Everything you always wanted to know about security architectures (but were afraid to ask)

security architecture

“Ransomware has become a big business for cyber criminals, who are refining their tactics, lowering the barriers to entry for as little as a $40 subscription and little technological knowledge. The commercialization of cybercrime makes it easier to exploit vulnerabilities on a massive scale. We will see more attacks against technology supply chains and critical infrastructure,” explained Scott Sayce, global Head of Cyber at AGCS, earlier this year.

His comment came as Allianz Group released its 2022 Allianz Risk Barometer, an annual survey that outlines the most worrying business risks for the upcoming year and beyond, based on the views of some 2,600 risk management experts from all corners of the globe. For the second time in the survey’s 11-year history, cyber incidents dominated the list at 44%, with business interruption clocking in at second and natural catastrophes at third place.

These findings do nothing but underline the growing need for robust cybersecurity architectures to protect organizations’ data assets against corruption and loss. In this article, we’ll explore how a well-designed security architecture can help highlight potential vulnerabilities and security blind spots as well as what security controls to add or tweak for maximum protection in the face of insider and outside threats.

What is a security architecture?

According to NIST, short for the National Institute of Standards and Technology at the US Department of Commerce, a security architecture is “a set of physical and logical security-relevant representations (i.e., views) of system architecture that conveys information about how the system is partitioned into security domains and makes use of security-relevant elements to enforce security policies within and between security domains based on how data and information must be protected.”

Cybersecurity architectures, including network security architectures and cloud security architectures, cover the security domains, the placement of security-relevant elements within those domains, the interconnections and trust relationships between those elements, and the way the elements behave and interact with one another.

To put it in simpler terms, the security architecture is a pillar of the enterprise IT architecture that describes the structure and behavior of an organization’s security processes, information security systems and staff in accordance with its mission and strategic plans. An effective security architecture translates business needs and priorities into actionable security controls.

Who’s in charge of cybersecurity architecture?

Is cybersecurity something your IT department should be worried about? Yes and no.

Granted, it’s usually a cybersecurity architect’s job to assess their organization’s attack surface and keep it as small as possible. They do so by running penetration tests, vulnerability scans, risk analyses, ethical hacks, and security awareness programs. They also oversee the security and efficiency of local area networks, wide area networks, and virtual private networks as well as monitor the installation of servers, routers, and firewalls.

But the buck doesn’t stop there.

According to Cisco’s Kevin Parra, the speed of innovation is providing more and more venues for information access that create unintended vulnerabilities for the human element of the network, emanating from people’s negligence, carelessness, and curiosity. This is why it’s key to foster a company culture where employees understand that everyone, rather than a single person or function, is responsible for the privacy and integrity of corporate data assets.

Security architecture and design: the key steps explained

Building a security architecture typically involves four phases.

Step one is risk assessment, where you systematically identify potential cyber threats and security gaps across your IT operations and resources as well as gauge the damage they could cause to your critical infrastructure, business operations, reputation, and stakeholders.

During the security architecture design phase, a set of security measures is developed to minimize the risk exposure uncovered and documented in the previous step. The architecture should be flexible enough to provide security coverage against ever-changing cybercrime tactics.

The implementation phase is next, in which the outcomes of the first two steps are translated into action: security services, including policies and procedures, are set up, run and monitored, along with appropriate assurance workflows.

The last step, operations and monitoring, is more of an ongoing task, covering the day-to-day activities related to threat and vulnerability management as well as the continuous assessment of the performance and efficiency of the deployed security architecture.

Security architecture frameworks: a brief introduction

As we’ve previously established, your security architecture should lay down how security processes, systems and personnel should work together in meeting your organization’s cybersecurity goals. Whatever your objectives, there are several information security governance frameworks to accommodate them, on their own or combined, with the most widely used being SABSA, COBIT and TOGAF.

Short for Sherwood Applied Business Security Architecture, SABSA is a business-driven security framework that consists of six layers, five horizontals and one vertical, offering a holistic approach to enterprise security. It’s been around since the 1990s and has become the “approach of choice” for entities in the banking, homeless management, nuclear power, information services, communications technology, manufacturing, and public sectors.

Developed by ISACA, a global professional association for IT governance, COBIT focuses on the process side of security. It can be deployed in any industry to align business and IT goals and plays well with other IT management frameworks such as ITIL, CMMI, and TOGAF, which makes it a great umbrella framework to streamline processes across the entire organization, points out CIO’s Sarah K. White. In the US, it’s often used to ensure compliance with the Sarbanes-Oxley Act.

Used by 80% of Global 50 companies and 60% of Fortune 500 companies, The Open Group Architecture Framework, or TOGAF, helps companies design and evaluate the right architecture for their business while cutting the unnecessary cost, time, errors, and risk involved. Most importantly, it helps organizations deploy software technology in an organized way, facilitating collaboration between stakeholders in and outside of the IT department.

Three reasons why your company needs a robust security architecture in 2023

1. Make security breaches a thing of the past

One of the biggest and most obvious benefits of having a well-thought-out security architecture is that it can drastically cut the risk of a successful cyberattack. This is no small feat considering that, according to IBM’s recently released Cost of a Data Breach Report, the global average cost of a data breach has surged to an all-time high of $4.35 million. Not to mention that cybersecurity breaches often go hand in hand with loss of business and consumer trust, making the recovery process substantially slower and more expensive.

2. Tick data protection boxes with ease

Another cost a robust security architecture can save you is that of a hefty fine for non-compliance with privacy laws and regulations, of which there are quite a few, depending on the region and industry your organization operates in.

In the US, for example, the Health Insurance Portability and Accountability Act (HIPAA) mandates healthcare providers and their associates to safeguard the privacy and integrity of patient health information. Notoriously strict and complex, the European Union’s General Data Protection Regulation (GDPR) sets firm boundaries for collecting and processing the personal information of EU citizens.

To throw a global security standard in the mix, the Payment Card Industry Data Security Standard (PCI DSS) is a set of rules all entities that store, process, or transmit cardholder data must abide by, even if that means a single transaction per year. To boost cardholder data security and the global adoption of consistent data security measures, PCI DSS sets forth 12 security controls, both technical and operational, to shield card data from theft, loss, and misuse.

A key purpose of a cyber security architecture is to provide you with a comprehensive view of your organization's compliance status and make it easier to identify potential gaps as well as accommodate new requirements.

3. Cut through the complexity

“Very often, departments — each with different functions and priorities within an organization — adopt the ‘flavor of the month’ technology, making it difficult for security teams to support them,” writes ThreatModeler CEO Archie Agarwal on Forbes. This is a problem because individual product updates alone can turn product supportability into a resource and money pit, not to mention a major liability. A framework that allows for streamlined and efficient tooling selection, however, can greatly improve an organization's security posture and resilience, plus foster collaboration between development teams.

Zero trust security model: one architecture to rule them all?

Zero trust is a cybersecurity paradigm that can be summed up in four words: “never trust, always verify.” What does this mean?

As a framework, zero trust assumes that network security is under constant threat both from external and internal actors and focuses on how organizations can fend them off. More specifically, it eliminates implicit trust and requires strict user and device authentication at every step of digital interactions instead of just the perimeter.

It consciously goes against old-school strategies like VPNs and firewalls that automatically trust users, devices, or applications just because they are within a network perimeter. With good reason: as the number of people working remotely and the assets stored in cloud environments keeps ballooning, the perimeter approach is not only becoming less efficient but also much, much riskier.

With a zero-trust architecture, organizations can shield their business-critical and sensitive data assets against identity and credential-based attacks, two of today’s most prevalent types of cybercrime. Besides, as per TechTarget, it can also boost the efficiency of compliance auditing efforts, cut breach risk and incident detection times as well as increase network traffic visibility and control over cloud assets.
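To make the contrast between the perimeter model and zero trust concrete, here is a small added example (it is not code from the article or from any of the vendors or frameworks it mentions). It evaluates the same access request under two policies: a perimeter policy that allows anything coming from an internal address range, and a zero-trust policy that checks identity, MFA, device enrollment, device posture and per-resource authorization on every request regardless of where it comes from. The address range, device inventory, allow list and sample requests are all constructed for the example.

```python
"""Perimeter-trust vs zero-trust access decisions for the same requests.

Everything here (network range, managed-device inventory, the user/resource
allow list and the sample requests) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Request:
    user: Optional[str]        # authenticated principal, None if anonymous
    mfa_verified: bool         # did this session complete MFA?
    device_id: Optional[str]   # device identity presented, None if unknown
    device_compliant: bool     # posture check (patched, disk encrypted, ...)
    source_ip: str             # where the packets came from
    resource: str              # what is being accessed


# Constructed "corporate LAN" range that the perimeter model trusts implicitly.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed inventory of enrolled devices and an explicit user->resource allow list.
MANAGED_DEVICES = {"laptop-001", "laptop-002"}
ALLOWED = {("alice", "payroll-db"), ("bob", "wiki")}


def perimeter_decision(req: Request) -> bool:
    """Old-school model: anything inside the network perimeter is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: every check runs on every request.

    Source IP is deliberately not consulted; location grants no trust.
    Returns (allowed, reason) so a denial can be logged with its cause.
    """
    checks = [
        (req.user is not None, "unauthenticated"),
        (req.mfa_verified, "mfa_required"),
        (req.device_id in MANAGED_DEVICES, "unmanaged_device"),
        (req.device_compliant, "device_noncompliant"),
        ((req.user, req.resource) in ALLOWED, "not_authorized_for_resource"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "allowed"


# Constructed sample requests covering the cases the two models disagree on.
SAMPLE_REQUESTS: Dict[str, Request] = {
    # Legitimate employee on a managed laptop in the office.
    "employee_on_lan": Request("alice", True, "laptop-001", True, "10.1.2.3", "payroll-db"),
    # Stolen password used from a machine plugged into the LAN: no MFA, unknown device.
    "stolen_creds_inside": Request("alice", False, None, False, "10.1.2.99", "payroll-db"),
    # Same employee working remotely with MFA and a compliant managed device.
    "remote_employee_mfa": Request("alice", True, "laptop-002", True, "203.0.113.7", "payroll-db"),
    # Authenticated insider reaching for a resource they are not entitled to.
    "wrong_resource": Request("bob", True, "laptop-002", True, "10.4.4.4", "payroll-db"),
    # Anonymous traffic that merely originates inside the perimeter.
    "anonymous_inside": Request(None, False, None, False, "10.9.9.9", "wiki"),
}


def compare(requests: Dict[str, Request]) -> Dict[str, Tuple[bool, bool, str]]:
    """Return {name: (perimeter_allows, zero_trust_allows, zero_trust_reason)}."""
    result = {}
    for name, req in requests.items():
        zt_ok, reason = zero_trust_decision(req)
        result[name] = (perimeter_decision(req), zt_ok, reason)
    return result


if __name__ == "__main__":
    for name, (perim, zt, reason) in compare(SAMPLE_REQUESTS).items():
        print(f"{name:22s} perimeter={'ALLOW' if perim else 'DENY ':5s} "
              f"zero-trust={'ALLOW' if zt else 'DENY ':5s} ({reason})")
```

Two rows are worth reading closely: the stolen-credential request from inside the LAN is waved through by the perimeter check and denied by zero trust at the MFA step, while the remote employee with MFA and a compliant device is denied by the perimeter check and allowed by zero trust. Returning the failing check's name is what gives the auditing and detection benefit the paragraph above mentions: each denial carries the reason it was denied.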