ESA Pattern Diagram Repository

Introduction

The pattern diagrams are provided by the ESA to represent target architectures for the GC Enterprise, as defined in the GC Enterprise Security Architecture Definition Documents (ESADD) for various Enterprise Security Focus Areas. These target architectures act as a reference point which can be used to assess proposed solutions when performing security assessment activities. The pattern diagrams represent a collection of common security use cases and include references to relevant security controls described in CSE's ITSG-33 - IT Security Risk Management: A Lifecycle Approach.

This page and its sub-pages are intended to be a repository for the ESA Pattern Diagrams and Use Cases.

ESA Patterns and Use Cases Repository

Pattern ID Use Case ID Use Case Title Description
Security Operations
PN-OPS-001 UC-OPS-001 Discover Unauthorized Client Endpoint Security Operator performs hardware asset scan and reports an unknown device is attached to the network. The asset is confirmed as a rogue device and the device is blocked.
PN-OPS-002 UC-OPS-002 Detect Unauthorized Client Endpoint Configuration Change End User performs an out-of-policy configuration change. The condition is detected by OPS and the approved configuration is restored.
UC-OPS-003 Validate Client Endpoint Configuration A CDM scan for software configuration is performed and the software configuration does not match the baseline.
PN-OPS-003 UC-OPS-004 Backup Server Endpoint – Enterprise Initiated The System Administrator commands a requested backup for a client endpoint device. The backup is performed and a confirmation report is sent to System Administrator confirming backup completion success or failure.
UC-OPS-005 Restore Server Endpoint – Enterprise Initiated The System Administrator requests the restore of a server device. The restore is performed and a confirmation report is sent to the System Administrator confirming restore completion success or failure.
PN-OPS-004 UC-OPS-006 Detect Anomaly The system receives an event that it treats as an anomaly. The anomaly is assessed against digital policy rules to determine whether or not the anomaly is a routine, day-to-day event or whether it should be treated as a cyber security event. The course of action is then invoked based on that assessment.
UC-OPS-007 Mitigate Routine Anomaly Routine anomalies are day-to-day events that can be mitigated through orchestration of digital policy rule responses. Most anomalies require no actual response but are recorded for auditing purposes.
UC-OPS-008 Detect Behavioural Anomaly The system builds a baseline of “normal” network traffic volume by time-of-day. It then detects an unexpected increase in network traffic that exceeds a configured threshold. This is one of many anomalies for which digital policy rules exist that are detected and responded to within the Enterprise.
UC-OPS-009 Detect Pattern of Anomalies The system detects a pattern of anomalies within an anomaly history that indicates a GC-wide distributed attack.
PN-OPS-005 UC-OPS-010 Remediate External Known Vulnerability Information about a known vulnerability is received from an external source and is remediated.
UC-OPS-011 Internally Identify Vulnerability from Security Analytics A vulnerability is discovered internally through “big data” analysis of raw data. Vulnerabilities of this nature are always considered cyber security events and managed accordingly.
UC-OPS-012 Remediate Internally Identified Vulnerability The internally identified vulnerability is analyzed for possible remediation solutions. This use case functions in parallel with UC-OPS-013.
PN-OPS-006 UC-OPS-013 Cyber Security Event The system detects an anomaly that is escalated as a cyber security event (incident) for further action. A cyber security event is disclosure of a new vulnerability, intelligence that a threat actor may be planning an attack against a GC information system (e.g. Distributed Denial of Service (DDOS) attack), detection of current attack (suggested by a pattern of multiple individual events), etc.
Endpoint Security
PN-END-001 UC-END-001 Authenticate Device to Network Endpoint authenticates to the GC network
UC-END-013 Re-Key Endpoint Update user's certificate on endpoint using enterprise ICAM services.
PN-END-002 UC-END-002 Install Security Patch Security patch pushed to Endpoint
PN-END-003 UC-END-003 Wipe Endpoint – Local Endpoint Wipe performed locally on endpoint
UC-END-004 Lock Endpoint – Local Endpoint Lock Out performed locally on endpoint
UC-END-005 Wipe Endpoint – Remote Endpoint Wipe controlled remotely from enterprise
UC-END-006 Lock Endpoint – Remote Lock Endpoint – Remote
PN-END-007 UC-END-007 Download Application Software Endpoint pulls application software from an enterprise server
PN-END-008 UC-END-008 Perform Vulnerability Scan – Local Endpoint Security performs a local scan and sends the results to the GC enterprise
PN-END-009 UC-END-009 Detect Network Intrusion Attempt (Firewall) (Endpoint Security) Endpoint Firewall detects an intrusion attempt and notifies the GC enterprise
