I have been attempting to capture the process or to be more accurate the heuristics of how I analyse security architectures. This was originally driven by the time it took me to document my conclusions and the lack of any particularly well-suited tooling but has increasingly become an attempt to…
Category: Architecture
We need to talk about IT
It has long been a truism of security practitioners that security is not an IT problem. This is an attempt to lift the gaze of the security team from technology to the wider business. A laudable and useful goal. However, IT is a security problem.
Cross-Domain Gateway Functions
Cross-Domain Gateways are a concept from multi-level government and military networks that are increasingly being deployed into traditionally flat commercial networks. I’ve spoken before about ‘trust zones‘ and the concept of choke-points between trust zones concept combined with a view of the threat exposure for each trust zone underlies the…
Documenting an As-Is Security Architecture, part two
This is a continuation from part one. Documenting current environments This activity is focused on identifying the physical and logical environments in scope for the business architecture. A logical and physical model will be created to hold entities describing physical facilities, wide area networks and systems that store, process or…
Documenting an As-Is Security Architecture, part one
This is the first of a two part post, part two is available here. The following list is a set of activities that need to completed at least once to document an existing As-Is security architecture view for a business architecture and then need to be maintained over time through…