Difference between revisions of "ESA Pattern Diagram Repository"
Revision as of 08:45, 7 April 2021
Introduction
The pattern diagrams are provided by the ESA to represent target architectures for the GC Enterprise, as defined in the GC Enterprise Security Architecture Definition Documents (ESADD) for various Enterprise Security Focus Areas. These target architectures act as a reference point which can be used to assess proposed solutions when performing security assessment activities. The pattern diagrams represent a collection of common security use cases and include references to relevant security controls described in CSE's ITSG-33 - IT Security Risk Management: A Lifecycle Approach.
This page and its sub-pages are intended to be a repository for the ESA Pattern Diagrams and Use Cases.
ESA Patterns and Use Cases Repository
| Pattern ID | Use Case ID | Use Case Title | Description |
|---|---|---|---|
| Security Operations | | | |
| PN-OPS-001 | UC-OPS-001 | Discover Unauthorized Client Endpoint | Security Operator performs a hardware asset scan and reports an unknown device attached to the network. The asset is confirmed as a rogue device and the device is blocked. |
| PN-OPS-002 | UC-OPS-002 | Detect Unauthorized Client Endpoint Configuration Change | End User performs an out-of-policy configuration change. The condition is detected by OPS and the approved configuration is restored. |
| | UC-OPS-003 | Validate Client Endpoint Configuration | A CDM scan for software configuration is performed and the software configuration does not match the baseline. |
| PN-OPS-003 | UC-OPS-004 | Backup Server Endpoint – Enterprise Initiated | The System Administrator commands a requested backup for a client endpoint device. The backup is performed and a confirmation report is sent to the System Administrator confirming backup completion success or failure. |
| | UC-OPS-005 | Restore Server Endpoint – Enterprise Initiated | The System Administrator requests the restore of a server device. The restore is performed and a confirmation report is sent to the System Administrator confirming restore completion success or failure. |
| PN-OPS-004 | UC-OPS-006 | Detect Anomaly | The system receives an event that it treats as an anomaly. The anomaly is assessed against digital policy rules to determine whether it is a routine, day-to-day event or should be treated as a cyber security event. The course of action is then invoked based on that assessment. |
| | UC-OPS-007 | Mitigate Routine Anomaly | Routine anomalies are day-to-day events that can be mitigated through orchestration of digital policy rule responses. Most anomalies require no actual response but are recorded for auditing purposes. |
| | UC-OPS-008 | Detect Behavioural Anomaly | The system builds a baseline of “normal” network traffic volume by time-of-day. It then detects an unexpected increase in network traffic that exceeds a configured threshold. This is one of many anomalies for which digital policy rules exist and that are detected and responded to within the Enterprise. |
| | UC-OPS-009 | Detect Pattern of Anomalies | The system detects a pattern of anomalies within an anomaly history that indicates a GC-wide distributed attack. |
| PN-OPS-005 | UC-OPS-010 | Remediate External Known Vulnerability | Information about a known vulnerability is received from an external source and is remediated. |
| | UC-OPS-011 | Internally Identify Vulnerability from Security Analytics | A vulnerability is discovered internally through “big data” analysis of raw data. Vulnerabilities of this nature are always considered cyber security events and managed accordingly. |
| | UC-OPS-012 | Remediate Internally Identified Vulnerability | The internally identified vulnerability is analyzed for possible remediation solutions. This use case functions in parallel with UC-OPS-013. |
| PN-OPS-006 | UC-OPS-013 | Cyber Security Event | The system detects an anomaly that is escalated as a cyber security event (incident) for further action. A cyber security event is the disclosure of a new vulnerability, intelligence that a threat actor may be planning an attack against a GC information system (e.g. a Distributed Denial of Service (DDoS) attack), detection of a current attack (suggested by a pattern of multiple individual events), etc. |