PN-END-010 UC-END-010 Authenticate User to Device User authenticates locally to the endpoint
UC-END-039 Power on Endpoint Power on sequence for an endpoint
UC-END-040 Change Local Password End user changes the local password or PIN on the endpoint
PN-END-011 UC-END-011 Authenticate User to Enterprise User authenticates to the GC enterprise prior to accessing GC resources
UC-END-012 Reset User Enterprise Password The user's enterprise password has expired (triggered by time) or been reset by OPS and must be reset the next time the user accesses the enterprise network
UC-END-014 Control Enterprise Access User access to GC enterprise resources is based on attributes of the Environment, Platform, User, and Requested Resource
PN-END-015 UC-END-015 Provision Endpoint for Initial Use Provisioning Part 3: Prepare endpoint for delivery to the user by creating a local account and issuing temporary tokens. Register endpoint and user with asset management and validate the configuration.
PN-END-018A UC-END-018A Establish VPN – Endpoint User Initiated End user initiates a secure communications channel over a VPN with the GC enterprise
PN-END-018B UC-END-018B Establish VPN – Endpoint Application Initiated End user requests an application service that establishes a secure communications channel over a VPN with the GC enterprise
TBD UC-END-021 Audit Configuration Policy Endpoint application, system and security generated events
UC-END-022 Sign and Encrypt File Endpoint signs and encrypts a file
UC-END-023 Violate Endpoint Security Policy – Download End user attempts a download in violation of security policy.
UC-END-024 Violate Endpoint Security Policy – Web Access End user attempts to access a web site in violation of security policy
UC-END-025 Initiate Multi-Domain Environment Augments the power on sequence to launch an environment capable of supporting multiple security domains on a single device (e.g., BYOD)
UC-END-026 Download File End user initiates a file download to the endpoint
UC-END-027 Switch Domains – Multi-Domain Endpoint End user navigates between security domains on a multi-domain device
UC-END-028 Move Data Between Domains - Multi-Domain Endpoint End user moves data between security domains on a multi-domain device
UC-END-029 Scan for Malware - Endpoint Initiated Endpoint performs a local malware scan and sends the results to the GC enterprise
UC-END-030 Check for Config/Software Updates - Endpoint Initiated Endpoint initiates a check for current configuration and software
UC-END-031 Sanitize and Re-Provision Endpoint Endpoint is sanitized and provisioned to a different end user
UC-END-032 Repair Endpoint Endpoint repair process including recovering data on the device prior to repair and restoring device configuration after repair
UC-END-033 Sanitize and Retire Endpoint Sanitize and retire an endpoint - non-destructive
UC-END-034 Destroy Endpoint Retire and dispose of an endpoint - Physical Destruction
UC-END-035 Perform Self-Check Endpoint performs a health check
UC-END-036 Change Endpoint Configuration within Policy End user performs an endpoint configuration change within security policy
UC-END-037 Update Endpoint Antivirus Software - Enterprise Initiated GC enterprise pushes an update to antivirus software to an endpoint.
PN-END-038 UC-END-038 First Use of Endpoint Provisioning Part 4: Initial use of the endpoint by the end user that results in replacement of one-time passwords, installation of user keys and certificates, and other personalization of the device.
Network and Communications Security
PN-NCS-001 UC-NCS-001 Interoperation of Network-Centric Client Endpoint with Network-Centric Private Cloud Service A network-centric client endpoint accesses a service in network-centric cloud network.
UC-NCS-002 Interoperation of Information-Centric Client Endpoint with Network-Centric Private Cloud Service An information-centric client endpoint accesses a service in a network-centric cloud network.
UC-NCS-003 Interoperation of Network-Centric Client Endpoint with Information-Centric Private Cloud Service A network-centric client endpoint accesses a service in an information-centric cloud network.
UC-NCS-004 Interoperation of Information-centric Client Endpoint with Information-Centric Cloud Private Service An information-centric client endpoint accesses a service in an information-centric cloud service.
UC-NCS-005 Interoperation of Network-Centric Client Endpoint with Public Cloud Service A network-centric client endpoint accesses a service in a public cloud.
UC-NCS-006 Interoperation of Information-Centric Client Endpoint with Public Cloud Service An information-centric client endpoint accesses a service in a public cloud.
UC-NCS-007 Interoperation of Public User with GC Service Citizen access to public services.
PN-NCS-002 UC-NCS-008 Endpoint Authentication and Assessment Connection of a GC endpoint to a switch or access point. Device performs IEEE 802.1X authentication and assesses the compliance status of the client endpoint. The infrastructure side of UC-END-001.
UC-NCS-009 Client Endpoint Remediation The NAC redirects a non-compliant GC endpoint to an isolated remediation network where it may be brought into compliance using OPS services.
