TCI Reference Architecture v2.0

June 25, 2016 | Author: renebavard | Category: N/A



Reference Architecture

Version 2.0

Guiding Principles

- Define protections that enable trust in the cloud.
- Develop cross-platform capabilities and patterns for proprietary and open-source providers.
- Will facilitate trusted and efficient access, administration and resiliency to the customer/consumer.
- Provide direction to secure information that is protected by regulations.
- The Architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
- Centralize security policy, maintenance operation and oversight functions.
- Access to information must be secure yet still easy to obtain.

Business Operation Support Services (BOSS)

Information Technology Operation & Support (ITOS)

Presentation Services

Presentation Platform

Presentation Modality

Consumer Service Platform

- Delegate or Federate access control where appropriate.
- Must be easy to adopt and consume, supporting the design of security patterns.

Compliance

- The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
- The Architecture must address and support multiple levels of protection, including network, operating system, and application security needs.

Audit Planning

Independent Audits

High Level Use Cases

Third-Party Audits

Internal Audits

Information System Regulatory Mapping

Intellectual Property Protection

Data Classification

Handling / Labeling / Security Policy Rules for Information Leakage Prevention

Clear Desk Policy

DRP Plan Management

Test Management

Architecture Governance

PMO

Operational Risk Management

Program Mgmt

Project Mgmt

Segregation of Duties

Contractors

Employee Termination

Background Screening

Roles and Responsibilities

Planning

Testing

Risk Management Framework

Business Assessment

Technical Assessment

Employment Agreements

Job Descriptions

Employee Awareness

Event Correlation

Database Monitoring

Cloud Monitoring

Application Monitoring

E-Mail Journaling

Honey Pot

Market Threat Intelligence

SOC Portal

Managed Security Services

Knowledge Base

Branding Protection

Real-time internetwork defense (SCAP)

Contracts

E-Discovery

Incident Response

Legal Preparation

Objectives

Internal SLAs

OLAs

External SLAs

Vendor Management

End-Point Monitoring

Service Costing

Charge Back

Application Performance Monitoring

Programming Interfaces

Forensic Analysis

e-Mail Journaling

Capacity Planning

Software Management

Self-Service

Automated Asset Discovery

Configuration Management

Best practices

Event Classification

Root Cause Analysis

Ticketing

Trend Analysis

Problem Resolution

TOGAF

Attack Patterns

Code Samples

Benchmarking

Approval Workflow

Planned Changes

Project Changes

Operational Changes

IT Risk Management

Security Job Aids

Security FAQ

Change Review Board

Emergency Changes

Release Management

Connectivity & Delivery

Stress and Volume Testing

Risk Dashboard

Authentication Services

Abstraction

Reporting Services

Dashboard

OLAs

SLAs

Configuration Management Database (CMDB)

SAML Token

Risk Based Auth

Multifactor Auth

Smart Card

Password Management

OTP

Biometrics

Network Authentication

Single Sign On

Middleware Authentication

WS-Security

Federated IDM

Attribute Provisioning

Data Mining

Reporting Tools

Business Intelligence

Data Governance

PMO

Strategy

Roadmap

Problem Management

Incident Management

GRC

Change Logs

DR & BC Plans

RA

Authorization Events

Authentication Events

Application Events

Network Events

VRA

TVM

Audit Findings

HR Data (Employees & Contractors)

ACLs

CRLs

NIPS Events

DLP Events

Management

Privilege Usage Events

Active Directory Services

LDAP Repositories

eDiscovery Events

Registry Services

Location Services

Business Strategy

DBMS Repositories

X.500 Repositories

Federated Services

Vulnerability Management

Network

Application

Source Code Scanning

External

Virtual Directory Services

DB

Threat Management

Risk Taxonomy

End-Point

Behavioral Malware Prevention

White Listing

Sensitive File Protection

Anti-Virus

HIPS / HIDS

Host Firewall

Anti-Virus, Anti-Spam, Anti-Malware

Media Lockdown

Content Filtering

Inventory Control

DPI

Host Firewall

HIPS /HIDS

Behavioral Malware Prevention

Hardware Based Trusted Assets

Network Behavioral Malware Prevention

Meta Directory Services

Infrastructure

Infrastructure Protection Services

Firewall

Transformation Services

Compliance Monitoring

Change

Password Vaulting

Resource Protection

Hypervisor Governance and Compliance

Server

User Directory Services

NIPS Events

Database Events

Process Ownership

Computer Events

Data Segregation

BIA

Data Classification

Servers

Internal

Management

Management

Session Events

Risk Management

Risk Assessments

Security Monitoring

HIPS

Knowledge Repository

Keystroke/Session Logging

Privilege Usage Gateway

Penetration Testing

BOSS

Knowledge

Service

Non-Production Data

Information Leakage

Metadata

Service Events

Privilege Usage Management

Threat and Vulnerability Management Databases

ITOS

OTB AutN

Identity Verification

Out of the Box (OTB) AutZ

Forensic Tools

Content Filtering

White Listing

Application

NIPS / NIDS

Wireless Protection

Link Layer Network Security

Black Listing Filtering

XML Appliance

Application Firewall

Secure Messaging

Secure Collaboration

Real Time Filtering

Data Protection

Data Lifecycle Management

Internal Infrastructure

Facility Security

Controlled Physical Access

Barriers

Electronic Surveillance

Physical Authentication

Asset Handling Data Software

Physical Security

Patch Management

Storage Services

Power Redundancy

eSignature

Virtual Infrastructure

Desktop ("Client") Virtualization

Remote

Secure Build

Image Management

Storage Virtualization