SECURITY ARCHITECTURE
Security architecture describes the structure, components, connections and layout of security controls within an organization’s IT infrastructure. Organizations have different types of security architectures that determine the particulars of various subsystems, products and applications. These particulars will in turn influence an organization’s approach to defense in depth, or the practice of layering defenses to provide added protection.
Security architecture shows how defense in depth is implemented, as well as how layers of control are linked. It is therefore essential to designing and implementing security controls in any complex environment.
Each component of a given system poses its own security risk. Because the topology of security architecture varies from one organization to another, there are a number of different variables and risks to consider when addressing the topology of a particular organization. This section discusses those variables individually, along with best practices for successfully managing the related risks.
The Virtual Organization
Outsourcing, both onshore and offshore, is increasingly common as companies focus on core competencies and ways to cut costs. From an information security point of view, these arrangements can present risks that may be difficult to quantify and potentially difficult to mitigate. Typically, both the resources and skills of the outsourced functions are lost to the organization, which itself presents a set of risks. Providers may operate on different standards and can be difficult to control. The security strategy should consider outsourced security services carefully to ensure either that they are not a critical single point of failure or that there is a viable backup plan in the event of service provider failure.[13]
Much of the risk posed by outsourcing can also materialize as the result of mergers and acquisitions. Typically, significant differences in culture, systems, technology and operations between the parties present a host of security challenges that must be identified and addressed. Often, in these situations, security is an afterthought and the security manager must strive to gain a presence in these activities and assess the risk for management consideration.[14]
The Security Perimeter
Many current security controls and architectures were developed with the concept of a perimeter—a well-defined (if mostly virtual) boundary between the organization and the outside world. In these models of cybersecurity, the focus is network- or system-centric. In the system-centric model, the emphasis is on placing controls at the network and system levels to protect the information stored within. An alternative model is data-centric, which emphasizes the protection of data regardless of its location.
With the advent of the Internet, outsourcing, mobile devices, cloud and other hosted services, the perimeter has expanded considerably. Consequently, there are significant new risks and vulnerabilities to confront in this hyper-connected and extended environment.
The perimeter, then, is an important line of defense that protects the enterprise against external threats, and its design should reflect a proactive stance toward preventing potential risks.
An important component of the security perimeter is the Internet perimeter. This perimeter ensures secure access to the Internet for enterprise employees and guest users residing at all locations, including those involved in telecommuting or remote work. In order to provide security of email, front-end mobile and web apps, domain name system (DNS), etc., the Internet perimeter should:
• Route traffic between the enterprise and the Internet
• Prevent executable files from being transferred through email attachments or HTTP responses
• Monitor network ports for rogue activity
• Detect and block traffic from infected internal end points
• Control user traffic bound toward the Internet
• Identify and block anomalous traffic and malicious packets recognized as potential attacks
• Eliminate threats such as email spam, viruses and worms
• Enforce filtering policies to block access to web sites containing malware or questionable content
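As an added example that is not part of the original text, the following Python check illustrates the second bullet (preventing executable files in email attachments or HTTP responses). It classifies content by its leading bytes instead of trusting the filename, so a renamed PE file is still caught, and it looks inside ZIP archives up to a fixed nesting depth. The magic-byte table, the extension list and the sample attachments are constructed for this illustration.

```python
import io
import os
import zipfile

# Leading bytes of common executable formats (constructed table, not exhaustive).
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                    # Windows PE: .exe, .dll, .scr
    b"\x7fELF": "elf",              # Linux/Unix ELF
    b"\xcf\xfa\xed\xfe": "mach-o",  # 64-bit Mach-O
    b"\xce\xfa\xed\xfe": "mach-o",  # 32-bit Mach-O
}
# Extensions refused even when content is unrecognised (scripts carry no magic bytes).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".msi", ".ps1", ".bat", ".cmd", ".vbs"}
MAX_ARCHIVE_DEPTH = 2  # archives nested deeper than this are refused unopened


def executable_type(data: bytes):
    """Classify content by its leading bytes; None if not a known executable."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "script" if data.startswith(b"#!") else None


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return (path, reason) findings; an empty list means the file may pass."""
    findings = []
    kind = executable_type(data)
    if kind:
        findings.append((filename, f"executable content ({kind})"))
    elif os.path.splitext(filename.lower())[1] in EXECUTABLE_EXTENSIONS:
        findings.append((filename, "executable extension"))
    if data.startswith(b"PK\x03\x04"):  # ZIP local file header: look inside
        if depth >= MAX_ARCHIVE_DEPTH:
            return findings + [(filename, "archive nested too deeply")]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    findings += inspect_attachment(f"{filename}/{name}", zf.read(name), depth + 1)
        except zipfile.BadZipFile:
            findings.append((filename, "malformed archive"))
    return findings


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP, used here only to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A perimeter gateway would block any attachment for which `inspect_attachment` returns a non-empty list; the "nested too deeply" and "malformed archive" findings matter because archives a scanner cannot open are exactly the ones that should not pass unexamined.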
The perimeter should also provide protection for virtual private networks (VPNs), wide area networks (WANs) and wireless local area networks (WLANs). For VPNs, this protection should be threefold:
1. Terminate VPN traffic from remote users
2. Provide a hub for terminating VPN traffic from remote sites
3. Terminate traditional dial-in users
VPN traffic is first filtered at the egress point to the specific IP addresses and protocols that are part of the VPN service. A remote user can only gain access after being authenticated.
For WANs, security is provided by input/output system (IOS) features. Unwanted traffic can be blocked from the remote branch using input access lists, and IP spoofing can be mitigated through L3 filtering. Organizations that are very concerned about privacy may choose to encrypt traffic on their WAN links.
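As an added example that is not part of the original text, the following Python models the two filters described above: the VPN egress filter that admits only the VPN service's own protocols, and only toward the concentrator, and the input access list on a WAN interface that drops spoofed sources and unwanted services arriving from a branch. The addresses, the branch range, the port numbers and the denied-service list are constructed assumptions for this illustration, not values from the text.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the example (assumed values, not from the text).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BRANCH_NET = ipaddress.ip_network("10.50.0.0/16")        # range assigned to one remote branch
VPN_CONCENTRATOR = ipaddress.ip_address("203.0.113.10")  # the only host that terminates VPNs
# Protocols that make up the VPN service: IKE (UDP/500), NAT-T (UDP/4500) and ESP.
VPN_SERVICES = {("udp", 500), ("udp", 4500), ("esp", 0)}
# Services the hub refuses from branches regardless of source (here: cleartext telnet).
DENIED_FROM_BRANCH = {("tcp", 23)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "esp", "icmp"
    dport: int = 0  # 0 for protocols without ports


def _service(pkt: Packet):
    return (pkt.proto, pkt.dport if pkt.proto in ("tcp", "udp") else 0)


def vpn_egress_allows(pkt: Packet) -> bool:
    """Edge filter for VPN traffic: only the VPN protocols, and only when
    addressed to the concentrator, are passed on to the VPN termination."""
    if ipaddress.ip_address(pkt.dst) != VPN_CONCENTRATOR:
        return False
    return _service(pkt) in VPN_SERVICES


def wan_input_allows(pkt: Packet) -> bool:
    """Input access list on the hub's WAN interface facing the branch (L3 filtering)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Anti-spoofing: traffic on this link may only originate from the branch's own
    # range, so a packet claiming a hub-side internal source address is dropped.
    if src not in BRANCH_NET:
        return False
    # Branches reach internal networks only; no transit to the Internet via the hub.
    if not any(dst in net for net in INTERNAL_NETS):
        return False
    return _service(pkt) not in DENIED_FROM_BRANCH


def filter_log(pkts, rule) -> list:
    """Apply one rule to a batch and return the packets it dropped, for review."""
    return [p for p in pkts if not rule(p)]
```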
Interdependencies
As previously discussed, modern IT architectures are usually decentralized and deperimeterized. This includes a growing number of cloud-based platforms and services, as well as a shift in computing power and utilization patterns toward intelligent mobile devices such as tablet PCs or smartphones. As a consequence, both the number of potential attack targets outside the organizational boundary and the number of attack vectors have grown. Conversely, the degree of control over deperimeterized environments has been significantly reduced, especially in enterprises permitting partial or full integration of user-owned mobile devices (i.e., bring your own device [BYOD]). These changes have important ramifications for security architecture.
In distributed and decentralized IT architectures, the third-party risk is likely to increase, often as a function of moving critical applications, platforms and infrastructure elements into the cloud. For platforms, storage infrastructure and cloud-based data repositories, the focus of cybersecurity is shifting toward contracts and service level agreements (SLAs). Simultaneously, third-party cloud providers are facing an increased risk of attacks and breaches due to the agglomeration and clustering of sensitive data and information. In addition to concerns about third-party services, there is significant legal risk. Enterprises experiencing a loss of sensitive data may not be in a position to bring an action against the perpetrators because the cloud provider often has to initiate legal action.
Regardless of the generic information security arrangements made by an enterprise, there are often exposed areas within IT architectures. Cybercrime and cyberwarfare perpetrators continue to aim at “weak spots” in architectural elements and systems.
In contrast to indiscriminate and opportunistic attacks, advanced persistent threats (APTs) and cybercrime always rely on preparatory research and insight into the target enterprise. This, in turn, raises the level of exposure for weak or unsecured parts of the overall architecture. These vulnerable spots include legacy systems, unpatched parts of the architecture, “dual persona” use of mobile devices and many others.