From Security Architecture to a Secure Architecture
May 1, 2015
Sharing knowledge and good practices is one of our core values at BiZZdesign. We regularly organize and contribute to online and offline seminars, conferences and round table sessions. After one such presentation entitled “Security is not an IT problem”, we organized a World Café to discuss the related topics like security architecture, security controls, and security systems. Please share your good and worst practices by reacting to this blog.
In many organizations, security seems to be an entirely separate field of knowledge. It is often a huge challenge to integrate all aspects of security into the business design work, which is done by policy makers, architects, and designers. In contradiction to predictions made by leaders in the EA field, the security architect is still a separate yet important role in designing and controlling cybersecurity, privacy, and continuity. But if we would strive to make this separate role superfluous, what would be the right thing to do?
In many organizations present at the session, the CISO and the architecture team are struggling to work together. They seem to defend their territory and spend time and energy proving the other side is wrong. Security architects spent a vast amount of their time keeping the peace and managing the relations between these two groups. Some attendees suggested being more explicit about the roles of both teams, which is indeed a good practice.
I’m not suggesting that this is an easy feat, but manipulating the DNA of your organization by adding security awareness to the DNA is an important practice in realizing a secure architecture. Many attendees claimed that information security is often not part of the organization’s DNA.
Set up a continuous security awareness program
A lack of information security awareness is one reason why security architects exists. It is not going to be securely designed by itself. Having a structured and intensive awareness program is considered to be helpful in promoting awareness of risks (change x impact) that are present within organizations.
Some attendees advised others to “think like a criminal”. This is great fun, but also very useful. Maybe some security architects actually are good-hearted criminals. If all managers and designers would think about their data-assets from the perspective of those that threaten the organization, it would help them to gain understanding and awareness, and to consider relevant measures.
Security is often an aspect in EA methods. For example, in TOGAF, security is considered an aspect of all phases in the ADM. However, security still has its own distinctive methods like SABSA or OpenSecurityArchitecture. Despite all available methods, the real challenge for your organization lies in truly integrating the power of these dedicated frameworks into your EA approach. Preferably, this would be done in combination with selecting the right standards (ISO or NIST). This is something that can really help to create an integrated secure architecture, rather than developing a separate security architecture.
To enable the understanding of risks and necessary measures, people consider the task of visualizing security aspects across architectural layers essential. This concerns not just the technical implications arising from pentests, but also, for instance, the business impact from authentication risks. ArchiMate® can play a crucial role in doing all of this.
Finally, the concept of principle based design, rather than rule-based design, is helpful in moving towards an integration of security aspects in all design disciplines within the business. Risk managers and architects should work together to determine a set of principles that guide the organization’s design, instead of detailing all requirements.
Using these best practices can help you to move from security architecture into a truly secure architecture! Where do you start? Feel free to check out the next post in this series: Information Security: A Necessity of Life.
