Defining what Security Architecture is and isn't

We had the pleasure the other day of featuring on Secarmor's Podcast series 'Hacked Off' talking to Holly Grace Williams who hosts and runs the show. During the show, we discussed a core service we offer, security architecture and trying to demystify what is and how it benefits businesses.

It got us thinking, security architecture is quite hard to explain to most people given we often think of cyber security consisting of penetration testers and security operation analysts and nothing else. So, where does security architecture fit into the area of cyber security and importantly, within a business function and how can it benefit your business in improving your cyber security posture?

Before we dive into how security architecture can benefit your organization, let's take a deep dive and try and demystify what areas security architecture covers.

Speaking on the 'Hacked Off' podcast led me to come up with the analogy of a 3D cube that consists of six faces, each face representing an area in which security architecture covers part of the role a security architect assumes. Note, this is by no means the correct or standard definition, but a way of breaking down the layers of a security architect to explain how they differ in the industry of cyber security.

So using the cube analogy from the above image, we have as follows the areas that make up a security architect:

1. Security Assurance

2. Security Governance

3. Security Testing and Management

4. Technical Architecture Analysis

5. Security Risk Management

6. Resilience and Reliability

So let's break the above areas down somewhat more to further elaborate our understanding.

Security Assurance:

Security assurance is all about making sure something conforms to a specific set of standards and/or frameworks. Every business should always have a form of security assurance whether this onboarding new third-party suppliers, products or providing a service offering (quality assurance). With an increasingly sophisticated array of supply chain attacks, security assurance can provide control in evaluating what a business consumes in the form of a service or product. What information do you share with third-parties, or how will information be protected when exchanged between your business and the third party? Maybe, you are consuming a product such as a SaaS offering and need to integrate your IT systems with the SaaS product, and therefore how do you know the supplier has undergone the correct procedures for making sure the SaaS platform is secure and will not lead to your data or systems becoming compromised? A security architect can provide technical insight into both the process being used for onboarding to evaluating the actual supplier or product and this where we leverage the technical knowledge of an architect to identify potential security issues based on the information presented to them.

Security Governance:

Governance is about supporting your business or organization by ensuring policies and procedures have been defined and are adopted from the top to the bottom. Examples may be the adoption of a cyber security framework such as Cyber Essentials or ISO27001. The role of a security architect is often to ensure an adopted strategy is in place and is supported by the relevant stakeholders and then is implemented by the various departments to ensure compliance with such frameworks. Governance also covers the adoption of new projects internally within your organization, e.g. ensuring the relevant requirements expected from a security function are identified and tailored to the project to ensure over-arching compliance is being full-filled.

Security Testing and Management:

Whilst security testing and management will fall into the boundaries of a vulnerability manager and/or via a penetration test company (usually out-sourced for independent and compliance reasons), the security architect will often be required to support the evaluation of vulnerabilities. If vulnerabilities are identified within your organization, a sense check is needed to impact assess and in most cases, additional security controls might be needed such as implementing changes that will require a security architect to guide you on implementing a sensible solution. Furthermore, should you require a system to be penetration tested, experience indicates the scope and engagement works best when you allow a security architect to define the scope and system definition for the penetration tester to work effectively. The role of the security architect ensures value for money and any remediation required are supported with a 'best fit' option.

Technical Architecture Analysis:

The core role of the security architect is to ensure that a system can be broken down into architecture decomposition as we term it. By this, we mean the ability to understand the different domains a system is made up of. For example, a project deploying a series of web applications and microservices on a Kubernetes engine in Google will consist of many components being defined, such as access for developers, infrastructure engineers and the customers or consumers. Data of different classifications will likely be consumed, processed and transmitted or stored within the system and will need various forms of security protection. The system is exposed and hosted on a public cloud system so is visible in some way to anyone and will also need forms of defending to prevent unauthorized access.

Without listing all the various domains considered: data, defense, reliability, access and monitoring are things that need to be considered to protect and maintain the systems online to ensure business continuity. This is where a security architect can review these different domains and perform analysis to ensure: compliance, by ensuring that the design meets the intended compliance rules such as segregating PCI-DSS data into the relevant environments. Furthermore, understanding the deployed system and making sure it does not have any associated security risks is also undertaken by a security architect. In this fashion, we may use a powerful tool known as threat-modelling which models the potential types of cyber attacks the system is likely to be targeted with and then provides an analysis of what risks actually remain, allowing an organization or project the ability to mitigate before a system has gone live.

Finally, the security architect can also provide guidance on good design pattern approaches when a product or system is being designed such as best approaches in the authentication procures being used by the product or system.

Security Risk Management:

Risk management is a core requirement when trying to comply with a security framework such as NIST 800-53 or ISO 27001. Risk management is important to any business given it provides the ability to examine and elaborate technical risks that occur daily but require translating at a business risk layer. The security architect can and may support active risk identification and is often required to support the security functions in an organization to ensure that risks that are prevalent to the confidential, availability and integrity (CIA) security triangle are being evaluated. Likewise, the role of a security architect can also help a business in evaluating security risks and determining the correct impact to a business by performing that translation process, communicating to senior stakeholders the outcomes of a risk to the business, e.g. the potential for a data breach which may lead to a large fine to the business.

Resilience and Reliability:

Whilst reliability and resilience don't necessarily stand out as being part of the security architects role, reliability supports the availability side in the CIA security triangle. Reliability is an area that forms a hybrid role of the security architect with the teams in either IT or engineering, but effectively support the business continuity and disaster recovery (BC-DR) approaches your organization may require ensuring services are maintained.

Resilience is about being able to defend and whilst this often falls on the security operations area, security architects are often needed to ensure they can support resilience through the integration of products or services to support detection, protection and defending.

So, Security Architecture Helps Then?

So, we've tried to break down what a security architect is and what areas form the basis of a security architect, which is in by no means the true definition of a security architect but built on how we support Clients based on experienced working with major FTSE, start-ups, fintech, e-commerce, retail, insurance and Critical Infrastructure Clients.

Security architecture provides a pivotal cog in the machine that is cyber security and is often referred to as the glue in any security function given the diversity of the role. We hope you enjoyed this breakdown, and if you require further information as to how we can help your business or organization by the provision of our security architecture professional services, then please contact us via our website or email us: contactus@completecyber.co.uk