Information systems security architecture
And the architecture of information systems (IS) security depends on the risk model and on the organizational structure of the enterprise. The task of building an optimal system is solved on the basis of achieving the set goals and rejecting redundancy.
The concept of IS security architecture and its tasks
The organization solves the problem of building an ideal network architecture based on the key business objectives. One solution will be acceptable for a trading company, the second - for fuel and energy corporations solving the problem of global digitalization: from using neural networks to building digital models of oil rigs and wells. In both cases, the business objectives and the amount of dedicated resources become key factors.
In a normal situation, in the absence of a developed business digitalization strategy, the problem of building an optimal architecture of information systems arises when:
- the tasks of different departments in the field of IP are not coordinated, which gives rise to software conflicts due to the lack of a unified system for monitoring risks and managing IP;
- users and management do not consider the IP system to be optimal;
- it is necessary to calculate the cost of implementing data protection tools and the financial result from their use;
- there is no ideology for the development of the information system, there is no understanding of the goals and directions of its development, the types of software required or its update.
If a unified strategy for building a security architecture for information systems has not been developed, a number of problems arise:
- The IT department is underfunded, which reduces the overall efficiency of solving problems in the company;
- users and managers are dissatisfied with the fact that key tasks are not being solved, data is not properly protected, due to the lack of monitoring systems, failures constantly occur, important information is lost due to malfunctioning of key modules, mail filtering systems are not configured;
- the system does not meet the requirements of regulators, for example, the FSTEC RF, in the field of personal data protection, which causes problems during checks;
- the system does not meet the business objectives, for example, the problem of remote monitoring of sensors of industrial equipment or housing and communal services systems is not solved;
- inconsistency in the work of various departments leads to hiccups and delays in solving information security problems.
An additional risk is the inefficiency of the investments made in the creation of individual elements of the network architecture.
Methods for building an ideal architecture
The information systems security architecture is based on two components: the information security architecture as a whole and the organizational structure of the enterprise. But it has specific features associated with the threat model developed for the organization. It takes into account the risks:
- virus threats and hacker attacks;
- leaks of personal data;
- leakage of confidential information;
- safety of state secrets;
- malfunction of the entire system or its elements due to technological or software failures.
Information in electronic form and on paper is subject to protection. Important information is contained in video conferencing and video sessions, voice applications and IP telephony. The system should take into account these risks and provide protection against:
- insider actions;
- unintentional errors by users or system administrators;
- external risks.
You can control the actions of system users with confidential files automatically using SearchInform FileAuditor.
Experts believe that the development of a system of protection against information security risks should occur independently of the development of a general IT architecture of the business, which will allow solving important tasks separately, concentrating on specific goals. A mismatch between security and business goals occurs when:
- business interest in using cloud technologies that increase the risks of loss or leakage of important data;
- using project and group methods of working on important decisions, which does not allow identifying the responsible user;
- application of common communication channels for several users and groups;
- active interaction with clients without taking into account information security risks.
All this excludes the possibility of creating a single common security perimeter, and the implemented solutions contradict the general direction of business development. But the information security service often forgets that it exists for the business, and not in spite of it. Inaccuracies lead to:
- overlapping protocols on the firewall;
- obstruction of Internet access for individual employees;
- blocking access to websites important for business.
The result is that information security departments are beginning to be called business prevention departments, that is, they interfere with the business, and not contribute to it. It is impossible to change the organizational structure of an enterprise or business processes for the implemented information security system; on the contrary, it must correspond to them with an information security system.
The first step in the formation of a security architecture is the development of a strategy, which is a sequence of stages in achieving goals and the resources used. Three groups of resources - human, financial and time - need to be coordinated. Therefore, the development of a strategy cannot be entrusted to separate departments, it should be controlled at the level of the company's management. It is it that determines what is the highest priority - a short time to create a system or minimizing the resources spent.
The strategy describes the desired architectural elements that must ensure its functioning:
1. Information. Information arrays and types of data provision are indicated, among them - text, video and audio files, oral information, data on paper. This section defines the degree of importance of the data, the level of their protection.
2. Infrastructure. This subsection of the document describes material objects where data to be protected is present. These are computers, physical media, peripheral devices, locations of documented information, for example, a registry in a polyclinic, where patients' medical records containing personal data are located.
3. Information systems that contain confidential data: ERP-, CRM-, SCM-, SCADA-systems, billing programs, business applications, accounting programs.
4. Information security. The section describes what security tasks are being solved and what tools, software solutions, for example, DLP systems, will be used, it is supposed to install a ready-made software product or develop your own solution.
5. Information security service. It describes the structure of the unit responsible for maintaining the elements of the security architecture of information systems, its tasks and responsibilities, methods for assessing key performance indicators.
It is necessary to take into account the directions of business development and the software market as a whole, the proposed actions of regulators. It is required to monitor changes in threats. In terms of costs, it should be borne in mind that the software market is changing, and the direction of "software as a service" (Software-as-a-Service, SaaS) is gaining popularity. It is required to take into account the industry specificity, the proposed changes in regulatory acts within the framework of the state Doctrine of information security. Solving these issues will help build an optimal security system and IP architecture and reduce overall enterprise costs.