CloudSecConsulting and its security practitioners are here to architect and build the bridge that will take you to the winning side.
by Andre Fernando - Cloud Sec Consulting Pty Ltd.
This second newsletter discusses the challenges of managing the security of an organisation's networks when they connect to public networks, or to networks governed by service providers. Consider what we have been reading in the news, where Internet of Things devices were used to launch a massive denial of service attack against a major Internet DNS service provider. The aim of this newsletter is not to cover the news but to raise the questions that matter to you and your organisation's survival.
"Survival" is quite a negative word and not in line with this paper. The right word should be "Success."
First, we need to be able to ask the right questions, the ones that matter to your organisation's business strategy. Does your organisation have enough security architecture capability to succeed in business?
Websites are being taken out of service, and spear phishing and ransomware attacks are common in the wild; we should not be surprised but prepared. Cybercrime is just another variation of crime, and as in real life, we have to carry on with our business and try to minimise the loss associated with attacks against us. We could ask and answer questions about risk mitigation strategies or safety nets, but instead we ask you to focus on opportunities and the enablers they require.
We carry on our business to succeed, not to think all the time about the associated risks. We all know that there are real risks associated with anything in life, as in business, and that they require ongoing management. Being secure is not black or white; it is a matter of reaching the level at which we feel comfortable.
As security practitioners, we assist your organisation in identifying the critical security capabilities that enable it to achieve its goals. Security planning is about thinking ahead, identifying and implementing security countermeasures aligned with the identified risks.
At CloudSecConsulting, our security architects go beyond traditional security and risk mitigation strategies. We assist you in identifying opportunity enablers that increase the likelihood of achieving your business objectives. Risk mitigation objectives are addressed with security controls and metrics; business opportunity objectives, by contrast, are addressed with security enablers and their own relevant metrics.
We are still referring to the same common security capabilities and services in use (i.e. Information Security and Governance + Data Security + Threat Management + Access Management), but we are no longer defining them merely as risk controls. The shift is in the way we ask the questions. Instead of just asking "What control do you need to mitigate your risk?", we ask "What do we need to do to enable or enhance the likelihood of achieving an organisation objective?"
Asking the right question is the key.
In information technology, security architecture provides a reference framework that serves as a basic guide when new technology and requirements are introduced into the company. More specifically, for communication networks, the security architecture serves your organisation as an integration path between your private networks and public networks such as the Internet.
As per the SABSA [1] definition, information security architecture is the set of rules and conventions adopted during the construction of business systems, usually business information systems. It serves our needs to live, to work and, most importantly, to do business. It takes multiple activities into consideration and provides a path for their integration. It is the foundation that will enable business needs to be fulfilled.
[1] SABSA - Sherwood Applied Business Security Architecture
The defined architecture results in a set of rules to be followed that match the right amount of control and "enablers" to the perceived risk against your organisation. It is a consistent set of principles, policies, capabilities and standards that set the direction and vision for the development and operation of the organisation's business information systems, ensuring alignment with and support for business needs. Some rules might be defined in the form of technical requirements, roles and accountabilities, standards or security control practices. It provides a framework within which the many members of large design, delivery and support teams can work harmoniously. The security architecture enables all of them to complement each other in reducing the risk to your business's valuable assets.
Now that we have defined what security architecture means, let's take a look at how your organisation can benefit from it.
In all organisations, chief information security managers are required to provide assurance that the senior executives' intent and direction are reflected in the organisation's security posture. This assurance is given through strategic alignment of information security activities with the business strategy in support of organisational objectives; for example, the selection requirements for security solutions must fit enterprise processes and take into account the culture, governance style, technology and structure of the organisation.
To accommodate the dynamics of business, technology and environments, it is necessary to adopt a security architecture that allows flexibility in operations, in addition to providing a point of reference so that sound decisions can be made when demands and environments change.
The architecture and its practices manage complexity by maintaining the integrity of design in a large, complex environment. It provides a roadmap for all to follow, lowering the total cost of ownership. It enables good interaction between technical and procedural solutions to business problems. It provides a rational framework for making design decisions and solving new challenges, and for attaining an appropriate balance between strategy, tactics and operations. It assists with resolving conflicting priorities and objectives, and with predictability, flexibility and agility.
The security architecture provides a means to manage the complexity.
Among its many benefits, we would list the following:
Business-driven
Risk-focused
Comprehensive
Modular
Open source
Auditable
Transparent
Justifiable
Traceable
Reusable
Security architecture development takes more than architecture, design, installation and service management skills. The design and implementation take into consideration business drivers, risk priorities, required processes, the organisation's operating model, locations and time dependencies, including:
The overall business goals for the system
The functional requirements of the systems
The materials and/or components available for constructing systems
The environment in which the system will be built and used
The skills of the people who will build them
The skills of the people who will use them
The costs incurred and benefits delivered
In most cases, the architecture is defined with three layers, and its implementation is governed by the organisation's architecture committee.
The Business Security Architecture, which includes most of the contextual and conceptual analysis required to define the security strategy and rollout plan.
The System Security Architecture, which covers the detailed logical, physical and component-level designs. At this layer, security capabilities are translated into security services (i.e. application, middleware, network, platform) and the required mechanisms and tools/products.
The Service Management Layer, which takes care of the entire architecture and service lifecycle management. This layer represents the organisation's operational level and the resources required to manage and operate the security services.
The business value of your architecture is realised through its existence.
The security architecture aligns with the organisation's business needs, and it exists in response to perceived business risk. In business terms, your business goals rely on valuable assets. Anything you do to increase the likelihood of success should be identified as a performance indicator for a critical security architecture enabler capability. Together with all the other security architecture risk controls, these form your organisation's security performance indicators and shall be maintained as your architecture evolves.
At CloudSecConsulting, we can assist you in crafting the right performance metrics. We will take you on the journey of identifying the right questions that need to be answered by your organisation's leaders.
Let's make your security program part of your organisation's success. Make your move; it is never too late.