In this somewhat unconventional blog post, I will be giving you an insight into my work as an IT security architect within the InfoGuard consulting team. Have a look over my shoulder and learn about my personal practical tips. All the people and companies are strictly fictional, and any similarity to any real-life person or company is purely coincidental!
IT security architecture: an external assessment is requested
My working week begins with a request from a client for an assessment or a second opinion of his IT security architecture. To make it possible for me to put together a realistic offer, I analyse the client's business activities and requirements. What industry is the client working in – finance, pharmaceuticals, administration etc.? Based on this, the standard frameworks can be identified against which the customer's IT security architecture can be tested and assessed. The goal is to determine what the IT security architecture needs to fulfil given the anticipated risks inherent in the company's business. After all, not all IT security architectures are the same! A variety of factors such as the company size, IT affinity and of course the budget are all important. Our process model is adapted to suit the current conditions based on these parameters, and the costs are calculated on them too. Hopefully, the client will be willing to accept this proposal.
Optimally integrating new system components into the IT architecture
After my first (and sometimes second) coffee, I start work on my current project mandates. I often work directly at the client's premises and, if necessary, call in support from colleagues. However, for more complex projects, we also work as a team. Right now, much of the work can only be done remotely, but experience has shown that this can work well.
I am currently working on a contract with a medium-sized Swiss industrial company. They are planning to procure standard software for production planning and control (PPS). As is often the case, the solution is a good fit with the existing processes in the company, but not the existing IT landscape. This is why it is worthwhile to clarify the issue of integration before procurement takes place. Common solutions like: “Let's use the application in a cloud container provided by Provider XY” are tempting and absolutely legitimate, but if exceptions become the rule, this can lead to uncontrolled growth. This rarely comes even close to ensuring security, availability and serviceability.
As a first step, I worked with the client to identify the protection requirements for the processed data, potential regulatory requirements and the risks, and then identified the appropriate option that should be implemented. Included were:
- the network zones where the application is running,
- the security arrangements for the various parts of the application,
- the necessary audit information, and
- the specifications for monitoring, operation and, where applicable, requirements for development.
After that, we discussed how to integrate the application into the customer's authorisation tool (Identity and Access Manager). We also discussed what the processes related to the new application for user administration, incident management, patching, data backup and much more would look like in terms of security.
My first tip: Do not forget about taking care of processes, because – you snooze, you lose...
There is one important aspect that is often overlooked – processes. Cars and bicycles are regularly checked and serviced, and this is exactly what you should do with the components (in this case the PPS software, the container, the infrastructure etc.). Put in place a process with people responsible for periodically maintaining and looking after your components.
When IT security architecture fails to keep up with growth
Over the course of the week, my experience is called upon to assess the IT architecture of a service company with international offices. The company has grown over the years and the IT architecture has been inadequately documented. The IT management team has concluded that the current state of affairs is severely hampering their ability to meet the demands of the business. They want to improve this situation and reduce IT security risks at the same time.
In these situations, what is clear is that an outsider’s view is very useful. After reviewing the existing documentation and holding workshops with the client's key knowledge holders (this can also be done via video call), I gain a broad overview. The challenge now is to establish the state of the IT security architecture in a structured way, and identify where improvements should be made. To do so, I examine the following aspects, among others:
- What will be needed in the future (components, function and architectural model)?
- What is already in use by many existing IT components?
- What should be used by many components, but will not be?
- Are there components that always generate commotion?
- Where is there a good cost-benefit ratio?
- Is there any external pressure to replace or introduce a component?
- Do we have the knowledge or a partner available to provide the client with support?
- How can we minimise the impact of the changes to ensure seamless operation?
My second tip: Use existing frameworks for your IT architecture
There are frameworks (such as OSA, SABSA, TOGAF, etc.) as well as guidelines that provide support with designing a good target architecture. Designing the route to achieve the goal is one of IT security architects' core tasks. Experience, knowledge and a well-developed gut feeling play a crucial role here. Based on this experience, good IT security architects know what works and what doesn't in a given environment. Once the client is also convinced, these are the right conditions for successful implementation.
Network and zone concepts – Less is more
With clients from government administration, the project is structured in a similar way. This particular client wants us to work out a new network and zone concept. The appropriate network and zone concept is defined based on the protection requirements and the risks. Different security mechanisms take effect in the individual zones and at the zone transitions that are defined. At the end of the process, an optimal solution should be available for the specific requirements, working in the sense of “reduce to the max”. This is because every network zone that is not absolutely vital, and is therefore left out, reduces operational costs.