| Endpoint Security | | | |
| PN-END-001 | UC-END-001 | Authenticate Device to Network | Endpoint authenticates to the GC network |
| | UC-END-013 | Re-Key Endpoint | Update the user's certificate on the endpoint using enterprise ICAM services. |
| PN-END-002 | UC-END-002 | Install Security Patch | Security patch pushed to the endpoint |
| PN-END-003 | UC-END-003 | Wipe Endpoint – Local | Endpoint Wipe performed locally on the endpoint |
| | UC-END-004 | Lock Endpoint – Local | Endpoint Lock Out performed locally on the endpoint |
| | UC-END-005 | Wipe Endpoint – Remote | Endpoint Wipe controlled remotely from the enterprise |
| | UC-END-006 | Lock Endpoint – Remote | Endpoint Lock Out controlled remotely from the enterprise |
| PN-END-007 | UC-END-007 | Download Application Software | Endpoint pulls application software from an enterprise server |
| PN-END-008 | UC-END-008 | Perform Vulnerability Scan – Local | Endpoint Security performs a local scan and sends the results to the GC enterprise |
| PN-END-009 | UC-END-009 | Detect Network Intrusion Attempt (Firewall) (Endpoint Security) | Endpoint Firewall detects an intrusion attempt and notifies the GC enterprise |
| PN-END-010 | UC-END-010 | Authenticate User to Device | User authenticates locally to the endpoint |
| | UC-END-039 | Power on Endpoint | Power-on sequence for an endpoint |
| | UC-END-040 | Change Local Password | End user changes the local password or PIN on the endpoint |
| PN-END-011 | UC-END-011 | Authenticate User to Enterprise | User authenticates to the GC enterprise prior to accessing GC resources |
| | UC-END-012 | Reset User Enterprise Password | The user's enterprise password has expired (triggered by time) or been reset by OPS and must be reset the next time the user accesses the enterprise network |
| | UC-END-014 | Control Enterprise Access | User access to GC enterprise resources is based on attributes of the Environment, Platform, User, and Requested Resource |
| PN-END-015 | UC-END-015 | Provision Endpoint for Initial Use | Provisioning Part 3: Prepare the endpoint for delivery to the user by creating a local account and issuing temporary tokens. Register the endpoint and user with asset management and validate the configuration. |
| PN-END-018A | UC-END-018A | Establish VPN – Endpoint User Initiated | End user initiates a secure communications channel over a VPN with the GC enterprise |
| PN-END-018B | UC-END-018B | Establish VPN – Endpoint Application Initiated | End user requests an application service that establishes a secure communications channel over a VPN with the GC enterprise |
| TBD | UC-END-021 | Audit Configuration Policy | Endpoint application, system and security generated events |
| | UC-END-022 | Sign and Encrypt File | Endpoint signs and encrypts a file |
| | UC-END-023 | Violate Endpoint Security Policy – Download | End user attempts a download in violation of security policy. |
| | UC-END-024 | Violate Endpoint Security Policy – Web Access | End user attempts to access a web site in violation of security policy |
| | UC-END-025 | Initiate Multi-Domain Environment | Augments the power-on sequence to launch an environment capable of supporting multiple security domains on a single device (e.g., BYOD) |
| | UC-END-026 | Download File | End user initiates a file download to the endpoint |
| | UC-END-027 | Switch Domains – Multi-Domain Endpoint | End user navigates between security domains on a multi-domain device |
| | UC-END-028 | Move Data Between Domains – Multi-Domain Endpoint | End user moves data between security domains on a multi-domain device |
| | UC-END-029 | Scan for Malware – Endpoint Initiated | Endpoint performs a local malware scan and sends the results to the GC enterprise |
| | UC-END-030 | Check for Config/Software Updates – Endpoint Initiated | Endpoint initiates a check for current configuration and software |
| | UC-END-031 | Sanitize and Re-Provision Endpoint | Endpoint is sanitized and provisioned to a different end user |
