Security is Design

Security is Design

Welcome to 2009, and welcome back to my blog. This year’s focus is on using network architecture to create information security.

I come to this after reading some reports from Gartner Group: Three Lenses Into Information Security; Classifying and Prioritizing Software Vulnerabilities; and Aligning Security Architecture and Enterprise Architecture: Best Practices.

The first report posits that designing or architecting security is one of three lenses thru which to view InfoSec (the other two being process-focused and control-focused). Why this emphasis on architecture? The primary reason is that most vulnerabilities are not within the software themselves, but within your implementation.

“Gartner estimates that, today, 75% of successful attacks exploit configuration mistakes.” Furthermore, few of us have the skills, time, and license to modify the software to address the remaining 25% of the vulnerabilities. Thus the largest positive impact an InfoSec professional can have on security is thru planning and architecting the system design.

The secondary reason is that retrofitting system architectures with security after the fact is time intensive and service invasive. It often requires stopping work during the change implementation. It may require altering the work after implementation. This has a tangible cost. Gartner puts it thusly: “The careful application of security architecture principles will ensure the optimum level of protection at the minimum cost.”

The bottom line is that emphasizing security architecture in the original design minimizes costs and vulnerabilities.

Posted by