
Sunday, March 20, 2016

Cloud computing and security

With the increasing adoption of cloud-based infrastructures, it has become more important than ever to make sure that the security architecture is well thought through. A thorough risk assessment needs to be put in place to examine the technical, procedural, and organizational issues involved.

Gartner describes cloud computing as being "scalable" and "elastic", and provided as a service. Since it is now much easier to scale, it is important to analyse and take into consideration a number of risk assessment challenges that cannot be fully addressed with process-oriented evaluations.
Complexity and Exposure complicate assessment
As shown in the figure above, the computing model is mapped onto two dimensions: complexity and exposure. Complexity ranges from a service running on a single host to one distributed across a large number of hosts; exposure ranges from systems run in-house to services operated entirely by outside parties.
Relatively little information is needed to assess the security posture of systems that are run by corporate staff using familiar technology. The blue area in the middle marks the risk compromise area. The services in the upper-right yellow area are complex and highly exposed: here the administrators are strangers and virtually everything happens in the public domain. Ref: https://www.gartner.com/doc/1324114/analyzing-risk-dimensions-cloud-saas



Best Practices - Security Architecture and Enterprise Architecture

The more closely the security architecture is aligned to the enterprise architecture (EA), the more effective it will be. It should be a goal of the organization to complete the integration of security into EA.

Gartner highlights a number of best practices for security architecture that I want to call out in this blog:

  • Security architecture should be a continuous process
  • It improves over time, as the organization accumulates experience
  • Templates are created and maintained in order to keep the organization in compliance
  • The design should proceed by iteration, with increasingly detailed levels of abstraction
Leveraging both the architectural principles and the methods in the organization's security program can improve business alignment and maintain consistency and reuse. However, it is a complex strategy that requires experience, practice and patience.


In the next part of this blog, I will talk about how security is becoming increasingly important in the cloud space. I will spend some time analyzing the risks involved in cloud and SaaS computing, and use case models for choosing security-appropriate SaaS (Software as a Service).

Enterprise Security Architecture - Overview

Security is always a hot topic. In today's blog I will reflect on how essential security is for an enterprise. Without it, any organization, whether small or large, is prone to breaches. We hear every other day about breaches at healthcare companies and stolen credit card numbers; much of this is the result of a poorly thought-out security layer in a company's infrastructure.
Whenever an organization starts a web presence that involves transactions or storing or transferring PII (personally identifiable information), it has to set up a well-defined security layer that protects the organization from phishing scams and breaches, and protects the data, since it contains sensitive customer information.
According to one of my class notes, the main areas of security to consider are:

  • Computing Security: focuses on the secure operation of the computers themselves.
  • Data Security: ensuring that data is secured and protected from tampering.
  • Application Security: preventing errors and breaches that can arise through flaws in the design, development or deployment of an application.
  • Information Security
  • Network Security: the protection of network resources from unauthorized use. Intranet / internal network security is essential for a company, because most companies assume that a breach will come from external sources and forget to take into account compromises that originate from within.
  • Isolation: this is where firewalls come into the picture. They isolate certain applications from the others, shielding them from general usage and unauthorized access.
Depending on the focus of the organization, a combination of these security areas will help create a well-defined security layer that protects the enterprise from breaches.
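As an added illustration of the isolation and internal-network points above (this is example configuration written for this post, not something from the class notes or from Gartner), here is a host firewall for an application server that only accepts its application port from the web tier and only opens outbound connections to its database and DNS. The subnets, addresses, interface names and ports are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post): host firewall for an
# application server, isolating it from the rest of the intranet.
# All addresses, ports and interface names below are assumptions.

flush ruleset

table inet app_isolation {
    # Only the web tier (assumed 10.0.1.0/24) may reach the app port.
    set web_tier {
        type ipv4_addr
        flags interval
        elements = { 10.0.1.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Admin SSH only from the jump host (assumed 10.0.0.5).
        ip saddr 10.0.0.5 tcp dport 22 accept

        # Application port reachable only from the web tier, not from
        # arbitrary internal hosts (the insider case mentioned above).
        ip saddr @web_tier tcp dport 8080 accept

        # Everything else from the intranet is rate-limited, logged and dropped.
        limit rate 5/minute log prefix "app-isolation drop: "
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # The app may only reach its database (assumed 10.0.2.10:5432) and DNS.
        ip daddr 10.0.2.10 tcp dport 5432 accept
        udp dport 53 accept
        tcp dport 53 accept
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`. The check that matters is the negative one: from an internal host outside the web tier, a connection to port 8080 should time out rather than connect, and the attempt should appear in the kernel log with the "app-isolation drop:" prefix. Because the output chain also defaults to drop, a compromised application process cannot reach other internal systems beyond the database, which is the point of isolating applications from one another rather than only from the outside.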

According to Wikipedia, "Enterprise Information Security Architecture is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units, so that they align with the organization's core goals and strategic direction."