With the New Year gently knocking on the door, many of you are probably looking back at the working year. What kept me and my clients busy? A good starting point for me is always the client mandates that it was my pleasure to carry out in 2021. This blog article is a (more concrete) continuation of the article “The (not so) day-to-day job of a security architect”. The topics covered here do not claim to be representative of all the concerns of our security architecture clients, but they do provide an insight into the issues and challenges they have been facing. Here are some examples...
The assignments lasted a few days to a few months, which indicates that our clients have different needs and questions in security architecture services. Some want answers to specific questions while others focus on comprehensive security architecture matters. Typically, the second kind of assignment takes longer.
Sometimes I had to smile to myself when clients asked me whether Zero Trust was a real thing or a “conceptual fantasy”. That was in fact one of the most frequently asked Zero Trust questions in 2021!
I also deal with Zero Trust as part of my lecturing work at the Lucerne University of Applied Sciences (HSLU). The Zero Trust concept is definitely neither a fantasy nor a flash in the pan. However, Zero Trust is also not something completely new; it is a shrewd combination of known and established security features, made up of:
- Information about the status of the device (posture)
- Information about the state of the requesting identity (user or service) and of the requested resource
- Mandatory authentication and authorisation, every time a resource is accessed
- Secure session management
- Constant (security) monitoring
The status information is fed into a scoring (points) system. Access to a resource is granted only if the requesting entity (user or service) reaches at least the score that the resource requires, and the score is recalculated on every access rather than once per session.
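To make the scoring idea concrete, here is a minimal score-based access decision, added as an illustration (it is not code from any Zero Trust product). The signal names, weights and per-resource thresholds are assumptions made for the example; what matters is the shape of the decision: collect device posture and identity state, score them, compare the score with what the resource demands, and repeat that on every request.

```python
"""Added example: a score-based Zero Trust access decision.

Signal names, weights and resource thresholds are illustrative assumptions,
not any product's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Device posture as reported by an endpoint agent or MDM (assumed fields)."""
    managed: bool          # enrolled in the company's device management
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool       # within the patch SLA


@dataclass(frozen=True)
class Identity:
    """State of the requesting user or service account (assumed fields)."""
    mfa_verified: bool
    auth_age_minutes: int  # minutes since the last interactive authentication
    risk_flagged: bool     # e.g. a risk signal raised by the identity provider


@dataclass(frozen=True)
class Decision:
    allowed: bool
    score: int
    required: int
    reason: str


# Illustrative weights: what each positive signal contributes to the score.
DEVICE_WEIGHTS = {"managed": 30, "disk_encrypted": 10, "edr_running": 20, "os_patched": 10}
IDENTITY_WEIGHTS = {"mfa_verified": 30}
STALE_AUTH_MINUTES = 480   # beyond this, trust in the session erodes
STALE_AUTH_PENALTY = 30

# Illustrative minimum score per resource: the more sensitive, the higher the bar.
RESOURCE_MIN_SCORE = {"intranet-wiki": 40, "hr-payroll": 90, "prod-database": 100}


def trust_score(device: Device, identity: Identity) -> int:
    """Turn device posture and identity state into a trust score from 0 to 100."""
    if identity.risk_flagged:
        return 0  # a risk flag overrides every other signal
    score = sum(w for name, w in DEVICE_WEIGHTS.items() if getattr(device, name))
    score += sum(w for name, w in IDENTITY_WEIGHTS.items() if getattr(identity, name))
    if identity.auth_age_minutes > STALE_AUTH_MINUTES:
        score -= STALE_AUTH_PENALTY
    return max(0, min(100, score))


def decide(device: Device, identity: Identity, resource: str) -> Decision:
    """Evaluate one access request; resources without a policy are denied."""
    score = trust_score(device, identity)
    required = RESOURCE_MIN_SCORE.get(resource)
    if required is None:
        return Decision(False, score, 0, f"deny: no policy for {resource!r}")
    allowed = score >= required
    verdict = "allow" if allowed else "deny"
    return Decision(allowed, score, required, f"{verdict}: score {score} vs required {required}")


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, edr_running=True, os_patched=True)
    byod = Device(managed=False, disk_encrypted=True, edr_running=False, os_patched=True)
    fresh = Identity(mfa_verified=True, auth_age_minutes=5, risk_flagged=False)
    stale = Identity(mfa_verified=True, auth_age_minutes=600, risk_flagged=False)
    # The same laptop that reached prod-database earlier loses hr-payroll once
    # its interactive authentication is stale: every request is re-evaluated.
    for dev, ident, res in [(laptop, fresh, "prod-database"), (laptop, stale, "hr-payroll"),
                            (byod, fresh, "intranet-wiki"), (byod, fresh, "hr-payroll")]:
        print(f"{res:14} {decide(dev, ident, res).reason}")
```

The numeric score is one way to express the policy; many products phrase the same decision as rules (for instance "managed device AND MFA" for a given resource class), and NIST SP 800-207 describes both the criteria-based and the score-based variant. Whichever form is chosen, the deny-by-default for unknown resources and the re-evaluation on every request are the parts that distinguish Zero Trust from a classic perimeter login.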
This makes it possible to securely operate IT environments that cannot be directly controlled by the company – for example, cloud and remote work by employees. In Internet of Things (IoT) environments, it is also helpful to use the zero trust approach.
Zero trust is gaining in prominence. Used correctly, it saves companies a lot of time and effort and increases the security level. In the zero trust providers' marketing brochures, it is usually made to look simple, with implementation at the push of a button, as it were. However, it makes sense to conduct in-depth clarification and analysis before zero trust is introduced.
Clients also asked…
- How can zero trust be made compatible with the existing architecture?
- How should zero trust be implemented (and in what order)?
- Zero trust from a single source or integration of existing components (e.g. Network Access Control) into the zero trust environment?
- What products are suitable for our company?
- Zero trust for clients or for server and data centre connections too?
- To what extent can a zero trust solution be dependent on cloud components (risk assessment regarding reliability, data protection, etc.)?
- What needs to be started to avoid remaining in “analysis paralysis”?
Ransomware and Architecture
Headlines in the daily newspapers about companies being hit by ransomware attacks have increasingly prompted clients to critically question their existing security architecture. Every company is different, and so is its IT. A company may be moving to the cloud, industry specifics may play a role, the business may be national or international, and so on. An industrial company has different assets to protect than an online shop or a bank. Several individually minor weaknesses in the security setup can add up to a significant gap. A healthy dose of professional judgement is required to assess the risks involved.
Clients also asked…
- From a security architecture point of view, is there any need for improvement?
- What measures provide the greatest benefit?
- How quickly can we detect an attack?
- How well can we recover from an attack?
Reassuringly, the vulnerabilities identified can usually be remedied with the right resources and knowledge, as well as adapted security components and processes.
In recent years, we have seen a trend among clients towards pure cloud or hybrid setups. Companies look for the most appropriate cloud service for each business activity, e.g. social media, storage, data processing, backup, etc. Sooner or later, this leads to a setup spanning several cloud stacks (e.g. Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP)). Welcome to the multi-cloud environment!
The multi-cloud environment also needs to be monitored. To do so, events from the different clouds must be linked (correlated) with each other. Because, for example, the field holding the “server name” is called something different in each cloud's logs, and the value itself is structured differently (a hostname here, a resource path or instance ID there), attributes and contents must first be transformed (normalised) into a common structure before correlating queries are possible.
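The following example, added here and not taken from any product or from the original article, shows the normalisation step and one correlation that becomes possible only after it. The three sample events are constructed; their field names are simplified approximations of the Azure Activity Log, AWS CloudTrail and GCP Cloud Audit Log formats, not verbatim records. The instance-ID-to-hostname inventory and the way principals are reduced to a common username are also assumptions for the example.

```python
"""Added example: normalising audit events from three clouds into one schema
and correlating across them.  Sample events and the inventory table are
constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sample events, one per provider (simplified field names).
RAW_EVENTS = [
    ("azure", {
        "eventTimestamp": "2021-11-03T09:15:02.123Z",
        "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
        "caller": "ops-admin@example.com",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
                      "/providers/Microsoft.Compute/virtualMachines/WEB-01",
        "httpRequest": {"clientIpAddress": "198.51.100.7"},
    }),
    ("aws", {
        "eventTime": "2021-11-03T09:17:40Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "SendCommand",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"instanceIds": ["i-0123456789abcdef0"]},
    }),
    ("gcp", {
        "timestamp": "2021-11-03T09:20:11.500Z",
        "protoPayload": {
            "methodName": "v1.compute.instances.setMetadata",
            "authenticationInfo": {"principalEmail": "ops-admin@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "resourceName": "projects/prod-proj/zones/europe-west6-a/instances/web-01",
        },
    }),
]

# Constructed inventory (assumption): AWS logs carry instance IDs, not names;
# in practice the mapping comes from the Name tag or a CMDB.
AWS_INSTANCE_NAMES = {"i-0123456789abcdef0": "web-02"}


def parse_ts(value: str) -> datetime:
    """ISO 8601 timestamp with a trailing 'Z' -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def canonical_principal(raw: str) -> str:
    """Reduce 'ops-admin@example.com' and 'arn:...:user/ops-admin' to 'ops-admin'.
    Illustrative only: real identity mapping belongs in the IdP/federation layer."""
    return raw.rsplit("/", 1)[-1].split("@", 1)[0].lower()


def normalise(cloud: str, ev: dict) -> dict:
    """Map one raw event onto the common schema: cloud, ts, principal, action, host, src_ip."""
    if cloud == "azure":
        return {"cloud": cloud, "ts": parse_ts(ev["eventTimestamp"]),
                "principal": canonical_principal(ev["caller"]), "action": ev["operationName"],
                "host": ev["resourceId"].rsplit("/", 1)[-1].lower(),
                "src_ip": ev["httpRequest"]["clientIpAddress"]}
    if cloud == "aws":
        instance = ev["requestParameters"]["instanceIds"][0]
        return {"cloud": cloud, "ts": parse_ts(ev["eventTime"]),
                "principal": canonical_principal(ev["userIdentity"]["arn"]),
                "action": f'{ev["eventSource"]}:{ev["eventName"]}',
                "host": AWS_INSTANCE_NAMES.get(instance, instance).lower(),
                "src_ip": ev["sourceIPAddress"]}
    if cloud == "gcp":
        p = ev["protoPayload"]
        return {"cloud": cloud, "ts": parse_ts(ev["timestamp"]),
                "principal": canonical_principal(p["authenticationInfo"]["principalEmail"]),
                "action": p["methodName"], "host": p["resourceName"].rsplit("/", 1)[-1].lower(),
                "src_ip": p["requestMetadata"]["callerIp"]}
    raise ValueError(f"unknown cloud {cloud!r}")


def normalise_all(raw=RAW_EVENTS) -> List[dict]:
    return sorted((normalise(c, e) for c, e in raw), key=lambda n: n["ts"])


def correlate(events: List[dict], window_minutes: int = 15) -> List[dict]:
    """Flag a principal that acts in two or more clouds from one source IP within the window."""
    window = timedelta(minutes=window_minutes)
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["principal"], ev["src_ip"])].append(ev)
    findings = []
    for (principal, src_ip), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        cluster: List[dict] = []
        for ev in evs + [None]:  # the None sentinel flushes the last cluster
            if ev is not None and (not cluster or ev["ts"] - cluster[0]["ts"] <= window):
                cluster.append(ev)
                continue
            clouds = sorted({e["cloud"] for e in cluster})
            if len(clouds) >= 2:
                findings.append({"principal": principal, "src_ip": src_ip, "clouds": clouds,
                                 "hosts": sorted({e["host"] for e in cluster}),
                                 "first_seen": cluster[0]["ts"]})
            cluster = [ev] if ev is not None else []
    return findings


if __name__ == "__main__":
    for finding in correlate(normalise_all()):
        print(finding)
```

Note that the correlation only works because `principal`, `host` and `src_ip` mean the same thing in every normalised record; run the same query over the raw events and `caller`, `userIdentity.arn` and `principalEmail` never match. The window-based clustering is also where the event volume question comes in: the normalised records are small and uniform, so they can be retained and queried cheaply, while the raw payloads can be kept in cold storage.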
Clients also asked…
- Multi-cloud monitoring and interoperability?
- How can the multi-cloud environment be monitored for security incidents?
- What monitoring solutions are available (and do they meet our needs)?
- How can events be normalised, i.e. brought into a common structure?
- Which events should be monitored?
- How can the quantity of events be reduced (cost factor)?
- Can events be reacted to in an automated way?
- How can clouds be connected to an in-house or external Security Operations Centre (SOC)?
The earlier on companies deal with these issues, the smoother the path to migration will be. It is challenging to realign an evolved multi-cloud environment in terms of monitoring and governance.
Remote Work and Collaboration
In the wake of COVID-19 and the wave of people working from home, companies had in part set up their plans and infrastructure for remote work / working from home in emergency mode. Consequently, various consolidation efforts were required this year. Pre-existing setups were audited so that corrective action could be taken where necessary.
Clients also asked…
- Is the architecture for the remote working environment consistent with good practice?
- What is the interaction like between individual tools such as video calls, data exchange and storage?
- Is there a clear separation of the collaboration solution in terms of on-premises, hybrid and cloud?
Although the integrated products and solutions have many different features, from a “security” perspective they are not all mature, desirable or useful. Here the key is finding the right balance between functionality and the level of security required.
You will surely recognise this too: some jobs are particularly enjoyable because they touch on areas that interest you most, or on areas where you had to cut your teeth before experiencing a sense of achievement. Often these jobs come out of the blue. Our clients usually want clarification on a very specific issue. One of the challenges is to organise prompt backup within InfoGuard when our own knowledge is pushed to its limits.
Clients also asked…
- Doubts have arisen in relation to the upcoming procurement of tools/technologies, e.g. “carefree package 2.0”. Are these justified?
- Two parts of the company have differing opinions on a security architecture issue. Is InfoGuard able to host a workshop on this topic?
- Some security deficiencies have been identified during a penetration test. Where should the lever for correcting these deficiencies be deployed in order to achieve rapid improvements?
- From a security architecture standpoint, are there alternative solutions to the client's proposed solution?
For our clients, it is helpful and a relief to be getting skilled support from InfoGuard on difficult or controversial issues, and in return, we remain abreast of clients’ issues and understand what is currently playing on their minds.
A solid house needs architects – a solid security architecture needs cyber security experts like InfoGuard
For a house, nobody questions why an architect is needed; for security architecture, the need for “security architects” is less obvious to many people. As a guideline, clients who contact us with questions about security architecture are looking, for example, for:
- An assessment of their security architecture with concrete, prioritised proposals for making improvements
- Support with introducing or consolidating a security infrastructure
- Providing support or a second opinion when implementing projects in the security architecture field
- Clarifying open questions in terms of best practice or acting as a “sparring partner”
- Assessing potential consequences when planning the implementation of a security component.
As you can see from this “Architecture Digest 2021”, the life of architecture professionals in cyber security remains enthralling. It is very satisfying when clients are able to celebrate a success as a result of our contribution, experience and work.
We recommend that our clients with plans for 2022 contact us as soon as possible because we don’t have a bottomless pit of cyber security architects! This can be done very easily here: