The security of an application, network or operating system, and of their associated functionality, relies primarily on architecture and design. That is why an Architecture and Design review is critical in helping you analyze and validate your organization’s overall security. We recommend that this security review be undertaken at the outset, for instance when you set out to design your applications, and before deployment. This will allow you to identify and rectify potential vulnerabilities before they are exploited. The cost and effort of a post-deployment review, and of the resulting changes to architecture and design, can be high.
The goal of an Architecture and Design review is to assess applications and the network from a security perspective, ensuring that flaws are uncovered before they develop into vulnerabilities. Some of the aspects that are reviewed include, but are not limited to, trust boundaries, data flow, entry points, and privileged code. An ideal Architecture and Design review happens at multiple levels—network, operating system, web server and web application.
The best reviews kick off with a Threat Model, built to identify and list the key threats. Threat modeling is a structured way of identifying, measuring, quantifying, and addressing security risks from an attacker’s perspective. Most importantly, the Threat Model prioritizes threats in terms of their criticality, thus ensuring that time, money and effort are directed towards those threats that have the potential to cause considerable damage.
Your review process should cover:
• The security policy of the organization and how it applies to, and is incorporated within, the systems and applications
• Business requirements to ensure that they incorporate supporting security requirements
• Compliance with the regulations that apply to your business, and controls that facilitate this compliance
• Data flows and network topology
• Intrusion points, routers and firewalls
• The technologies and tools that the solution uses and any inherent vulnerabilities in them
• Application security controls and their implementation
• Administration, management, and provisioning
• VPN and remote access
• Web farms, if any
• Disaster recovery plan and processes
A Secure Architecture and Design Review: Must Do’s
As mentioned at the beginning, it is ideal and preferable to perform an Architecture and Design security review before developing and deploying your systems. However, this is not to say that one cannot be done for existing applications. You may choose to undertake such a review for any reason—to comply with emerging standards, to validate security around critical business operations, etc. Even when conducted at a later stage, this review is an effective way to not only validate security processes around your applications or network infrastructure (new and existing), but also to identify potential vulnerabilities within the overall organization. Additionally, the review can go a long way in helping you improve future designs.