Identify Business Needs and Security Threats
After completing this unit, you’ll be able to:
- Describe how to identify business needs and align the business and cybersecurity strategy of an organization.
- Explain how to identify new threats, breaches, and vulnerabilities in order to develop secure systems by design.
Identify Business Needs and Critical Assets
Your goal as a security architect is to solve business challenges with secure technology. You help the organization design and implement secure IT systems that enable the business to increase profits, improve customer service, or bring new products to market faster. You work with business leaders to understand their needs, and solve business challenges with the simplest, most secure technology. You work with team members across the business to set security requirements and success metrics early and ensure everyone understands the type of controls the business needs.
You first determine what framework best meets the security requirements of the organization. You consider regulations that your organization must comply with based on industry requirements. Some common examples include the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Next, you identify what critical assets the organization wants to protect. You then design and deploy security controls to safeguard the organization’s most sensitive information. Some of these controls include:
- Network segmentation: Dividing the IT environment into zones of similar risk, with protections implemented between different zones.
- Boundary protection: Implementing controls at the outer perimeter of the network, such as firewalls and intrusion detection systems, to keep malicious actors out and valuable information in.
- Authentication and authorization patterns: Ensuring users and their devices are only able to access information they truly need to do their jobs.
- Zero trust architecture: Securing the organization at every level including people, devices, and data.
In identifying critical assets, you seek to understand what technologies exist in the environment, and how they are architected to work together. The technology architecture of most organizations is highly complex, involving a range of different products from different vendors, including both older legacy systems and newer deployments. While in the past most organizations focused just on protecting the boundary of their on-premises network, most organizations today have to protect an extended environment of mobile devices and cloud technology. Information assets are no longer contained just within an organization's four walls.
Think of your job as a cybersecurity architect like the role of an air traffic controller. The air traffic controller identifies inbound and outbound airplanes and maps where they are taking off from, where they are in transit, and where they land, in order to keep passengers and crew secure. In the same way, you build a map of the environment to understand how information moves between components. You use diagrams to show where data is supposed to flow, and how to prevent it from taking alternate routes. You seek to understand where data is stored and where dependencies lie between systems.
Next, you prioritize the highest-value systems for further review. It’s very unlikely your organization will have the resources to assess the architecture of every system, so you concentrate on the most valuable systems, where a loss of confidentiality, integrity, or availability (CIA) would have a high impact. You create threat models to consider the likelihood of a successful attack, and identify what holes exist in the current architecture that need updates based on priority. You explore what technology the organization needs in the future to build an architecture that is responsive to change. Your goal is to identify and design information flows that will allow the organization to meet its CIA goals, while also enabling the business to access the information it needs.
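One way to turn the data-flow map and CIA-based prioritization described above into a repeatable check, as an added example that is not part of the original unit. The asset names, zones, ratings, and observed flows are constructed, and the 1-3 rating scale and worst-rating scoring are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str             # segmentation zone the asset lives in
    confidentiality: int  # 1 = low, 3 = high impact if lost (assumed scale)
    integrity: int
    availability: int

    @property
    def impact(self) -> int:
        # Assumption: the worst of the three CIA ratings drives priority.
        return max(self.confidentiality, self.integrity, self.availability)

# Constructed inventory for illustration.
ASSETS = {a.name: a for a in [
    Asset("web-frontend", "dmz", 1, 2, 3),
    Asset("order-api", "app", 2, 3, 3),
    Asset("customer-db", "data", 3, 3, 2),
    Asset("hr-laptop", "corp", 2, 1, 1),
]}

# Zone-to-zone flows the architecture diagram permits (assumed design).
ALLOWED_ZONE_FLOWS = {("internet", "dmz"), ("dmz", "app"),
                      ("app", "data"), ("corp", "app")}

# Constructed observations: (source asset, destination asset).
OBSERVED = [
    ("web-frontend", "order-api"),
    ("order-api", "customer-db"),
    ("web-frontend", "customer-db"),  # skips the app tier
    ("hr-laptop", "customer-db"),     # corp straight into the data zone
    ("hr-laptop", "order-api"),
]

def unexpected_flows(observed, assets, allowed):
    """Flows crossing zones outside the diagram, highest-impact target first."""
    findings = []
    for src, dst in observed:
        s, d = assets[src], assets[dst]
        if s.zone != d.zone and (s.zone, d.zone) not in allowed:
            findings.append((d.impact, src, dst, f"{s.zone}->{d.zone}"))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

def review_order(assets):
    """Rank systems for architecture review: worst CIA rating, then total."""
    total = lambda a: a.confidentiality + a.integrity + a.availability
    ranked = sorted(assets.values(), key=lambda a: (-a.impact, -total(a), a.name))
    return [a.name for a in ranked]
```

Each finding is a candidate for either a new control between the two zones or a correction to the diagram, which keeps the map and the environment in agreement.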
The end result of this analysis is an enterprise information security architecture plan that includes policies, processes, technology requirements, principles, and models for implementing technology product specifications. It outlines current, intermediate, and target architectures in order to enable change over time. Next let’s dig a little deeper into another important piece of the security puzzle: understanding the adversary.
Identify New Threats, Vulnerabilities, and Incidents
As a successful cybersecurity architect, you’re always researching and staying abreast of the newest threats, vulnerabilities, and incident trends to ensure your organization stays one step ahead of the attackers and develops secure systems by design. Before we go further, let’s define what these words mean.
- Threat: A threat is any natural or man-made circumstance that can have an adverse impact on an organizational asset. For example, a cybercriminal can deliver malware to your user using a phishing email that lets them gain unauthorized access to a database.
- Vulnerability: The National Institute of Standards and Technology (NIST) defines a vulnerability as a weakness in an information system, system security procedures, internal controls, or implementation that can be exploited or triggered by a threat source. For example, a known vulnerability in a publicly facing database that remains unpatched can allow an adversary to illicitly access the database.
- Incident: An incident is a security event that compromises the CIA of an information asset. For example, a user loses their mobile device, and an attacker is able to use it to access their email.
Hans works as a cybersecurity architect at a consulting firm, helping organizations establish successful security solutions. Hans thinks like an attacker, always one step ahead to help his clients harden the security of their networks and systems. He starts each day by researching new threats, vulnerabilities, and incidents to make sure he’s up to speed on the most current intelligence.
One tool Hans uses is threat modeling, in which he identifies the threats and vulnerabilities in a particular IT environment, and looks for ways to exploit them. He thinks about who would be interested in compromising the system, what tactics they might use, and what their motivations are.
Hans knows that attackers have different goals that may affect what information they are most interested in getting their hands on and which systems they will target. Depending on the industry the organization is in and the data it has, an attacker may be interested in compromising intellectual property or stealing personally identifiable information (PII) such as Social Security numbers. He may have to worry about a potential adversary sabotaging a system by denying use of the system for legitimate users, or holding information hostage, such as in a ransomware attack. Let’s take a closer look at a few of these threat vectors and vulnerabilities.
- Insider threat: This is the threat to an organization from its own employees. This type of threat usually occurs when a privileged user abuses his powers to perform an unauthorized function. It can also be unintentional, such as if an employee emails sensitive information to the wrong customer.
- Ransomware: Attacks that target business-critical systems with malware, encrypting files, servers, and databases, and demanding that a ransom be paid to decrypt them and restore access.
- Uneven cybersecurity protections: Security is often described as a weakest link problem. Attackers probe a business network’s weakest defenses to find a point of entry. If one system or business unit is lax in implementing protections, the entire organization could be at risk.
- Unpatched security vulnerabilities/bugs: Known vulnerabilities whose fixes exist but have not been applied leave the business network exposed to outside attack and compromise.
- Distributed Denial of Service (DDoS): These attacks overwhelm a victim’s network resources so they cannot process legitimate traffic on their network. For example, a nation state may flood another country’s unemployment system with false requests.
These are just a few examples of the threats, vulnerabilities, and incidents that you as a cybersecurity architect take into account when thinking about the best way to secure an organization’s systems. Hans knows there is no single “silver bullet” solution that can address every cyberthreat a business faces. But he maintains awareness of evolving products and technology trends to help the organization select the mix of protective controls that will most enhance its security posture. You learn more about how to protect your organization by deploying these controls in the next unit.
Great work! Now, how do you decide what protections to put in place? How can the organization implement a layered security approach? How are security solutions deployed across the organization? We dive further into each of these questions in the next unit, Use Layered Security Features.