Adaptive Security Lifecycle
May 29, 2013 11 Comments
Security as a Business Enabler
Infrastructure and the environments in which they operate are dynamic and continually evolving over time, especially in our rapid deployment world. Many fast-tracked organizations start out with a well-designed, orchestrated and secure architecture but organically, like Firewall rules it devolves and diverges into increasing levels of complexity and fragmentation.
Applications and systems grow exponentially creating increasingly complex connectivity and relationships that result in a spiders web of interfaces across domains. Complexity leads to insecurity, increased risk of human error and, a substantial increase in the cost of operations and maintenance. The result dramatically impacts the organizations ability to deploy rapidly and efficiently and move forward with agility.
“Security done right is a business enabler that dramatically reduces total cost of ownership (TCO)
providing a tangible Return on Security Investment (ROSI).
IT complexity and fragmentation replaced by an adaptive modular and flexible architecture enables agility and
improves your competitive edge — so the business can refocus quickly as new opportunities emerge.
Security is a process, not just a product or technology issue.”
Adaptive Security Lifecycle Process
System technology and users, data and information in the systems, risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat.
Creating an adaptive modular architecture leads to agility and flexibility as the organization grows. Like keeping your room tidy there needs to be a healthy amount of chaos and innovation on the edge with a continual process of consolidation, integration, organization, and so on into the core. Organizations across various regulatory requirements have fallen into the trap of only seeking compliance – which can be far from being secure. Security is part diplomat, part salesman, part an art.
In addition, security is never perfect when a system is implemented. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures become outdated over time. These issues make it necessary to periodically reassess security architecture.
An adaptive security lifecycle process develops an architecture that is refreshed on an annual basis. The first step in the process is to develop the current state (see below). The results of the security baseline that were formed in a previous blogs, together with the assessment conducted (current infrastructure environment), are analyzed. Factors such as the perimeter, hybrid cloud(s), data center(s), DMZs, Virtual Private Networks (VPNs), virtualization, intranet, extranet, partner connections, remote access, and access to assets, are considered to develop the current state and security risk profile.
Adaptive Security Architecture Methodology
The next step is to develop the security architecture (see: Develop Security Architecture blog), which creates the goal state. This process takes the current state and security-risk profile documented previously and adds the business drivers, prioritized requirements, policy, legal constraints, and so on. From this step, a formal security architecture is developed and shared with the stakeholders to gain consensus.
The final step is to compare the current state with the goal state and to identify the projects that are required to transition the current infrastructure and realize the architecture. From the migration strategy workshop (see: Security Architecture Implementation blog), together with the business units and stakeholders, the viable projects are selected based upon their dependencies, priorities, available resources, and budgets forming the annual plan of infrastructure improvements.
During the next planning year, the process is repeated and the architecture updated with new business requirements, new technologies, new solutions, and so on. A follow-on assessment of the current infrastructure captures improvements together with any new threats, vulnerabilities, and exposures, and documents the new current state and security-risk profile. Performing a gap analysis and migration strategy planning workshop contrasting the new current state and goal state allows an updated plan to be developed for that year.
Adaptive Architecture Value Proposition
Over time, it can be seen (see: Adaptive Architecture Evolution above) that the security architecture is used as a baseline for consensus and direction but that it is active and capable of being updated. This process allows the security architecture to adapt to support the needs of the business. It evolves and sets future objectives. It enables an iterative evolution towards compliance across an applicable regulatory and standards-based Master Compliance Framework.
At the same time, the annual plan sets the stage for the projects that need to occur that year, and the improvements begin to converge towards and track with the architecture. Finally, with the proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, not only does the security architecture drive the IT and network infrastructure direction, but it also enables the illustration of tangible results, winning continued support for the program.
The next blogs will cover the Application & System Zoning as well as Application Architecture Taxonomy to untangle the spiders web of complex critical applications and relationships for zone placement, policy and, controls.
Thanks for your interest!
Nige the Security Guy.
Pingback: Security Series Master Index | Nige the Security Guy
Pingback: Security Program Best-Practices | Nige the Security Guy
Pingback: InPlayToday™ – Cyber Security and Network Best Practices
Pingback: Architecture Case Study – Part 1 | Nige the Security Guy
Pingback: Architecture Case Study – Part 2 | Nige the Security Guy
Pingback: Security Program Best-Practices 3 | Nige the Security Guy
Pingback: Advanced Threat Defense – Part 1 | Nige the Security Guy
Pingback: Defensible Security Posture – Part 2 | Nige the Security Guy
Pingback: Security Strategy Retrospective | Nige the Security Guy
Pingback: Security Architecture Series Guide | Nige the Security Guy
Pingback: Advanced Defense Posture Assessment | Nige the Security Guy