<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Steve Nimmons &#187; Security</title>
	<atom:link href="http://stevenimmons.org/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://stevenimmons.org</link>
	<description>At the intersection of science, technology, engineering and politics</description>
	<lastBuildDate>Sat, 04 Feb 2012 00:07:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.3</generator>
		<item>
		<title>Enterprise Architecture: Security Architecture with TOGAF and SABSA</title>
		<link>http://stevenimmons.org/2012/01/enterprise-architecture-security-architecture-with-togaf-and-sabsa/</link>
		<comments>http://stevenimmons.org/2012/01/enterprise-architecture-security-architecture-with-togaf-and-sabsa/#comments</comments>
		<pubDate>Mon, 16 Jan 2012 07:00:00 +0000</pubDate>
		<dc:creator>Steve Nimmons</dc:creator>
				<category><![CDATA[Application Architecture]]></category>
		<category><![CDATA[DECISION]]></category>
		<category><![CDATA[Enterprise Architecture]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Information Architecture]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Architecture]]></category>
		<category><![CDATA[Component Security]]></category>
		<category><![CDATA[Conceptual Security]]></category>
		<category><![CDATA[Contextual Security]]></category>
		<category><![CDATA[Logical Security]]></category>
		<category><![CDATA[Operational Security]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[RMADS]]></category>
		<category><![CDATA[SABSA]]></category>
		<category><![CDATA[Security Principles]]></category>
		<category><![CDATA[Security Views]]></category>
		<category><![CDATA[TOGAF]]></category>
		<category><![CDATA[TOGAF ADM]]></category>

		<guid isPermaLink="false">http://stevenimmons.org/2012/01/enterprise-architecture-security-architecture-with-togaf-and-sabsa/</guid>
		<description><![CDATA[SABSA framework and its importance in the production of Security Architectures using Enterprise Architecture and TOGAF.]]></description>
			<content:encoded><![CDATA[
<p>This article briefly introduces the <a href="http://www.sabsa.org/" target="_blank">SABSA</a> framework and its importance in the production of Security Architectures using Enterprise Architecture and TOGAF.</p>
<p><em>Figure 1 – The <a class="zem_slink" title="SABSA" rel="wikipedia" href="http://en.wikipedia.org/wiki/SABSA">SABSA</a> Framework</em></p>
<p><em>[Source: <a href="http://www.sabsa.org/" target="_blank">SABSA</a> – (stylised version below by <a href="http://en.wikipedia.org/wiki/Steve_Nimmons" target="_blank">Steve Nimmons</a>)]</em></p>
<p><a href="http://stevenimmons.org/wp-content/uploads/2012/01/SABSA.png"><img style="display: inline; border-width: 0px;" title="SABSA" src="http://stevenimmons.org/wp-content/uploads/2012/01/SABSA_thumb.png" border="0" alt="SABSA" width="588" height="516" /></a></p>
<blockquote><p>The SABSA (Sherwood Applied Business <a class="zem_slink" title="Security architecture" rel="wikipedia" href="http://en.wikipedia.org/wiki/Security_architecture">Security Architecture</a>) framework has evolved as a &#8220;best practice&#8221; method for delivering cohesive information security solutions to enterprises.</p>
<p>SABSA is a six-layer model covering all four parts of the IT lifecycle: Strategy, Design, Implementation and Management &amp; Operations.</p>
<p>SABSA ensures the security needs of your enterprise are met completely and that security services are designed, delivered, and supported as an integral part of your IT Management infrastructure.</p></blockquote>
<p>Figure 2 – The SABSA MATRIX</p>
<p><em>[source: SABSA]</em></p>
<p><a href="http://stevenimmons.org/wp-content/uploads/2012/01/SABSAMATRIX.png"><img style="display: inline; border-width: 0px;" title="SABSA MATRIX" src="http://stevenimmons.org/wp-content/uploads/2012/01/SABSAMATRIX_thumb.png" border="0" alt="SABSA MATRIX" width="592" height="379" /></a></p>
<p>Figure 3 (SABSA and the TOGAF ADM) is a useful way to compare the relationship between the two frameworks at a high level. The SABSA dimensions are principally used to guide creation of the Security Architecture and the production of security aspects of the dependent TOGAF views (Business Architecture, Information Systems Architecture and Technology Architecture).</p>
<p><em>Figure 3 – <a class="zem_slink" title="The Open Group Architecture Framework" rel="wikipedia" href="http://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework">TOGAF</a> ADM &amp; SABSA</em></p>
