Summary. This week’s second post will review key definitions for IT security, examine some best practices, and lastly we’ll briefly look at some risks to supply chains based on digital disruption.
Key Take-Aways. I want to add two primary observations to the mainly factual information summarized below. First, security architecture seems like it’s often an afterthought, siloed to a separate ‘department’ in many organizations. In many situations, the design team first designs the optimal business solution, optimizing functionality or minimizing cost, and security concerns are addressed second, almost as an “add-on”. Of course, in high-security industries this isn’t the case, but I argue it’s best to integrate security expertise into the earliest parts of the design and implementation process. This is because nearly every vendor system contains some level of personal or proprietary information about the business or its consumers, and building in security as an afterthought is sub-optimal. Second, our supply chains are vulnerable to disruptions, and we should plan for the worst instead of hoping for the best. This includes hardening the business’s enterprise architecture against the vulnerabilities listed in Section 4.
(1) Definitions. Security Governance, Security Management, & Security Operations.
It’s important to differentiate between these three terms when building, managing, and maintaining the enterprise’s security infrastructure. Governance applies enterprise-wide and generally begins at the executive level, setting guidelines, business rules, and IT regulations for all other parts of the enterprise. Generally, this is policy set at the highest level of the organization, and governance offices usually reside with or report directly to headquarters. Security management is concerned primarily with resourcing (funding, personnel, etc.) to ensure security programs have what they need to run. Security management also reviews execution of the program at a broader level, through “metrics”, and can direct adjustments to operations to optimize performance. Security operations is where policy and management are executed; this can include building, maintaining, and running security platforms (McMillian and Scholtz, 2013) and firewall configuration, among other tasks. Security operations are the tactical implementation of security concepts.
Source: “Security Governance, Management, and Operations Are Not the Same”, McMillian and Scholtz, Gartner, January 2013.
(2) Review. Security Architecture.
IT/enterprise architecture is generally divided into conceptual layers, and while models sometimes divide the layers differently or add sub-divisions, most models follow the same basic premise. The enterprise architecture is divided conceptually into layers: technology, applications, data/information, business, and some models add strategy as a final layer. Each layer can and should maintain its own architecture. So where does security architecture fit? According to McMillian and Scholtz, “the notion of ‘security architecture’ permeates all of the abstraction layers and many, if not all, of their components, applying a security focus in each case.” In other words, security is part of each layer of the enterprise architecture. As engineers and other designers are composing the architecture, security experts should be present at every stage (planning, implementation, maintenance) to ensure security architecture and governance principles are incorporated.
Source. “Definition: Security Architecture“, McMillian and Scholtz, Gartner, 25 April 2018.
(3) Security Best Practices. Recommendations for Improved Security.
In their article “Top Trends in Cybersecurity 2022”, Firstbrook, Olyaei, et al. recommend moving beyond traditional views of security as a “castle-keep” and using several more interactive ways to probe, understand, and improve security architecture. The enterprise should examine its vulnerabilities with the help of several processes:
(a) Conduct ‘enterprise attack surface gap analysis’ which can determine gaps in the enterprise security system’s ability to detect and defend against external threats.
(b) Employ technologies known as ‘attack surface management’ (ASM) to better understand the internal and external connections and dependencies for IT and security. These technologies can also assist in modeling improvements and mitigating or eliminating gaps in the defense.
(c) Use simulations to determine gaps and vulnerabilities. Run realistic simulations employing a “red team” tasked with identifying vulnerabilities.
(d) Internally and amongst the IT staff, run drills – ‘response plans’ – to keep the team aware of policies and practice actions in the case of cyber security breaches or loss of service.
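To make item (a) concrete, here is an added example (my own illustration, not code from Gartner or the authors cited) of what an ‘enterprise attack surface gap analysis’ produces when run over an asset inventory. The inventory, the policy that only port 443 may face the internet, the 30-day certificate warning window, and the reference date are all constructed assumptions for the example. The logic checks each internet-facing asset for the kinds of gaps a defender wants surfaced before an external threat does: no named owner, no log forwarding to the SIEM (so an attack would go undetected), ports exposed outside policy, and certificates about to expire.

```python
"""Attack surface gap analysis over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed policy for this example: only HTTPS may be exposed to the internet.
APPROVED_EXPOSED_PORTS = {443}
# Assumed warning window: flag TLS certificates expiring within 30 days.
CERT_WARNING_DAYS = 30
# Constructed reference date so the example is deterministic.
TODAY = date(2024, 6, 1)


@dataclass
class Asset:
    name: str
    internet_facing: bool
    open_ports: Set[int]
    owner: Optional[str]       # team accountable for the asset, if any
    logs_to_siem: bool         # does the asset forward logs to central detection?
    cert_expiry: Optional[date]


# Constructed inventory; a real one would come from CMDB/cloud APIs plus external scanning.
INVENTORY = [
    Asset("web-portal", True, {443}, "app-team", True, date(2024, 12, 1)),
    Asset("legacy-ftp", True, {21, 22}, None, False, None),
    Asset("internal-db", False, {5432}, "data-team", True, None),
    Asset("api-gateway", True, {443}, "platform", True, date(2024, 6, 20)),
]


def analyze(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset, gap) pairs for every internet-facing asset that violates policy."""
    findings: List[Tuple[str, str]] = []
    for a in assets:
        if not a.internet_facing:
            continue  # internal assets are out of scope for the external attack surface
        if a.owner is None:
            findings.append((a.name, "no owner assigned"))
        if not a.logs_to_siem:
            findings.append((a.name, "no log forwarding to SIEM"))
        for port in sorted(a.open_ports - APPROVED_EXPOSED_PORTS):
            findings.append((a.name, f"port {port} exposed outside policy"))
        if a.cert_expiry is not None:
            days_left = (a.cert_expiry - today).days
            if days_left < CERT_WARNING_DAYS:
                findings.append((a.name, f"TLS certificate expires in {days_left} days"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> dict:
    """Count gaps per asset so the riskiest exposures can be prioritised."""
    counts: dict = {}
    for asset, _ in findings:
        counts[asset] = counts.get(asset, 0) + 1
    return counts


def run_gap_analysis() -> List[Tuple[str, str]]:
    return analyze(INVENTORY, TODAY)


if __name__ == "__main__":
    for asset, gap in run_gap_analysis():
        print(f"{asset}: {gap}")
    print(summarize(run_gap_analysis()))
```

The output is a prioritised list rather than a pass/fail verdict: the unowned, unmonitored legacy host accounts for most findings, which is exactly the kind of gap the Gartner authors argue a castle-keep view misses.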
(4) Digital Supply Chain Risk. Analysis by Katell Thielemann.
The last several years have been extremely disruptive to supply chains globally. An additional risk to highly interdependent global supply chains (add it to the list of COVID, climate change effects, and armed conflicts) is digital disruption. Digital supply chain risks generally fall into four main categories according to Thielemann at Gartner:
(a) Disruption can be caused by the loss or disclosure of private information (customer data), business information (for example, schematics for a manufacturing product), and/or classified information (government sector). If secured information is breached, it can cause huge setbacks in production, loss of competitive advantage, or lawsuits and loss of money.
(b) The physical and digital infrastructure of the enterprise network is vulnerable to cyber attack (among other factors such as energy loss, natural disasters, etc.). If targeted cyber attacks disrupt a network for a prolonged period of time, the cascading effects can affect the entire supply chain.
(c) “Attacks through common commercial and open-source software used in business and IT operations”. When I think of common commercial software, I think of large corporations such as Adobe, Oracle, and Microsoft. It is a natural responsibility of these software providers to maintain security as part of their product offering, but it’s also critical that enterprise architects and other IT professionals who integrate third-party software are not creating vulnerabilities via that integration.
(d) Most of us think of attacks against the enterprise network or its secured information. However, our fourth category of risk is “the exploitation of security flaws in the digital products sold to customers”. If a digital business sells or otherwise provides a piece of software to consumers which has a critical security flaw, and doesn’t catch and patch it, the effects could be both legal and monetary. The effects of such a mistake could affect every vendor in the supply chain, depending on how interconnected their software is.
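One practical control for category (c), integrating third-party software without creating a new vulnerability, is to refuse to integrate any vendor or open-source artifact whose hash is not pinned and verified. The following is an added example of my own, not code from Gartner or any vendor. The artifact names and contents are constructed, and the “pinned” hashes are computed from that constructed content only so the example runs offline; in a real pipeline the pin would be a literal copied from the vendor’s signed release manifest or the project’s lockfile, never computed from the download being checked.

```python
"""Pinned-hash integrity check for third-party artifacts (added example)."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed "genuine" release contents, standing in for real vendor packages.
GENUINE_SDK = b"vendor sdk 1.4.2 contents"
GENUINE_LIB = b"open-source parsing library 3.0.1 contents"

# Constructed pin manifest: artifact -> expected SHA-256 (hex).
# Assumption: this manifest is maintained by the integrating team and reviewed like code.
PINNED: Dict[str, str] = {
    "vendor-sdk-1.4.2.tar.gz": hashlib.sha256(GENUINE_SDK).hexdigest(),
    "parsing-lib-3.0.1.whl": hashlib.sha256(GENUINE_LIB).hexdigest(),
}

# Constructed set of artifacts as they arrived from the download step.
DOWNLOADS: Dict[str, bytes] = {
    "vendor-sdk-1.4.2.tar.gz": GENUINE_SDK,                 # untouched release
    "parsing-lib-3.0.1.whl": GENUINE_LIB + b"\x00tampered", # modified in transit/mirror
    "parsing-lib-3.1.0.whl": b"newer release nobody reviewed yet",  # not pinned at all
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pinned: Dict[str, str] = PINNED) -> Tuple[bool, str]:
    """Accept only artifacts that are pinned and whose content matches the pin."""
    expected = pinned.get(name)
    if expected is None:
        # An unpinned artifact has had no review; silently accepting it is how a
        # compromised upstream reaches the build.
        return False, "unpinned artifact: refuse to integrate"
    actual = sha256_hex(data)
    # Constant-time comparison is good hygiene even though hex digests are not secrets.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: artifact differs from reviewed release"
    return True, "ok"


def check_all(downloads: Dict[str, bytes] = DOWNLOADS) -> Dict[str, Tuple[bool, str]]:
    """Verify every downloaded artifact; the build should proceed only if all pass."""
    return {name: verify_artifact(name, data) for name, data in downloads.items()}


def build_may_proceed(results: Dict[str, Tuple[bool, str]]) -> bool:
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    results = check_all()
    for name, (ok, reason) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
    print("build may proceed:", build_may_proceed(results))
```

The design choice worth noting is that “not pinned” is treated the same as “tampered”: both block the build, so adding a new version forces a human to review and update the manifest rather than letting the integration drift to whatever the mirror serves.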
Source. “Top Trends in Cybersecurity 2022“, Firstbrook, Olyaei, et al., Gartner, 18 February 2022.