It seems like we read about an IT security infraction just about every day. This ought to be somewhat surprising, given the large amounts of emphasis placed on security over the past 25 years as measured by industry research, investments, resources, equipment, training, courses, certifications and books dedicated to the topic.
The problem is that most companies lack a comprehensive architectural framework for the uniform and organized treatment of all aspects of IT security.
So what is a security architecture? An architecture is a blueprint for the optimal placement of resources in the IT environment, with the goal of supporting the organization's business function.
A security architecture is a plan that describes (a) the security services that a system is required to provide to meet the needs of its users, (b) the elements required to implement the services and (c) the behaviors of the elements (including the performance goals) to deal with the threat environment.
To address security challenges in an effective manner, both of the following are needed:
1. An overall security architecture.
This is a master plan that includes security considerations for administration, communication, computers, emanations (radiation), personnel and physical issues.
Clearly, hardware IT/network components must be secure; software components must be secure; and personnel must be trustworthy (many infractions originate from within).
2. Policy specifications.
This describes how to implement and adhere to the architecture. Even if the right architecture is in place, if the policies fail the enterprise is at risk.
In addition, a robust security architecture must be based on the concept of multiperimeter protection, and it must embody the idea of separation of privilege. Layered frameworks are recommended, because layering has the advantage of defining contained, nonoverlapping partitions of the environment.