<p><em>[Source: <a href="http://en.wikipedia.org/wiki/Steve_Nimmons" target="_blank">Steve Nimmons</a>]</em></p>
<p><a href="http://stevenimmons.org/wp-content/uploads/2012/01/TOGAFSABSA.jpg"><img style="display: inline; border-width: 0px;" title="TOGAFSABSA" src="http://stevenimmons.org/wp-content/uploads/2012/01/TOGAFSABSA_thumb.jpg" border="0" alt="TOGAFSABSA" width="589" height="371" /></a></p>
<p><em>Figure 4 – High-level process for creation of Security Architecture</em></p>
<p><em>[Source: <a href="http://en.wikipedia.org/wiki/Steve_Nimmons" target="_blank">Steve Nimmons</a>]</em></p>
<p><a href="http://stevenimmons.org/wp-content/uploads/2012/01/secprocess.png"><img style="display: inline; border-width: 0px;" title="secprocess" src="http://stevenimmons.org/wp-content/uploads/2012/01/secprocess_thumb.png" border="0" alt="secprocess" width="588" height="308" /></a></p>
<h2>High Level Steps</h2>
<ul>
<li>Ensure security requirements are considered at inception (including legislation such as <a class="zem_slink" title="Data Protection Act 1998" rel="wikipedia" href="http://en.wikipedia.org/wiki/Data_Protection_Act_1998">Data Protection Act</a>, <a class="zem_slink" title="Payment Card Industry Data Security Standard" rel="wikipedia" href="http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard">PCI DSS</a> etc.)</li>
<li>Create a set of Enterprise Principles (across Business, Data, Application and Technology domains, with a specific focus on security principles and policies)</li>
<li>Conduct a structured Risk Assessment to determine which assets require protection and the level of controls required</li>
<li>Create RMADS documentation highlighting the actors, risks and countermeasures required to mitigate the risks</li>
<li>Develop standard TOGAF views (Business Architecture, Data Architecture, Application Architecture and Technology Architecture), informed by the functional and non-functional requirements and Enterprise Principles. Each of these views will have security aspects</li>
<li>Implement security architecture view(s) in TOGAF based on SABSA and relevant best practices (e.g. CESG GPG documentation). This set of architectural views focuses on the SABSA dimensions pictured in Figures 2 and 3 (above) and Table 1 (below)</li>
<li>The Security Architecture should identify the principal Security Enforcing Functions in the architecture and cross-reference them with the countermeasures laid out in the RMADS</li>
</ul>
<p><em>Table 1 – SABSA focus areas</em></p>
<table border="1" cellspacing="0" cellpadding="2" width="550">
<tbody>
<tr>
<td width="275" valign="top">Business View</td>
<td width="275" valign="top">Contextual Security Architecture</td>
</tr>
<tr>
<td width="275" valign="top">Architect’s View</td>
<td width="275" valign="top">Conceptual Security Architecture</td>
</tr>
<tr>
<td width="275" valign="top">Designer’s View</td>
<td width="275" valign="top">Logical Security Architecture</td>
</tr>
<tr>
<td width="275" valign="top">Builder’s View</td>
<td width="275" valign="top">Physical Security Architecture</td>
</tr>
<tr>
<td width="275" valign="top">Tradesman’s View</td>
<td width="275" valign="top">Component Security Architecture</td>
</tr>
<tr>
<td width="275" valign="top">Facilities Manager’s View</td>
<td width="275" valign="top">Operational Security Architecture</td>
</tr>
</tbody>
</table>
<p>Contextual and conceptual security is often rather glossed over, with Security Architecture ‘diving in’ at the Logical View. Application Architectures also need decent security and component architectures, in terms of understanding protocols in use, ports required, deployment options, component interactions, security contexts, resilience etc.</p>
<p>As with TOGAF implementation, the degree of ceremony and tailoring of SABSA should be pragmatic. Security should be proportionate, and architectural modelling guided by SABSA should be proportionate too. Structured risk assessment provides the right focus. Cross-referencing between the risk assessment, the countermeasures in the RMADS (i.e. mitigation of risk) and the actual Security Enforcing Functions in the Security Architecture is important. Laid out well, this really helps with understanding how identified risks are dealt with in the architecture (and at which tier). This is a G-d send for penetration testing and accreditation.</p>
]]></content:encoded>
