There are probably many of you who are taking a look back at the working year now that the New Year is gently knocking on the door. What was it that kept me and my clients busy? A good starting point for me is always looking back at the client mandates that it was my pleasure to carry out in 2021. This blog article is a (more concrete) continuation of the article “The (not so) day-to-day job of a security architect”. The topics covered here do not claim to be representative of all the concerns of our security architecture clients, but they do provide an insight into the issues and challenges they have been facing. Here are some examples...
The assignments lasted a few days to a few months, which indicates that our clients have different needs and questions in security architecture services. Some want answers to specific questions while others focus on comprehensive security architecture matters. Typically, the second kind of assignment takes longer.
Sometimes I had to smile to myself when clients asked me whether Zero Trust was a real thing or a “conceptual fantasy”. That was actually one of the most frequently asked questions about Zero Trust in 2021!
I also deal with Zero Trust as part of my lecturing work at the Lucerne University of Applied Sciences (HSLU). The Zero Trust concept is definitely neither a fantasy nor a flash in the pan. However, Zero Trust is also not something completely new; it is a shrewd combination of known and established security features, made up of:
The status information is converted into a rating (points) system. Access to a resource is only granted if the accessing entity (user or service) has at least as many points as the resource requires.
This makes it possible to securely operate IT environments that the company cannot control directly, for example the cloud and remote work by employees. The Zero Trust approach is also helpful in Internet of Things (IoT) environments.
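As an added illustration of the points system described above (example code, not part of the original article and not InfoGuard's or any vendor's product), here is a small policy evaluator. The signal names, their weights, the per-resource thresholds and the hard-deny signals are assumptions chosen for the example; the two properties worth noticing are that a signal that is absent or not verified earns nothing (fail closed), and that some signals deny access regardless of how many points were collected.

```python
"""Points-based Zero Trust access decision (added example; all weights,
thresholds and signal names are assumptions for illustration only)."""
from dataclasses import dataclass

# Points awarded for each status signal about the accessing entity when it
# is verified true. Assumed values; a real deployment tunes these per risk.
SIGNAL_POINTS = {
    "mfa_verified": 30,             # strong authentication in this session
    "managed_device": 25,           # device is in the company inventory / MDM
    "device_compliant": 20,         # EDR running, disk encrypted, patched
    "corporate_network_or_vpn": 10,
    "recent_reauth": 10,            # re-authenticated within a short window
    "known_location": 5,
}

# Required score per resource: the more sensitive, the more points needed.
RESOURCE_THRESHOLD = {
    "intranet-news": 30,
    "crm": 60,
    "hr-payroll": 85,
    "prod-admin-console": 100,
}

# Signals that deny access no matter how many points were collected.
HARD_DENY = {"device_compromised", "credential_leaked"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    score: int
    required: int
    reason: str


def score_signals(signals: dict) -> int:
    """Sum the points of all verified signals.

    Only a literal True counts: an unknown, missing or merely claimed
    ("yes") signal earns nothing, which is the "always verify" half of
    "never trust, always verify".
    """
    return sum(points for name, points in SIGNAL_POINTS.items()
               if signals.get(name) is True)


def evaluate(resource: str, signals: dict) -> Decision:
    """Decide whether the accessing entity may reach `resource`."""
    if resource not in RESOURCE_THRESHOLD:
        # Fail closed: a resource without a classification has no threshold,
        # so nobody passes until somebody classifies it.
        return Decision(False, 0, 0, f"resource {resource!r} has no required score")
    required = RESOURCE_THRESHOLD[resource]
    score = score_signals(signals)
    triggered = sorted(s for s in HARD_DENY if signals.get(s) is True)
    if triggered:
        return Decision(False, score, required, "hard deny: " + ", ".join(triggered))
    if score >= required:
        return Decision(True, score, required, "score meets required points")
    return Decision(False, score, required, f"score {score} below required {required}")


if __name__ == "__main__":
    # Constructed session: employee with MFA on a managed, compliant laptop
    # working from home (no VPN, no recent re-authentication).
    session = {"mfa_verified": True, "managed_device": True, "device_compliant": True}
    for res in ("intranet-news", "crm", "hr-payroll", "prod-admin-console"):
        print(res, evaluate(res, session))
```

With these assumed weights the home-office session collects 75 points, which is enough for the CRM but not for payroll; adding VPN and a fresh re-authentication lifts it to 95, and only the additional known-location signal reaches the 100 points the production admin console demands. A compromised-device signal on the same session is denied regardless of the score.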
Zero trust is gaining in prominence. Used correctly, it saves companies a lot of time and effort and increases the security level. In the zero trust providers' marketing brochures, it is usually made to look simple, with implementation at the push of a button, as it were. However, it makes sense to conduct in-depth clarification and analysis before zero trust is introduced.
Headlines in the daily newspapers about companies being hit by ransomware attacks have increasingly prompted clients to critically question their existing security architecture. Every company is different, and so is its IT. Companies may be moving to the cloud, industry specifics may play a role, the business may be national or international, etc. An industrial company has different assets to protect than an online shop or a bank. Several individually small vulnerabilities in the security set-up can add up to significant gaps. A healthy dose of professional judgement is required to assess the risks involved.
Reassuringly, the vulnerabilities identified can usually be remedied with the right resources and knowledge, as well as adapted security components and processes.
In recent years, we have seen a trend among clients to rely on pure cloud or hybrid set-ups. Companies (or their business units) look for the most appropriate services in the cloud, e.g. social media, storage, data processing, backup, etc. Sooner or later, this leads to a set-up based on different cloud stacks (e.g. Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP)). Welcome to the multi-cloud environment!
The multi-cloud environment also needs to be monitored. To do so, the events from the different clouds must be linked (correlated) with each other. For example, a “server name” is designated or structured differently in each cloud environment, so attributes and contents must be transformed (normalised) into a common form before correlating queries are possible.
The earlier on companies deal with these issues, the smoother the path to migration will be. It is challenging to realign an evolved multi-cloud environment in terms of monitoring and governance.
In the aftermath of COVID-19 and the wave of people working from home, many companies had implemented their plans and infrastructures for remote work in emergency mode. Consequently, various consolidation efforts were required this year. Existing set-ups were audited so that corrective action could be taken where necessary.
Although the integrated products and solutions have many different features, from a “security” perspective they are not all mature, desirable or useful. Here the key is finding the right balance between functionality and the level of security required.
You will probably recognise this too: some jobs are particularly enjoyable because they involve areas that are especially interesting to you, or where you had to cut your teeth before you experienced a sense of achievement. These jobs often come out of the blue. Our clients usually want clarification on a very specific issue. One of the challenges is to organise prompt backup from colleagues within InfoGuard when our own knowledge is pushed to its limits.
For our clients, it is helpful and a relief to get skilled support from InfoGuard on difficult or controversial issues; in return, we stay abreast of clients’ issues and understand what is currently on their minds.
However, for many people it is not quite as clear why “security architects” are needed as it is why a house needs an architect. As a guideline, clients who contact us with questions about security architecture are looking, for example, for:
As you can see from this “Architecture Digest 2021”, the life of architecture professionals in cyber security remains enthralling. It is very satisfying when clients are able to celebrate a success as a result of our contribution, experience and work.
We recommend that clients with plans for 2022 contact us as soon as possible, because we do not have an endless supply of cyber security architects! This can be done very easily here: