When selecting security tools and solutions for your company or organization, it’s important to have a plan to follow. This also goes for the security architecture involved.
This article covers security architecture in two parts. The first part looks into the technical side of a security architecture, and the second part focuses on the business value of a security architecture. I would like to begin with some arguments as to why having a security architecture will provide you with additional benefits in your cyber security defenses.
Why Security Architecture?
Having an architecture on which you base the defenses for a company will help you integrate the various defenses into a stronger overall defense. Many of the customers I consult for have a sprawl of different cyber security tools in their infrastructure. Most of them have looked at the price point whenever they have chosen a tool to implement. There is nothing inherently wrong with doing that, but it leads to a more complex set of defenses with little or no integration between the tools. Bear in mind that no vendor can do all the security in any infrastructure, so there will always be more than one vendor providing a company or organization with cyber security tools. That is just the way of things!
Having an effective security architecture requires you to decide on the level of security you will need for your company or organization. Doing that requires that the business becomes involved in the decision making on an appropriate security architecture. More on that later in this article. How do you decide what is appropriate? My personal favorite for such a process is to look at any regulations or compliance requirements that a company must live up to, or has chosen to align with, like ISO 2700x. In the absence of that, I look at the strategy of the company. Either of these will offer you a core of requirements that you can use as the basis for the design of a security architecture. A security architecture must provide the basis for the security needs right now, as well as for developing needs as the threat landscape changes. Remember, a security architecture serves as the foundation for all the various cyber security needs that your company or organization has!
What do you get?
With a well-designed security architecture, you get a foundation on which you can build your defenses. In addition to this, you will get a core set of technologies that your IT staff is well versed in administering and maintaining. In cases where there is an extremely heterogeneous infrastructure, it is often the case that a specific tool has only a single individual who is well versed in its administration. This is a high-risk situation for any company, since the consequences can be extremely severe if that individual leaves the company!
A security architecture that is built on only a few vendors will provide you with staff who are comfortable moving between the various vendors, and thus give you resiliency in cases where staff leave for another job. That is something that happens often, especially among skilled cyber security staff! Although skilled staff are important to any cyber security effort, among the most important points I can make here is the integration between the cyber security tools. When choosing vendors for your security architecture, make sure that these vendors are able to talk to, or integrate with, other tools. This absolutely must be a core requirement when choosing vendors, otherwise you will slowly be painting yourself into a corner once again.
Who you should choose as the primary vendors for your security architecture will depend on the concrete needs of the organization, as well as the strategy that your organization has put forward for the coming years. Any security architecture that you put in place will have to be flexible to accommodate the changes, which will undoubtedly increase in speed and complexity in the coming years.
How to get it?
Make no mistake here! The requirements I listed above for an effective cyber security architecture are a tall order for anybody to implement, let alone get buy-in and budget from the organization to put in place. I have some advice below. The points are listed in no particular order, and there are many, many more that must be considered in a real project, but to keep this article at a reasonable length, I have listed just a few.
- What are the cyber security NEEDS?
  - Needs, here, is a small word for a big thing, but without insight into the actual needs, we will be unable to design a security architecture. In my previous article I harped on at length about security assessments. Such an assessment will be a good starting point here, in order to get a feel for the level of maturity your organization is at before beginning a security architecture project.
- What do we have already?
  - A security architecture project does not mean that we rip everything out to replace it with something new. Every organization will already have something that it can build on and enhance.
- Where do we want to be?
  - This question should be considered after having come up with the absolute basic needs for the security of the organization. The basic needs will rarely, if ever, cover the level that an organization sets for itself and its customers. The strategy for the organization comes into play here, as the right place will depend on the strategy the organization has set for the coming years.
If you have experience with these kinds of things, then you are fully aware that there is an almost incalculable number of smaller side projects and issues that a security architecture will have to deal with as part of the main project. If you are starting from scratch on an architecture project and do not know where to start, then the business is not a bad place to begin.
The business decides on the level of cyber security needs it has. Remember that. As security people, we can advise and coach the business in cyber security, but in the end, it is the business that makes the final decision! So, developing a security architecture is not the job of IT alone. When engaging with the business, it is important to speak a language that the business understands, so make sure to communicate in risks and benefits. If you can document that a formal security architecture will provide the business with overall savings, then talking with the businesspeople will be a much more pleasant experience.
The business will provide you with the insight you need on the business strategy as well as the level of risk that the business is willing to live with. Both of those will be core contributions to the design of the security architecture. A very positive side effect of this is that, if cyber security engages with the business, we will be taken much more seriously by the business! And if we are taken more seriously, we will be able to provide our organizations with much better security. A win-win as I see it.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.