The day before yesterday I was lucky enough to be invited to a Security discussion with some very senior security people in the UK. I introduced myself as an architect which led to some fairly “interesting” views of the role of the architect. There was clearly a lot of feeling that people starting off with an “architecture” base were pretty valueless in real life and people starting with a set of technologies / issues and refactoring an architecture from them were doing something useful. I hope I am in the latter camp.
It was clear to me that we do however need some sort of security architecture which has to include both the technical sort of stuff I blogged about earlier and also less security technology focussed areas such as:
Present and projected threat analysis / risk mitigation.
Security and auditability.
Alerting and patching.
There were also some interesting specific areas of interest that came up in the discussion too, such as:
Anti Virus / Malware strategies.
Spoofing / phishing / pharming strategies.
This last one seemed to me to be the most immediately pressing area which needed some innovative thinking. An add-in to the client which did host change detection and warning seemed like a simple and effective solution to this.
There seems to be a general lack of strategy/architectural security information/community in the industry. I've seen so many papers and such like which fail to provide information that can be acted upon.
Information Security is clearly a business risk decision and yet most people think security is a Firewall or cryptographic/authentication device!
Having experience of security assessment I've found that most security risk can be mitigated by good architecture together with security awareness training for users and effective policy & procedures.