			<wfw:commentRss>http://stevenimmons.org/2012/01/enterprise-architecture-security-architecture-with-togaf-and-sabsa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s all in the eyes</title>
		<link>http://stevenimmons.org/2008/07/its-all-in-the-eyes/</link>
		<comments>http://stevenimmons.org/2008/07/its-all-in-the-eyes/#comments</comments>
		<pubDate>Thu, 10 Jul 2008 10:00:45 +0000</pubDate>
		<dc:creator>Steve Nimmons</dc:creator>
				<category><![CDATA[Editors Choice]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Online advertising]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://stevenimmons.org/?p=28</guid>
		<description><![CDATA[Writing for the British Computer Society, Steve Nimmons discusses the shift from offline to online advertising.]]></description>
			<content:encoded><![CDATA[
<h2>Article first appeared in the July 2008 issue of ITNOW.</h2>
<p><a href="http://bcs.org/server.php?show=ConWebDoc.20470"><img class="alignnone" title="Eyes" src="http://bcs.org/upload/img_200/internet_-_online_ads.jpg" alt="" width="140" height="140" /></a></p>
<p>From interruption to interaction, online advertising has progressed quickly in the last few years, says Steve Nimmons.</p>
<p>Online advertising has been with us since the earliest days of the internet and where eyeballs meet content, advertisers will be close by. The first web portals were (almost uniformly and tastelessly) bedecked with every imaginable flashing widget that might attract a valuable click-through. I will spare the early designers&#8217; blushes but some sites would today come with health warnings for photosensitive epilepsy. Quality had to, and did, improve.</p>
<p>As the popularity of home computing exploded throughout the 1990s we experienced year-on-year exponential growth in the online community. Statistics for 2007 indicate that some 32.5 million people in the UK are now online, spending 16 hours per week on the internet.</p>
<p>Online advertising in the UK in 2007 hit £2.8bn and is currently running at nine times the level of growth of the entire sector. There has been a £2bn leap since 2003, a trend that can be linked to the strong uptake of broadband technologies (now with 90 per cent of the market penetration) and the richer experience offered by web 2.0.</p>
<p>Spending on internet advertising in the UK now exceeds that of press classifieds and regional newspapers. Video sharing services have also played a large part in this success, as advertisers have been able to use richer media and viral marketing. Search currently accounts for 57.1 per cent of all online advertising, display 21.5 per cent and classifieds 20.8 per cent.</p>
<p>Google&#8217;s headline advertising revenues have even surpassed ITV1&#8217;s, a landmark in the competition between traditional commercial advertising and internet media. UK ecommerce revenue predictions (Forrester UK ecommerce Forecast 2006-2011) foresee a rise from £30.2bn to £52bn by 2011. It is clear therefore that this is a burgeoning market and year-on-year spending growth exceeds 38 per cent (in the UK alone).</p>
<p>Web 2.0 has further &#8216;tipped the scales&#8217;. I describe web 2.0 as having rebalanced the content producer to consumer ratio, enabling a very simple entry point to web participation and content creation and distribution. In real terms this has led to massive growth and fragmentation of the delivery network.</p>
<p>This is characterised by the appearance of tens of millions of blogs, disparate, niche content and entrepreneurs vying for a slice of the monetised blogosphere. Improvements in mobile technologies have created new opportunities to reach audiences.</p>
<p>Social networks, blogs, wikis, video and picture sharing, chat services, forums and many others are competing for attention that used to be the preserve of radio and television entertainment and print media. Social networks are serving up captive audiences in huge volumes, which is quintessential catnip to advertisers.</p>
<p>But there is a problem. Advertising quality issues, abuse, the &#8216;malware of adware&#8217;, volume overload, relevance and level of interruption have been areas of traditional frustration and contention. The web is packed with affiliate programmes and advertising networks.</p>
<p>Google (for one) has been trying to provide better quality click through on sponsored links and suffered market turbulence in March when their &#8216;quality not quantity&#8217; strategy resulted in a significant downturn in click-through growth. Advertising solutions are admittedly sophisticated but are they really delivering utility to consumers and sellers in line with our changing needs and expectations? What are the emerging challenges and opportunities we will face going forward?</p>
