NEWSLETTER #2 - Security Success Planning
- by Andre Fernando - Cloud Sec Consulting Pty Ltd.
- Nov 10, 2016
- 5 min read
Updated: Jan 12

CloudSecConsulting and its security practitioners are here to architect and build the bridge that will take you to the winning side.
This second newsletter will explore the challenges of managing organizational network security when connecting to public networks or those governed by service providers. Recent news highlights how Internet of Things devices have been used to launch massive denial of service attacks against major internet DNS service providers. While this newsletter does not focus on the news itself, it aims to raise important questions relevant to your organization's success.
"Success" is a more appropriate term than "Survival" for this discussion.
Firstly, we need to ask the right questions that align with your organization's business strategy. Does your organization possess sufficient security architecture capabilities to succeed in business?
Websites being taken offline, spear phishing, and ransomware attacks are common occurrences, and we should be prepared rather than surprised. Cybercrime is simply another form of crime, and just like in real life, we must continue our business while minimizing losses from attacks. Instead of focusing solely on risk mitigation strategies or safety nets, we encourage you to concentrate on opportunities and necessary enablers.
Our goal is to succeed in business, not to constantly worry about associated risks. We understand that real risks exist in both life and business, requiring ongoing management. Security is not a black-and-white issue but should be at a level where we feel comfortable.
As security practitioners, we help your organization identify critical security capabilities to achieve its goals. Security planning involves anticipating future needs and implementing security measures aligned with identified risks.
At CloudSecConsulting, our security architects look beyond traditional security and risk mitigation strategies. We assist you in identifying opportunity enablers to enhance the likelihood of achieving your business objectives. Risk mitigation objectives are addressed with security controls and metrics, while business opportunity objectives are addressed with security enablers and relevant metrics.
We continue to use common security capabilities and services (i.e., Information Security and Governance, Data Security, Threat Management, Access Management), but we don't define them solely as risk controls. The shift lies in how we frame the questions. Instead of asking, "What control do you need to mitigate your risk?" we ask, "What do we need to do to enable or enhance the likelihood of achieving an organization objective?"
Asking the right questions is crucial.
In information technology, security architecture provides a reference framework that guides the integration of new technology and requirements within the company. Specifically, in communication networks, security architecture serves as an integration path between your private networks and public networks, such as the Internet.
According to SABSA (Sherwood Applied Business Security Architecture), information security architecture comprises the rules and conventions adopted during the construction of business systems, usually business information systems. It is essential for living, working, and conducting business. It considers multiple activities and provides a path for their integration, serving as the foundation for fulfilling business needs.
The defined architecture results in a set of rules that balance control and "enablers" based on perceived risk to your organization. It consists of principles, policies, capabilities, and standards that direct the development and operations of business information systems to align with and support business needs. Some rules may be defined as technical requirements, roles, accountabilities, standards, or security control practices. This framework enables large design, delivery, and support teams to work harmoniously, complementing each other to reduce risk to your business's valuable assets.
Now that we've defined security architecture, let's explore how your organization can benefit from it.
In all organizations, chief information security managers are tasked with ensuring that the senior executive level's intent and direction are reflected in the organization's security posture. Assurance is provided through the strategic alignment of information security activities with business strategy, supporting organizational objectives such as selecting security solutions that fit enterprise processes, considering the organization's culture, governance style, technology, and structure.
To accommodate the dynamics of business, technology, and environments, adopting a security architecture that allows operational flexibility is necessary. It also provides a reference point for making informed decisions when demands and environments change.
The architecture and its practices manage complexity by maintaining design integrity in a large, complex environment. It provides a roadmap for everyone to follow, reducing the total cost of ownership. It facilitates effective interaction between technical and procedural solutions to business problems. It offers a rational framework for making design decisions, solving new challenges, and balancing strategy, tactics, and operations. It helps resolve conflicting priorities and objectives, ensuring predictability, flexibility, and agility.
The security architecture provides a means to manage complexity.
Among its many benefits, we highlight the following.
- Business-driven
- Risk-focused
- Comprehensive
- Modular
- Open source
- Auditable
- Transparent
- Justifiable
- Traceable
- Reusable
Developing a security architecture requires more than just skills in architecture, design, installation, and service management. The design and implementation must consider business drivers, risk priorities, necessary processes, the organization's operating model, as well as location and time dependencies. In particular, the architecture must account for:
- The overall business goals for the system
- The functional requirements of the systems
- The materials and/or components available for constructing systems
- The environment in which the system will be built and used
- The skills of the people who will build the systems
- The skills of the people who will use them
- The costs incurred and benefits delivered
Typically, the architecture will consist of three layers, with its implementation overseen by the organization's architecture committee.
The Business Security Architecture encompasses most of the contextual and conceptual analyses necessary to establish a security strategy and deployment plan.
The System Security Architecture involves detailed logical, physical, and component-level designs. At this layer, security capabilities are converted into security services (such as application, middleware, network, platform) and the necessary mechanisms and tools/products.
The Service Management Layer manages the entire architecture and service lifecycle. This layer represents the organization's operational level and resources needed to manage and operate the security services.
The business value of your architecture is realized through its existence.
The security architecture aligns with the organization's business needs and exists in response to perceived business risks. In business terms, your goals depend on valuable assets. Any action taken to enhance the likelihood of success should be recognized as a critical performance indicator of the security architecture enabler capability. Along with all other security architecture risk controls, these form your organization's security performance indicators and should be maintained as your architecture evolves.
At CloudSecConsulting, we can help you develop the right performance metrics. We will guide you in identifying the key questions that need to be addressed by your organization's leaders.
Let's integrate your security program into your organization's success. Take action now—it's never too late.
by Andre Fernando - Cloud Sec Consulting Pty Ltd.