Security Architecture in Theory and in Practice: Why security should be considered among the main pillars of the organizations enterprise architecture

Marco Morana, Head of Security Architecture, JPMorgan Chase & Co.

Marco Morana, Head of Security Architecture, JPMorgan Chase & Co.

The foundational domains of Enterprise Architecture (E&A) traditionally have been organized in domains such as Business, Information, Application and Technology Architecture (BIATA). In successful organization(s) teams of architects in each of these domains work together and help to deliver business goals, deliver data to make informed decisions, build or acquire applications whose business logic and functionality aligns with business goals using the recommended and approved software and infrastructure technologies.

While BIATA domains represent the traditional view of E&A, these domains alone no longer provide a sufficient model for addressing today’s modern architecture challenges. Among the main challenges for E&A there is digital transformation, application modernization and application lift and shift to the cloud. The traditional E&A domains of technology, infrastructure, application and data are still the foundational but need to extend to include other domains such as security, performance, integration and service that span across the traditional E&A domains.

Specifically, the focus on the security architecture is key to influence architecture risk decisions on each new initiative and project within the organization. This resonates with stakeholders in information, business and technology driving moving to the cloud initiatives considering security risk and compliance as one the top barrier(s) to fully achieving the promise of cloud.

The most common well architected cloud framework(s) today, position security as one of the main pillars. Organizations whose focus are programs such as digital transformation, modernization and cloud migration should use these security architecture frameworks to model their E&A organization from people, people and technology/tool perspective. A cloud security architecture skilled workforce is essential and can be fostered by external hiring to fill roles such as heads of security architecture and cloud security architects as well as with focus in training existing workforce in acquiring cloud security certifications.

The centrality of security architecture as one of the pillars of the E&A also strives by adopting a shared responsibility model between information security teams that have ownership of the governance of execution security architecture processes firm-wide and the engineering teams that execute these processes using available tools/technologies. A best example of a shared responsibility model is in execution of DevSecOps where security and engineering teams collaborate to make security an integral part of the entire application life cycle that is during design, coding, testing and operations. Specifically for the security architecture domain a strong partnership between architecture teams and cyber-security teams is critical to ensure that the design of the applications complies with both information security policies and standards but also is designed as security at start as built in rather than bolt on.

From a process perspective it is important to build a security architecture practice around security architecture reviews that are executed by security architectures together with stakeholders among the different domains of business, infrastructure and technology. Well established security architecture practices ensure that applications are designed following security architecture principles, have documented non-functional requirements, architecture diagrams and data flows. In alignment with a well architected framework the security architecture review need to focus on the fundamental security components of the cloud architecture such as Identity & Access Management (I&AM), Permission & User Entitlement Management, Infrastructure Security, Data Protection in Transit and while at Rest based upon Data Classification and Detection Of Security Events including Monitoring and Alerting.

Well established security architecture practices ensure that applications are designed following security architecture principles, have documented non-functional requirements, architecture diagrams and data flows

Security architecture design reviews for projects during development and testing can be addressed early on avoiding design flaws of becoming show-stoppers for production deployment. As the practice matures over time from ad-hoc consulting engagements to following a consistently managed architecture review process. The effectiveness of the security architecture can be measured in the quality and consistency of the security architecture reviews in identifying design flaws early on. Maturity improvements in security initiatives that include activities that are part of the security architecture domain such as architecture analysis, threat modeling, can also be measured as capability levels against peers by adopting models such as the Build Security In Maturity Model (BSIMM). Where at level 1 an organization will have established a practice with activities such as “engage with architecture teams” and “Integrate and deliver security features” it could mature to a level 2 where activities such as “leverage secure-by-design components and services” and a level 3 activities such as “require use of approved security features and frameworks”.

One important aspect to consider in establishing a successful security architecture practice is to follow a security strategy that is aligned with the business and technology strategy aligned with C-level view of where E&A should be positioned including security to achieve the organization business and technology goals. Above all it is sustained management commitment that act as multiplier to the investment in people, process and technologies and tools is what constitutes a recipe for success!