<p>There have been some reasonable attempts at contextual advertising and this is being extended with interesting work in behavioural targeting. I worked in data mining research back in 1993 and remember having many discussions about the way in which the web would emerge as the greatest profiling and personalisation experiment of all time.</p>
<p>I foresee increased velocity in the development of behavioural targeting, but this necessitates behavioural profiling and hence collection, storage and processing of personal data. Social networks and advertisers are keen to leverage this, but have had a great deal of difficulty in selling the concept to users. My view is that, while users would be perfectly receptive to the results, they are not at all comfortable with the means.</p>
<p>Considering that online privacy, phishing, identity theft, data protection and data security are high on everyone&#8217;s agenda, and with low levels of trust and high profile data security failures (from social networks to government departments), a great deal of work is needed to quell fears. It really does boil down to trust, and ISPs, social networks, traditional sites and advertisers must provide adequate security, transparent policies, opt-outs (many would prefer opt-ins), anonymity, data protection and data destruction.</p>
<p>I would also advocate increased regulation of what information can be collected and sold (although we should not forget parallels with loyalty schemes in the offline world). There have been many examples of negative press in the past number of months concerning Facebook/Beacon, Phorm, deep packet inspection, user privacy, social networking security, preservation of anonymity and many others.</p>
<p>Although largely interruptive in nature, advertising-sponsored software-as-a-service (SaaS) solutions are interesting. Offerings such as Microsoft AdCentre equip SaaS suppliers to design and operate targeted ad-funded services. Advertising therefore fulfils a role in innovations that provide utility to the consumer by reducing (or removing) total cost of ownership. Of course this has been a characteristic of advertising in the online domain for many years.</p>
<p>The semantic web will add another dimension as it begins to free us from the limitations of traditional key word searches. The semantic web will also be a less contentious mechanism for serving (improved) contextual advertising. There are currently some really interesting innovations in corporate marketing (products, services, and jobs), B2B / B2C and others in virtual environments such as Second Life.</p>
<p>A number of large IT companies (Microsoft and IBM in particular) are leading the way with interactive demos, virtual meetings and presentations, virtual sales representatives and self-service &#8216;kiosks&#8217; linked to assets on corporate websites. As we edge towards web 3.0 a lot of harmonisation and platform aggregation lies ahead with web 2.0 and new search technologies folding in on virtual worlds.</p>
<p>The virtual shopping malls created in Second Life provide a view of future online retailing and the opportunity for advertising and cross-selling as part of a pure play uninterrupted and interactive customer experience. Semantic search and personalisation through profiling will strengthen this.</p>
<p>Advertising is fundamentally content and must follow the rules. This means relevant, attractive, interactive (at least non-invasive), regulated, ethical and innovative. Competition is fierce and advertising volume can be overwhelming.</p>
<p>Attention is getting harder to grab but desire to drive increasing growth in a booming multi-billion pound industry is unabated. Conversion rates and cost effectiveness are key drivers and advertisers need to match their pace of change with consumer confidence in relation to new methods and technologies.</p>
<p>The backlash against Beacon and public meetings over Phorm indicate that the consumer must not be rushed. The internet has an almost unique position in modern culture, for many a last bastion of escapism. We are profiled regularly in real world retailing, resistance to which has largely faded, but internet anonymity will not be easily surrendered.</p>
