policy, monitor the various levels of administrator and end-user access, and define policy. The only downside of API mode is the skill set and learning curve required to make the API connection and maintain it over time as new APIs are released; such skills can be difficult to find and keep on staff.</li>
<li>Most enterprises will require a hybrid CASB that provides both proxy-based and API-based protections for comprehensive cloud data protection.</li>
<li>CASB tools are available from a variety of vendors, including Adallom (recently purchased by Microsoft), Elastica, Firelayers, Imperva Skyfence, Netskope and Skyhigh, to name a few.</li>
</ul>
<p><span class="font-size-4"><strong>Selection Considerations</strong></span></p>
<p>When it comes to choosing the right CASB for your organization, there are a number of considerations, including:</p>
<ul>
<li>Range of coverage - Salesforce, Office 365, AWS, Box, etc.</li>
<li>Ease of use</li>
<li>Market Leader</li>
<li>Cost: The majority of CASB providers use subscription models based around these methods of licensing:<ul>
<li>Number of users</li>
<li>Number of cloud applications protected</li>
<li>Features specifically used </li>
</ul>
</li>
<li>Integration: Proxy, DLP, SIEM or any security tools</li>
</ul>
<p><strong>Article Contributor:</strong> Venkatasubramanian Ramakrishnan, Head Information Risk Management, Cognizant</p>
</div>3 Free "Security Architecture" Related Resources !!https://www.cisoplatform.com/profiles/blogs/3-free-security-architecture-related-resources2017-04-30T06:30:00.000Z2017-04-30T06:30:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent">Here's some exciting content on security architecture. It includes tools for Data Protection, Incident Response Tool Qualification & more. There's a great conference for security builders too - SACON (Security Architecture Conference), Pune.<br /> </td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner">
<p><a href="http://www.cisoplatform.com/profiles/blogs/3-free-security-architecture-related-resources" target="_blank"><img width="750" src="{{#staticFileLink}}8669807483,original{{/staticFileLink}}" class="align-full" alt="8669807483?profile=original" /></a></p>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><p><span class="font-size-4"><strong>Guide To Building Enterprise Security Architecture Governance Program</strong></span><br /> <br /> Here's an in-depth guide to building an enterprise security architecture governance program. This is a community contribution from 2 members who have researched the topic in detail... <a href="https://www.dropbox.com/s/9ucutcggd4xr975/1.Building%20Enterprise%20Security%20Architecture%20Governance%20Plan.pdf?dl=0" target="_blank">Download Guide</a></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/3-free-security-architecture-related-resources" target="_blank"><img width="750" src="{{#staticFileLink}}8669802465,original{{/staticFileLink}}" class="align-full" alt="8669802465?profile=original" /></a></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner"></td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><p><span class="font-size-4"><strong>10 Things You Should Ask of Your Cyber Incident Response Tool</strong></span><br /> <br /> Here's a guest post with 10 things to qualify your Incident Response Tool. Incident responders must move faster, be more agile, and have longer stamina than the attacker... <a href="http://www.cisoplatform.com/profiles/blogs/10-things-you-should-ask-of-your-cyber-incident-response-tool" target="_blank">Read More</a></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/3-free-security-architecture-related-resources" target="_blank"><img width="750" src="{{#staticFileLink}}8669810084,original{{/staticFileLink}}" class="align-full" alt="8669810084?profile=original" /></a></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner"></td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><span class="font-size-4"><strong>Confusion and Deception: New Tools for Data Protection</strong></span><br /> <br /> This talk was presented at RSAC USA 2017. Cyberthreats are asymmetric risks: corporate defenders must secure and detect everything, but the attacker needs to exploit only once... <a href="http://www.cisoplatform.com/profiles/blogs/confusion-and-deception-new-tools-for-data-protection" target="_blank">View Slide</a></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnImageBlock">
