My Enterprise Security Perspective

Kunpeng
7 min read, Jun 26, 2023


translated from https://iami.xyz/my-enterprise-cyber-security-architecture/

0x00 Preface

Originally, I planned to write a few new articles introducing security architecture, since I happened to have looked at several frameworks over the past few months. I decided to summarize first and write separate articles on the different aspects when I have time later. This article is limited by my personal experience and may be one-sided in places, so readers should still think for themselves. Let's walk through it with pictures↓

0x01 Starting with Enterprise Architecture

I plan to start with enterprise architecture. Understanding the enterprise is not the beginning of security, but it determines the extent to which security can be achieved.

  • TOGAF provides a general methodology that runs from business architecture to IT architecture. ITIL provides guidance for implementing the information technology infrastructure, and ITSM is a framework for guiding IT service management.
  • TOGAF provides a four-layer architecture, BDAT (Business, Data, Application, Technology). Here, I treat T as the Infrastructure layer.
  • For some products, the boundary between IaaS and PaaS is relative. For example, a DB can be part of PaaS or SaaS. Of course, for financial enterprises the general requirement is On-Prem. Beyond compliance, private clouds can also be built on public cloud infrastructure. IaaS, PaaS, public and private are defined here by the nature of the business, not by the vendor's label.
  • To deliver services, we need to focus on Customer Centricity (trusted, sustainable, faster delivery of services, and maintaining relationships with customers as appropriate). Enterprise security work should borrow this approach, with a continuous delivery attitude toward both internal and external business.
  • Moving from IaaS to SaaS, the CSP provides more and more functions and we manage less and less. But IaaS not only involves basic security; it also requires data security for HW/SW, storage, databases, and the other day-to-day scenarios where defense has to be customized.
  • GRC is often the first issue faced by products externally and the driving force for internal IT architecture to change.
  • In business architecture, strategy, operations, and technology are indispensable.
  • The so-called architecture is a framework that complies with various rules and then provides constraints for new businesses. Business can be external or internal. For the security department, the direct business customers are other departments within the enterprise.

0x02 Revisiting Security Architecture

  • The following factors drive enterprises to change in terms of security: compliance, public safety, goodwill, and financial security. For enterprises, the business directly faces pressure from regulatory compliance and internal risk management. Business drives IT to change, which in turn drives business change. Policy and compliance clearly shape the form the business takes.
  • Here, security governance in the IT architecture is simply divided into three layers: basic security, application security, and data security. Note, however, that the business systems of the office network are not necessarily deployed in the Office, and the DC does not only host production (site) business. With remote work, the office network (Corp) business may not be deployed in the office at all.
  • CIS provides the most precise Control Set at the Infrastructure level. ISMS is a part of ISO 27001, providing an information security management guidance framework.
  • Logging and monitoring at the basic operations and maintenance level are not necessarily led by the security team, and they are certainly not limited to basic security. Applications also need logging and monitoring; it is a common requirement. The same goes for audit, account management, and authentication integration.
  • Looking vertically at how an application is rolled out, the business can be split and processed either by processing order or by business type for the application design. Once the application design is complete, a system architecture is chosen, meaning the specific components used, such as Nginx, Tomcat, LVS, gateways, etc. Then, according to the system architecture, the corresponding VMs are requested and deployed directly in the corresponding data center. Of course, deployment becomes smoother after moving to the cloud.
  • Some of the TAL, CAL, CAS, DAL in the system architecture may not be available in most enterprises…
  • Security operations, security management, and security technology are the three aspects of security. We need to be able to provide corresponding policies, standards, guidelines, and standard operating procedures to the outside. In this process, a certain degree of automation should be achieved, especially in operations.

Below is an outline of how TOGAF treats architecture work; refer to the TOGAF framework itself for the details.

  • Determine the scope and clarify the objectives. Produce the corresponding output through a series of inputs and steps.
  • Evaluate the resources or resource pools needed. Our goal is to deliver a service, which can also be a product or a physical object. After evaluating the needs, achieve the goal through different means, such as procurement, handling it internally, outsourcing research and development, having the manufacturer do it, etc.
  • Clarify stakeholders, points of contact, and roadmaps.
  • Establish a daily communication plan, manage projects well, and iterate quickly in Scrum meetings.
  • Designing the architecture requires determining high availability, scalability, and capacity assessment work.
  • The architecture to consider differs by level. For basic security components such as a WAF or a bastion host, the focus is mainly on the design and deployment of the physical architecture and system architecture. For KMS, CA, etc., the application architecture and system architecture need to be considered, and then mapped onto Zones, VMs, and infrastructure such as LB, DB, etc. The above is still limited to the services the security department itself provides. If it is architecture design provided for the PD team in the SDLC, the focus is somewhat different.

0x03 Collaboration and Organizational Structure

This is not universal: my earlier experience of the interaction between the local-services business and Alibaba Group security, and my current experience of the interaction between the China and Global teams, are not the same.

  • The left figure is a common division of security functional departments in enterprises. Once there is a group-level concept, the security functional departments evolve more completely.
  • There are definite differences between the CRO line, CTO line, and CSO line.
  • Does collaboration between departments within the technology center, and coordination of work between first-level departments, need a single collection point? For example, collecting requirements from inside and outside the technology center through DevOps.
  • KPIs are used to constrain people, OKRs constrain individuals' goals for projects, and Scrum manages the rapid iteration of projects.
  • Find the stakeholders, then request resources from the corresponding resource pool and consume them. If a PMO is needed, request the PMO; if R&D is needed, request R&D; have manufacturers do it, outsource it, do it yourself, etc.
  • Find the project interface person, coordinate the related resources in one place, and track the progress of the project.
  • Leaders/managers should have leadership, truly inspiring and motivating the team rather than manipulating it (PUA). At the same time, manage upwards well; otherwise it is embarrassing when the hard work below goes unrecognized.
  • The leader's perspective is what actually gets things done, and it should be able to support the achievements of those below. Quantifiable results benefit everyone, and multi-party collaboration in enterprises can often achieve a win-win situation, but most people encounter more infighting and blame-shifting.
  • Attitude always comes first and technology second, but technical vision and depth determine what can be achieved. Judge yourself as strictly as you judge others, but also stay away from fools.
  • The three lines of defense required for financial security are not easy to reflect in the organizational structure, but the concept of a virtual line of defense runs through the different departments.
  • Large enterprises do their own security research, develop products based on the rollout of security technology, and then promote them internally, forming a Core Product without reinventing the wheel.
  • Different enterprises have different natures, leading to different security requirements and different construction. The pressure from inside and outside the enterprise is what drives a given matter.
  • Where you sit determines how you think. Do your own job well. Lifelong learning is a personal matter that has little to do with the enterprise. It is fine to take advantage of what the enterprise offers, and it doesn't matter if you can't.
  • Language and communication are genuinely important soft skills. Choose your skill points well and cultivate your skill tree. Don't let it grow crooked.

0x04 Summary

In the evolution of enterprises and enterprise security, we find problems, propose solutions, and then encounter new problems and propose new solutions. But the most important thing is the ability to learn quickly, find problems, and propose solutions in areas that are unknown or unexplored. Whether it is management or security technology, security operations in enterprise security are an endurance race.☯️
