HOW SECURITY ARCHITECTURE SUPPORTS BUSINESS DRIVERS
The Enterprise Information Security Architect is a crucial position within IT security and is often challenging and stressful. The job forms the “glue” that bridges the technological aspects of security and business drivers. The architect must have a solid understanding of the business architecture to design the best security systems possible that not only do not impede the business but enable business opportunities. Also, the position must exhibit a management presence to articulate to senior executives the conceptual architecture and how it will impact business operations.
Through the many years as a security practitioner, I find organizations who are using existing security controls that are not effective. When engaged in these projects, part of the risk assessment conducted is determining if there is sufficient protection for information that should be shared with employees, customers, business partners, and the general public. The risk assessment is a crucial step when designing security cloud architectures, on-premises, or hybrid models. The seasoned enterprise security architect must demonstrate a solid understanding of the organization’s business architecture. Security and business architectures go hand-in-hand with the overall design solution an essential criterion on determining the business impact should any incident occur. Security architecture begins with a comprehension of the business, stipulated by the business drivers, operations, and attributes.
Effective security programs demonstrate core values to the business without becoming an obstruction to operations. All too often, in practice, architects are challenged to meld security within the business environment, which is how to secure a business opportunity where the owners (who usually, have a high-risk appetite seeking greater business rewards with inherent security risks) want to implement immediately. Risk is viewed differently, serving as a dual purpose and as often is the case an area where the security and business architectures clash. For example, security controls are bypassed by business operations because they view them as obstacles. These actions introduce dangerous internal vulnerabilities where threats are not monitored and managed by security.
In any organization risk avoidance is standard practice that involves security expenditures, the Chief Information Security Officer (CISO) is responsible for, in addition to the overall program, policies, procedures that directly impact architecture. The architect must understand that Information Assurance is a crucial element necessary for striking a balance between the security control design and allowing for employee productivity in the business. Equally important is the architectural methodology that the architect will utilize to govern their design, such as the Sherwood Applied Business Security Architecture (SABSA).
Information assurance is a subset of information security and broadly defined as the management of risk and security to the use, processing, transmission, and storage of data. While information security focuses on security controls and processes, information assurance adds risk. For instance, information security deals with the confidentiality, integrity, and availability of information and provides mechanisms. When data is compromised, the result is a change in the state of one of these aspects.
The Confidentiality, Integrity, and Availability (CIA) Triad
- Confidentiality: ensures that privileged or sensitive information is accessible only to those individuals with a valid requirement to view and access the information. When compromised, privacy is lost, disclosing confidential information to unauthorized parties.
- Integrity: refers to a lack of corruption in data or overall consistency. When the integrity of information is compromised, a lack of trust develops where data may have been manipulated, changed, or deleted.
- Availability: relates to having access to authorized information when it is required. When accessibility is compromised, data cannot be accessed when needed.
Information risk arises when the confidentiality, availability, or integrity of data can be compromised. Mitigating risk involves the development and implementation of controls to provide increased assurance of information. A control is a countermeasure designed to avoid, minimize, or defend against risk. Information assurance depends on the identification of risk and the implementation of appropriate controls. However, this practice has become stigmatized as "risk averse" in organizations and viewed as an obstruction to business operations. Information security professionals are labeled as impediments to successful implementation and delivery of solutions. For example, security programs have failed because of the reluctance in organizations to involve security teams from the beginning stages of projects. The planning, and throughout its lifecycle.
As security professionals can attest, a reluctant business culture to involve and solicit input from security teams creates business risk for a project and delays or halts implementation. It is relatively common for organizations to practice a risk-avoidance approach to information security, based primarily on technological threats, identification of risk, and use of as many controls as possible to mitigate risk.
As often the case in many organizations where security is found to be an obstacle, deliberate shortcuts circumventing controls is built. The result of these dangerous acts allows attackers with vectors that compromise the confidentiality, integrity, and availability of data. Security architects can leverage the Sherwood Applied Business Security Architecture (SABSA) methodology to address these challenges. This architecture methodology combines the business and security architectures in a structure, layered approach where the security program upholds business objectives. Its primary focus aligns security programs with the business objectives and drivers.
