Hello All. Here is wishing everyone a very Happy and Safe Diwali. Diwali is a festival of lights, and this is a time to get together and celebrate. As we celebrate, we also say a silent prayer of thanks to the countless police, defense forces and cybersecurity specialists who are holding the fort and letting us celebrate through their continuous effort to keep us safe. This series is dedicated to all of you out there who are working hard to keep the attackers out.
Thank you for reading through this and as I had mentioned earlier, this is a series. This article is the next in the series. Your feedback means a lot and I appreciate the comments coming my way. In case you have missed the earlier articles, the links are below.
Create the Security Architecture on the basis of the Policies we defined.
We now have the policies documented and approved. Next, we need to design our Security Architecture so that the necessary controls within the policy are working adequately and giving us the sense of security that we require.
Everyone equates Architecture design with a Technology and Product architecture. Actually, an architecture is much more. An architecture revolves around multiple areas, as listed below:
- Organization Structure with roles and responsibilities
- Re-defining the network layer to get more granular and segmented in terms of security
- Identifying the various configurations that need to be changed in the existing technology and people skills, and making use of what we have
- Governance enablement for any changes – checking for impacts, etc.
- Decisions on what can be available from external networks for Employees, Vendors/Suppliers, Customers and defining the solution accordingly.
- Identify weak areas and use specific products that are required. Here, we can start with open source products initially, get the controls and process tuned right, and then look at commercial products which can deliver on your baselines and do more. That way, your commercial investments cannot fail and you have the surety of a return on investment.
- Monitoring the effectiveness of the deployment in a continuous manner – either in real-time (usually done by security skilled staff/ companies) OR in scheduled intervals (done by Auditors)
- Re-skilling the people – for responding to an emergency, knowledge for better usage of the tools and processes available
- Generating awareness for end-users on what changes will impact and what they can do if they need something
The sum of all of the above is what gives you and defines your Security Architecture. Only a technology design does not help since it ignores many of the other elements required for a successful rollout.
The beauty of defining such architectures is that, since we are using a risk/policy-based approach, it is tough for us to go wrong OR end up with a different level of security than what we want. That different level of security can be higher OR lower, and both scenarios impact us. Higher security at times hinders business. E.g. email on a personal mobile phone is not allowed; this leaves us helpless when an email comes in the evening after office hours and requires a response before office hours start the next day. This will hinder us in doing business. On the other hand, weak security controls allow people with malicious intent to breach our defences and steal/damage our information. E.g. USB is allowed for all. Malware often makes its entry via this route, through the flash drive. This malware (in some cases ransomware) can steal data, or block us from getting into the system unless we pay money to whoever is asking for it. Such incidents are damaging in terms of time lost and reputation damage due to confidential data leakage. Hence, both scenarios are unpleasant and both need to be avoided.
Design of the architecture is a long-term solution roadmap and hence needs that extra attention to define it carefully. Get into each parameter as mentioned above and you cannot go wrong. You should invite external expertise; however, align them to your policies so that the design works well. Many providers focus only on products, since that is their core strength, and many providers focus only on the Governance part. Hence you need external experts on both sides, and you are the bridge providing the cohesion.
In the next article, we will explore Step 3 – Do a Risk Assessment and Identify risks
Till then, stay safe and if you need emergency response/ help, shout out to
In case you have missed the earlier part of the series, it is at