Security Architectures

As the enterprise evolves by leveraging new technologies such as bring your own device (BYOD) and the cloud, security architecture needs to be redefined to remain effective. Many services are moving out to the network edge and beyond. There are security issues that must be considered, as often these are tied to internal systems. These significant changes to the traditional network and security architecture results in the need to go back to the blueprints and develop an agile architecture. Understanding the complex data interactions in the enterprise by developing trust models is a requisite exercise, and will be explained in detail in this chapter.

Security architecture models

The typical security architectures range from a generic layered approach, where only connected layers may communicate with each other, to complex source and destination zones, allowed protocols, and specific communication channels permitted per endpoint type to advanced models based on data risk. Data risk is comprised of understanding what data needs protection including from whom and what, based on loss probability.

The data-centric security architectures emphasize enterprise data, where it is stored, how it is transmitted, and the details of any data interaction. Once all pertinent enterprise data and associated systems are identified, the required security mechanisms can be designed and implemented. Placement of the systems may not be a concern if the security mechanisms are based on the risk profile built by the previously learned information. The next sections will cover how the components of the security architecture are developed.

Security as a Process

Security is a process that requires the integration of security into business processes to ensure enterprise risk is minimized to an acceptable level. This chapter will introduce the concept of using risk analysis to drive security decisions, and to shape policies and standards for consistent and measurable implementation of security. Ensuring the security team is involved in IT policies and standards development, and the enterprise change management process is key to reducing risk to the enterprise, especially when changes include firewall policy modifications, business partner connectivity, changes to network architecture, and defined policies and standards. Additionally, exceptions to defined standards and policies must be managed by a method that requires remediation so that the end solution becomes compliant. Security as a process is an approach that highlights the integration of security and business initiatives to reduce the security impact of implementations and changes to the enterprise environment. Resources for topics covered in this chapter can be found in  Risk Analysis, Policy and Standard, and System Hardening Resources.