Introduction into Security
2022-05
GOOGLE PRESENTATION LINK
HOUSEKEEPING
Location for optional (open access) reading
QR Code to the Google Presentation of this slide
WHY
TOPICS
Q&A during the session!
Multiple whitepapers
Thesis with 1500+ reads
40+ Blogs
Quoted in Books and Theses.
Consultancy for 7 Sectors,
30 Clients,
40+ Assignments
Infra to business strategy
@Edzob
(.com, LinkedIn, Twitter)
2021 - now Xebia
2006 - 2020 Sogeti
1992 - 2006 your IT guy
Research
ASc Computer Science
2003
MSc Enterprise Architecture
2020
BSc Business Information Systems
2006
PhD student Information Security
2021-2027
Share
Apply
Edzo Botjes
Antifragility Architect
Variety Engineer
Trusted Advisor
https://www.edzob.com
Teaching Enterprise Architecture (MSc) at
Utrecht University
of Applied Sciences
2022 -
Consultant @ Xebia 2021 -
Consultant @ Sogeti 2006 - 2020
Internships 2005 - 2006
My personal journey into security
The map is not the territory
SECURITY
How we define secure
Reality
Feeling
Secure
in-Secure
The story of two continuous forces
The human factor
Innovation drives change in reality
Reality is unpredictable
1
2
Double Pendulum
The continuous security challenge
Increasing Variety
Increasing Chaos
Thus we are in the age of VUCA
Volatility
Uncertainty
Complexity
Ambiguity
ISO 31.000
https://doi.org/10.1016/j.bushor.2014.01.001
https://hbr.org/2014/01/what-vuca-really-means-for-you
https://link.springer.com/book/10.1007/978-3-319-16889-0
https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity
Security is all about how to deal with your VUCA world.
Next up a mental model to put VUCA in a corner,
then concrete ways to improve security in your organization(s).
NOT ALL IS CHAOS
Not all is chaos, Cynefin to make sense.
https://doi.org/10.1108/08944310510556955
https://www.researchgate.net/publication/330500755
https://ieeexplore.ieee.org/abstract/document/5386804
https://thecynefin.co/library/cynefin-weaving-sense-making-into-the-fabric-of-our-world/
https://www.systemswisdom.com/sites/default/files/Snowdon-and-Boone-A-Leader's-Framework-for-Decision-Making_0.pdf
Reductionistic approach
Holistic approach
Probe - Sense - Respond
Act - Sense - Respond
Sense - Analyze - Respond
Sense - Categorize - Respond
BUILD A COMPANY OR JOIN A COMPANY
BOOK BINGO
How to build/ change a company
BOILS DOWN TO …
PEOPLE
PROCESS
TECHNOLOGY
All Enterprise Models BOIL DOWN TO …
Security
Business
Strategy
Information
Information Systems
Infrastructure
Service Management
SECURITY IN ALL LAYERS
Security is active on all layers
Security is active on all layers, some examples
Business Modelling
Enterprise Design
Resilient Organisation
Antifragile Organisation
Business Continuity Management
Risk Management
Compliancy
Information Security
Cyber Security
IT Security
Application Security
Infrastructure Security
Physical Security
Operational Security
Asset Security
Network and Telecom Security
Security is active on all layers, and attracts people that like order
People trying to order all the security things:
Security is active on all layers, bla bla bla bla
EVERY COMPANY
Strategy
In the strategy layer, security is present as Risk Management.
Key Questions are:
RESILIENCE
“The risk assessment and treatment process in ISO 27001 aligns with the principles and generic guidelines provided in ISO 31000.”
