Analysts make the case for enterprise security architectures

Gartner IT Security Summit: An enterprise security architecture is an important part of a long term strategy and can help mitigate the risks when data is used in new ways.

One evening not long ago, a business traveler between flights was making use of his time in a Hong Kong airport lounge by plugging his USB drive into one of the lounge's computers and toiling away on a number of different files.

But when it was time for the traveler to rush to his gate, he left the USB drive and its sensitive files behind, unknowingly exposing his organisation's sensitive data to any opportunistic passerby.

Fortunately, the device was recovered by Gartner Inc. vice president Tom Scholtz, who recounted the story this week at the research firm's IT Security Summit. Scholtz made the point that businesses must design, develop and implement security architectures that can mitigate the inherent risks that come with workers taking data with them on the road or using it in new ways.

"We need security architectures that will help us think of how to address problems of the future," Scholtz said, "but we also need security architectures to help us solve problems today."

While security architectures can be defined in a number of ways, Scholtz essentially described them as the policies, processes, components and systems that encompass an enterprise security program. Security architectures ideally provide more insight into how data and devices are secured and more choices in how they can be used.

Scholtz said the ideal security architecture development paradigm consists of three major levels: conceptual, where policies and processes are defined; logical, where the interacting technology components take shape; and implementation, where systems are built and integrated.

This method enables an architecture to grow as a result of an organisation's true needs; "So you can do high-level planning and separate that from the [various] technology religions," Scholtz said.

Getting a security architecture aligned with an enterprise's overall architecture is hard because it's difficult to find the resources to look beyond individual projects and focus on the big picture, said Thornton Dyson, a Houston-based enterprise architect with a government agency. But the advantages of building security into the development lifecycle make the effort worthwhile, he said.

"Security is often tagged on at the end of the [application] development process," Dyson said. "And [during] the readiness review, the security team gets hit with a black eye because it seems like security is holding things up."

Advancing a security architecture agenda would help that problem, Dyson said, but getting non-security IT pros to buy into the concept takes work.

"It's a challenge. You stand up and talk about it whenever you can," Dyson said. "You make elevator speeches or talk about it at parties. But there's some indication that they're beginning to pay attention."

Separately, Scholtz strongly urged security professionals to examine their budding architectures from three distinct viewpoints: organisational, business and technology. The U.K.-based analyst said this ensures that the architecture is compatible with the goals of the organisation, the priorities of business managers and the other technologies it must coexist with.

Scholtz's other security architecture best practices included avoiding a fixation on any particular organisational structure or format, keeping a choice of technologies open at all times, and above all remembering that an architecture should never remain static.

"We're talking about a collection of models that we should use as tools to develop the best solution on a case-by-case basis," Scholtz said.

As for that abandoned USB drive, Scholtz said he turned it over to airport authorities, but likes to tell the story to illustrate one of the many common security problems that a mature architecture can help mitigate.

"It's not about the data stick," he said, "but who receives the data."