<p>Trust, data security and privacy must be addressed with users and not in spite of them. The key sell is advertising as content, in line with the user experience. Enriching and non-interruptive models coupled with the semantic web and web 3.0 herald an exciting future for the industry and internet community.</p>
]]></content:encoded>
			<wfw:commentRss>http://stevenimmons.org/2008/07/its-all-in-the-eyes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unseen Enemy</title>
		<link>http://stevenimmons.org/2008/06/unseen-enemy/</link>
		<comments>http://stevenimmons.org/2008/06/unseen-enemy/#comments</comments>
		<pubDate>Tue, 10 Jun 2008 10:41:20 +0000</pubDate>
		<dc:creator>Steve Nimmons</dc:creator>
				<category><![CDATA[Editors Choice]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Reputation]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://stevenimmons.org/?p=32</guid>
		<description><![CDATA[Writing for Conspectus, Steve Nimmons explains the social engineering risk in Web 2.0.]]></description>
			<content:encoded><![CDATA[
<h2>Article originally published by Evaluation Centre / Conspectus, Summer 2008</h2>
<p>Steve Nimmons warns of the hidden threat to corporate privacy and reputation lurking within Web 2.0.</p>
<h2>The Historical Problem</h2>
<p>I recall (approximately eight years ago) reading an interesting poster on social engineering at a well-known electronics company in California. This wall-chart communicated sensible advice for dealing with unsolicited phone calls, ‘chance’ conversations and the importance of discretion when discussing corporate matters on planes, trains and automobiles.<br />
Topics such as tail gating, the ‘risk of gallantry’, the social and psychological tricks used by experienced practitioners to project ‘belonging’, the need for discretion and vigilance in public spaces and of course ‘clear desk policies’ were explained in concise, relevant and accessible language.</p>
<p>In this way, workforces across this and other enterprises were equipped to deal with the primary aspects of corporate social manipulation. Using in-house and industry standards, they shared the wisdom of primary threats, expected behaviours and above all encouraged staff training and awareness.</p>
<p>I visited many technology start-ups during this time. Their social engineering concerns centred mainly on leakage of financial data and intellectual property. With looming IPOs (initial public offerings) these companies had a lot to lose; the wrong information entering the market at the wrong time could potentially damage earnings.</p>
<p>Intellectual property was naturally their core competitive differentiator and was suitably protected, including legally through patents and non-disclosure agreements. It was clear what they feared, why they feared it and that they were being proactive in terms of minimising their overall exposure to risk. Their perimeter defences, with clear corporate boundaries and technological barriers, tamed Web 1.0.</p>
<h2>The Problem Develops</h2>
<p>Fast-forward eight years to the introduction and exponential uptake of Web 2.0 and it is fascinating (indeed crucial) to explore the need for similar protection and advice today. The Web 2.0 revolution essentially involves the removal of technological barriers to content publication. Blogs, wikis, forums, social bookmarking and social networks are just some of the means by which individuals can share and debate views (single click, no safety catch).</p>
<p>As we have discovered (or perhaps suffered) in the past few years, the web provides ideal conditions for libel, defamation (perhaps creating internal conflict or damaging partner relationships), careless divulgence of information and the association of the individual and corporations with unflattering and potentially damaging material.</p>
<p>These are arguably Web 2.0’s most concerning corporate side-effects. Worryingly, the individual is the power-broker of Web 2.0 and with microblogging (particularly Twitter) tipped for meteoric success, we will see even less control exercised over what are essentially globally distributed sound-bytes.</p>
