In reading the Lesson 5 material on security architecture, I found a couple of the articles especially interesting.

In the ISSS “What is Security Architecture” I found a well-rounded explanation of a security architecture, with one big difference from most other explanations. In the condensed definition at the beginning of the article, it specifically DID NOT include “documentation” in the definition. This has become one of my pet peeves. It seems, in academic circles at least, that most definitions of the various architecture domains refer to an architecture as the “documentation” of various characteristics of the organization's environment. However, most organizations balk at paying for documentation, as in and of itself documentation does not provide value. But I argue, along with the ISSS, that an architecture is the design of various aspects of an organization. I further argue that an architecture is not just the design, but also other implemented aspects of the organization that can be repeated efficiently in multiple parts of the organization to support business strategic goals. For example, common goals are cost efficiency and agile response to a changing environment. The paper also touches on how to ensure that the security architecture is aligned to business strategy.
The article “Analyze the Risk Dimensions of Cloud and SaaS Computing” also caught my eye, as our company has made cloud hosting of our applications a high priority. We have struggled with some of the things mentioned.

The discussion of the difficulty of assessing risk with the various levels of external exposure, and with traditional vs. cloud hosting, was a different look at familiar topics for me.

However, I found the section “Identify and Analyze the Chain of Providers” interesting not for the content directly (discussing the need to evaluate all the layers of vendors involved in the cloud service), but for what I believe this relates to in reality.

One of the early knocks against cloud was the perceived risk of not having the physical infrastructure and data under your own company's control and, further, of having them potentially mixed with other cloud providers' clients. Especially in an IaaS cloud model, what is to say other clients' applications hosted on the same cloud infrastructure were not malicious? I agree that there is some increased risk, but not as much as perceived. In reality, most organizations have already outsourced most if not all of their IT work to contractors and consultants. These resources may have various contractual clauses to hold them accountable. But how is that situation much different from the cloud hosting model? The administrative resources are already exterior to the company.