Our review of the past year in the field of IT security architecture has already become something of a tradition. In this blog post, we show what issues were most critical to our customers in 2023 and make various predictions for the new year from our own perspective. We start by presenting the topics that were particularly important to our customers. This is followed by the “titbits” of the past year – more unusual jobs that made our work all the more enjoyable. You can find out what these were in this blog article.
Trend #1: Business intelligence and data analytics
The topic of business intelligence (BI) has been on our customers’ minds for some time. BI can be used to shed light on business-relevant issues and identify new opportunities. Unstructured data is stored in the “data lake” and analysed using artificial-intelligence-based (AI) methods. Data transformation (extract – transform – load, ETL for short) is used to generate structured data from e.g. the unstructured data in the data lake and to load it into a data warehouse. The data warehouse supports the operational business with analyses, reports etc.
Various providers now offer BI as a cloud service. This means that the required resources such as computing power and memory are available on-demand. BI projects with interfaces to the cloud are known for the tricky questions they pose, e.g. “how can data be processed in a legally compliant manner?”
Prediction: The trend towards using business intelligence services in the cloud will continue, enabling customers to shield themselves from the complexity of BI solutions and their demands on resources. We assume that BI providers will continue to intensify their efforts to develop solutions that are compliant with data protection requirements.
Contribution of the architecture team: collaboration on BI projects and introduction of the security perspective. We support customers in the decision-making process and conduct reviews of BI environments with a focus on security.
Trend #2: From DevOps to DevSecOps
Sooner or later, anyone who says yes to the cloud will likely also say yes to DevOps. This integrated approach to development and operation offers many advantages and shortens the delivery times for new software functions. As the build processes become automated with the aid of DevOps, with testing included in line with good practice, the quality of the delivered software increases.
Because there are two sides to every coin, the trickier aspects of DevOps should also be mentioned. This includes the demarcation of rights and responsibilities between developers and operations, keyword “segregation of duties”. The DevOps supply chain consists of repositories, build servers, middleware and applications as well as the artefacts created, such as runtime and configuration files. Almost everything runs in containers and virtual machines, which can also be set up on the fly.
DevSecOps adds the security facet to the DevOps chain. This includes automated and manual checks of source code for security vulnerabilities, the authorisations that ensure “segregation of duties” between developers and operations and the protection of runtime environments, repositories and configurations. Conceivable configurations should also include Infrastructure as Code (IaC), which is used to define and start up entire runtime environments – a very powerful tool, which is therefore worthy of protection. The power of DevOps is often underestimated – and with it the relevance of the “Sec” in DevSecOps.
Prediction: DevOps will continue to establish itself, especially in companies with hybrid or pure cloud development. The need for “intrinsic” security in the DevOps process, i.e. DevSecOps, will increase.
Contribution of the architecture team: collaboration on the definition of DevSecOps setups, e.g. by creating guidelines or assessing DevSecOps architectures.
Trend #3: Off to the cloud
While the discussion about data protection compliance was something of a premature show-stopper not so long ago, things have now changed noticeably. This is likely due to the fact that cloud services are increasingly being provided from Switzerland (“Swiss Cloud”) and cloud services have become a commodity.
Nevertheless, our customers want to be on the safe side and are looking for ways to combine cloud and data protection. Anonymisation, pseudonymisation, encryption, hashing and secure enclaves for databases can all play their part in meeting data protection requirements.
Prediction: The trend towards procuring applications for end users from the cloud and outsourcing complex processing to the (Swiss) cloud will continue unabated.
Contribution of the architecture team: customers often come to us with questions about specific cloud-security issues. The focus here is to establish the right cloud architecture for the customer and the corresponding setup.
We support reviews focusing on the security of applications created by customers themselves or the security of Teams, SharePoint etc.
Trend #4: Sustainability
For larger projects, more extensive investigations are carried out into how the new project will affect the IT architecture.
Customers are now more aware that imprudent planning can lead to architecture anti-patterns being implemented with lasting cost consequences (and a lot of potential frustration). The topic of “architecture anti-patterns” would fill a blog post itself. Here are a few practical examples to illustrate this – though you are expressly not advised to imitate any of them.
- Building on-prem in the cloud: cloud frameworks such as Azure are based on a predefined architecture. This is a prerequisite for being able to use general functions such as monitoring or authorisations. This applies to services created by the customer as well as those provided by the cloud provider.
To ensure that this works as desired, you don’t need to reinvent the wheel, but rather seek out the right reference architecture for your project. That way you stay on the safe side and save time.
With infrastructure as a service (IaaS), there is a significant risk that “on-prem in the cloud” will be implemented – because it supposedly “speeds up migration”. We assure you that every future deployment in this scenario will take longer than when using the appropriate architecture patterns. - Monoliths: your applications dutifully use the “model-view-controller” (MVC) model. This divides an application into a persistence layer (database), a processing or logic part (controller) and a lovely GUI. In the cloud, service orchestration – and thus containers and micro services – call the shots. This is because orchestration does not work with monolithic systems, but with granular microservices.
If you develop an application yourself and deploy it to customers or partners via interfaces, you should think about the “correct slicing of services” because only services with a granular design can fruitfully be used by others via interfaces (APIs). You don’t want to be taken to the moon and back every time the application is called, but perhaps merely driven to the launch pad to start with. - Neophyte architectures: neophytes are newly introduced plant species – and these also exist in IT architecture. “Imported” standard software often has an “idea” of what the operating environment should look like. Perhaps it has to be Unix, an exotic database or – in frequent, drastic cases – a specific interface technology such as message queues from manufacturer XY. If you don’t have anyone in the company who can maintain these components, your options are to obtain the standard software as a managed service, procure other software or establish the necessary skills. The one thing you shouldn’t do is to underestimate neophytes.
- Analysis paralysis: no, you’re not thinking too little. Quite the contrary, with the consequence that good ideas are never realised because of the manifold concerns you have about them. The benefits of cloud services and virtualisation should not be forgotten here. A sandbox can be quickly set up to show how complex the realisation of the idea really is. And the best thing about it is that you’ve made a start. Stumbling blocks such as the neophyte problem we’ve already discussed are quickly identified and a decision can be made on how to proceed.
Prediction: Customers increasingly seek to achieve sustainability by implementing the right IT architecture. The opportunity to try things out in the cloud or on-prem on virtual machines is taken, which shortens innovation cycles.
Contribution of the architecture team: support in the development and review of various types of security architectures. Our cloud engineers also carry out cloud security reviews with access to the Azure environment.
My titbits from my architecture job in 2023
On an altruistic note, the titbit is the icing on the cake of the architecture job every year. And we’re are happy to advertise it here. Simply because we enjoy the unusual customer assignments. This is our unofficial “boutique” architecture service.
Code Review
A code review had the potential to be a tasty titbit. This brought back memories of past times as a developer in the security sector. We identified possible attack vectors and discussed these with the customer.
Prediction: There will always be a need for code reviews. Automated evaluation tools do an excellent job, while a review carried out by experienced developers provides additional security for especially critical applications.
Contribution of the architecture team: code review focusing on the security of complex applications. Customers may remember that we can also review code.
What will the InfoGuard team face in 2024?
I and my colleagues from the Architecture team are always inspired by the different and exciting tasks we encounter. The opportunity to work with customers at different levels has become established. If you would like to tackle an exciting, challenging architectural project with us, please get in touch! We look forward to seeing you.
If you don’t want to miss my Architecture Digest in the coming year, subscribe to our blog updates right here and now. Register now!
