Designing and Building a Security Architecture

The challenge of maintaining security across different offices, projects and systems can be daunting. Many businesses develop a patchwork of tools and procedures, often applied retroactively, that’s difficult to keep updated and typically involves a lot of duplicated effort. A security architecture is an opportunity to work across projects in a consistent, systematic and structured way. It becomes easier to align business goals, communicate clearly about risks and requirements and support fast-paced change and innovation safely. For all the potential benefits to be realized, you need a solid foundation built upon careful planning and a clear roadmap to create and continually improve your architecture.

A Common Language

To increase visibility and foster a better understanding of security, establish standard terms and principles at the outset and avoid jargon. Your security architecture should provide multiple and simplified views of complex information, where certain aspects are highlighted and others hidden, depending on the context and the viewer. Create different layers that break the architecture into digestible forms for various audiences.

  • Conceptual views focus on the business perspective for non-technical audiences.
  • Logical views dig into process, technology and people for business process owners.
  • Physical views describe the IT infrastructure for subject matter experts.

This process makes it possible for everyone to view and discuss the architecture. As knowledge and experience grow, you will develop more views for different scenarios; remember that it’s better to have a small number of views that everyone understands rather than a comprehensive set that nobody understands.

Establish Objectives

It’s crucial to set clear objectives that are aligned with business goals before you begin to design your architecture. Explain the value that the organization expects to gain through consultation with business unit leaders, project sponsors and IT staff. Focus on where costs can be reduced and efficiencies enhanced.

Analyze how security architecture is currently being used to discover what frameworks are in place, who is using them and for what purpose. You must determine what structures are in place, what expertise is available and how coordinated the existing architecture is. A comprehensive picture of the current situation enables you to identify which projects stand to benefit most from your security architecture, which can contribute views and elements and, ultimately, where changes can reap the greatest reward.

Determine Approach

Armed with objectives, it’s time to drill down into the current state of your existing architecture and projects. Analyze and document the core characteristics and components. Consider, for example, that a new business system must offer better access control than existing elements, or that the range of security solutions in use must be reduced to a manageable number.

Explain how the future state you’re aiming for would look in comparison to the current situation. For example, you might roll out multifactor authentication to improve access controls and reduce information risk. The final task here is to enumerate precisely what needs to change to realize your vision. Conduct a gap analysis and identify any input, processes, tools, roles and training required.

Develop Architecture

A vital element of an effective security architecture is to make the creation of new architectural content efficient and repeatable. Each view or element should be something that any business unit or project can potentially use. Set out a clear process for updates that includes an implementation plan with a breakdown of the time and resources needed.

When you develop new content, map the changes to people, information, and business applications. Define operating standards, roles, responsibilities, configurations, and new terms or definitions. Consider what expertise and resources are required to properly test a new element and reduce risk by performing a trial in a less critical project before rolling it out more widely. Employ vulnerability scans and penetration testing and identify any gaps in your workforce or talent.

Employ version control when you roll changes into the architecture so that you can roll back quickly if the new element clashes with preexisting systems, processes or technologies. It’s also important to set targets and define metrics to make benefits transparent. Look at cost reduction and operational metrics, such as IT support calls and incident response times.

Review and Revise

The metrics you established in the final development phase can be used to show the effectiveness of new elements in your architecture. Measures such as reduced administrative overhead or reduction in IT support calls should be translated into business terms to highlight the projected overall cost savings. This data should be shared and discussed with key stakeholders across the business to identify what worked well and what didn’t to better inform future projects.

The findings should trigger agreed-upon modifications to information security policies and the security architecture as needed. Action plans should be assigned with metrics attached and completion dates set. This process will ensure your security architecture grows and improves over time.

Squeezing the most value from existing security solutions and realizing security objectives can support greater agility and innovation in your business. Ultimately, a well-designed security architecture will enhance understanding, simplify decision-making, improve efficiency and contain costs.

Avatar photo

Steve Durbin

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.

steve-durbin has 3 posts and counting.See all posts by steve-durbin