<p>Pseudonyms provide anonymity, personally or corporately identifiable profiles ‘should’ engender a greater spirit of caution and present an opportunity for positive self and corporate marketing (for example, through blogging and thought leadership initiatives). But what needs to be understood clearly is that the search engines with their omnipresence discover our sins. In print media, yesterday’s news wrapped today’s fish and chips. But in the electronic age, opinion has an almost immortal quality. Search engines have a unique ability to discover and neatly present information that we may prefer remained hidden. Meanwhile, the Web and blogosphere contain a cacophony of voices inside which they are the eavesdroppers and intelligence agents.</p>
<p>There is an adage that Web 2.0 profiles are like tattoos – something you do when you are young and live to regret. But with appropriate controls, education and consideration, companies can seek to accentuate the positives and in sophisticated cases utilise them in personal branding and corporate marketing strategies.</p>
<p>Where once scraper and ‘shill’ sites were padded with ‘pointless’ copies of the Open Directory Project (an old trick to create thousands of pages to bloat a website that was then packed with affiliate programs and click-through advertising), they are now extracting content from RSS feeds, quite a number scraping via Technorati tags that simply mirror their underlying site’s (content) taxonomy. I use Technorati tags to categorise content for improved searching and user experience. I am often amused to see how my articles are ‘aggregated’ onto these sites totally against copyright and any sense of appropriate ownership and control. In some cases the use of such content may be beneficial (eg, offsite advertising), but consider the potential for widespread distribution of commentary.</p>
<p>Keep in mind the traditional political and broadcasting advice to ‘treat every microphone as if it were live’. Something said is difficult to retract in Web 2.0’s publishing model. This could affect your personal reputation or privacy, cause corporate embarrassment or perhaps worse. Social engineers are astute, so be careful of being drawn into electronic conversations that should be avoided. Solutions to some of these issues are emerging – including online reputation protection services such as Reputation Defender, ClaimID and Naymz – suggesting both the commercial and personal need to clean up ‘digital litter’.</p>
<p>Digital litter is all those nuggets of information personally linked to you – and be under no illusion that this body of information is being pored over by fraudsters and marketing companies, and in the corporate realm by researchers and competitors. Information, of course, is not as volatile as might be imagined. Simply deleting it from the original source is no guarantee of its destruction, with scraper sites, search indexes and historical web caches adding to the complexity. Reputation protection may only dilute some of the problems rather than completely remove them.<br />
We must of course accept freedom of speech and the right of fair criticism. In the Web 2.0 domain, our ‘complaints’ may well be beyond any reasonable bounds of control.</p>
<p>Corporate reputation is also tightly coupled with customer satisfaction, shareholder value, innovation and similar attributes. A key addition to the advice from 2000 is therefore to minimise personal and corporate risk from a system of worldwide electronic publishing where everyone can act as content producers.</p>
<h2>Corporate boundaries</h2>
<p>As well as shifting the content producer-to-consumer ratio, Web 2.0 has removed some traditional corporate boundaries. In Unified Communications we talk about edgeless enterprises. Web 2.0 warrants a special mention as it has ‘eroded the edge’ through its technological simplicity, whilst also prompting a radical reappraisal of the psychology of home and work. LinkedIn, Facebook, Plaxo, MySpace and associated groups today provide a rich hunting ground for the social engineer. Companies can be significantly profiled. Their names, departments, reporting structures, nature of business, personal links and networks can be mined and prioritised for further attack.</p>
<p>It is relatively easy to comb sites for information to use in ‘impersonation attacks’, extracting additional detail through email, telephony and other channels. With no identity management (ie, no established trust) it is simple to create fake pages, groups and details and use these to link the unwitting.</p>
<p>I am opposed to companies blanket banning access to social networks. Bans of this nature have one glaring weakness – they end when employees go ‘off the clock’. They also restrict the business benefit that could be derived from appropriate use. It’s vital to understand your risk exposure and develop appropriate security policies, best practices and employee education.</p>
