Security Architecture Best Practices

As with other architectural designs of homes, buildings, and blocks, security architecture is a layout of cybersecurity models, guidance, structure, standards, and policies designed to protect the company’s digital infrastructure. The purpose of security architecture is to align the security framework of an enterprise according to its business requirements. The enterprise may want to upgrade its current security standards or build a robust digital infrastructure from the ground up. In any case, security architecture designers gather up the business requirements, just like typical architecture designers do, and prepare a security architecture blueprint while fulfilling all business requirements. Most organizations have unique blueprints for their security architectures because of the differences in their business requirements. However, some organizations may share some basic practices.

Here are a few core elements that are mandatory for security architecture, regardless of business rules

The initial stage of the security architecture design focuses on hardening or uplifting the security of the overall system and network across different corporate layers. During this stage, security architecture designers take a comprehensive look at the system as a whole and identify key vulnerabilities and areas that require improvement.

Some primary concerns of network designers during this phase include but not limited to:-

• Ensuring the security of lower networking layers by analyzing network closets, conducting penetration tests, hardening, and securing VLANs, and implementing layer 2 and layer 3 NetFlow. This will secure the trenches of the corporate environment.
• Identifying and analyzing traditional security architectural deficiencies. This is important for perimetric security and the prevention of frontline exploitations.
• Having a “Build it once, build it right” mindset allows security architecture designers to design a hardened frontline of security architecture from the beginning rather than retrofitting it later. They also presume all the possibilities of attack and follow the “zero-trust” model to cover all the possible security holes in the architecture blueprint. A well-defended security architecture is one of the core reasons that the information system of the enterprise can perform all its operational functions effectively.

The purpose of this stage is to harden corporate networks and their components such as firewalls, switches, routers, and application proxies. IPv6 is also among the core components of networking and is considered as the next-generation internet protocol. As per the reports of Google, IPv6 carries the burden of around 23 percent of internet backbone traffic but organizations continue to adopt or reject it. During this phase, the network designers will be looking for

• Auditing, hardening, as well as resolving security issues related to routers and SNMP Protocol.
• Network security depends heavily on firewalls, so properly configured and properly selected firewalls have a better chance of protecting enterprise networks.
• IPv6 is often misunderstood in enterprises. Network designers should clearly define the usage and implementations of IPv6 addresses in the network design. They should also highlight the routers, firewalls, and tunneling protocols that are used in the IPv6 configuration.
• Proxies are another tool in the arsenal of security architecture designers to mitigate cyber threats. Different types of proxies such as SMTP proxy, web proxy, explicit and implicit proxy, and forward and reverse proxies can help in improving the security posture of an enterprise.

Security frameworks in many organizations include network-based security technologies such as antivirus, application control, data loss prevention, and intrusion detection and prevention. While it is good to have these technologies in your corporate infrastructure, relying too much on these technologies leads to a very preventive-focused environment and creates a gap between threat detection and threat prevention. You can fill this gap by utilizing already existing old security controls with a modern mindset and thinking outside of the box, while also improving both prevention and detection capabilities.

Security controls like catching phishing attacks via cousin domains, generating alerts for intrusion detection, using network metadata to identify unauthorized access, SSL/TLS certifications, and SSL decrypt monitoring are some of the primary focuses of security architecture designers during this phase.

There is no doubt that some data is more valuable to an enterprise than others. During the data-centric security design phase, the architecture blueprint designers focus to identify and provide security solutions for the sensitive data within an organization. Usually, this sensitive data is scattered all across the enterprise information system, and it gets further complex if the data is controlled by a full application stack involving multiple services. Instead of investing in security infrastructure as a whole, a data-centric approach identifies the mission-critical data and deploys security controls around it.

As opposed to the “trust by verifying” approach, zero-trust architecture relies on “verify then trust”. During this stage, designers harden the infrastructure parameters using advanced defensive techniques like encryption and authentication, to prevent cyber-attacks while keeping the authorized assets fully functional. A zero-trust approach demands that the trust be proved by providing enough security for the corporate infrastructure to fight modern sophisticated attacks.

Security Reference Architecture (SRA) is AWS’s concise architectural guide that offers examples and design considerations derived from their experience with enterprises dealing with cloud security. The enterprises can use AWS SRA to deploy AWS security services in their three-tier web architecture and manage it in their AWS accounts. The AWS SRA is also designed to complement AWS security foundations that counts

• AWS Cloud Adoption Framework
• AWS Shared Responsibility Model
• AWS Well-Architected

• Security Foundations
• AWS Organizations and Account Strategy
• AWS Security Reference Architecture
• IAM Resources
• Code Repository for the AWS SRA

AWS Well-Architected is a framework offered by AWS to its customers and partners for evaluation of their security architecture and implantation of designs that are capable of scaling over time. The enterprises can use AWS Well-Architected to build a cloud architecture that is high-performance, secure, efficient, and resilient. From the AWS Management Console, you can get AWS Well-Architected for free to identify high-risk issues, evaluate your workloads regularly, and record your improvements. The AWS Well-Architected is based on five pillars

• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization

Microsoft Azure Well-Architected Framework offers a wide range of security controls to protect network traffic moving from on-premises to Azure-hosted sources or vice versa. Unless you implement security checks, attackers can breach your defenses by scanning public IP addresses. MS Azure security tools can be used to detect, contain, and respond to a breach in your cloud deployments. Microsoft also provides you with high-impact security recommendations that you can follow to secure your MS Azure services.

Software-Defined Wide Area Network, or SD-WAN, is a virtual architecture for providing connectivity and services between different data centers, cloud instances, or remote locations. SD-WAN enables organizations to leverage any combination of transport services like LTE (Long Term Evolution), broadband internet services, and MPLS (Multiprotocol Label Switching) to securely access user applications.

Organizations can use the existing networking components such as switches, routers, or virtualized customer premises equipment, aka vCPE, for the deployment of SD-WAN. SD-WAN provides a secure and centralized control that can intelligently direct traffic over the WAN for high application performance and a high-quality user experience. This can not only lead to increased business productivity but can also help saving IT costs. The four central components that make up the SD-WAN are

• Edge Connectivity Abstraction
• WAN Virtualization
• Centralized Management
• Elastic Traffic Management

Similarly to traditional architectural designs of buildings, security architecture blueprints also play a crucial role in an enterprise’s cyber security framework. Properly designed, built, and implemented infrastructure can better withstand evolving and sophisticated threats. By utilizing commercial security service providers such as Amazon and Microsoft, along with standard security architecture design principles, your organization can have highly hardened security infrastructure.

Talk to a Cybersecurity Trusted Advisor at IRM Consulting & Advisory

Check out our Marketplace