<tbody class="mcnImageBlockOuter"><tr><td valign="top" class="mcnImageBlockInner"><table align="left" width="100%" border="0" cellspacing="0" class="mcnImageContentContainer">
<tbody><tr><td class="mcnImageContent" valign="top"><a href="https://www.sacon.io/" target="_blank"><img src="{{#staticFileLink}}8669815876,original{{/staticFileLink}}" class="align-full" alt="8669815876?profile=original" /></a></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<table border="0" cellspacing="0" width="100%" class="mcnTextBlock">
<tbody class="mcnTextBlockOuter"><tr><td valign="top" class="mcnTextBlockInner"><table align="left" border="0" cellspacing="0" width="100%" class="mcnTextContentContainer">
<tbody><tr><td valign="top" class="mcnTextContent"><strong>Learn Secure DevOps, Threat Hunting, Threat Modeling and more @SACON Pune</strong><br /> <br /> India has a lot of hackers but very few security architects. The industry as well as the country needs competence in "Security Architecture". That's the reason why we started SACON - India's only Security Architecture Conference. <strong>No Sponsored Talks</strong>... <a href="https://www.sacon.io/" target="_blank">Know More</a></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table></div>Technical Architecture of RASP Technologyhttps://www.cisoplatform.com/profiles/blogs/technical-architecture-of-rasp-technology2017-05-23T06:30:00.000Z2017-05-23T06:30:00.000ZAmit, CISO Platformhttps://www.cisoplatform.com/members/AmitCISOPlatform<div><p>Speaker: Ajin Abraham [Security Engineer @Immunio]</p><p><strong><span class="font-size-6">What Will You Learn?</span></strong></p><ul><li>Appsec Challenges</li><li>State Of Web Framework Security</li><li>How WAF Works</li><li>WAF Problems</li><li>Evolution: WAF -> SAST -> DAST -> IAST -> RASP</li><li>Types Of RASP</li><li>Monkey Patching</li><li>Lexical Analysis & Token Generation</li><li>Context Determination</li><li>Preventing Code Injection Vulnerabilities</li><li>SQL Injection</li><li>Demo</li><li>Cross Site Scripting</li></ul><p><iframe width="595" height="485" src="//www.slideshare.net/slideshow/embed_code/key/5KsBm7RlCESxkl" frameborder="0" allowfullscreen=""></iframe></p><p><b>Please Note - Speaker presentations represent the views of the individual speakers and not of CISO Platform or their employers.</b></p></div>(Round Table) Zeroing-in on Zero Trust Architecture @ CISO PLATFORM Annual Summit 2020https://www.cisoplatform.com/profiles/blogs/round-table-zeroing-in-on-zero-trust-architecture-ciso-platform2020-03-23T13:00:00.000Z2020-03-23T13:00:00.000ZCISO Platformhttps://www.cisoplatform.com/members/CISOPlatform323<div><p><span>The Playbook Round Table on the topic "</span><strong><span>Zeroing-in on Zero Trust Architecture</span></strong><span>" took place on 21st February 2020 during the 12th CISO Platform Annual Summit 2020. Security professionals came forward to discuss zero trust, frameworks, and how to create a playbook for implementing a Zero Trust Architecture.</span></p>
<p>Playbook Speaker: <strong>Hitesh Pathak,</strong> CheckPoint Technologies</p>
<p><span style="font-size:18pt;"><strong>Key Points of Discussion:</strong></span></p>
<ul>
<li>Idea of Zero Trust</li>
<li>Frameworks, e.g. the NIST framework</li>
<li>Building a Zero Trust Architecture</li>
<li>Building Tech stack for transition to Zero Trust Architecture</li>
<li>Building Tech stack for directly implementing Zero Trust Architecture</li>
</ul>
<p>Here is the presentation of what was discussed during the Round Table Discussion.</p>
<p><iframe src="//www.slideshare.net/slideshow/embed_code/key/v7zeWIYtU2uIqH" width="595" height="485" frameborder="0" allowfullscreen=""></iframe>
</p>
</div>