<p>Parental education is a recurring theme in the recent Byron Review (established in 2007 to study the online safety of children) and I draw parallels with employee and employer education. Threats are ‘evolutionary’ and social engineering is enjoying an upsurge in the volume and quality of unsolicited, freely and legally attainable information. Reputation protection faces new challenges due to the speed of content production and distribution, a mechanism of such simplicity and attractiveness that bewildering numbers have embraced it across previously untouched demographics.<br />
There is a strong case for placing the onus on site providers to better protect privacy, but personal accountability must be advocated above all.</p>
<h2>Key Points</h2>
<p>So the key points that go on my updated wall-chart for 2008 are:</p>
<ul>
<li>Explain risk exposure in terms of information leakage, and libellous, defamatory or brand-damaging activities through the employee base. Public comments from identified staff are potentially detrimental to business reputation and relationships.</li>
<li>Understand and (in many cases) limit the volume of available corporate data on personnel, roles, responsibilities and professional activities – the social engineering goldmine.</li>
<li>Marketing and IT security play an expanding role in meeting new threats and opportunities.</li>
<li>Introduce Web 2.0 savvy security policies and training plans. It is no understatement that the proliferation of Web 2.0 opens a sizeable number of holes in the sieve of corporate intelligence (take the recent Facebook security leaks and social worms like Secret Crush as examples). Educated staff can make informed decisions and can better manage their own digital footprint as well as that of their employer. It is therefore vital for modern security training to cover the fundamental dangers of Web 2.0.</li>
<li>Companies should understand the mechanics of auditing, measuring and defending their online reputation. Web intelligence solutions are particularly useful but the ability to manage remedial action is still fairly undeveloped.</li>
<li>With appropriate selection, guidance, motivation and controls, there is an opportunity to use the publishing power of Web 2.0 for extremely positive personal and corporate gain.</li>
</ul>
<p>It is important not to be overtaken or overrun by technological advances. I recently advised a company following its discovery of some unofficial social networking groups (bedecked with company name and logo). These groups were innovative and well intentioned (if naïvely established) and such discoveries indicated corporate IT were losing touch with talented, motivated and active networkers.</p>
<p>Simple editorial control and content audits were set up. It is however important to reflect on the potential for damage as well as the potential for gain if the same enthusiasm were harnessed through focused and ‘moderated’ corporate initiatives.</p>
<h2>Summary</h2>
<p>Information leakage has reached the point where in April 2008 the Israeli Defence Force (IDF) was compelled to issue a statement warning that “Facebook was a threat to national security”. At the heart of this was the ‘free and easy’ manner in which members of the IDF were posting personal information, identifying themselves as members of the security services, pictured at sensitive installations and discussing sensitive subjects.</p>
<p>In other words, the problems we face are so potentially damaging that they are now ‘on the radar’ of government security services. Online advertising models deserve an article in their own right, but I would briefly mention privacy concerns over Phorm and the highly publicised ‘Beacon disaster’ championed by an ‘unwisely zealous’ Facebook. These add an additional twist to the complex world of Web 2.0 security.</p>
<p>The best way to respond to these threats is to shape, cultivate, educate and empower your employees. Develop an understanding of your risk exposure and Web 2.0’s threats. The blinkers of a ‘9 to 5’ blackout may be unworthy – but be warned, you lose control of your employees and of your personal or corporate reputation in Web 2.0 at your peril.</p>
]]></content:encoded>
			<wfw:commentRss>http://stevenimmons.org/2008/06/unseen-enemy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

