Summer is a less busy time here in terms of client calls [hey … you can book an analyst call for tomorrow … even with me :-)], so we get more time to think about big things.
Here is one: security architecture. Expect more interesting research from our team on modern security architecture in the near future. For now, let’s ponder the term itself.
I found this 1990s book on my shelves – it quaintly mentions “PKI” and “enterprise Java beans.” Is this what we think of security architecture today? Probably not. OK, so what DO we think of it?
First, sadly, we do see organizations that still equate “security architecture” with NETWORK security architecture. Namely, firewall zone design, NIPS placement and such. Very 1990s. But perhaps this is where their overall security is, so architecture thinking is a step up for them (as I once joked on Twitter, “What do you call people who move up to Stone Age tech? Where do they move up from?”)
Second, we do see more enlightened organizations that nevertheless have a very fragmented view of security architecture. As in: here is our cloud security architecture, and here is how we architect application with security in mind, etc. This is great, however, this avoids the question of “what is security architecture?” by letting them pick “all of the above” as a choice. In essence, they live in the world of security architectures, not architecture.
Third, we see “the framework crowd” – organizations that like SABSA or TOGAF or some other “industry” framework for security architecture. These may have a single and coherent view of security architecture, but one defined by an external party for them. This means, their security architecture is modern as long as said external party modernized the models. More on this in the upcoming post…
All this said, how do YOU define security architecture for the modern era of cloud, virtual, mobile, big data, DevOps, “AI”, etc?