The value of security architecture

Chikonga Maimbo, Security Consultant (chikonga@fortian.com.au) | Aug 1, 2019

Sometimes, it’s useful to go back to first principles and ask some fundamental questions. In this post, I want to revisit the basics around security architecture: what it is, why we do it and what the benefits are.

This article aims to provide a brief definition and overview of security architecture and to highlight three outcomes that support the value of good security architecture to businesses, including why security architecture should be considered a key component of a security programme. The article does not go into the details of the “how” of security architecture, which is likely to be the subject of a follow-up article.

Introduction

In 2009, Bel et al. wrote an article on security architecture titled "Security architecture: a new hype for specialists, or a useful means for communication", in which the authors sought to answer the question of the value of enterprise security architecture [1]. More recently, Dr Anton Chuvakin, a well-respected Gartner Research Director, asked the question "In 2018, What Is Security Architecture?" in a blog post in which he alludes to a misunderstanding of what security architecture is, with some organisations equating security architecture with network security architecture [2]. The responses to Dr Anton Chuvakin's blog post provide some interesting reading on perceptions of security architecture.

So, is there really a business case for security architecture or is it just another expensive undertaking with very little value in supporting business objectives? Why would organisations require enterprise security architecture? What value do they get from either hiring a security architect to look into their enterprise security architecture or to undertake a system specific security architecture review?

Defining Security Architecture

Let's start with a definition. While there is no single definition of security architecture, the following provides a reasonable explanation: "A security architecture is a prescriptive document that uses a set of coherent models and principles efficiently and flexibly to guide the implementation of the information security policy of an organisation" [3].

In other words, security architecture can play a significant role in the implementation of security policy. As such, security architecture attempts to reduce complexity, enable understanding, support risk management efforts and provide insight into complex problems. It does this by introducing structure while leveraging models and principles that can be practically and easily interpreted by stakeholders across the organisation which could include designers, architects, security specialists and the business.

A well-defined security architecture must be transparent, coherent, comprehensive and usable to stakeholders while containing an appropriate view for each stakeholder in the target group.

It should be noted that security architecture is typically not developed in isolation from other architecture areas. For example, a well-defined security architecture, whether at system or organisational level, should be tightly coupled to enterprise architecture, solution architecture, business architecture and application architecture. It's also worth noting that a security architecture does not describe specific solutions or technology.

Three Security Architecture Outcomes

Three important (but not exhaustive) security outcomes that highlight the value of security architecture are:

  1. The application of a business and technology context to security;
  2. The translation of security policies into measurable security outcomes; and
  3. Improvements in communication and insight between stakeholders.

1) The application of a business and technology context to security

The business context involves consideration of an organisation’s values, mission, strategic objectives, risk appetite, legal and regulatory compliance obligations and governance principles.

Effective security has demonstrable value to the business, takes into consideration the business context and supports the management of operational risk.

Security architecture introduces an understanding and appreciation of the business context to security and sets the tone for security outcomes that will be defined in later stages of the security architecture process. It should ultimately aim to enable traceability of security outcomes back to the organisation's mission, risk profile and risk appetite.

The security architecture process includes a structured approach to the identification and classification of critical assets, pattern development and modelling - all of which lead to the application of appropriate, proportionate and cost-effective security controls to reduce or mitigate risk to an organisation’s critical assets. This leads to a natural progression towards the prioritisation of controls based on asset value while considering the business's risk appetite and ensuring that risk is managed appropriately.

This enables an organisation to progress beyond focusing purely on identifying and remediating or mitigating technical vulnerabilities and related threats to developing security outcomes from an understanding of the business context.

2) Translation of security policies into measurable security outcomes

It goes without saying that having well-written security policies and standards that clearly establish foundational information security principles is a good outcome for any security organisation. Translating policy into measurable security outcomes that map back to business objectives and risk profile is even better.

The implementation of security controls driven by vendor pitches and best practice guidelines rather than risk-based business objectives, risk appetite and related security policies will result in a disconnect between controls, policy and business objectives.

One of the challenges I've observed is how some organisations become overwhelmed deploying and managing point solutions driven by the latest tool or in reaction to a security audit. In these cases, the disconnect between information security policies and their translation into specific and concrete outcomes can be significant.

Security architecture enables the alignment between business objectives and security outcomes, resulting in the effective translation of security policy into measurable and concrete outcomes. Establishing clear traceability is fundamental when seeking funding for security programmes from executives because security is sometimes seen as more of a cost centre that provides little value or benefit to the organisation.

3) Communication and insight between stakeholders can be improved through security architecture

As mentioned previously, security can sometimes be perceived as a cost centre with little contribution to business objectives. There can be several reasons for this. One of these is the perception that business stakeholders find it difficult to understand how security maps to business objectives and how security contributes to the organisation as a whole. This is compounded by the communication difficulties that some security professionals have in expressing alignment between security activities and high-level business objectives.

Security architecture enables a view and vision of information security that is common across an organisation. This is achieved by clearly presenting design principles, behaviours, security control implementation and adaptive solutions, all mapped back to business requirements, business strategy and business risk appetite. Security architecture also seeks to establish common information security definitions, enabling a common language for internal and external communication. Done right, security architecture can be a very useful communication tool to provide the business with an understanding of the alignment between security expenditure, risk and business strategic objectives.

In conclusion

Security architecture is about laying a critical foundation for the implementation of appropriate business driven, risk focused security controls that clearly and unambiguously align security activities to business mission and objectives.

The greater the complexity, the greater the need for security architecture and a more structured approach. Security architecture has the potential to enable insight by bringing together policy makers and designers to a common understanding to ensure risk-based security programs are aligned with business objectives.

Further reading

  1. https://www.pvib.nl/kenniscentrum/documenten/expertbrief-security-architecture/downloaden
  2. https://blogs.gartner.com/anton-chuvakin/2018/08/31/in-2018-what-is-security-architecture/
  3. https://timreview.ca/article/713