| | UC-END-032 | Repair Endpoint | Endpoint repair process, including recovering data on the device prior to repair and restoring device configuration after repair |
| | UC-END-033 | Sanitize and Retire Endpoint | Sanitize and retire an endpoint – non-destructive |
| | UC-END-034 | Destroy Endpoint | Retire and dispose of an endpoint – physical destruction |
| | UC-END-035 | Perform Self-Check | Endpoint performs a health check |
| | UC-END-036 | Change Endpoint Configuration within Policy | End user performs an endpoint configuration change within security policy |
| | UC-END-037 | Update Endpoint Antivirus Software – Enterprise Initiated | GC enterprise pushes an antivirus software update to an endpoint. |
| PN-END-038 | UC-END-038 | First Use of Endpoint | Provisioning Part 4: Initial use of the endpoint by the end user, which results in replacement of one-time passwords, installation of user keys and certificates, and other personalization of the device. |
| Network and Communications Security | | | |
| PN-NCS-001 | UC-NCS-001 | Interoperation of Network-Centric Client Endpoint with Network-Centric Private Cloud Service | A network-centric client endpoint accesses a service in a network-centric cloud network. |
| | UC-NCS-002 | Interoperation of Information-Centric Client Endpoint with Network-Centric Private Cloud Service | An information-centric client endpoint accesses a service in a network-centric cloud network. |
| | UC-NCS-003 | Interoperation of Network-Centric Client Endpoint with Information-Centric Private Cloud Service | A network-centric client endpoint accesses a service in an information-centric cloud network. |
| | UC-NCS-004 | Interoperation of Information-Centric Client Endpoint with Information-Centric Private Cloud Service | An information-centric client endpoint accesses a service in an information-centric cloud network. |
| | UC-NCS-005 | Interoperation of Network-Centric Client Endpoint with Public Cloud Service | A network-centric client endpoint accesses a service in a public cloud. |
| | UC-NCS-006 | Interoperation of Information-Centric Client Endpoint with Public Cloud Service | An information-centric client endpoint accesses a service in a public cloud. |
| | UC-NCS-007 | Interoperation of Public User with GC Service | Citizen access to public services. |
| PN-NCS-002 | UC-NCS-008 | Endpoint Authentication and Assessment | Connection of a GC endpoint to a switch or access point. The device performs IEEE 802.1X authentication and the infrastructure assesses the compliance status of the client endpoint. The infrastructure side of UC-END-001. |
| | UC-NCS-009 | Client Endpoint Remediation | The NAC redirects a non-compliant GC endpoint to an isolated remediation network where it may be brought into compliance using OPS services. |
| PN-NCS-003 | UC-NCS-010 | Cross-Domain Transfer (Network-Centric) | Transfer of information between different domains via a Cross-Domain Solution (CDS). |
| PN-NCS-004 | UC-NCS-XXX | End-to-End Call Setup | Setup of an end-to-end voice or video call. Correspondents belong to different SIP domains. A call to a UC conference server can be an alternate flow. |
| | UC-NCS-XXX | Presence / IM | Presence and Instant Messaging. Availability to participate in other types of UC can be an alternate flow. |
| | UC-NCS-XXX | External Call Setup | Setup of a voice call to a non-GC recipient via an external SIP trunking provider. |
| PN-NCS-005 | UC-NCS-XXX | Software Defined Network (SDN) Configuration | Use of SDN and OpenFlow in conjunction with virtualized (NFV) and non-virtualized network devices. |
| | UC-NCS-XXX | Consolidated Network Management | Unified cross-domain network management in a CSfC architecture. |
| PN-NCS-006 | UC-NCS-XXX | Device Mobility | Mobile IP / MOBIKE |
| | UC-NCS-XXX | Network Mobility | NEMO |
| Applications Security | | | |
| PN-APP-001 | UC-APP-001 | Information Access Application Login | A user logged into a desktop computer seamlessly logs in to an enterprise information access application. |
