Network architecture exists at the odd juncture between physical and virtual infrastructure, requiring interfaces and adaption on both sides. Consequently, information security specialists working in architecture have to incorporate knowledge of both physical and electronic security in their analysis and designs.
This has spawned an entirely new class of cybersecurity jobs that includes network security engineers and infrastructure security architects.
Because a career in information security architecture requires insight into almost every aspect of a business, these jobs are generally reserved for experienced information security experts with advanced degrees.
The Big Picture: Where Cybersecurity Intersects with Business Objectives
Just as information system architecture is expected to consider the big picture when designing supporting structures to accommodate larger business goals, network security architecture is oriented toward aligning information security practices with business objectives.
This requires giving consideration to a number of factors that are typically outside the purview of most security staff:
- Business strategy and planning
- Technology industry trends and developments
- Threat trends and risk categories
These considerations span all aspects of an organization’s information systems design. Establishing a clear, overarching company-wide architectural design eliminates departmental silos that all too often result in gaps that hackers can exploit.
During both the design and build phases of a network, there are many points related to security architecture that engineers and architects consider:
- Ensuring that physical network deployments can be secured against taps and damage
- Compartmenting network segments into progressively more secure layers to protect critical data
- Analyzing corporate data stores and sources to locate them in the correct network layers
- Designing virtual networks which allow an appropriate degree of logging and monitoring
- Collecting software inventories to ensure that the company’s attack surface is clearly understood
- Analyzing external links to partners and public networks to identify threats, then installing the appropriate defensive measures
Establishing the Trust Domain in the Architecture of Information Systems
The basic building block of secure network architecture is the trust domain, a segment of a system in which users and processes are authenticated and verified to a sufficient degree to be trusted with the data and systems operating on that segment.
Once these complex, sometimes nested, sometimes interrelated domains have been mapped onto the day-to-day operations of the business and the data it generates and stores, architects work directly with security and information assurance engineers to implement the mechanisms required to enforce those trust domains.
This process includes:
- Overseeing physical network installation
- Designing and promulgating security policies and procedures for users and network administrators
- Ensuring access control and identification mechanisms are in place to adequately validate users
- Providing training on aspects of the system design to administrators and users
Frameworks Support Security Infrastructure Design
If it sounds like designing a secure enterprise network and system architecture is a daunting task, it is.
In addition to facing the day-to-day complexity of information systems, security architects also have the harder task of peering into the future to determine the likely progression of technology and threats in five, ten, and even twenty years time, and then building out an infrastructure that can remain secure within that horizon. The amortization of information technology investments does not always allow for immediate updates as new technologies are developed or new threats identified. Enterprise systems installed today may not be paid off for a decade, and must remain secure over that timeline.
A number of security architecture frameworks have emerged in the past decade to provide templates for designing secure systems that can stand the test of time.
Framework Solutions Come From the Public and Private Sector
National governments and militaries were quick to get in on the framework business to address security concerns that exceed those of most modern businesses. Both of these architecture frameworks have security provisions built in and are available for free:
In the private sector, Sherwood Applied Business Security Architecture (SABSA) provides an alternative to federally-developed frameworks, offering framework certification and training for a fee.
The Beginnings of Network Architecture Security
In the beginning, information technology was formless and empty, a seething void of random programs, unorganized cables, and tractless data silos floating in the ether of memory. Then, no one could find anything and upgrades were impossible and users and executives were vexed and wroth. And so the network administrators said, “Let there be organization!” and there was planning and documentation. And the Chief Information Officers (CIOs) saw it was good, and they called it “Information and Network Architecture.”
Network and information systems architecture and engineering emerged from the snarls of organic network growth and information system silos that came during early waves of technology adoption in large organizations. At the time, systems that could be put together quickly to support a small department or branch office could not easily be integrated into larger structures. Costs and unforeseen complications exploded, burying IT departments and users alike.
Despite significant investments in technology, business productivity stagnated in the 70’s, 80’s, and 90’s– a troublesome fact that became known as the “productivity paradox” after the title of a seminal paper on the subject by MIT technology professor Erik Brynjolfsson.
Enterprise architecture was the response, a planning and engineering process described at a series of National Institute of Science and Technology workshops in 1989. Enterprise architecture sought to envision an ideal technology infrastructure and lay out a series of steps in which it could be built methodically and efficiently. And so order was drawn from the void, and information technology investments began to pay off in the early years of the 21st century, resulting in growth and improvements in the field of information security.