Build a Secure Architecture Review program

Chandan Bhattacharya
Cyber Security Advocacy
May 19, 2024

A Secure Architecture Review is essential for safeguarding an organization’s IT infrastructure against evolving cyber threats. By systematically evaluating the design and implementation of systems, this review identifies potential security gaps and ensures the integration of robust security controls.

For the longest time, I wanted to pen down my thoughts on my experience with Secure Architecture Review and various benefits that it offers for all organizations. Through this article, I present a structured approach that can be used by organizations to understand the requisites, workflow and implementation considerations for a Security Architecture Review program, thus enabling them to either set up a new program or enhance an existing program.

Here are the guiding principles I use for a Secure Architecture Review:

This next diagram articulates my understanding about the overall flow and stages for developing a Secure Architecture Review program.

Process flow for creating a secure architecture program

Now, let’s delve into the individual stages one-by-one.

Establish a controls catalog

This stage involves two primary activities:

1. Understand security requirements for all assets

Identifying security requirements for all IT assets involves understanding the specific needs and vulnerabilities of each asset, from hardware and software to data and networks. By defining clear security requirements, organizations can implement targeted controls that mitigate risks and ensure compliance with regulatory standards. Comprehensive security requirements help in preventing unauthorized access, data breaches, and other cyber threats, thereby maintaining the integrity, confidentiality, and availability of IT assets. In an increasingly complex threat landscape, a structured approach to identifying security requirements is essential for building a resilient and secure IT environment that can adapt to evolving risks and challenges.

2. Create a comprehensive controls catalog

Creating a security controls catalog for all IT assets is essential for systematically managing and mitigating security risks within an organization. This catalog serves as a comprehensive repository of security measures designed to protect hardware, software, data, and network components. By detailing specific controls — ranging from encryption and access management to monitoring and incident response — the catalog provides a structured approach to safeguarding IT assets against diverse threats. Developing this catalog involves identifying potential vulnerabilities, aligning controls with industry best practices and regulatory requirements, and categorizing controls based on asset type and criticality.

For organizations that are unfamiliar with security controls, NIST 800-53 serves as an excellent starting point for creating an extensive catalog. It is structured around a comprehensive set of security and privacy controls, categorized into families such as access control, incident response, and risk assessment. Each family includes specific controls and enhancements, providing detailed guidelines for protecting federal information systems and ensuring compliance with regulatory requirements.

Create an asset risk profiling mechanism

Asset risk profiling involves evaluating the potential risks associated with individual assets within an organization’s IT infrastructure. By assessing factors like asset value, criticality, and vulnerabilities, organizations can prioritize security measures and allocate resources effectively to mitigate risks and protect against potential threats.

In this process, it is crucial to determine a set of parameters that would serve as the foundation for calculating the risk value of an asset. Based on the risk value, assets should be categorized into multiple levels. The level structure can differ in each organization, but in my experience, having a tiered system such as Tier 1–3 can be a good starting point. The parameters may also be different based on organizational needs.

I’ve compiled a list of commonly used parameters as a reference:

Key parameters for asset risk

Identifying and designating stakeholders responsible for profiling assets is also an important consideration for organizations. Again, the approach for this exercise varies within organizations, but a general rule of thumb is to identify and designate a person (or persons) with the right mix of business and cyber risk knowledge to conduct this exercise.

Create Asset to Control mapping

The mapping of controls to IT assets, in my view, is the most critical step in the entire process of setting up a secure architecture review program. Once a comprehensive catalog and an asset risk profiling mechanism are established, implementing this mapping enables organizations to tailor the controls based on the risk tier an asset belongs to, and the nature of the asset.

This mapping serves as the foundation of the review execution as it allows the reviewer to determine the subset of controls that apply to an IT asset. The outcomes of this process are detailed control baselines that provide insight into the security measures required for a particular asset in scope.

This step also allows us to identify the common controls which would be mandated across all assets in the organization. This can be considered as a minimum security baseline for the assets.

Define review workflow

With the control mapping & asset risk profiling in hand, we now come to the point where we have to define the end-to-end workflow that encompasses all the activities to be performed for a secure architecture review engagement. The key components of this workflow are as follows:

1. Automated or Manual engagement

This is a key question that must be addressed by the process designer. Organizations, depending on their size and budget, may choose to employ either automated or manual methods to execute these assessments. The complexity factor also may be considered while the process is being designed. Organizations may also choose to adopt a hybrid approach where, based on certain factors, they choose both automated and manual methods to perform the assessment.

2. Intake process

This outlines how an asset is going to be onboarded onto the secure architecture review process. In my experience in the cyber security field, I’ve seen organizations implement this in multiple ways - from using spreadsheets & web forms to large ITSM tools like ServiceNow. The former method works best for manual engagement while the automated engagements leverage the latter.

3. Trigger points for review

Being an important element of the workflow, this component codifies the events when a secure architecture review is to be triggered. Organizations need to analyze their system development and asset management processes to understand the key events that may require a secure architecture review. Some examples that I’ve seen in my experience are:

  • Onboarding of new asset
  • Change in existing asset which impacts the asset risk level

4. Asset Risk Profiling

This step is an essential part of the workflow. Organizations can utilize the asset risk profiling mechanism to categorize the asset which serves as a pre-requisite for the control selection.

5. Security Control selection

In this step, the security controls applicable to the asset are determined based on the mapping defined earlier. This can be done either manually by the reviewer or automatically through a tool which houses the controls catalog and the logic for asset risk profiling.

6. Review execution & output

Upon control selection, the reviewer analyzes the control set and seeks inputs from the asset owners and associated stakeholders on the implementation of the controls. Based on their inputs, the reviewer proceeds to make a determination on whether the asset is meeting the required expectations on a security control or not. The output of this analysis is a detailed assessment report which highlights the missing or unmet controls on the asset, along with recommendations, so that the asset owners may apply the controls to meet compliance targets.

7. Revalidation & Exception process

The revalidation of controls must be incorporated within the workflow to ensure that it articulates the need for assets to comply with the defined requirements. Also, to accommodate situations where the asset is non-compliant due to constraints, an exception process must be established in the workflow. Organizations can utilize their established security exception process to add corresponding steps within the workflow.

8. Integration with risk & issue management

The workflow must show that the issues reported during the review process are tracked through the organization’s established risk management and issue management processes to establish their consistency across the organization.
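The trigger, profiling, control selection, review output and exception steps above can be expressed in code, as in this added example (it is not the author's tooling). The three rating parameters, the tier thresholds and the tier assigned to each NIST SP 800-53 control are assumptions made for illustration.

```python
# Added example: parameters, thresholds and tier assignments are assumptions.
PARAMS = ("data_sensitivity", "business_criticality", "internet_exposure")  # each rated 1-3

# NIST SP 800-53 control ID -> (asset types it applies to, lowest-risk tier that still needs it).
# Tier 1 is the highest risk; "*" means every asset type.
CATALOG = {
    "AC-2":  ({"*"}, 3),                    # Account Management
    "AU-2":  ({"*"}, 3),                    # Event Logging
    "RA-5":  ({"*"}, 3),                    # Vulnerability Monitoring and Scanning
    "SC-7":  ({"web_app"}, 2),              # Boundary Protection
    "SC-8":  ({"web_app", "database"}, 2),  # Transmission Confidentiality and Integrity
    "SC-28": ({"database"}, 2),             # Protection of Information at Rest
    "IR-4":  ({"*"}, 1),                    # Incident Handling
    "SI-4":  ({"*"}, 1),                    # System Monitoring
}

def risk_tier(ratings):
    """Sum the 1-3 ratings (range 3-9) and bucket into Tier 1 (highest risk) to Tier 3."""
    for p in PARAMS:
        if ratings.get(p) not in (1, 2, 3):
            raise ValueError(f"rating for {p!r} must be 1, 2 or 3")
    score = sum(ratings[p] for p in PARAMS)
    return 1 if score >= 8 else 2 if score >= 5 else 3

def control_baseline(asset_type, tier):
    """Controls mapped to this asset type at this tier; tier-3 entries form the minimum baseline."""
    return sorted(cid for cid, (types, max_tier) in CATALOG.items()
                  if tier <= max_tier and ("*" in types or asset_type in types))

def triggers_review(old_ratings, new_ratings):
    """Trigger on onboarding (no previous profile) or on a change that moves the tier."""
    return old_ratings is None or risk_tier(old_ratings) != risk_tier(new_ratings)

def review(asset_type, ratings, implemented, exceptions=frozenset()):
    """Compare implemented controls with the baseline; approved exceptions are reported separately."""
    tier = risk_tier(ratings)
    baseline = control_baseline(asset_type, tier)
    missing = [c for c in baseline if c not in implemented]
    unmet = [c for c in missing if c not in exceptions]
    return {"tier": tier, "baseline": baseline, "unmet": unmet,
            "excepted": [c for c in missing if c in exceptions], "compliant": not unmet}

if __name__ == "__main__":
    db = {"data_sensitivity": 3, "business_criticality": 3, "internet_exposure": 2}  # constructed
    print(review("database", db, {"AC-2", "AU-2", "RA-5", "SC-8", "IR-4"}, exceptions={"SI-4"}))
```

Controls listed under `unmet` are what the assessment report would carry into issue management, while `excepted` keeps approved exceptions visible for revalidation.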

Conduct pilot

To test the defined workflows, it is prudent to develop a pilot program which enables real-world usage of the workflows and helps to identify key challenges or flaws that can then be rectified before the full-scale deployment of the secure architecture review program. Running the pilot program involves the following high-level stages:

1. Identify assets & stakeholders for pilot assessment

A common method used by organizations in this step is to analyze their asset inventory and identify a small set of assets which can maximize the coverage of the pilot assessment.

2. Plan & Execute review based on defined review workflow

Upon identification, the assessment schedule is created and the assessment is executed in accordance with the defined workflow.

3. Engage stakeholders to review output and obtain feedback

Post assessment completion, the review team engages with the designated stakeholders to discuss the challenges observed during the pilot and incorporates the feedback into the workflow.

Full-scale deployment

Upon pilot completion, organizations can finalize the security architecture review process and begin socializing the process with internal stakeholders. The production deployment of the process requires organizations to be prepared on the following aspects:

  • Process documentation should be created and available for dissemination.
  • Review process should be integrated with trigger points in the system development lifecycle to ensure sufficient coverage.
  • Structured socialization of the process should be followed to enable measurable outcomes.
  • A cadence should be established to enhance/improve the Secure architecture review program periodically.

Conclusion

To conclude the article, I would like to outline the major benefits of having a good Secure Architecture review program:

  • Firstly, it enables early risk mitigation & regulatory compliance, while promoting a holistic security approach.
  • Secondly, it bakes security right into the system development lifecycle, thereby enabling security by design.
  • Thirdly, it allows significant cost savings through resource optimization & protection from data breaches.
  • Finally, it enhances an organization’s trust and reputation through improved security posture and incident response readiness.

Secure architecture review has become an integral part of the cyber security processes in large enterprises, and I hope to see more organizations of all sizes establish their own programs to enhance their cyber security posture.