| | UC-APP-002 | Application Authorization Decision | An enterprise application consults a centralized authorization service to determine whether a requested action is permitted. |
| PN-APP-002 | UC-APP-003 | Discovery of a Service with Specified Characteristics | A service discovers another service with specified characteristics prior to making a synchronous request to that service. |
| PN-APP-003 | UC-APP-004 | Orchestrated Business Process | A centralized orchestrator coordinates synchronous requests to services to implement automated business processes. |
| | UC-APP-005 | Choreographed Business Process | Services use an asynchronous, event-driven model to implement automated business processes without the need for a centralized orchestrator. |
| PN-APP-004 | UC-APP-006 | Call Setup with Out-of-Band Strong Authentication | A voice and/or video call is established between two entities authenticated using an out-of-band technique. |
| | UC-APP-007 | Call Setup with In-Band Strong Authentication | A voice and/or video call is established between two entities authenticated using an in-band technique. |
| Data Security | | | |
| PN-DAT-003 | UC-DAT-003 | Create Protected Data Object | Shows the creation of a protected data object. |
| | UC-DAT-004 | Access Protected Data Object | Shows the interaction between the END and DAT::IRM to allow access to a protected data object, and the provenance update after access. |
| | UC-DAT-005 | Modify Protected Data Object | Shows the interaction between the END and DAT::IRM to allow access to and modification of a protected data object. |
| PN-DAT-YYY | UC-DAT-XXX | Access and Use Protected 3rd Party Digital Content | Two options: 1) User launches a software package via a shared license server; or 2) User streams protected video content |
| PN-DAT-YYY | UC-DAT-XXX | Create Semantic Rule Set | Shows the steps required to create and test a semantic rule set prior to deployment. The semantics are used by devices in the enterprise to interpret the security policy bound to each data object. |
| PN-DAT-YYY | UC-DAT-XXX | Create Data Usage Policy | Shows the creation of a data usage policy. |
| PN-DAT-YYY | UC-DAT-XXX | Update Usage Policy | After a data object has been in use and may have left the GC Enterprise, the usage policy is updated. Examples include revoked access, changes in content classification, and changes in the allowed operations. |
| PN-DAT-001 | UC-DAT-001 | Monitor File Activity | Shows the interactions with ICA and OPS to support file activity monitoring (FAM). |
| | UC-DAT-XXX | Monitor Database Activity | Shows the interactions with ICA and OPS to support database activity monitoring (DAM). |
| | UC-DAT-XXX | Monitor Cloud Activity | Shows the interactions with ICA and OPS to support cloud activity monitoring (CAM). |
| PN-DAT-YYY | UC-DAT-XXX | Prevent Data Loss – Database DLP | Shows the interactions with CSS required to discover and protect sensitive content. |
| PN-DAT-YYY | UC-DAT-XXX | Prevent Data Loss – Storage DLP | Shows the interactions with CSS required to discover and protect sensitive content. |
| PN-END-YYY | UC-END-XXX | Prevent Data Loss – Endpoint DLP | Highlights the operation of DLP functions on client and server endpoints. |
| PN-OPS-YYY | UC-OPS-XXX | Manage DLP | Describes the collection of data for an enterprise DLP solution. |
| PN-ICA-YYY | UC-ICA-XXX | Manage IRM Keys | Shows the interactions between ICA, Encryption Services, and IRM to manage keys for encrypting data objects. |
| Computer and Storage Services Security | | | |
| PN-CSS-001 | PN-CSS | | |
| PN-CSS-002 | | | |
| PN-CSS-003 | | | |
| PN-CSS-004 | | | |
| PN-CSS-005 | | | |
| Identity, Credential, and Access Management | | | |
References
ITSG-33 - IT Security Risk Management: A Lifecycle Approach
GC ESA Description Document Main Body
GC ESA Description Document Annex A - End User Device Security
GC ESA Description Document Annex B - Data Security
GC ESA Description Document Annex C - Network and Communications Security
GC ESA Description Document Annex D - Security Operations (OPS)
GC ESA Description Document Annex E - Application Security (APP)
GC ESA Description Document Annex F - Compute and Storage Services Security (CSS)