Security Architecture Primer
May 14, 2013 10 Comments
Security Architecture Primer
The primary purpose of creating an enterprise security architecture is to ensure that business strategy and IT security are aligned. As such, enterprise security architecture allows traceability from the business strategy down to the underlying technology. However, many IT organizations have moved away from formal security architecture governance in favor of rapid deployment cycles and tactical changes which over time risk diverging into complexity and fragmentation – with unresolved security exceptions. Complexity not only leads to insecurity and the increasing potential for human error but also increased cost of operations.
The good news is that with an Adaptive Security Architecture Lifecycle process organizations can enjoy the best of both worlds – to enable business agility and tactical deployments by allowing a healthy amount of chaos and innovation at the edge together with planned iterative consolidation and integration of infrastructure into the core … guided by the security architecture blueprint which drives towards holistic convergence, integration, organization and, automation.
Back to Basics
A security architecture is a design document describing the security components that will protect the enterprise, and the ways they relate and interact with each other. It represents a two- to three-year planning horizon that defines the desired state of an organization’s extended enterprise or e-business enabled infrastructure. The architecture sets the context for planning, design, and implementation. It enables a company to evolve and to become agile, multi-functional, and competitive, allowing the seamless adoption of new capabilities and applications into a common
infrastructure.Security architecture also facilitates budgeting for security solutions and personnel.
Executives struggle with security spending because it is difficult to see any return on investment. Having a document that defines the current security architecture makes it easier to justify and communicate to non-security individuals what needs to be done and why. Associating business objectives with security in the document also assists management in understanding the need for security in the enterprise.
Policies and procedures are very important and need to be a part of every organization. But if no one knows they exist or where to find them, then they are not worth the effort it took to write them. Using one major security architecture document as the blueprint gives planners only one location to go to when addressing a security issue. The process of building the security architecture also builds consensus across functional areas and gains management acceptance. This helps with compliance and enforcement of security practices.
In summary, the security architecture provides:
- A way to evaluate applicability of new technologies, products, and services
- A framework for technology decision-making
- A macro view of IT systems and components, from the security perspective
- A statement of direction for IT
- A way to reduce and manage risk in the most cost-effective manner
- A way to facilitate compatibility and easier administration of systems
- A blueprint for future network growth
- A way to create and document consensus
- A methodology to force consideration of all design factors
- A guide for the creation of an enabling infrastructure for unforeseen new applications
The purpose of this blog is to help readers and followers to develop a comprehensive, adaptive, and proactive security architecture and roadmap program. Security architecture should be considered a living document and updated as plans are accomplished, technology changes, business requirements surface, new risks are discovered, and improvements are made to your architectural structure.
This Security Architecture series will guide readers through an Adaptive Security Architecture Lifecycle process.
Thanks for your interest.
Nige the Security Guy.