Tuesday, July 7, 2020

IS security has its place in the enterprise architecture

Patrick Chambet, IT security architect and security expert at Bouygues Telecom
The concept of enterprise architecture, very much in fashion these days, has a broader scope than traditional technical architecture. It models the company's business and its processes, structures ("urbanizes") the information system, and helps carry that approach down into the technical architecture. In short, it brings a more global vision, built on the functional domains of the business as well as on the resources of the IT department. It takes into account, in particular, organization, business processes, governance, overall architecture, IT operations and security.

The security architect alongside the chief architect
The security architecture is fully integrated into the overall architecture of the IS. At Bouygues Telecom, the CISO (RSSI) also sits within the IT department itself, in the governance, tools and architecture unit, alongside the chief architect. This fosters close working relationships between IS security and central architecture, and it helps shape the target architecture of the IS by building in the security elements that contribute to the shared goal of quality of service. Security is therefore an integral part of the overall architecture of the IS. Besides the traditional perimeter security services (network filtering architecture, firewalls, DMZ, VPN, etc.) and defense in depth (trust zones, access controls at the resource level, intrusion detection, etc.), it also provides several infrastructure building blocks in the form of shared services: identity and authorization management, authentication directories (Active Directory, LDAP), the enterprise PKI, IS access platforms for external partners, a secure file transfer service with the outside world, and so on. More concretely, security cuts across the entire architecture of the IS, so security requirements are an integral part of the design of the various systems and applications that make it up. In this context, the technical architects who design the applications must follow the good practices formalized in the company's security standards for IT developments.

Assess the risk on each building block of the IS
Relations between the technical architects and the security architect run into differences of vocabulary, which must be cleared up first by giving the architects initial training in security concepts, application security in particular. Once the common language is assimilated and the first reflexes acquired, the dialogue becomes much more constructive, because the various stakeholders better understand the risks weighing on the systems that make up the IS (and therefore on the business processes that rely on them). They can also gauge the security measures needed to reduce those risks to an acceptable level (without even having to invoke the ISO 27001 standard). The company's IS is increasingly opened up to its partners, including software vendors, who very often contractually require remote maintenance access to their products installed at the heart of the IS, including in production. This is a non-negligible risk, which suitably adapted and particularly secure access architectures must cover: network filtering, encryption of flows, individual authentication, protocol breaks and enhanced traceability. For all these reasons, taking security into account in the design of the enterprise architecture is already absolutely essential.
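As an added illustration, not part of the original article and not Bouygues Telecom's own configuration, here is how those five controls map onto an OpenSSH bastion that a vendor's technicians must traverse to reach the one product server they maintain. The group name `partners-vendorx`, the target `app-vendorx.prod.internal` and its port are assumptions; every directive used is a standard `sshd_config` keyword.

```sshd_config
# Added example: OpenSSH bastion fronting a software vendor's remote-maintenance access.
# Assumed names: Unix group "partners-vendorx", target "app-vendorx.prod.internal:22".

# Encryption of flows: accept only modern key exchange, ciphers and MACs.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Individual authentication: no passwords and no shared accounts. Each partner
# technician gets a named account and authenticates with their own key.
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitRootLogin no

Match Group partners-vendorx
    # Protocol break: the partner never obtains a shell or a TTY on the bastion.
    # The session can only carry a forwarded TCP connection (ssh -J / ProxyJump).
    ForceCommand /usr/sbin/nologin
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitUserRC no

    # Network filtering at the application layer: forwarding is allowed only
    # from the client side and only towards the single product server.
    AllowTcpForwarding local
    GatewayPorts no
    PermitOpen app-vendorx.prod.internal:22

    # Enhanced traceability: VERBOSE logs the fingerprint of the key that
    # authenticated, so every session is attributable to one named individual.
    LogLevel VERBOSE
    MaxSessions 1
    ClientAliveInterval 300
    ClientAliveCountMax 2
```

The partner reaches the product server with `ssh -J bastion.example.net vendor-user@app-vendorx.prod.internal`; because ProxyJump only opens a forwarding channel on the bastion, `PermitOpen` decides where the connection may go and `ForceCommand` ensures nothing else can run there. The bastion's host firewall and the network filtering in front of the production zone should independently allow only that same destination and port, so that a misconfiguration of one layer is caught by the other.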
