I recently posted the following comments to the LinkedIn Security Architecture forum discussing the effectiveness of Security Architecture today:



I agree with the comments which have been posted so far. As pointed out, a security architecture involves quite a number of factors - security infrastructure, policy and procedure, etc. Let me make some comments around the topic of the network security architecture.


Network security architecture discussions became a significant discussion point back in the mid to later part of the nineties, when Internet connectivity was becoming the norm. Firewalls were being introduced, and early network security architectures focused on the Internet perimeter. Concepts such as compartmentalisation using DMZs and visibility using tools like Cisco's NetFlow were introduced. These concepts were as valid then as they are today.


The landscape has changed and security architectures need to consider this changed landscape.


Probably the number one new consideration is that the whole scene is way more complex than it was 15-20 years ago. Security managers and architects first and foremost need to understand this and ensure that adequate tools and processes exist for dealing with a far more complex environment.


Application architectures are larger, more complex and more mission critical. Many of these environments have grown in an ad hoc manner and are far from being optimal security architectures. They are not easy to change.


There are a lot more applications on the network today; some of these are legitimate, and some simply have no place in a business environment. Users wish to choose and use their own apps.


The use of SSL and TLS is widespread, making it impossible to see traffic in these tunnels without decryption technology.


Mobile and personal devices are often accessing critical business systems from just about anywhere.


Cloud technology is being introduced and utilised by many organisations due to the attractive cost benefits.


Attack trends have changed. Client-side attacks now account for the majority of successful intrusions.


Malware sophistication has increased. But more importantly, the sheer scale of nation-state-sponsored espionage has significantly increased the risk for just about every organisation with business critical data.


This is certainly not an exhaustive list. My point is that it is critical for architects to have a firm grasp of the basics as well as these factors to create effective security architectures. A good network security architecture is not a silver bullet which will save you from all attacks, but it is a critical foundation on which everything else should be based. Experience has shown me that organisations who do have sound architectures in place have been in a FAR more robust position when the bad stuff happens.