Assessment of architecture with the subsequent development of the target architecture
And the week just carries on! A healthcare SME would like an assessment (a gap analysis) of its existing security architecture. This needs to take into account the current regulations and best practices in the healthcare sector. The relevant issues are identified based on a recognised framework (e.g. ISO/IEC 27001:2013) and additional relevant industry standards. However, asking the right questions is one thing – coming up with recommendations for the customer is another. These recommendations are then worked up based on the issues, industry conditions, best practices and our experience, and the implementation plan to improve IT security is defined.
My final tip: Combining an assessment of the IT security architecture with the development of a target architecture
In my experience, I recommend the combination of an IT security architecture assessment and the subsequent development of a target architecture to fill the gaps that have been identified. In order to develop the target architecture, the ACTUAL existing architecture must be assessed and the implementation of the TARGET security must be defined. This is the way to kill two birds with one stone!
The IT architect as a moderator
Before the weekend can begin, my moderation and mediation skills are called upon. Yes, that’s right, it’s because two departments of a financial services provider have different views on the way to implement security functions. In order to resolve the differences in assessment, an explanatory order is to be drawn up and discussed in a workshop setting with representatives from both departments. This will enable the pros and cons of the different assessments and points of view to be hammered out, and an optimal (coordinated) solution to be found. These questions show that, alongside all the technology and IT architecture, the “human factor” should not be underestimated.
Security assessment of a locking system from an architectural perspective
As I have said, as an IT architect I do not just deal with IT matters. For example, a large service company is looking to renew its locking system. We were asked to assess the architectural concepts and conduct critical interviews with the suppliers regarding the security of the individual components. This requires an integrated, interdisciplinary team approach. It is essential to have a thorough understanding of the specific subject matter of the fascinating world of locking systems, because it is important to know the specifics of each individual system and to take into account the functionalities of physical security. The report's findings are discussed in workshops and additional measures are then implemented.
My personal highlights as an IT security architect
Occasionally, clients want to evaluate new technologies and technology trends and assess whether and in what way they could add value to the business. I really enjoy these assignments, as I get to discover new aspects of the work and get to think about what future benefits they could bring to the company. These kinds of assignments have included assessing a mobile device management system, evaluating cloud migration scenarios, encryption and data distribution architectures, anomaly detection, deployment architecture, multi-factor authentication and evaluating future-oriented remote access products.
All well and good... and expensive
You are probably thinking, “That’s all well and good, (hopefully) interesting and the job seems to be fun. But these projects are expensive!!” That may well be true, but a well thought-out IT architecture allows you to create real added value. You can:
- Make changes in a safe, agile way in order to react to market needs before your competitors can.
- Get a security certification for your IT and gain a market advantage.
- Increase your security level and thereby reduce the attack surface. And, if you get caught in an attack, you can demonstrate that you have done everything possible in terms of IT architecture.
And because this is a blog from my own personal point of view:
“When you have got your IT security architecture under control, you can save your energy for other topics.”
There is a justified question as to the reasons why an IT security architecture drops in quality over time. This is my personal assessment based on my work over the last few years:
- Time pressure and shortcuts: The attempt (or temptation) to opt for rapid implementation that is not in sync with the existing IT security architecture.
- Underestimation: Even standard software requires a standard architecture model that is the right size for the company.
- Components are not designed to be reusable: Lack of interfaces leads to redundant implementations of functionalities or entire programme parts.
- Lack of cloud strategies: Clouds are introduced gradually and ultimately, on-premises, hybrid and cloud do not mesh. This can also lead to regulatory problems with regard to data storage in the cloud.
InfoGuard will assist you with your IT security architecture
As you can see, my work as an IT architect is absolutely fascinating and varied. I am sure that there are real IT security challenges in your company as well – and we can help you with them! We are fascinated to discover your challenges. This can be the development of target architectures and the respective implementation priorities, the assessment of existing security architectures or the development of zone concepts, via specific questions relating to on-premises, hybrid and cloud, through to the moderation of workshops or even as “IT Security Architect-as-a-Service”.
You benefit from our knowledge in a range of disciplines, such as engineering, the Security Operation Center (SOC) and cyber defence as well as from our cooperation with leading educational establishments. For example, I teach IT security architecture at the Lucerne University of Applied Sciences and Arts. The “professional gut feeling” developed over many years of experience in the field of IT security architecture should not be underestimated. Are you converted? Then get in touch! My colleagues and I will be glad to assist you.