Part 4: Define, Assess and Prioritize Your Security Architecture
“And a step backward, after making a wrong turn, is a step in the right direction.”
Before we commence our discussion on security architecture as part of our security evolution, I’d like to share a recent relevant experience. While scoping out a computer purchase for a grandson, I engaged in a conversation with one of the world’s largest chip makers concerning Spectre and Meltdown attacks. These exploit critical vulnerabilities in modern processors (excellent summary of Spectre and Meltdown vulnerabilities here) to steal personal data.
The sales rep of (unsaid) company assured me that they had contained Spectre and all was fine now. I expressed my skepticism, as I am prone to do these days. Then, the other morning, while I was reading Bloomberg Businessweek, an article on technology jumped out at me (“Millions of Computers Are at Risk of Hacks That Crack Into Their Core”, May 21st, 2018). In the article, Yuriy Bulygin, ex-Intel, was speaking about how SMM memory (System Management Mode) had rendered the sales rep’s above “all clear” irrelevant, and it goes on to say that cloud computing is specifically vulnerable here as it erased the distinctions between separate computer facilities.
My point is simply this: Most of the exposure you get about security is from advertising, sales reps and sales pitches from security vendors. They talk about layers including:
- Next Gen Firewall (for Intrusion)
- Endpoint Protection (for Detection)
- SAAS Applications (for Redundancy)
- Backup and DR (for Data Recovery)
And yes, the layers they speak about are great, exactly the right approach for maximum security. But let’s not forget that this will also lead to layers of invoices in Accounting, and it is not in itself an exhaustive approach to achieving “best practices”.
- Governance: Security leadership goes from “top floor” to “shop floor” and along the way people are by far the weak link.
- Regulations: Policies, procedures, and best practices as, again, people are the weakest link.
- Compliance: Stepping up to industry standards, even when not mandated, allows you to say you did as well as can be expected if you are compromised.
- Insurance: Expensive, and claims processes can be difficult, but it sure feels good.
- Consultancy: Having a “security expert” on your “rolodex” (remember those?) is a good move, as experts can see industry-wide much more than you do individually.
The Security Architecture Analysis
So with that, you are now ready to commence a security architecture analysis.
The security assessment left you with a number of projects to possibly pursue. Going about them is typically a daunting task, and you probably don’t have appropriate resources handy. But remember, keep the focus on your “soft underbelly”, prioritizing assets and/or liability exposure. A good security architect will help you with the process of dealing with risks in several possible ways:
- Deploy resources appropriately (avoidance)
- Insure or outsource (transference)
- Reduce the impact (mitigation)
- Understand the downside and do nothing (acceptance)
The Security Architecture Process
- Discuss with asset owners (C-suite, ownership) the business strategy that security needs to support.
- Review Strengths, Weaknesses, Opportunities and Threats.
- Research and review industry trends relevant to strategy.
- Review existing security to determine client style/culture.
- Document everything extensively!
- Prepare security architecture strategy after extensive consultation and review.
From here, you will proceed to product evaluations and whitepapers for analysis (and future security assessments are inevitable).
The takeaway from this process is that it requires a major effort from senior management: not just people who work for a paycheque, but those who have a real stake in the “balance sheet”.
Our next blog will investigate looking at your network (down to layer 2) with an eye to seeing “everything” so that you can determine any weak spots that could be vulnerable. It’s the “unknown-unknowns” that can hurt you.
Next Post: Examining Your Network. And don’t forget to check out the earlier posts in this series: Part 1: The Landscape of Security in 2018; Part 2: Five Areas for Complete Coverage; and Part 3: What to Expect in a Security Assessment.
This is the fourth in a series of internet security posts which are intended to assist security-aware business people. My name is Bruce Thompson and I have been in the telecom and IT industry for over 30 years. I have numerous security certifications from industry-leading vendors and associations. If you’ve been following these blogs up to now, you impress me as a cyber-security-concerned person willing to pursue this field. I find speaking to people like you interesting. Please feel free to contact me anytime at 604-331-2502 or firstname.lastname@example.org