Know your Environment!

Information technology systems are typically complex solutions that include various technologies and products, implemented over time with components added as new needs arise.  In order to identify security weaknesses and vulnerabilities, Secure Ideas recommends performing a security assessment to obtain a complete understanding of the environment.  Unlike a penetration test, which is adversarial and invasive, a security assessment is a cooperative exercise in which Secure Ideas works with clients to review each component of the environment, evaluating the architectural design and controls that encompass the overall security posture.  

Architecture_Review

Our Goal

The goal of this evaluation and assessment is to include findings related to vulnerabilities and concerns associated with the infrastructure and applications, together with real world, practical recommendations for improving the security of the client’s systems and procedures. 

Interview Topics

A security assessment allows Secure Ideas to perform an analysis of technical architecture by reviewing documentation and conducting interviews. The interviews will focus on understanding a client’s design and the reasons for various design decisions.  Each interview will consist of one Secure Ideas staff member interviewing the client’s relevant personnel for between 60 and 90 minutes via phone conference call, or in some cases, onsite at a suitable client location.  Topics covered in security assessments reviews generally include:

Authentication & Access Control
Architecture_Review

Authentication & Access Control

Authentication and Access Control is essential in protecting data from any malicious actors. Architecture reviews are necessary to ensure that an appropriate access policy is implemented along with the appropriate authentication protocol to allow users to access systems, applications and data. It is important to thoroughly assess all existing protocols and measures within the architecture, verifying that only authorized personnel have permission to access certain information while maintaining user privacy; this way, organizations can be confident their data will remain secure.
Get a Quote
Security concept Lock on digital screen, illustration
Encryption and Key Management

Encryption and Key Management

With the increasing importance of securing data, encryption and key management have become a critical component of any organization’s Architecture Review.  Encryption helps protect data by ensuring the confidentiality and integrity of information shared within or outside an enterprise.  Additionally, having a comprehensive approach to key management ensures that the appropriate individuals have access to encryption keys when needed without compromising security protocols.  Organizations should therefore review their Architecture regularly to ensure all necessary components for secure encryption and key management are in place.
Get a Quote
business documents on office table with smart phone and laptop computer and graph financial with social network diagram and three colleagues discussing data in the background
Security Policy Enforcement

Security Policy Enforcement

Having a secure information infrastructure with adequate policies is essential in any organization.  Security policy enforcement can not only assess the risks of any given architecture, but also provide measures to reduce and protect against potential threats.  An architecture review can help ensure existing data structures meet security standards throughout its lifecycle within the environment.
Get a Quote
Privacy Concept on Folder Register in Multicolor Card Index. Closeup View. Selective Focus. 3D Render.
Password Management

Password Management

Password management plays an important role in information security architecture reviews.  Such reviews provide a thorough check on the security posture of a system.  It is essential to ensure that passwords meet complexity guidelines, use two-factor authentication, and are not easily guessed.  Without proper password management, security software is unable to prevent malicious actors from getting access to the system.  An architecture review can identify any weak areas in password management and make recommendations for improvement.  Doing so helps reduce the chances of an incident or breach resulting from compromised credentials.
Get a Quote
Business woman hand typing on keyboard with secured lock concept around
Security Event Logging

Security Event Logging

Security event logging is a critical component of an effective security infrastructure.  It offers an ongoing audit of activities, allowing organizations to monitor the integrity and behavior of their computer systems.  Security teams can quickly identify when malicious activity occurs and take appropriate action. Architecture review also helps uncover weaknesses in system design which could lead to more easily exploitable vulnerabilities.  Comprehensive security event logging practices can help organizations avoid being caught off guard during a potential incident and narrow down the root cause for a faster resolution.
Get a Quote
Hand touching online network security  button and cloud, connection and contact concept
Intrusion Detection/Prevention Systems

Intrusion Detection/Prevention Systems

Intrusion Detection/Prevention Systems (IDPS) can be a powerful security tool that provides an invaluable layer of protection.  By combining network-based, host-based, and/or application level IDP systems, organizations can effectively identify suspicious activity and respond in an appropriate manner.  Architecture Review is a crucial step when deciding which type of IDP system to use; it allows for an informed decision on how the system should best be integrated into the organization's networks and systems.  By conducting Architecture Reviews, companies can ensure proper implementation of their chosen IDPS, optimize performance, detect intrusions quickly, and minimize potential losses from malicious actors.
Get a Quote
Security concept Lock on digital screen, illustration
Firewall Configuration and Policies

Firewall Configuration and Policies

Configuring a firewall with the appropriate policies is an important component of an effective security architecture.  A thorough Architecture Review should be performed to ensure that the firewall configuration and policies are in line with your desired security posture.  Potential issues should be identified and rectified to maximize the effectiveness of your firewall infrastructure. An Architecture  Review will also provide guidance on how you can tailor the existing policies for more precise enforcement, as well as allowing for greater granularity when creating additional policies in the future.
Get a Quote
business documents on office table with smart phone and laptop computer and graph financial with social network diagram and three colleagues discussing data in the background
Operating System Configuration

Operating System Configuration

Properly configuring an operating system is essential for creating a secure and reliable IT environment.  An Architecture Review is an important part of the process for setting up an OS, as it highlights weaknesses that need to be addressed in order to provide a robust framework.  Architecture Reviews provide accurate snapshot of how resources can be best utilized, giving administrators insight into potential threats and hazards they should look out for while also ensuring that all requirements are met.  Such comprehensive evaluations are critical in optimizing performance and security to guarantee the long-term health of any system.
Get a Quote

Testing Credits

Shifting left is critical to the continued security in organizations.  Most development is made better by moving security earlier in the process.  But the traditional penetration testing of web applications and APIs doesn't fit well in the earlier stages of the software development lifecycle (SDLC).

 

Secure Ideas has created a process of testing credits to help solve these issues (especially when paired with SASTA).  An organization can purchase credits to use over the next 24 months.  Combined with a self-scoping system, these credits allow an organization to work with Secure Ideas within their development processes.

si-lock-red (3)
si-lock-red (3)
si-lock-red (3)
si-lock-red (3)

Scoping

The Security Architecture Review (Security Assessment) service is scoped by conducting an in-depth conversation to determine the areas of greatest concern that should be focused on.  By gaining insight into the client’s goals and expectations for this type of engagement, where they currently stand, and where they want to end up, we are better able to scope the project.  Many times this exercise is needed due to compliance requirements and to determine if an organization’s policies, procedures, and controls are following industry best practices, so determining which control framework is best to compare against is also key in determining the scope and level of effort required.

Secure Ideas’ pricing for this service is determined based on the size of the organization, the number of relevant IT personnel and departments needing to be interviewed, and the amount of documentation to be analyzed.  The following is base pricing for a security assessment, but coping discussions are paramount in determining the effort required. 

 

Size of Organization Price-range
Small $14,400
Average $19,200
Large $24,000

Our Process

Have more questions about Architecture Reviews?