Guidance for Improving the Security Architecture/Engineering Relationship
Organizations seeking to better align engineering and security architecture teams should focus on building cloud and IAM skills, documenting threat models and architecture patterns, and consistently engaging in a consulting model.
This piece explains how the architecture role is changing and where architects should focus to ensure they build a strong relationship with the engineering team.
How the Security Architecture is Changing
There are a number of changes occurring in the enterprise today in regard to how security architecture works with IT operations and engineering teams. For example, the security architecture role is seeing some big changes, and today’s architects must now:
- Be responsible for architectural direction and advice for both on-premises and cloud infrastructure: In essence, architects are expected to have a comfort level with all manner of technologies in use and planned, and this can be very complicated (or even impossible, depending on the scope and scale of the environment). Gaining an understanding of DevOps, secure cloud engineering, cloud guardrails and any number of different cloud-brokering services is essential for architects in their roles going forward.
- Have a sound comfort level with IAM: This should happen either through alignment with a dedicated IAM team or by having some degree of expertise within the architecture group, and then working with DevOps and engineering.
- Be able to advise on controls “owned” and potentially managed by other teams, such as development, DevOps, cloud engineering, security operations and monitoring, among others. One of the most valuable skills for architects today is familiarity with and some expertise in building and implementing controls in infrastructure as code.
- Become more like consultants: Security architects are moving into consultative roles within the business, with short-term involvement in projects (primarily in the earlier stages). Most organizations have relied on a security architecture model that is predicated on longer-term asset deployment, not short-term architecture that changes very rapidly. Short, pointed internal engagements with a security architecture “consultant” make more sense during the rapid design changes we see in more cloud-based operational models.
Focus Areas of Security Architecture
When security architects align with engineering teams, they should put emphasis on the following concepts:
- Automation: Building more automated and integrated controls through pipelines and in data center and cloud environments can help streamline the goals of both security and engineering teams. Most engineering teams are now looking at security orchestration, automation and response (SOAR), extended detection and response and a variety of other automation mechanisms to streamline processes.
- API integration: APIs are everywhere (especially in development and cloud infrastructures), so this should be an area of focus for all teams today.
- A shift-left focus: Integrating controls earlier in the DevOps pipeline is definitely a key element of architecture and engineering alignment today. For other types of security engineering, this may not be as applicable.
- Secrets and privilege management: With the changes occurring in engineering for cloud and more automated workflows and pipelines, privilege management becomes an even bigger issue than in the past, because automated privilege allocation is needed for both DevOps pipeline tooling and engineering users. Embedded IAM privilege policies are needed throughout cloud infrastructure for both cloud-native and third-party services, as well.
Create a Security Architecture Committee
The best approach to engineering and architecture alignment is to build an internal architecture committee or working group that includes members of both teams and meets at least weekly. This allows the teams to:
- Put forth ideas: Discussing ideas from members of both teams makes them feel empowered and helps strengthen the relationship.
- Share different design models for specific applications and infrastructure under development: This helps prevent either team from being surprised down the road.
- Decide which acceptable architecture standards should be documented and consistently met: Once again, giving everyone a say helps foster buy-in and ownership.
Best Practices for Documenting the Security Architecture
Documentation of security architecture in a modern environment should focus on several key concepts:
- Defined standards for controls and services: By far the most important type of documentation to build and maintain is a set of defined and approved standards for controls and services that need to be in place and enforced. This is best accomplished with executive stakeholder support and a governance model that facilitates a variety of teams’ input to their development, while keeping regulations and compliance in mind.
- Threat models: Having conversations about threat modeling is a useful way to better align with engineering teams. Documenting these threat models and revisiting them on a regular basis can be an effective approach to building a library of controls, architecture, threat surface and remediation tactics. Tools like Threat Dragon from OWASP and Microsoft’s Threat Modeling Tool are good, free options that can help.
- Architecture patterns: The most tactical type of documentation to develop and maintain for engineering and architecture teams is a set of “patterns” that act as overlays of controls within application and infrastructure engineering workflows and deployments. These can be application-specific or modeled within a certain type of environment (e.g., Kubernetes, Microsoft Azure, Google Cloud Platform and so on). An example might be a new container-based application that includes a service mesh security architecture pattern with a sidecar container for policy and mutual TLS coordination, etc. Many SOAR tools can help capture playbooks and workflows that help with this.
Tips to Align Security Architecture and Engineering
Security architecture and engineering share many of the same goals and it is essential they work together seamlessly. To successfully align security architecture and engineering, focus on these core concepts:
- Skills development: To be successful with modern engineering teams, architects will almost certainly need a grounding in cloud, DevOps, containers and serverless, IAM and infrastructure as code. Understanding how these types of tools and services work helps make discussions more productive and allows for improved collaboration.
- Automated and integrated secrets and privilege management: DevOps and engineering, as well as cloud runtime deployments, make extensive use of identity policies that often require some advanced privileges and different types of secrets for authentication and authorization. The more integrated (usually via APIs) and automated these tools and controls are, the better coordinated architecture will be with engineering builds.
- Documented standards, threat models and architecture patterns: Capturing these is important to building a sustainable architecture function and being able to repeatedly evolve the types of security controls and designs in place.
- Short-term, consultative workflows: The days of long-term architecture initiatives are dying out, as technology changes more rapidly than ever before. This is not true for all organizations or initiatives, but security architects will be more “internal consultants” than long-term advisors down the road.