
National Security Architecture Workshop a Success!


The national security architecture workshop we ran in conjunction with the 2013 AusCERT Information Security Conference on the Gold Coast was better than we had expected. Participants came from Australia, New Zealand, Canada, and South Korea to discuss their IT security architecture challenges and solutions. To get the party started, a number of participants provided security solution architecture diagrams describing current or proposed solutions, and they received valuable feedback from the group. When these sessions were finished, a (quite clever) participant suggested that we vote on other topics to discuss. As you can imagine, a room full of passionate security architects doesn’t have trouble generating topics for lively discussion and debate.

One participant presented his organisation’s approach to securing SOA infrastructure. After addressing deployment of security policy decision points (PDP) and policy enforcement points (PEP), the participants discussed the use of the OASIS WS-Security standards. Some participants described their experiences trying to deploy, and derive actual business value from, “entitlement servers”.

Another participant presented a BYOD solution that did not require the deployment of mobile device management (MDM) software on the end-user device. The approach had supported a wide range of devices and operating systems, and was considered to be low risk to the organisation. However, new business requirements, such as storage of sensitive data on the device, had now forced the organisation to assess MDM solutions.

Security incident and event management (SIEM) solutions invoked passionate discussion (rants!) by two participants. There was consensus that commercial SIEM products would not generate business value if they were simply acquired and switched on. Organisations wanting to perform effective security monitoring need to know exactly what they want to monitor. Also, SIEM products assist, but do not replace, competent security operations staff who have deep knowledge of the organisation’s ICT infrastructure.

Hybrid cloud infrastructure issues were discussed. Participants were interested in data sovereignty issues, and in key management when encryption is used to protect data at rest in the cloud. The advantages of using security brokers that encrypt an organisation’s data before storage in SaaS applications, e.g., Survey Monkey, were covered. A topic we wanted to cover was REST API security, but we ran out of time.

A good time was had by all – a sincere thank you to everyone who participated. Thanks to AusCERT for providing a venue (and some free tickets!). I look forward to seeing you at the next Security Architecture Workshop. Watch this space for details!