PN-NCS-003 UC-NCS-010 Cross-Domain Transfer (Network-Centric) Transfer of information between different domains via a Cross-Domain Solution (CDS).
PN-NCS-004 UC-NCS-XXX End-to-End Call Setup Setup of an end-to-end voice or video call. Correspondents belong to different SIP domains. Call to a UC conference server can be an alternate flow.
UC-NCS-XXX Presence / IM Presence and Instant Messaging. Availability to participate in other types of UC can be an alternate flow.
UC-NCS-XXX External Call Setup Setup of a voice call to a non-GC recipient via an external SIP trunking provider.
PN-NCS-005 UC-NCS-XXX Software Defined Network (SDN) Configuration Use of SDN and OpenFlow in conjunction with virtualized (NFV) and non-virtualized network devices.
UC-NCS-XXX Consolidated Network Management Unified cross-domain network management in a CSfC architecture.
PN-NCS-006 UC-NCS-XXX Device Mobility Mobile IP / MOBIKE
UC-NCS-XXX Network Mobility NEMO
Applications Security
PN-APP-001 UC-APP-001 Information Access Application Login A user logged into a desktop computer seamlessly logs in to an enterprise information access application.
UC-APP-002 Application Authorization Decision An enterprise application consults a centralized authorization service to determine whether a requested action is permitted.
PN-APP-002 UC-APP-003 Discovery of a service with specified characteristics A service discovers another service with specified characteristics prior to making a synchronous request to that service.
PN-APP-003 UC-APP-004 Orchestrated business process A centralized orchestrator coordinates synchronous requests to services to implement automated business processes.
UC-APP-005 Choreographed business process Services use an asynchronous event-driven model to implement automated business processes without the need for a centralized orchestrator.
PN-APP-004 UC-APP-006 Call setup with out-of-band strong authentication A voice and/or video call is established between two entities authenticated using an out-of-band technique.
UC-APP-007 Call setup with in-band strong authentication A voice and/or video call is established between two entities authenticated using an in-band technique.
Data Security
PN-DAT-003 UC-DAT-003 Create Protected Data Object Shows the creation of a protected data object.
UC-DAT-004 Access Protected Data Object Shows the interaction between the END and DAT::IRM to allow access to a protected data object and the provenance update after access.
UC-DAT-005 Modify Protected Data Object Shows the interaction between the END and DAT::IRM to allow access and modification of a protected data object.
PN-DAT-YYY UC-DAT-XXX Access and use protected 3rd party digital content Two options: 1) User launches a software package with via shared license server; or 2) User streams protected content via video
PN-DAT-YYY UC-DAT-XXX Create semantic rule set Shows the steps required to create and test a semantic rule set prior to deployment. The semantics are used by devices in the enterprise to interpret the security policy bound to each data object.
PN-DAT-YYY UC-DAT-XXX Create data usage policy Shows creation if a data usage policy.
PN-DAT-YYY UC-DAT-XXX Update usage policy After a data object has been in use and may have left the GC Enterprise, the usage policy is updated. Examples include revoked access, changes in content classification, and changes in the allowed operations.
PN-DAT-001 UC-DAT-001 Monitor file activity Shows the interactions with ICA, and OPS to support file activity monitoring (FAM).
UC-DAT-XXX Monitor database activity Shows the interactions with ICA and OPS to support database activity monitoring (DAM).
UC-DAT-XXX Monitor cloud activity Shows the interactions with ICA and OPS to support cloud activity monitoring (CAM).
PN-DAT-YYY UC-DAT-XXX Prevent Data Loss - Database DLP Shows the interactions with CSS required to discover and protect sensitive content
PN-DAT-YYY UC-DAT-XXX Prevent Data Loss - Storage DLP Shows the interactions with CSS required to discover and protect sensitive content
PN-END-YYY UC-END-XXX Prevent Data Loss - Endpoint DLP Highlight operation of DLP functions on client and server endpoints.
PN-OPS-YYY UC-OPS-XXX Manage DLP Describe the collection of data for an enterprise DLP solution
PN-ICA-YYY UC-ICA-XXX Manage IRM Keys Shows the interactions between ICA, Encryption Services, and IRM to manage keys for encrypting data objects
Computer and Storage Services Security
PN-CSS-001 PN-CSS
PN-CSS-002
PN-CSS-003
PN-CSS-004
PN-CSS-005
Identity, Credential, and Access Management

References

ITSG-33 - IT Security Risk Management: A Lifecycle Approach

GC ESA Description Document Main Body

GC ESA Description Document Annex A - End User Device Security

GC ESA Description Document Annex B - Data Security

GC ESA Description Document Annex C - Network and Communications Security

GC ESA Description Document Annex D - Security Operations (OPS)

GC ESA Description Document Annex E - Application Security (APP)

GC ESA Description Document Annex F - Compute and Storage Services Security (CSS)