Security Architecture in Theory and in Practice: Why security should be considered among the main pillars of the organization's enterprise architecture
Marco Morana, Head of Security Architecture, JPMorgan Chase & Co.
While the BIATA domains represent the traditional view of E&A, these domains alone no longer provide a sufficient model for addressing today's architecture challenges. Among the main challenges for E&A are digital transformation, application modernization and lift-and-shift migration of applications to the cloud. The traditional E&A domains of technology, infrastructure, application and data are still foundational, but they need to be extended with domains such as security, performance, integration and service, which cut across the traditional E&A domains.
Specifically, a focus on security architecture is key to influencing architecture risk decisions on each new initiative and project within the organization. This resonates with stakeholders in information, business and technology who are driving cloud migration initiatives and who consider security risk and compliance among the top barriers to fully achieving the promise of cloud.
The most common well-architected cloud frameworks today position security as one of the main pillars. Organizations whose focus is on programs such as digital transformation, modernization and cloud migration should use these security architecture frameworks to model their E&A organization from a people, process and technology/tool perspective. A workforce skilled in cloud security architecture is essential; it can be built through external hiring for roles such as head of security architecture and cloud security architect, and through training the existing workforce toward cloud security certifications.
From a process perspective it is important to build the security architecture practice around security architecture reviews, executed by security architects together with stakeholders from the business, infrastructure and technology domains. Well-established security architecture practices ensure that applications are designed following security architecture principles and have documented non-functional requirements, architecture diagrams and data flows. In alignment with a well-architected framework, the security architecture review needs to focus on the fundamental security components of the cloud architecture: Identity & Access Management (IAM); permission and user entitlement management; infrastructure security; data protection in transit and at rest, driven by data classification; and detection of security events, including monitoring and alerting.
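The review focus areas listed above become far more repeatable when the documented data flows are treated as input to a set of checks rather than as a diagram to eyeball. The following Python is an added illustration of that idea; it is not code from the article or from the author's organization. The architecture model (components, data stores, flows), the classification labels, the control names and the sample "order service" architecture are all constructed assumptions for the example: a real practice would load the model from the team's own architecture documentation and tune the rules to its data classification policy.

```python
"""Added example: a security architecture review as policy-as-code over a
documented data-flow model. Model, labels and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Ordering of data classification labels (assumed labels, lowest to highest).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Component:
    name: str
    identity: Optional[str] = None        # workload identity (IAM role / service principal)
    permissions: set = field(default_factory=set)  # entitlements, e.g. {"orders-db:read"}
    logging: bool = False                 # ships security logs to monitoring/alerting
    internet_facing: bool = False


@dataclass
class DataStore:
    name: str
    classification: str
    encrypted_at_rest: bool = False
    logging: bool = False                 # access logging enabled


@dataclass
class Flow:
    src: str
    dst: str
    classification: str                   # highest classification of data on the flow
    tls: bool = False


def review(components, stores, flows):
    """Run the review rules; return a list of (control, subject, finding) tuples."""
    findings = []
    nodes = {**components, **stores}

    # Diagram completeness: every flow endpoint must be a documented node.
    for f in flows:
        for end in (f.src, f.dst):
            if end not in nodes:
                findings.append(("Documentation", f"{f.src}->{f.dst}", f"undocumented node {end}"))

    for c in components.values():
        # IAM: every workload runs under an explicit identity.
        if not c.identity:
            findings.append(("IAM", c.name, "no workload identity"))
        # Entitlements: no wildcards, and no permission on a store the workload never talks to.
        talks_to = {f.dst for f in flows if f.src == c.name}
        for p in sorted(c.permissions):
            target = p.split(":")[0]
            if "*" in p:
                findings.append(("Entitlements", c.name, f"wildcard permission {p}"))
            elif target in stores and target not in talks_to:
                findings.append(("Entitlements", c.name, f"unused permission {p}"))
        # Infrastructure: internet-facing workloads must not reach restricted stores directly.
        for dst in talks_to:
            if c.internet_facing and dst in stores and stores[dst].classification == "restricted":
                findings.append(("Infrastructure", c.name, f"internet-facing access to restricted store {dst}"))
        # Detection: every workload must ship security logs.
        if not c.logging:
            findings.append(("Detection", c.name, "no security logging"))

    # Data in transit: anything above public requires TLS.
    for f in flows:
        if CLASSIFICATION_RANK[f.classification] > CLASSIFICATION_RANK["public"] and not f.tls:
            findings.append(("Data in transit", f"{f.src}->{f.dst}", f"{f.classification} data without TLS"))

    for s in stores.values():
        # Data at rest: confidential and above requires encryption.
        if CLASSIFICATION_RANK[s.classification] >= CLASSIFICATION_RANK["confidential"] and not s.encrypted_at_rest:
            findings.append(("Data at rest", s.name, f"{s.classification} data not encrypted at rest"))
        if not s.logging:
            findings.append(("Detection", s.name, "no access logging"))
    return findings


# Constructed sample architecture for a hypothetical order service (not a real system).
SAMPLE_COMPONENTS = {
    "web-api": Component("web-api", identity="role/web-api", logging=True, internet_facing=True,
                         permissions={"orders-db:read", "orders-db:write", "archive:read"}),
    "batch-job": Component("batch-job", identity=None, permissions={"*:*"}, logging=False),
}
SAMPLE_STORES = {
    "orders-db": DataStore("orders-db", "confidential", encrypted_at_rest=True, logging=True),
    "pii-vault": DataStore("pii-vault", "restricted", encrypted_at_rest=False, logging=True),
    "archive": DataStore("archive", "internal", encrypted_at_rest=False, logging=False),
}
SAMPLE_FLOWS = [
    Flow("web-api", "orders-db", "confidential", tls=True),
    Flow("web-api", "pii-vault", "restricted", tls=True),
    Flow("batch-job", "orders-db", "confidential", tls=False),
    Flow("batch-job", "reporting-bucket", "internal", tls=True),  # node missing from the diagram
]

if __name__ == "__main__":
    for control, subject, text in review(SAMPLE_COMPONENTS, SAMPLE_STORES, SAMPLE_FLOWS):
        print(f"[{control}] {subject}: {text}")
```

Each finding is tagged with the review focus area it belongs to, so the output of the checks maps directly onto the agenda of the architecture review meeting. The rules deliberately derive entitlement expectations from the documented data flows: a permission on a store the workload never talks to is surfaced as over-entitlement, which is the kind of gap a diagram-only review tends to miss.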
One important aspect of establishing a successful security architecture practice is to follow a security strategy that is aligned with the business and technology strategy, and with the C-level view of where E&A, security included, should be positioned to achieve the organization's business and technology goals. Above all, sustained management commitment acts as a multiplier on the investment in people, process and technology and tools; that is the recipe for success!