Zero Trust Cybersecurity (ZTC) is emerging as the preferred security model for business and government and is now a critical national infrastructure mandate for US Government Agencies. ZTC differs significantly from the trust-model of traditional perimeter-focused security, requiring instead real time validation of access based on policy which dynamically adjusts to the cyber environment. The implementation of ZTC is a complex undertaking involving situational awareness of the cybersecurity state relating to identity, device, application, infrastructure, network, and data. This goes beyond the traditional triad of confidentiality, integrity and availability into attributes such as timeliness of authentication, assurance of device health as well as microdomain zoning and dynamic policy.

As organisations begin to implement zero trust in their infrastructure, there is a need to be able to measure the effectiveness of the infrastructure from a zero trust perspective. This requires measurements of both control performance and process maturity in order to effectively manage risk. In this presentation, we describe a model for measuring the performance of a critical infrastructure zero trust implementation using SABSA developed as part of a post-graduate research initiative on Zero Trust maturity.

One of the pillars of a well-functioning information security program is effective governance. Good governance tends to go unnoticed. Bad or ineffective governance however, becomes very apparent when “things go wrong”. What is good governance? How do you know if you have it or not? What is the value of having good governance and the penalty for not having it? These tend not to be the burning questions within the organization until bad things happen, and the inevitable question gets asked—how could this happen? I thought we had a policy for that. More difficult questions could follow from the Board. Governance is one of the main drivers and foundations in many if not most security architectures or frameworks. What is it and how do you get it? How do you know if it is good or not? Having defined security policies are not enough.

We will define what information security governance is and how it applies to all levels, from overall corporate governance and oversight through to the security program that is implemented and operationalized. We will define the “value of effective governance” and the evidence of ineffective or non-existent governance. We will have a look at what the standards such as ISO, NIST, the ISF, CIS CSC and several others have to say about the need for effective risk management and governance.

How do we build an effective information security governance model and get the right people making the right decisions, with the right accountability, at the right time to continually manage risk to the acceptable level, even when “things go wrong”? We will outline the top 10 things to consider and the critical success factors that will show you governance is working. Good governance provides effective management of business risk and is much, much more than just having good technology and policies.

My proposed topic is at this stage loosely looking at the application of the SABSA Architecture for Cryptographic Key Management for Cloud, Cloud-adjacent & On-prem alternatives – supported by some case studies.

It will also discuss ways to align to new Cryptographic protocols coming out of NIST to position companies for the quantum computing algorithms.

The value proposition for this topic will be that it covers 3 scenarios that could apply from large enterprises, to smaller enterprises – whether they are still utilising on-premise compute, or Cloud, or Cloud-adjacent models.

The uniqueness of this presentation is that hopefully the Cloud-adjacent model has not been previously presented at COSAC – so this would be a point of differentiation for the audience.

In terms of timeliness, with ever increasing demands for data protection, and businesses considering alternatives to the big Cloud providers, hopefully this will give the audience timely and relevant information for other cryptographic capabilities.

In terms of approach, the presentation content and style will be tailored to the expectations of the COSAC audience, as per previous presentations in 2017 (in Melbourne) & 2018 (in Sydney).

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the method of the Chaos Monkey.

What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?

Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?

Do our countermeasures create opportunities?

Can we truly understand how the adversaries’ objectives may be different from our perspective?

How do we adapt to rapid changes in our understanding due to observed or experienced events?

The session will start by exploring what was accomplished in the 2022 Threat Modeling session at 2022 COSAC. We then will address what we know and what processes exist to help us unfold this difficult topic. We will then move into a group discussion where we will explore how we can leverage each other’s perspectives and ideas.

As SABSA architects we often focus on how to successfully engage with enterprise/organisation leadership about security programs to address enterprise/organisational challenges and the successfully delivery of security solutions/programs to meet those challenges.

These situations are focused more on the internal operation of the enterprise; but, what about the situation where security solution need to be proposed and delivered into another organisation as part of a larger business activity or capability delivery program?

Requesting Manager to You: “You are the security proposal lead for this major tender. The security part of the proposal is big factor in us winning (or losing) this business!”

You, the Security Architect Lead (thinking): “OK, so what do I need to do now?!”

The production of an effective security proposal that is an integrated part of a larger business proposal / tender response is a difficult activity that involves more than just formulating a proposed technical solution. It must meet many conflict needs (effective, bounded, compelling, minimum cost, etc). At the same time, the proposal will be the starting point for defining the potential future security program, if the tender is successful. Good choices made early make all the difference.

This session will discuss the challenges, experiences and lessons learnt from supporting security contribution to major business proposal or tender response activities.

Accident and fault management has been topic of high importance for many years. Understanding when even so small parts of a system are malfunctioning and what major or even catastrophic faults or accidents they might cause is of enormous importance in safety-relevant systems. Modelling techniques like STPA/STAMP or Bow-ties allow to explode a system into its smaller parts and construct hierarchies of controls, which can then be tested for their operating effectiveness that inform the causation or non-causation of a main event. This then allows for either improvement of controls (moving towards risk avoidance) or at least understanding of the implications and the risk (or residual risk).

