Evolving your security architecture for increased agility and resiliency

When designing your cybersecurity defenses for the new normal, it’s important to look beyond the technology. You’ll need a true architecture-led approach, one that’s driven by your business needs.


The global pandemic has jolted many organizations into a new reality where virtual and remote become more important than physical and local. Security architectures deployed over decades have suddenly become irrelevant. Concurrently, organizations are looking inward and challenging themselves by asking, “How do I justify new investment in tight economic times? In fact, how do I justify an entirely new security architecture for this remote work reality?” To answer these questions, organizations are considering a variety of vital initiatives, including adopting more zero-trust, cloud-based monitoring systems (so PCs can be protected anywhere), and making the shift to as-a-service and consumption-based services.

But can the challenges we currently face be solved without throwing more technology at them? It’s time to take a step back and analyze how we can use existing tools more effectively. By developing policy, process, and procedure, current tools may be able to help address the challenges experienced in this new normal. We should also revisit the way we handle enterprise architecture to ensure we can address new challenges in a holistic and methodological fashion.

This blog examines why all enterprises must take an architecture-led approach to IT security risk management, in order to keep their defenses relevant as the threat landscape expands and becomes more complex.

It’s time to take a fresh look at security

Before discussing security architecture, let’s examine enterprise architecture, a phrase that means different things to different people. American businessman and consultant John A. Zachman pioneered the concept back in the ’80s, defining enterprise architecture as the discipline that bridges strategy and implementation. A widely used definition, attributed to Gartner, is along the same lines: enterprise architecture translates business vision and strategy into effective enterprise change.

Security architecture is an essential discipline of enterprise architecture; a unified security design must address the needs and risks of an organization. And just like enterprise architecture, security architecture must be embedded in all layers of the organization; it is not merely the focus and responsibility of security architects. Its greatest supporters should be the organization’s management, yet architects often struggle to gain management support and involvement.

An enterprise-wide, comprehensive view

To overcome this challenge, you must inspire business leads by advising them on novel and innovative architectural and security possibilities. When attempting to gain management support, it helps to provide a comprehensive framework of enterprise and security architecture costs, for example. Many executives are stuck in quarterly, expense-based, financial reporting logic. Neither enterprise nor security architecture should be considered an expense, as both are an investment. Additionally, they cannot just be measured in terms of savings or investment in a certain accounting period. They must be evaluated on their return on investment (ROI), which runs across several future accounting periods. This type of detailed evaluation is key in today’s environment, where financial means are limited.

Additionally, solutions should not only be directed at resolving a problem but should guide management to approach problems differently. For example, architects can use the recent pandemic as an eye-opener to show new security possibilities around intelligent and remote workplaces; cloud- and subscription-based services; and persistent data and IP protection mechanisms.

First things first: Design is vital

Before building or renovating a house, architects must base their design on the owner’s exact requirements. The same is true for an IT project. Enterprise architects plan their design based on security requirements covering confidentiality, integrity and availability.

It makes sense that security requirements should be considered from the beginning of a project. Correcting the design of security controls or throwing in extra controls after the fact may leave systems vulnerable to attack. It may also hide current security weaknesses, or create additional ones. This can partially be dealt with by ensuring that security architectures and controls are created with flexibility and extensibility in mind.

When the pandemic hit, many enterprises needed to race against time to install additional controls. Imagine the benefits they could have realized by having flexible, extensible boundary protection and a secure remote workforce architecture already in place.

Let’s look at HPE’s architectural methodology

At HPE, we support an enterprise and security architectural methodology called the Global Method for IT Solution Architecture (GM ITSA). This methodology is based on years of experience and best practices. It ensures that business needs drive the functional, technical, and implementation aspects of the enterprise architectures we create for customers. Using the GM ITSA methodology, we can also structure our security architecture and transformation work. It allows us to make architecture (and specifically security architecture) more of a repeatable science rather than an art. And because our methodology is repeatable, customers receive more value for their money.

[Figure: HPE Solution Architecture Methodology, showing the business, functional, technical and implementation views]

Security architects must consider the input from all stakeholders who interface with, work with, or are otherwise linked to the new architecture or solution. In HPE’s GM ITSA architectural methodology, this strategy is reflected in four viewpoints: the business, functional, technical and implementation views. Each view builds on the previous one (in the order shown above). Ultimately, the requirements defined in the different views can all be linked back to a clear business need. The business view summarizes the needs and drivers of the business owners of the new solution or architecture.

For example, today’s business owners are especially worried about reputational damage caused by malware attacks or data loss (business view). These concerns drive departmental and project owners to put more emphasis on remote workforce protection, which affects the security of the IT tools these workers use (hardware and software). It also affects the protection of remote workers’ identity and, most importantly, the protection of corporate data (functional view). Architects, IT designers, and implementers can then translate these requirements into additional host protection, novel security operations and management, strong authentication, data loss prevention, data encryption, and integrity protection controls and solutions (technical and implementation views).

Get it right the first time with HPE

The new demands associated with the global pandemic have pushed organizations to new working and operating models, while putting even more emphasis on financially responsible investments. IT and security architects play a pivotal role in this transformation. For security, it is important to architect for change and to put the environment in a secure state from the start – often, you won’t get a second chance. With our wide experience and deep knowledge of best practices and methodologies, HPE Pointnext Services can help you securely and safely adapt your environment for the new normal.

Learn more about IT security risk management services from HPE Pointnext Services.


Jan DeClercq
Hewlett Packard Enterprise

twitter.com/HPE_Pointnext
linkedin.com/showcase/hpe-pointnext-services/
hpe.com/pointnext

About the Author

Jan_De_Clercq

Security Chief Technologist, WW HPE Pointnext Security Practice