27000: "risk is chance or probability of loss"
31000: "risk is the effect of uncertainty on objectives"
31000: “Risk management is the identification, assessment, and prioritization of risks (effect of uncertainty on objectives, whether positive or negative) followed by effective and economic application of resources to minimize, monitor, control, and assure the probability and/or consequence of negative events or to maximize opportunities.“
https://en.m.wikipedia.org/wiki/ISO_31000
https://theriskacademy.org/is0-31000-iso-27005
https://ictinstitute.nl/iso-31000-explained
https://pecb.com/whitepaper/iso-31000-risk-management--principles-and-guidelines
https://www.researchgate.net/figure/ISO-27005-Risk-Management-Framework-7_fig1_263023688
Business delivers products and services via processes
Business is responsible for the product life cycle
https://cio-wiki.org/wiki/Product_Lifecycle_Management
https://en.wikipedia.org/wiki/Product_lifecycle
Plan
Create
Test
Deploy
Operate
Business that organizes itself via Enterprise Governance
https://en.wikipedia.org/wiki/Business_Model_Canvas
http://www.hec.unil.ch/aosterwa/PhD/Osterwalder_PhD_BM_Ontology.pdf
https://www.researchgate.net/publication/335610249_Enterprise_Governance_of_IT
https://cardboardit.com/2018/10/understanding-your-business-through-the-business-model-canvas
Enterprise Governance
Structures
Processes
Relational Mechanisms
Three levels of defence for quality assurance in your business
Information needed in process to deliver products and services
Poor information quality can lead to, for example, identity mix-ups
The best way to improve (information) quality is the Deming Circle
https://en.wikipedia.org/wiki/PDCA
https://en.wikipedia.org/wiki/Product_lifecycle
http://www.hec.unil.ch/aosterwa/PhD/Osterwalder_PhD_BM_Ontology.pdf
Information Systems are needed to store, sort and deliver information
Improve IT systems (security) by Deming + Product LifeCycle
Plan
Create
Test
Deploy
Operate
https://en.wikipedia.org/wiki/PDCA
https://en.wikipedia.org/wiki/Product_lifecycle
http://www.hec.unil.ch/aosterwa/PhD/Osterwalder_PhD_BM_Ontology.pdf
Deming and Product LifeCycle combined as Software LifeCycle
1 https://www.linkedin.com/pulse/governance-cloud-world-david-das-neves
2 https://www.linkedin.com/pulse/devsecops-paradoxon-david-das-neves
3 https://xebia.com/the-shift-left-fallacy
Infrastructure is where information systems run and live
Service Management is active on all layers
Service Management is active on all layers - Facilitate Buildings
Service Management is active on all layers - Facilitate Learning
SECURITY TOOLS
CIA(S) is old-school but still used in information security
https://www.securecontrolsframework.com
https://en.wikipedia.org/wiki/Information_security#Key_concepts
Confidentiality is improved by:
Start with using an Authenticator App and unique passwords via a password manager.
Integrity is improved by:
Start by requiring a login before all information.
Availability is improved by:
One source is no source.
Two sources is a start.
Always have options.
Safety is about reducing the risk of assets ending up in the wrong hands.
Assume you are already breached. This is known as zero-trust.
Summary:
It is about trust!
Who do you trust?
How to improve your personal security, fitting your own CIA(S)
ROSI = RETURN ON SECURITY INVESTMENT
https://essay.utwente.nl/79757/1/Casano_MA_EEMCS.pdf
https://www.enisa.europa.eu/publications/introduction-to-return-on-security-investment/at_download/fullReport
https://d2k0ddhflgrk1i.cloudfront.net/TBM/Over%20faculteit/Afdelingen/Engineering%20Systems%20and%20Services/People/Professors%20emeriti/Jan%20van%20den%20Berg/MasterPhdThesis/PANCHIT-MASTER-THESIS.pdf
BONUS CONTENT MSc
EU LAW vs US LAW KILLED THE (US) CLOUD
→ BE CAREFUL WITH YOUR INVESTMENT
Public DPIA (NL) on Teams, Sharepoint, Azure AD, Zoom, etc
US Laws and EU Laws
Wikileaks
Patriot Act 1
Patriot Act 2
Cloud Act
Safe Harbor agr.
Privacy Shield agr.