This talk explores on how these modelling techniques should be applied to cyber risk, allowing to create more meaningful Key Risk Indicators and Cyber Risk Reports than are generally used in the industry and how to allow dynamic adjustment and re-calculation of the Risk position based on exposures found throughout daily security analysis work. It also explores how to codify such exposure hierarchies and speed up the provisioning of meaningful risk reports.

Since a means of expressing the security concepts in standard Enterprise Architecture modelling notation was first proposed at COSAC 2018, a great deal of progress has been made: a Working Group has developed, enriched and extended the original White Paper with the collective wisdom and experience of SABSA practitioners, the Security Overlay has been defined as a schema and the approach has been made accessible through webinars, presentations and this year, as a SABSA Training course with basic tool support.

While COSAC 2018-21 has traced the emergence of security modelling as an technique, its early-stage technical readiness meant that conference sessions were limited to discussion of concepts, ideas, possibilities and envisioned benefits based on small scale, proof of concept ‘laboratory models’.

This year for the first time, we expect to be able to present feedback from the application of this technique at scale in real-world case studies with an honest appraisal of where modelling delivered technical & business benefit, scenarios that were challenging or thought-provoking and where the technique might be headed in light of this experience.

At the time of CfP, the contracts for this work are just being signed with projects set for completion in the summer – so fresh content to be unveiled for the first time at COSAC. In addition to presenting the projects from the security architect’s perspective, we hope to be joined via video-link by a client representative who can present, and answer questions, from the customer viewpoint.

The value to the conference will not only be an awareness of an emerging technology but to stimulate a better understanding of what is increasingly possible, based on what is already being achieved.

It is a fundamental dilemma faced by all strategists: how to run strategy into reality?

Enterprise Architecture takes a long time to define and rarely starts from a green field site. Ordering I.T. to postpone all initiatives until the strategy is fully developed is a seriously career-limiting, if not life-threatening, move. Business innovation cannot stop, developments and improvements cannot be shelved or hang around waiting on Architects in their perceived ivory tower to complete their idealist thinking.

The Architecture may be brilliant work but what if we have an incident tomorrow, are we any safer while the Architect is doing their ‘thing’, can we demonstrate any value from a strategic initiative that isn’t yet deployed?

In practice, the Architect’s scope is rarely all of Enterprise in a single bite, but if we can’t start at the all-of-Enterprise end, where is the beginning? We must deliver something before we deliver everything. How do we scope an Architectural project or an RFP in practical reality?

By definition any starting point below all of Enterprise is not Enterprise, it is only one particular viewpoint or aspect of Enterprise: being Business-driven and looking downward we see multiple dependencies and relationships, many contributing “means to an end”, but looking upward from any non-Enterprise viewpoint as see an exclusive relationship – a single “means to an end”. This creates a tunnel vision that risks the creation of the very isolated silos we set out to remove. So, even if we can identify a starting point, how do we ensure that it is Architecturally consistent, holistic, and integrated with all the other aspects and viewpoints of our complex Enterprise that are currently out of scope?

Join us in this session to explore SABSA Architecture realisation techniques to help us overcome our eternal dilemmas.

Cyber security risk is one of the top non-financial risks for organisations. It can be present in almost any part of digital operations. The nature of the risk is both complex and broad due to the complexity of the attacks and evolving capabilities of the attackers. More often than not, risk assessments rely on static artefacts, unilaterally focus on controls and rely heavily on the biases of the person who is conducting the assessment.

This presentation will focus on how to instil a degree of pragmatism in the identification and evaluation of cyber security risk. Using real-life case studies, we will highlight how the development of plausible threat scenarios for the critical products and services, based on a threat modelling methodology, may be operationalised to embed an accurate reflection of the threat landscape in the risk evaluation and thus validate the relevance of the relationship between risk events and key controls. Utilising threat scenarios as the conduit between risks and controls helps to identify actionable insights, simplify remediations actions and improve the risk position of the organisation.

This unique discussion will address the structural limits of artificial intelligence such as machine learning in comparison to human intelligence. We will also consider the dangers posed by overestimating these systems and the responsibilities of professionals and organizations to manage expectations for their performance and monitor their function.

This session is timely because of the accelerating use of AI systems to determine everything from who to employ to how to treat diseases. While these systems’ decisions have increasingly impactful consequences, scrutiny of their structure and inputs has lagged behind. AI processes are unintelligible to the average IT practitioner or citizen, so it is increasingly important that those with the background and experience to understand its hazards prevent misconceptions, correct misinformation, and ensure responsible use.

The approach will be to outline the current state and direction of artificial intelligence systems in comparison to their fleshy counterparts, suggest actions that individuals and groups can take to mitigate the risks that their operation and perceptions of their operation can pose, and open the floor for discussion of these topics.

The value of this session is in presenting a scientific comparison of the differences between artificial and human intelligence and using that comparison to determine risk and suggest next steps.

In 2020, my then CISO tasked me with charting “the” Identity and Access Management Risk for the organisation.

