Which of the following are true statements about the benefits of standardizing on a common
security framework?
A. Security requirements no longer need to be specified for each individual application; the
framework will automatically determine what security needs to be applied.
B. A common set of security services and information can be used across the organization,
promoting infrastructure reuse and minimizing inconsistencies.
C. Secure application integration is made easier via standardization on a preferred subset of
technologies and options.
D. Administration and auditing are improved due to rationalization and standardization of identities,
attributes, roles, policies, and so on.
E. Interoperability and federation are easier to achieve via the adoption of common security and
technology standards.
Explanation:
In order to provide security in a consistent manner, a common set of infrastructure,
e.g. a security framework, must be used. The purpose of this framework is to
rationalize security across the enterprise by:
* Establishing a master set of security data that reflect the policies, IT resources,
participants and their attributes across the entire domain of security
* Mapping organizational structures, computing resources, and users to roles in a
way that clearly depicts access privileges for the organization
* Maintaining fine-grained access rules based on roles that have been established for
the organization
* Propagating the master security data to individual applications and systems that
enforce security (A)
* Detecting changes to security data residing on systems that have not been
propagated from the master source of record, and sending alerts regarding these
inconsistencies
* Providing common security services, such as authentication, authorization,
credential mapping, auditing, etc. that solutions can leverage going forward in
place of custom-developed and proprietary functions (B)
* Facilitating interoperability between systems and trust between security domains
by acting as a trusted authority and brokering credentials as needed (E)
* Centrally managing security policies for SOA Service interactions
The security framework should provide these types of capabilities as a value-add to
the existing infrastructure. The intent is not to discard the capabilities built into
current applications, but rather to provide a common foundation that enhances
security across the enterprise. Security enforcement can still be performed locally, but
security data should be modeled and managed holistically.
Incorrect:
C: Not a main goal.
D: Ease of administration and auditing is not a main goal here.
Reference: Oracle Reference Architecture, Security, Release 3.1, 4.1.1 Purpose of a Security
Framework