Archive for the ‘Architecture’ Category

We need to talk about IT

It has long been a truism of security practitioners that security is not an IT problem. This is an attempt to lift the gaze of the security team from technology to the wider business. A laudable and useful goal. However, IT is a security problem.
(more…)

Cross-Domain Gateway Functions

Cross-Domain Gateways are a concept from multi-level government and military networks that is increasingly being deployed into traditionally flat commercial networks. I’ve spoken before about ‘trust zones’ and choke-points between them; that concept, combined with a view of the threat exposure of each trust zone, is what underlies the need for cross-domain gateways. (Domain is the historical term used in government and military settings for a zone of trust.)

Cross-domain gateways can be applied to a wide variety of problems, and there is a correspondingly wide variety of gateway patterns and designs. However, there is a common set of gateway functions that those patterns and designs draw upon.
(more…)

Documenting an As-Is Security Architecture, part two

This is a continuation from part one.

Documenting current environments

This activity is focused on identifying the physical and logical environments in scope for the business architecture.

A logical and physical model will be created to hold entities describing physical facilities, wide area networks and systems that store, process or transmit information assets that fall within scope of the business architecture. It is likely there will be gaps identified and that these will need to be investigated with stakeholders and partners. This is a model that will evolve with more detail as the projects move into delivery and suppliers are contracted and systems are implemented. (more…)
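As an added illustration of the model described above (example code, not from the original post), the following sketches a minimal logical/physical model holding facilities, WAN links, systems and information assets, with a gap check that produces the questions to take back to stakeholders and partners. The entity types, field names and the sample environment are my own assumptions for the example; the environment is constructed, not taken from any real estate.

```python
"""Added example: a minimal As-Is logical/physical model with a gap check.
Entity types, field names and the sample environment are assumptions made
for this illustration; they are not from the original post."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Facility:
    name: str
    location: str


@dataclass
class WanLink:
    name: str
    ends: List[str]  # facility names at each end of the link


@dataclass
class System:
    name: str
    facility: Optional[str]  # hosting facility; None when not yet known
    assets: List[str] = field(default_factory=list)  # assets it stores/processes/transmits


@dataclass
class InformationAsset:
    name: str
    classification: str
    owner: Optional[str]  # business owner; None when not yet identified


@dataclass
class AsIsModel:
    facilities: Dict[str, Facility] = field(default_factory=dict)
    wan_links: Dict[str, WanLink] = field(default_factory=dict)
    systems: Dict[str, System] = field(default_factory=dict)
    assets: Dict[str, InformationAsset] = field(default_factory=dict)

    def gaps(self) -> List[str]:
        """Return the open questions that need follow-up with stakeholders."""
        out: List[str] = []
        for s in self.systems.values():
            if s.facility is None:
                out.append(f"system {s.name}: hosting facility unknown")
            elif s.facility not in self.facilities:
                out.append(f"system {s.name}: facility {s.facility} not in model")
            for a in s.assets:
                if a not in self.assets:
                    out.append(f"system {s.name}: asset {a} not in model")
        hosted = {a for s in self.systems.values() for a in s.assets}
        for a in self.assets.values():
            if a.name not in hosted:
                out.append(f"asset {a.name}: no system stores, processes or transmits it")
            if a.owner is None:
                out.append(f"asset {a.name}: owner not identified")
        for w in self.wan_links.values():
            for end in w.ends:
                if end not in self.facilities:
                    out.append(f"wan link {w.name}: end {end} not in model")
        return out


def build_sample() -> AsIsModel:
    """Constructed sample environment (hypothetical names) with deliberate gaps."""
    m = AsIsModel()
    m.facilities["HQ"] = Facility("HQ", "London")
    m.facilities["DC1"] = Facility("DC1", "Slough")
    m.wan_links["HQ-DC1"] = WanLink("HQ-DC1", ["HQ", "DC1"])
    # Supplier end of this link has not been documented yet -> gap
    m.wan_links["DC1-Supplier"] = WanLink("DC1-Supplier", ["DC1", "SupplierDC"])
    m.systems["HR-App"] = System("HR-App", "DC1", ["employee-records"])
    # Nobody yet knows where Payroll is hosted -> gap
    m.systems["Payroll"] = System("Payroll", None, ["employee-records", "bank-details"])
    m.assets["employee-records"] = InformationAsset("employee-records", "confidential", "HR Director")
    m.assets["bank-details"] = InformationAsset("bank-details", "confidential", None)  # owner gap
    m.assets["customer-list"] = InformationAsset("customer-list", "confidential", "Sales Director")  # unhosted gap
    return m


if __name__ == "__main__":
    for line in build_sample().gaps():
        print(line)
```

Running the sample prints four gaps: the Payroll system with no known hosting facility, the customer-list asset that no system is recorded as holding, the bank-details asset with no owner, and the supplier end of a WAN link that is missing from the model. As projects move into delivery and suppliers are contracted, the same check is re-run against the updated model.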

Documenting an As-Is Security Architecture, part one

This is the first of a two-part post; part two is available here.

The following list is a set of activities that need to be completed at least once to document the existing As-Is security architecture view for a business architecture, and then maintained over time through repeat reviews.
(more…)

Security and Systems Engineering

In my experience when a business brings security people into their systems engineering process they are trying to solve a problem. Usually there has either been a painful security incident or some security testing pushed them over the edge and they feel exposed. Sometimes they are undertaking a big enough change or the security implications of a change are so obvious that they realise they need to ensure security is covered off.

However, while the senior management of the business is looking to solve the security problem there is commonly confusion amongst the system engineering teams, the new security team and the middle management of the business about what it is they are asking for and what it is they are getting. (more…)
