Starting point

Most corporate networks consist of a wide variety of applications that have been implemented as and when required. Often they are not or not sufficiently aligned with the enterprise architecture (system architecture). It may even happen that individual systems work against each other without it being noticed at first.

 

Task of a Security Architecture

The task of a security architect is comparable to that of a traditional architect. He analyses the conditions on site and takes into account aspects such as the development plan, the condition of the property, the climate and the customer’s wishes. From all this, he develops the building plan (the strategy) as the basis for the construction.

Security architects also first collect information about the current situation and the requirements. Then they develop comprehensive security strategies based on the company’s goals, system requirements and employees’ expectations. These are tailored to the company in order to protect critical infrastructures and sensitive data. To do this, they work together with managers, risk managers, the IT security officer and other employees.

 

Aim of a Security Architecture

The goal of an IT security architecture is to protect the entire company from security risks. In the best case, problems do not arise in the first place. It takes into account a wide range of security aspects such as compliance guidelines and standard requirements right from the start. This is more cost-effective than installing information security at a later stage.

Risks are assessed and divided into protection classes. Not every threat has the same impact on a company. The measures are therefore adapted to the degree of potential damage.
A security architect thus works out a suitable and appropriate defence strategy together with a company’s IT security experts.

 

IT security and risk management

In information security risk management (ISRM), risks related to information technology are considered. An ISMS (Information Security Management System) is particularly aimed at protecting the confidentiality, integrity and availability of company data. It includes certain standards that are easier to implement when a well thought-out security architecture is in place.
The standards make it easier to ensure that all important points of the IT Security Act are observed and that information of all kinds is protected. They cover not only digital data, but also files and external data carriers. They also look at additional threats such as water or fire damage, theft and, of course, cybercrime.

 

Procedure for implementing security

 

1. Analysis of the current situation

A security architecture must not only consider individual security threats. It must also include compliance guidelines and specific risks in certain environments. In Industry 4.0, IoT connections increase the requirements.
Therefore, all involved IT systems, data flows and interrelationships are documented first. The requirements of the stakeholders are also recorded. This creates a comprehensive picture of the existing IT landscape.
This also reveals existing gaps that can be closed in the new architecture. A reference architecture helps to adapt the new processes to one’s own company and to implement them.

2. Implementing IT architecture

The planning must now be put into practice. Concrete measures are therefore defined. Not all of them have to be equally strict, however.
The effort should always be based on how worthy of protection the respective information is. It is important to document the measures, which can be worked out in more detail over time.

3. Enforcing and monitoring IT architecture

Enforcement can only be successful if the documents are made binding for all employees. There are always processes that need to deviate from the defined measures. They should nevertheless follow the specifications as closely as possible. In addition, the changed measures must be documented.

4. Keeping IT security architecture up to date

New technologies or changes in the company entail adjustments to the IT security architecture. It is therefore not a rigid set of rules, but must be regularly reviewed and changed. If it is lived properly, it can effectively increase security and bundle forces. In this way, it makes optimal use of operating resources.

5. Responding to incidents

Despite the best IT security architecture, security incidents can occur. Then it is important to assess the situation and take appropriate countermeasures. This way, damage can be limited and further damage can be avoided.
Once the incident has been resolved, the existing protective measures must be analysed and adapted if necessary. At the same time, it should be checked whether the reporting channels and detection measures have worked.

 

Advantages of an IT security architecture

Most applications use the same mechanisms for security. Central security structures facilitate management and provide transparency. Here are some examples

By means of standardisation, an IT security architecture creates transparency and clear responsibility. Standardised components can be used uniformly by many applications in IT. This reduces costs.

A practised IT security architecture allows components to be rearranged if necessary. At the same time, it makes it easier to quickly inform all responsible offices about changes. This simplifies the implementation of new projects or the training of employees.

Last but not least, a well-documented IT security architecture serves as proof of regulated processes. Among other things, this is a prerequisite for ISMS certification.