Most Architectural Review Boards (ARB) within IT departments have adopted the Open Group Architecture Framework (TOGAF) and the Zachman Framework, yet both do not address security requirements. SABSA, however, integrates with existing frameworks providing the tools to align and support them. The SABSA framework offers a layered approach to an architecture where layer corresponds to a different player's view within the organization as it relates to specifying, designing, constructing, and operating a security architecture.
With the above diagram, the architect should be prepared to answer these questions to begin the design, the Who, What, Why, and When:
- What assets are you trying to protect?
- Why are you protecting the assets?
- What process will you achieve?
- Who will be involved in applying security?
- What location(s) will security be applied?
- When will security be applied?
Security architecture begins with understanding the business and its drivers that focus on the organization’s strategies and operational plans. It’s essential that the architect liaises with senior executive management who set the business mission, vision, strategy, and direction who are best equipped to provide knowledge behind the business drivers.
Risk Identification and Threat Modeling
Many organizations generally rely on a risk-based assessment that creates an inventory of known threats, mapped to vulnerabilities, that potentially have a negative business impact. Mitigating these risks calls for constructing security controls and a threat-based analysis that identifies the threats, which, in turn, provides recommendations on control improvements. For example, a web-based application firewall can be deployed in front of applications to protect them from intrusion and reduce vulnerabilities such as SQL injection, many current and emerging threats.
What is crucial for the architect is to understand the balance between risk avoidance and risk acceptance fundamental to the business at the enterprise level. Inherent risk is a measure of the risk to the company before any controls implemented, and without question, there are inherent unavoidable business risks. All organizations operate at some level of inherent risk, and it is not prudent to protect assets to the degree of shutting down the ability to conduct operations by practicing risk avoidance. Seeking out what the risk tolerance an organization has is an essential driver that in turn, influences the architectural design. The metrics used in the organization are the Key Performance Indicators or KPIs that measure the value and performance of business attributes. The architect must leverage KPIs to understand the organization’s risk tolerance of business drivers and design the security architecture within acceptable levels.
Threat Modeling is the practice of developing scenarios that create a risk that causes damage to the organization. Understanding threats, both current and emerging, build awareness of business risk. For example, threats can be unintentional or intentional. Accidental threats are natural hazards, while intentional are deliberate acts against the business. With each, the measurement of the likelihood of these threats helps create a prioritization based upon their impact. There are several threat modeling tools available supporting methodologies such as STRIDE, P.A.S.T.A, and Vast.
Conducting a threat modeling exercise is a routine process that is often confused with penetration or pen testing. Threat modeling is focused on prevention, the significant business impact on operations while pen testing is detection-based finding vulnerabilities on the organization’s infrastructure specific to applications, servers, or network devices. They are both used in an overall architecture design analysis that helps measure an organizations security posture and gap identification.
Existing Controls and Gaps
When designing an architecture establishing the business risk is vital, which involves understanding the existing security controls and mitigating the risk associated with the gaps. Most organizations follow industry standard security frameworks such as ISO 27002, NIST 800-53 or hybrids for specific sectors such as the North American Electrical Reliability Corporation (NERC), the Health Information Trust Alliance (HTRUST), and the Payment Card Industry Data Security Standard (PCI DSS).
From the chosen framework, a review of the controls and a maturity level assessment for each control as implemented in the organization is conducted. When all of the data is collected surrounding risks, trusts, relationships, threat, and control effectiveness, the inherent risk to the organization is represented in the analysis. The security architect is now positioned to identify gaps and provide necessary improvement in managing risk within acceptable business risk thresholds. In addition to leveraging this information, security services can be created, delivering controls that work together with a business service. A litany of security-as-a-service designs can be tailored and implemented for specific business initiatives.
The Road Ahead
As organizations move into the complex world of cloud technology, the Internet of Things security architecture is a vital ingredient to manage business risk. Not all cloud providers are created equal, and they only provide certain platform services to build an organization’s environment. As with traditional on-premises, cloud, and hybrid designs, the security architect will offer design patterns and best practices to ensure optimal security services to meet business initiatives.