Adaptive Security Lifecycle

Security as a Business Enabler

Infrastructure and the environments in which it operates are dynamic and continually evolving, especially in our rapid-deployment world. Many fast-tracked organizations start out with a well-designed, orchestrated and secure architecture, but organically, like firewall rules, it devolves and diverges into increasing levels of complexity and fragmentation.

Security Organism

Applications and systems grow exponentially, creating increasingly complex connectivity and relationships that result in a spider's web of interfaces across domains. Complexity leads to insecurity, increased risk of human error, and a substantial increase in the cost of operations and maintenance. The result dramatically impacts the organization's ability to deploy rapidly and efficiently and move forward with agility.

Security done right is a business enabler that dramatically reduces total cost of ownership (TCO), providing a tangible Return on Security Investment (ROSI).

IT complexity and fragmentation replaced by an adaptive, modular and flexible architecture enables agility and improves your competitive edge, so the business can refocus quickly as new opportunities emerge.

“Security is a process, not just a product or technology issue.”

Adaptive Security Lifecycle Process

System technology and users, data and information in the systems, risks associated with the system, business drivers, and security requirements are ever-changing. Many types of changes affect security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat.

Creating an adaptive modular architecture leads to agility and flexibility as the organization grows. Like keeping your room tidy, there needs to be a healthy amount of chaos and innovation on the edge with a continual process of consolidation, integration, organization, and so on into the core. Organizations across various regulatory requirements have fallen into the trap of only seeking compliance – which can be far from being secure. Security is part diplomat, part salesman, part an art.

ASAL

In addition, security is never perfect when a system is implemented. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare, and procedures become outdated over time. These issues make it necessary to periodically reassess security architecture.

An adaptive security lifecycle process develops an architecture that is refreshed on an annual basis. The first step in the process is to develop the current state (see below). The results of the security baseline that were formed in previous blogs, together with the assessment conducted (current infrastructure environment), are analyzed. Factors such as the perimeter, hybrid cloud(s), data center(s), DMZs, Virtual Private Networks (VPNs), virtualization, intranet, extranet, partner connections, remote access, and access to assets are considered to develop the current state and security risk profile.

Adaptive Lifecycle

Adaptive Security Architecture Methodology

The next step is to develop the security architecture (see: Develop Security Architecture blog), which creates the goal state. This process takes the current state and security-risk profile documented previously and adds the business drivers, prioritized requirements, policy, legal constraints, and so on. From this step, a formal security architecture is developed and shared with the stakeholders to gain consensus.

The final step is to compare the current state with the goal state and to identify the projects that are required to transition the current infrastructure and realize the architecture. From the migration strategy workshop (see: Security Architecture Implementation blog), together with the business units and stakeholders, the viable projects are selected based upon their dependencies, priorities, available resources, and budgets, forming the annual plan of infrastructure improvements.

During the next planning year, the process is repeated and the architecture updated with new business requirements, new technologies, new solutions, and so on. A follow-on assessment of the current infrastructure captures improvements together with any new threats, vulnerabilities, and exposures, and documents the new current state and security-risk profile. Performing a gap analysis and migration strategy planning workshop contrasting the new current state and goal state allows an updated plan to be developed for that year.

Architecture Evolution

Adaptive Architecture Value Proposition

Over time, it can be seen (see: Adaptive Architecture Evolution above) that the security architecture is used as a baseline for consensus and direction but that it is active and capable of being updated. This process allows the security architecture to adapt to support the needs of the business. It evolves and sets future objectives. It enables an iterative evolution towards compliance across an applicable regulatory and standards-based Master Compliance Framework.

Security Governance

At the same time, the annual plan sets the stage for the projects that need to occur that year, and the improvements begin to converge towards and track with the architecture. Finally, with the proactive asset, risk, and policy management and infrastructure improvements, the security-risk profile is also managed, resulting in risk reduction. In this manner, not only does the security architecture drive the IT and network infrastructure direction, but it also enables the illustration of tangible results, winning continued support for the program.

The next blogs will cover Application & System Zoning as well as Application Architecture Taxonomy to untangle the spider's web of complex critical applications and relationships for zone placement, policy, and controls.

Thanks for your interest!

Nige the Security Guy.