Organizations are changing the way security architecture factors into IT operations and engineering design, requiring a stronger focus on broad governance, cloud and DevOps workflows, automation and more. This piece explains how the security architecture function is evolving and the key initiatives to put in place now to better prepare the team for the future.
Changes in the Security Architecture Function
The roles and responsibilities of the security architecture function are certainly changing in today’s business and IT operations environments. For example, security architects must now:
- Be responsible for aligning with DevOps and other teams on a much more consistent basis, helping to develop strategy, controls models and processes for consistent support.
- Know more about cloud- and software-based infrastructure than ever before, and they need to help coordinate a wide variety of sometimes disparate teams and agendas related to cloud-focused initiatives. Architects with cloud experience, knowledge and certifications will find more opportunity to work with development and engineering teams going forward.
- Have a deeper understanding of modern IAM tools and practices than ever before: Identity has become such a core pillar of modern technology deployments that a lack of awareness and understanding of the tenets of IAM, both in and outside the cloud, will hinder security initiatives and priorities.
- Move into consultative roles within the business, with short-term involvement in projects (primarily in the earlier stages). Most organizations have relied on a security architecture model that is predicated on longer-term asset deployment, not short-term architecture that changes very rapidly. Short, pointed internal engagements with a security architecture “consultant” makes more sense during rapid design changes in more cloud-based operational models.
Download: DevSecOps Best Practices Checklist
In addition, security architects must also focus more on several distinct areas of controls and processes to ensure alignment with current IT operational trends, such as:
- Automation: Increasingly, we’re seeing a shift to more automation through security orchestration, automation and response; extended detection and response; and other initiatives. Building playbooks and workflows that align with concurrent controls and architectural models will be something architects are expected to understand and do.
- API integration: In many ways, web services have completely taken over in terms of applications and services exposed in both cloud and on-premises deployments. To that end, many products and solutions are now tying into RESTful APIs and service-specific API models. Security architects must fully understand how APIs allow services and controls to “hook together” in many ways—a skill that also commonly aligns with the automation initiatives mentioned previously.
- Shift-left focus: For many years, security teams would come in after the fact to assess and recommend/implement security controls. Today, the need to embed controls in deployment pipelines and more automated workflows is increasing, and architects need to evaluate how controls can be embedded earlier in the development and deployment processes to make sure they’re included in architecture design.
- Zero trust: More a philosophy than a specific technology or set of controls, the concept of “zero trust” really means “minimization of trust” in both the networking and identity arenas. Architects must be comfortable with concepts like step-up and adaptive authentication, behavioral access and flexible identity validation, with systems, geography and other factors playing a role in user access to resources.
How Security Architecture Should Engage with Business and IT
Today’s security architecture teams and functions must be much more integrated with both business stakeholders and IT operations than ever before. In keeping with the concept of security architects as internal consultants, here are some of the following governance changes and updates proving effective in many client organizations:
- Security architecture councils: To get a wider variety of stakeholders engaged in architecture decisions and policy/control design, the use of a “council” or “center of excellence” model is sometimes effective in getting people on the same page consistently.
- Multidisciplinary threat modeling exercises: Threat modeling can be very useful in getting technical and risk teams together to discuss proposed designs and look at possible risks and mitigation tactics. Based on experience, these sessions should be held in a “scrum” model with short, quick objectives that can be achieved in 30 minutes or less.
- Architecture champions: In large, complex organizations, it may be helpful to designate “champions,” or people within a business unit or team who can convey security architecture policies and desired requirements to the teams they work with daily. This can help offset hiring and operational constraints in the security organization and enable security to work with a wide variety of stakeholders more rapidly.
How will Security Architecture Change in the Future
Major changes are happening in the realm of security architecture. To ensure your program is able to evolve successfully, it’s important to focus on:
- Architecture alignment with many teams: To be effective in the future, security architects will need to be aligned with threat management teams (to be apprised of the threat landscape), engineering and DevOps teams (to keep abreast of cloud and software-defined initiatives), and security operations teams (to ensure controls and process design meet day-to-day requirements). Working with risk, compliance and business stakeholders will also be critical.
- More emphasis on DevOps and cloud: The future of infrastructure is cloud-based for most organizations, and this means architects will need a sound skill set in each/any major cloud provider in use (AWS, Microsoft Azure, Google Cloud Platform, etc.), as well as cloud security principles like IAM, guardrails, infrastructure as code and more.
- Short-term, consultative workflows: The days of long-term architecture initiatives are dying out, because technology is changing more rapidly than ever before. This is not true for all organizations or initiatives, but security architects will become more like “internal consultants” than long-term advisors down the road.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.