Cybersecurity within Architecture
First, let’s take a high-level look at all the sub-functions that should be addressed as part of cybersecurity architecture. The following image captures much of what the cybersecurity architecture function entails.
Figure 5.1: Sub-functions of the cybersecurity architecture function
Understanding IT Architecture
Let’s take a step back and ensure that we fully understand IT architecture within an organization. IT architecture is defined by Gartner as:
“A framework and set of guidelines to build new systems. IT architecture is a series of principles, guidelines, or rules used by an enterprise to direct the process of acquiring, building, modifying, and interfacing IT resources throughout the enterprise. These resources can include equipment, software, communications, development methodologies, modeling tools, and organizational structures.”
Source: https://www.gartner.com/en/information-technology/glossary/architecture
In short, IT architecture provides standardization to ensure that new vendors who are onboarded, new solutions that are deployed, and current services that are modernized all conform to the policies, procedures, and best practices defined by an organization. Although the Gartner definition provides a great overview of IT architecture, I do believe it could be updated to include securing as a process throughout the enterprise. I’m not sure when this definition was created, but it could have been a while back before the need for updated and improved cybersecurity.
Understanding Security Architecture
Now, let’s take a look at the definition of security architecture from the National Institute of Standards and Technology (NIST) glossary. There are a few definitions from different frameworks, but I tend to lean more toward this definition over the others:
An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
Source: https://csrc.nist.gov/glossary/term/security_architecture
Essentially, from a cybersecurity perspective, security architecture is part of an organization’s broader architecture strategy and aligns with its broader mission and strategy.
Importance of Embedding Cybersecurity within Architecture
Now that we have a better understanding of the broader IT architecture definition along with the cybersecurity definition from NIST, you can see why embedding the role of cybersecurity architecture into a broader architecture program is very important. As new vendors are onboarded, new solutions are built, and current services are modernized, we must ensure that cybersecurity is reviewed, discussed, approved, and embedded early in the process. If cybersecurity is missed as part of the process, solutions will be deployed throughout an organization with significantly increased risk.
Benefits of Embedding Cybersecurity within Architecture
There are many reasons that cybersecurity must be embedded directly into the broader architecture review process from the beginning, including the following:
- Provides a chance to review all the security controls early.
- Ensures that architecture diagrams and documentation are provided with the correct details, specifically relating to cybersecurity.
- Ensures that solutions and vendors are complying with policies and procedures.
- Enforces defined cybersecurity standards.
- Ensures that security testing is conducted and reviewed.
- Allows for a more proactive approach rather than a reactive one.
- Increases collaboration across an organization.
- Provides the ability to collect all relevant information on solutions and vendors for more efficient governance.
- Reduces complexity and overall risk within an organization.
- Ensures that the strategy is being followed.
- Allows for the correct resources to be engaged early.
- Ensures greater success.
Detailed Architecture Review Process
As part of a detailed architecture review process, you are going to need a lot of details in relation to requirements from a cybersecurity perspective. This will include detailed reviews of the solution being proposed and the cybersecurity controls that will be in place. The type of documentation that will need to be reviewed includes technical specifications, architecture documents, build sheets, and any other relevant documentation that can be reviewed through a cybersecurity lens. In addition to the documentation, you will also need the business and/or vendor to complete the detailed requirements of the solution being deployed – for example, what the data type/classification is, whether encryption is used, whether identity can be integrated, what the network controls are, etc. We will cover these in more detail in a later section, Architecture Review Process.
Required Architecture Diagrams
On a broader level, you are going to need architecture diagrams that capture the entire environment and some of the more specific technical areas. Having access to these is essential for the cybersecurity team. If they don’t exist, they will need to be created as these diagrams are the foundation for understanding the footprint of the environment that needs to be protected. For example, you will want to capture diagrams for the following (if applicable), at a minimum:
- High-level architecture of the environment
- Network architecture
- Application architecture
- Identity architecture
- Device architecture
- Database architecture
- Infrastructure architecture
- Collaboration architecture
The following is an example of the high-level architecture that represents your environment. As you get deeper into each area, your architecture diagrams should contain more detail to help better understand the cybersecurity controls in place. Bear in mind that this high-level architecture will not contain a lot of detail and will need to be customized to your environment.
The idea is that you have something tangible that represents what the basic architecture looks like and can be shared with a broader audience.
Figure 5.2: Example of a high-level architecture diagram
Cloud Services Architecture
As more organizations continue to adopt cloud services, you will need to be familiar with the architecture for these environments. For example, three of the more common cloud providers each provide an architecture center for reference:
- Microsoft Azure: https://learn.microsoft.com/en-us/azure/architecture/
- AWS: https://aws.amazon.com/architecture/
- GCP: https://cloud.google.com/architecture/
The same should apply to other major cloud providers, including SaaS providers. If a vendor doesn’t have architecture reference diagrams available, you’ll need to better understand why, as this would definitely be a red flag.
If you are running your environment in one cloud provider, becoming familiar with the architecture becomes a much easier task. The reality, though, is that you may have multiple cloud environments and/or a hybrid environment to oversee. This creates a lot more complexity and challenges with the architecture, as you will need to be familiar with multiple architectures, potentially involving different cloud providers in addition to a legacy, on-premises data center. This is another reason why there is a need to make your strategy as simple as possible.
Cybersecurity Architecture Documentation
In addition to the general architecture, you will want to know if there is any cybersecurity architecture documentation available from a cloud provider, SaaS provider, or vendor that you work with. I’m confident that every organization has some form of cloud provider or SaaS environment within their portfolio these days. With this being the case, it is important that you have access to their cybersecurity architecture diagrams. A great example of this is the Microsoft Cybersecurity Reference Architecture, which you can find here: https://learn.microsoft.com/en-us/security/adoption/mcra. This reference architecture provides details on all the cybersecurity technologies and capabilities available with Microsoft. If you use Microsoft products within your portfolio, the following architecture diagram from the Microsoft Cybersecurity Reference Architecture material shows all the capabilities that are available from Microsoft to protect your environment. This is a very valuable slide for an organization whose strategy is built on the Microsoft platform.
Figure 5.3: Microsoft Cybersecurity Reference Architecture capabilities
Image source: https://github.com/MicrosoftDocs/security/blob/main/Downloads/mcra-december-2023.pptx?raw=true
As you can see, there is a lot involved with architecture, and it is important you have a basic understanding of the general architecture requirements along with the cybersecurity architecture needs. Having a good, dedicated cybersecurity architect on your team will make a significant difference within the broader cybersecurity program. The role is a critical one: the architect will need to partner with the broader architecture function (if one exists) and the business as a whole, learning to better understand their needs and ensuring cybersecurity is discussed and included at the beginning of any project rather than becoming an afterthought. Now that we have a better understanding of the role of cybersecurity in architecture, let’s review what an architecture review process entails and what role cybersecurity plays within the broader process.