AUGUST 2022 CIOAPPLICATIONS.COM 9

... cloud security architects, as well as with a focus on training the existing workforce to acquire cloud security certifications. The centrality of security architecture as one of the pillars of E&A is also strengthened by adopting a shared responsibility model between the information security teams, which own the governance of how security architecture processes are executed firm-wide, and the engineering teams, which execute those processes using the available tools and technologies. The best example of a shared responsibility model is the execution of DevSecOps, where security and engineering teams collaborate to make security an integral part of the entire application life cycle: design, coding, testing and operations. Specifically for the security architecture domain, a strong partnership between architecture teams and cyber-security teams is critical to ensure that application designs not only comply with information security policies and standards but are also secure from the start, with security built in rather than bolted on.

From a process perspective, it is important to build the security architecture practice around security architecture reviews that are executed by security architects together with stakeholders from the different domains of business, infrastructure and technology. Well-established security architecture practices ensure that applications are designed following security architecture principles and have documented non-functional requirements, architecture diagrams and data flows.
In alignment with a well-architected framework, the security architecture review needs to focus on the fundamental security components of the cloud architecture, such as Identity & Access Management (I&AM), Permission & User Entitlement Management, Infrastructure Security, Data Protection in Transit and at Rest based upon Data Classification, and Detection of Security Events, including Monitoring and Alerting.

Security architecture design reviews for projects during development and testing allow design flaws to be addressed early, preventing them from becoming show-stoppers for production deployment. Over time the practice matures from ad-hoc consulting engagements to a consistently managed architecture review process. The effectiveness of the security architecture can be measured by the quality and consistency of the security architecture reviews in identifying design flaws early. Maturity improvements in security initiatives that include activities from the security architecture domain, such as architecture analysis and threat modeling, can also be measured as capability levels against peers by adopting models such as the Build Security In Maturity Model (BSIMM). At level 1 an organization will have established a practice with activities such as "engage with architecture teams" and "integrate and deliver security features"; it can mature to level 2 with activities such as "leverage secure-by-design components and services", and to level 3 with activities such as "require use of approved security features and frameworks".

One important aspect to consider in establishing a successful security architecture practice is to follow a security strategy that is aligned with the business and technology strategy and with the C-level view of where E&A, including security, should be positioned to achieve the organization's business and technology goals.
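The review areas listed above can be applied mechanically once a project has the documented data flows the practice calls for. The following Python script is an added example, not code from the article or from any vendor's well-architected tooling: it takes a constructed component and data-flow model (the four-level classification scheme, the component fields, the accepted transports and authentication methods, and the sample architecture are all assumptions) and reports design flaws per review area, so they surface during development rather than as show-stoppers at production deployment.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed four-level data classification scheme, least to most sensitive.
CLASSIFICATION_RANK: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
CONFIDENTIAL = CLASSIFICATION_RANK["confidential"]

SECURE_TRANSPORT = {"https", "tls", "mtls", "ssh"}  # assumed acceptable in-transit protection
STRONG_AUTH = {"mtls", "oauth2"}                     # assumed acceptable auth for confidential+ flows

Finding = Tuple[str, str, str]  # (review area, architecture element, description)


@dataclass
class Component:
    name: str
    classification: str                 # highest class of data it stores or processes
    encrypted_at_rest: bool = False
    logging_enabled: bool = False
    alerting_enabled: bool = False
    internet_exposed: bool = False
    permissions: List[str] = field(default_factory=list)  # IAM permissions on its role


@dataclass
class Flow:
    src: str
    dst: str
    classification: str                 # class of the data carried on this flow
    transport: str                      # e.g. "https", "http"
    auth: str                           # "mtls", "oauth2", "api_key" or "none"


def rank(classification: str) -> int:
    return CLASSIFICATION_RANK[classification]


def review_components(components: List[Component]) -> List[Finding]:
    findings: List[Finding] = []
    for c in components:
        # Data protection at rest, required from "confidential" upwards.
        if rank(c.classification) >= CONFIDENTIAL and not c.encrypted_at_rest:
            findings.append(("data-at-rest", c.name, "sensitive data stored without encryption at rest"))
        # Detection of security events: logging everywhere, alerting on sensitive components.
        if not c.logging_enabled:
            findings.append(("detection", c.name, "security event logging not enabled"))
        elif rank(c.classification) >= CONFIDENTIAL and not c.alerting_enabled:
            findings.append(("detection", c.name, "logs collected but no alerting on a sensitive component"))
        # IAM / least privilege: wildcard grants are a design flaw regardless of data class.
        wildcards = [p for p in c.permissions if "*" in p]
        if wildcards:
            findings.append(("iam", c.name, "wildcard permissions granted: " + ", ".join(wildcards)))
        # Infrastructure security: restricted data must not sit on an internet-exposed component.
        if c.internet_exposed and rank(c.classification) >= rank("restricted"):
            findings.append(("infrastructure", c.name, "restricted data on an internet-exposed component"))
    return findings


def review_flows(components: List[Component], flows: List[Flow]) -> List[Finding]:
    findings: List[Finding] = []
    by_name = {c.name: c for c in components}
    for f in flows:
        label = f"{f.src}->{f.dst}"
        for endpoint in (f.src, f.dst):  # every endpoint must be a documented component
            if endpoint not in by_name:
                findings.append(("model", label, f"undocumented component '{endpoint}' in data flow"))
        # Data protection in transit, required from "internal" upwards.
        if rank(f.classification) >= rank("internal") and f.transport not in SECURE_TRANSPORT:
            findings.append(("data-in-transit", label, f"{f.classification} data over '{f.transport}'"))
        # Entitlement management: no unauthenticated flows; strong auth for sensitive data.
        if f.auth == "none":
            findings.append(("entitlement", label, "unauthenticated flow"))
        elif rank(f.classification) >= CONFIDENTIAL and f.auth not in STRONG_AUTH:
            findings.append(("entitlement", label, f"weak authentication '{f.auth}' for sensitive data"))
        # Classification consistency: the receiving component must be rated for what it gets.
        dst = by_name.get(f.dst)
        if dst and rank(f.classification) > rank(dst.classification):
            findings.append(("data-classification", label, f"{f.classification} data sent to a {dst.classification} component"))
    return findings


def review(components: List[Component], flows: List[Flow]) -> List[Finding]:
    return review_components(components) + review_flows(components, flows)


def findings_per_area(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per review area; any non-empty area blocks production deployment."""
    counts: Dict[str, int] = {}
    for area, _, _ in findings:
        counts[area] = counts.get(area, 0) + 1
    return counts


# Constructed sample architecture for the review (not a real system).
SAMPLE_COMPONENTS = [
    Component("api-gateway", "confidential", encrypted_at_rest=True, logging_enabled=True,
              alerting_enabled=True, internet_exposed=True, permissions=["orders:read", "orders:write"]),
    Component("orders-db", "confidential", encrypted_at_rest=True, logging_enabled=True),
    Component("reports-bucket", "restricted", permissions=["s3:*"]),
]
SAMPLE_FLOWS = [
    Flow("api-gateway", "orders-db", "confidential", transport="tls", auth="api_key"),
    Flow("api-gateway", "reports-bucket", "restricted", transport="http", auth="none"),
    Flow("batch-job", "orders-db", "restricted", transport="https", auth="mtls"),
]

if __name__ == "__main__":
    for area, element, text in review(SAMPLE_COMPONENTS, SAMPLE_FLOWS):
        print(f"[{area:19}] {element:27} {text}")
    print("blocking areas:", findings_per_area(review(SAMPLE_COMPONENTS, SAMPLE_FLOWS)))
```

Run against the constructed sample, the review returns nine findings across seven areas, including a flow from a component that is absent from the architecture diagram and restricted data landing on a component only rated for confidential data. The thresholds per classification level are hard-coded constants here; a real practice would derive them from the organization's own data protection standard, which is what makes the reviews consistent from project to project.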
Above all, it is sustained management commitment, acting as a multiplier to the investment in people, processes, technologies and tools, that constitutes the recipe for success!