As organizations claw their way back from the global pandemic, every penny has to be justified. But the threat of a cyberattack is too important to ignore. Implementing an integrated security architecture can help your infosec team consolidate functions and support its budget.
Security architecture can be seen as a black art. It is often poorly understood – even by security practitioners. But, if used properly, it can help to create consistency, standardization and strong return on investment.
After a transformational year, the need for an overarching security architecture or “cybersecurity mesh” is being felt across industries. Organizations are struggling to ensure regulatory compliance and maintain strong security postures across distributed workforces. On top of this comes a renewed drive for digital transformation and an appetite for new technologies and innovations that can build future success.
Security architecture can offer many benefits to a business if it’s planned and deployed correctly. It can help you consolidate your security strategy to ensure regulatory compliance and harden your posture to reduce your potential attack surface. Bringing structure to a complex mix of information and systems is a major challenge, but the potential rewards make it a worthwhile endeavor.
Building a Security Architecture on Uneven Ground
Security architecture can appear nebulous, but it should always result in an outcome that is pragmatic, effective and secure. The core components of a security architecture define a consistent set of building blocks that can be applied across an organization’s systems, whatever they may be. It does this by providing shared and common security services like identity and access mechanisms; standard controls, such as network segmentation; and reusable templates, such as standard desktop builds. Consistently applying such an architecture ensures a consistent level of security.
As industrial digitization, driven by the internet of things, takes hold, concepts such as zero trust, cybersecurity mesh and microsegmentation will compete and vie for supremacy against the security architecture. (Zero trust just received a nod in the Biden administration’s most recent cybersecurity executive order.) Yet the ultimate goal of an appropriate level of security remains consistent, and the tried and tested components of the architecture will merge with the newcomers in a natural evolution.
Creating a Cybersecurity Mesh
With so many moving parts in play and many hardware and software assets beyond the traditional security perimeter, a modern distributed architectural approach or cybersecurity mesh provides an elegant strategy. Deploy security where it’s needed. Extend protection around a person or asset, whether it’s a remote worker, a new cloud service or a third-party team.
when I was an academic, the way I thought privacy should be solved is through some novel privacy/security architecture.
in industry, I thought it was better access control and visibility.
10 years in, I've decided what's really missing is giving data choice back to consumers.
— shh (@worldwise001) May 31, 2021
A modular system that’s highly responsive allows you to move faster and at scale without bending policies or losing protections. Define and model the security approaches you want to see throughout your organization and work to reduce friction so they can be extended immediately when required. With a core set of principles embodied in a library of security services and controls, you can reuse designs and configurations and draw from an approved list of hardware and software.
A consistent security architecture can also be helpful in meeting regulatory compliance and fulfilling diverse obligations from multiple sources, minimizing point solutions and reducing costs and overhead. While some obligations are control specific, such as PCI DSS, many others are deliberately conceptual and principle-based (such as GDPR). As such, they are highly compatible with a principle-led architecture.
The market for security products is fragmented and peppered with point solutions that might do one thing very well but still leave holes in security defenses. By asking where that product fits into the security architecture, it is possible to provide a more holistic solution and avoid wasting money. By taking an architectural lens to the security system portfolio, it is also possible to identify duplications and overlaps within product sets and to develop a simplified and more cost-effective alternative.
Making a Start
Some security architectures evolve naturally over time, but commercial frameworks, such as TOGAF, SABSA or Zachman can offer a shortcut and help with the tricky task of aligning the security architecture with a wider enterprise system. Even a small step toward a security architecture can offer benefits and serve as a foundation for applying stronger security principles. Strive to make things secure by design and by default. Look at ways of restricting access and privilege, adding depth with multiple layers of protection and safeguarding data when systems fail.
Organizations are dynamic, complex things, merging, acquiring and changing direction. Regulatory requirements ebb and flow, often competing with each other. Malicious attacks become business as usual. A good security architecture helps to make sense of uncertainty and to navigate through complexity. If it succeeds in that aspect, then it will become a self-sustaining strategy. If it fails, then it will become shelf-ware.
Coordination of Efforts
Finding ways to reduce costs and enable business growth is crucial, so security architecture must be closely aligned with business priorities. Every element should have a clear, well-defined business objective attached. Enabling greater coordination across teams and projects with open and transparent discussion is crucial and highly beneficial to strengthen the overall security architecture.
While security architecture can look very different from organization to organization, centralization and effective coordination is the key to its success. It’s an elegant way to get the most from your resources and to securely support your business going forward.