That triggered me to not only list the standard risks, such as credential theft, but also the risks when dealing with 3rd parties: Sales agents downstream, and suppliers upstream, regulators, authorities…

Result: Sales Agent and Vendor Risk Management Assessments with (less) obvious risk. For example: if you have shared account (SABSA Trust Relation) with a printing company for your posters, how easy is it to get a picture of the CISO in a vampire suit onto a billboard in the street?

You can use SABSA to map that trust relations with the outside world, and then use threat modelling to list scenarios once the authentication has taken place, and classify risks as reputational, financial, availability risks. We present an easy to use table.

Further attention for IAM related issues such as key management on non-owned IAM systems, managing non-federated IAM with associated organisations.

This matters to Security Architecture, because these Trust Relations with vendors and agents are the foundation of the organisation’s business.

Despite huge investments cyber security continues to hit the headlines for all the wrong reasons. Each year brings new technologies that will, apparently, save us all. Away from the bright lights you’ll hear it is all about people: you need to increase awareness and adopt the right culture. If that doesn’t work there’s always AI, that’ll save us.

We sit in our ivory towers developing our architectures and programmes, assuming that ours is the one true way. But big data and the scientific method are failing us. Beyond the biases we’ve all heard about our data sets are often collected and applied across widely differing cultures. Those we look towards to steer us through the storm stick to the familiar, fearing or discounting the foreign.

We need to step back from the bird’s-eye view that encompasses so much, but at the cost of local context. What does the worm’s-eye view from the ground show us? Those strange people that don’t align to our expectations, that don’t behave correctly; they’re not irrational or uneducated, they just have different perspectives, different drivers, and maybe goals we’ve overlooked. We know what they’re doing, or not, but do we really understand why? We also need to look critically at ourselves: does our normal and familiar look weird and alien from the outside in?

As global recessions and pandemics hit, business leaders and politicians are looking to anthropologists to help them understand why people are behaving the way they are in the present and prepare for the future. Together we’ll discuss some examples, some parallels, and invite insights into cyber folklore and customs. By understanding behaviours better, we may be better able to influence them.

I had a brilliant 2019 having embarked on a spiritual pilgrimage walking the Camino in Spain and my intellectual pilgrimage to Ireland but like many of us my follow up experience in 2020 was less than ideal and I came out of that year needing to take stock of my general health and wellbeing.

It is a shared observation of my colleagues, that as we approach retirement, we look back at the last years of our careers to realise too late that we have worked harder, worked longer hours, taken less time for ourselves, managed very stressful jobs and feel like we are about to collapse, exhausted, over the finish line at the end of a marathon.

We have, to a certain extent, let ourselves go and we are no longer the fit young 30 somethings we used to be as we enter the next phase of our lives. Not the greatest when we now have the time to engage and enjoy the good things in life.

In this vein, and following 2020, I sort of undertook a personal health and wellbeing journey in 2021 with the aim of being “Retirement Fit”. I took a haphazard approach and by the end of the year I realised three things:

Firstly, this is not a one-year project – it is going to be an ongoing iterative process.

Secondly, a structured approach to this project (health and wellbeing) should deliver better and more consistent results; and

Thirdly, many of my younger colleagues (those thirty and forty somethings) who are falling into the ‘Working Harder, Working Longer, and Not Looking after themselves’ category might be able to benefit from this structured approach.

So, heading into 2022 I have applied SABSA to my health and wellbeing project to see if that will deliver long term sustainable outcomes and

This presentation uses SABSA as framework for health and well-being and presents the fundamentals of SABSA in a non-security and non-IT context.

What is an organization to do? You’re expected to master managing your cybersecurity risks, but the threats are constantly changing, and there are differing ideas of exactly what mastery means and requires. However, mastery isn’t enough. You need to be able to demonstrate your mastery to anyone who needs to know and in a way everyone, including business partners and regulators, can understand and accept. All within budget and available resources. How can you adapt your approach to satisfy all the demands and expectations?

The good news is that there many frameworks and standards to help you master your domain. This is also bad news, because there are many common (or not so common) standards and frameworks that influence how you organize your cybersecurity program. You already may have defined cybersecurity requirements and perhaps an organizing framework that is specific to your industry, required by regulation or aligned to your technical choices. However, all frameworks are not equivalent, nor are they intended to solve identical problems. You may be important gaps to fill in or conflicts to deal with. How do you navigate through this multiverse of choices for the framework that aligns to your cybersecurity requirements?

After establishing a common taxonomy, we will examine and categorize various approaches to cybersecurity frameworks using examples to illustrate the considerations. We will outline some the issues and challenges involved in defining or using cybersecurity frameworks to organize and manage your cybersecurity risk. We will discuss essential principles for establishing an effective framework foundation and outline a risk-based approach for effective management of your cybersecurity risk. We will review and discuss critical success factors for an effective cybersecurity framework. Have you leveraged a framework in your own organization and have some insight to share? Maybe together we can put frameworks to better use.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC. Now, returning to APAC, is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

-Electronic submission: Send email to the rump session chair David Lynas at [email protected]

-Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 1st March.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.