Organizations are increasingly concerned that historical industry best practices are being stressed by the acceleration of new malware and Advanced Persistent Threats (APTs). Attackers are laser-focused on blended and multi-pronged exploits that steal data or wreak havoc. The insider threat has primarily morphed into phishing attacks, which then leverage multiple internal security flaws and vulnerabilities to traverse the network and exfiltrate data or intellectual property undetected.
At the same time, the attack surface is broad since security is horizontal: it covers all business functions and processes across the whole IT and building infrastructure. Chances are that when the infrastructure was originally deployed it was secure, clean, and well organized. But as weeks, months, and even years pass, tactical changes in technology and the IT environment have probably occurred, weakening the security posture and opening it up to attack.
The result is that security infrastructure becomes much more complex and fragmented, making it harder to protect. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. The bad guys continually evolve and innovate. All potential threat vectors need to be examined and addressed. Without a proactive but practical security strategy and processes in place, the system will inevitably become vulnerable and fail.
Evolving From Business Barrier to Enabler
How do organizations cut through the hype, filter the noise of fear, uncertainty, and doubt (FUD), and deal with real and present threats? How do organizations develop an affordable and practical security posture that supports the business based upon available budget and resources, and enables it to grow competitively while managing risk and protecting critical assets? How do organizations develop a continuous cycle to consolidate, integrate, and organize mission-critical infrastructure into a sustainable core while still allowing some healthy chaos and innovation on the edge?
The secret to success in security is typically simplicity: a well-designed and organized infrastructure that provides the appropriate layer of controls while giving users a consistent ‘policy managed’ experience regardless of location, transport, or device. The challenge is in achieving that goal.
Security done right is a business enabler that dramatically reduces total cost of ownership (TCO), providing a tangible Return on Security Investment (ROSI). Replacing IT complexity and fragmentation with an adaptive, modular, and flexible architecture enables agility and improves your competitive edge, so the business can refocus quickly as new opportunities emerge.
Security is a process, not just a product or technology issue.
Back to Basics
The primary purpose of creating a security architecture is to ensure that business strategy and IT security are aligned. As such, the security architecture allows traceability from the business strategy down to the underlying technology. However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes, which over time risk diverging into complexity and fragmentation with unresolved security exceptions. Complexity leads not only to insecurity and an increasing potential for human error but also to increased cost of operations.
A security architecture is a design document describing the security components that will protect the enterprise, and the ways they relate and interact with each other. It represents a strategic planning horizon and guide that defines the desired state of an organization’s infrastructure. The architecture sets the context for planning, design, and implementation. It enables a company to evolve and to become agile, multi-functional, and competitive, allowing the seamless adoption of new capabilities and applications into a common infrastructure. Security architecture also facilitates budgeting for security solutions and personnel.
In summary, the security architecture provides:
- A way to evaluate applicability of new technologies, products, and services
- A framework for technology decision-making
- A macro view of IT systems and components, from the security perspective
- A statement of direction for IT
- A way to reduce and manage risk in the most cost-effective manner
- A way to facilitate compatibility and easier administration of systems
- A blueprint for future network growth
- A way to create and document consensus
- A methodology to force consideration of all design factors
- A guide for the creation of an enabling infrastructure for unforeseen new applications
Adaptive Security Architecture Lifecycle
The security architecture is used as a baseline for consensus and direction, but it needs to be active and capable of being updated. This update process allows the security architecture to adapt to support the needs of the business. It evolves and sets future objectives. System technology and users, data and information in the systems, risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat. Creating an adaptive modular architecture leads to agility and flexibility as the organization grows.
At the same time, using the architecture to develop an annual plan sets the stage for the projects that need to occur that year, and the improvements begin to converge towards and track with the architecture. Finally, with proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, not only does the security architecture drive the IT and network infrastructure direction, but it also enables the illustration of tangible results, winning continued support for the program.
Infosecurity Europe Tie-in
I am very excited about the Infosecurity Europe 2014 conference sessions given the theme of ‘Security as a Business Enabler’. I think that the theme is incredibly important given the challenges that organizations face today with increasingly sophisticated targeted threats. The resulting fear, uncertainty, and doubt (FUD) can polarize businesses into inaction when it is a call to action. There are many practical steps that a business can leverage and benefit from. I coined the theme of ‘Security as a Business Enabler’ over 10 years ago in my work, and this blog is testimony to how security can have a dramatic effect in helping our businesses become agile and compete. Check it out: http://nigesecurityguy.wordpress.com/.