GDPR
Data Act
Data Governance Act
http://arno.uvt.nl/show.cgi?fid=155021
https://privacyplan.net/privacy-datasets/privacy-legislation-grid
https://www.ionos.co.uk/digitalguide/server/know-how/what-is-gaia-x
https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/usa
https://www.stiftung-nv.de/sites/default/files/snv_solving_the_transatlantic_data_dilemma.pdf
Wikileaks & der Spiegel showed that the US act (2013/2014)
https://www.youtube.com/watch?v=QNsePZj_Yks
https://en.wikipedia.org/wiki/Jacob_Appelbaum
https://www.cursor.tue.nl/en/news/2014/april/appelbaum-snowden-proved-us-right
https://media.ccc.de/v/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras#t=38
https://media.ccc.de/v/30C3_-_5713_-_en_-_saal_2_-_201312301130_-_to_protect_and_infect_part_2_-_jacob#t=779
https://eu.lubbockonline.com/story/news/nation-world/2013/12/31/privacy-advocate-exposes-nsa-spy-gear-gathering/15060892007
Schrems court case proved that US Law and EU law are no friends
https://en.wikipedia.org/wiki/Max_Schrems
https://www.gdprsummary.com/schrems-ii
https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://projectmoore.com/schrems-ii-implications-for-your-organisation
“Maximilian Schrems (born 1987) is an Austrian activist, lawyer, and author who became known for campaigns [starting as a student] against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program.” - Wikipedia
Witch, Please
https://www.ohwitchplease.ca
https://play.acast.com/s/oh-witch-please/book-6-ep-6-security-theatre
https://open.spotify.com/episode/7GTb7PHP8NXlw7eg067Y2F?si=r9iHIapyQT6JCJ9v71TBWw&nd=1
Book 6, Ep. 5 | Security Theatre
To become more secure, make sense of your context and respond
Reality
Feeling
Secure
in-Secure
1
2
Double Pendulum
Probe - Sense - Respond
Act - Sense - Respond
Sense - Analyze - Respond
Sense - Categorize - Respond
https://zenodo.org/record/3719389
https://www.researchgate.net/publication/327700356
https://en.wikipedia.org/wiki/Double_pendulum
https://doi.org/10.1108/08944310510556955
https://www.researchgate.net/publication/330500755
https://ieeexplore.ieee.org/abstract/document/5386804
https://thecynefin.co/library/cynefin-weaving-sense-making-into-the-fabric-of-our-world
https://www.systemswisdom.com/sites/default/files/Snowdon-and-Boone-A-Leader's-Framework-for-Decision-Making_0.pdf
emBRACE CHAOS
BONUS SLIDES
Stafford Beer - Viable Systems Model
https://www.wikiwand.com/en/Viable_system_model
https://en.wikipedia.org/wiki/Stafford_Beer
Legal Entity
Legal Entity
Contract
Identity
Email/ Username
Personal Account
Attributes of the Identity
Non-Personal Account
Process
Information
Application
Infrastructure
Context via Attributes
Agreement between
Is defined by …
Is owned by …
Is identified by …
Is owned by …
Is used to identify …
Is used to identify …
Needs …
Stored in …
Stored on …
Is owner of …
Role/ Function in the process …
Role/ Groups
Part of …
Defines the …
Access to information (CRUD)
Access to functionality
Access to service (CRUD)
IAM REFERENCE MODEL
Organization
Person
Organization
Person
Is owner of …
Is owner of …
Is identified by …
TRANSACTION AS FABRIC OF OUR REALITY
https://www.pronto-lectures.org/docs/glossary/
https://www.researchgate.net/publication/351461134_The_Evolution_of_DEMO
View on reality determines your scientific approach
https://www.pronto-lectures.org/docs/glossary/
https://www.researchgate.net/publication/351461134_The_Evolution_of_DEMO
Tips for those who are going to do their master's, regarding the viewpoint on reality:
Affordance is the new way to look at Business & IT
http://www.janrecker.com/this-is-research-podcast/affordances-is-the-new-tam/
https://podcasts.apple.com/ie/podcast/affordances-is-the-new-tam/id1553028563?i=1000538416337
Jan Recker wrote a great book on MSc research
& is responsible for a great overview on research methodologies: https://aisnet.org/page/ISResearch