Know your Environment!
We understand that your information technology solutions are often complex, with a variety of components and technologies interwoven to create a comprehensive system. In many cases, new features and components have been added over time as new needs arise. To ensure any security weaknesses or vulnerabilities in the design are fully understood, Secure Ideas recommends performing an architecture review. An architecture review is a very different process from a penetration test. This review is cooperative, meaning that we work with your team to review each component of the environment to evaluate your organization's security posture.
Similar to penetration tests, architecture reviews can be conducted on a single implementation, such as an in-house developed application, to overarching topics like ransomware preparedness. However, because of the methodology used with this type of engagement, architecture reviews help identify issues that may not be evident during a penetration test, whether those issues are process related or technology-based. Through a series of discussions and a review of your existing documentation, we will cover a variety of different topics and compare the architecture to best practices for secure design. While the specific topics may vary, depending on what is being reviewed, there are some common themes.
Overall, an architecture review is a great way to have a third-party evaluation of the security posture your organization has taken in implementing a chosen IT solution.
Through a series of discussions and a review of your existing documentation, we will cover a variety of different topics and compare the architecture to best practices for secure design. Each interview will consist of at least one Secure Ideas staff member interviewing the appropriate group for between 60 and 90 minutes. This can be done via phone conference call or in person at your location. While the specific topics may vary, depending on what is being reviewed, there are some common themes.
Identity and Access Management
Resilience and Recovery
Resilience and Recovery plans are vital for organizations to quickly respond to outages, disasters, and certain threats such as ransomware attacks. Being proactive with backup processes and disaster recovery plans is essential to minimizing the impact of any data loss or system outages that could occur.
Security Auditing and Alerting
Shifting left is critical to the continued security in organizations. Most development is made better by moving security earlier in the process. But the traditional penetration testing of web applications and APIs doesn't fit well in the earlier stages of the software development lifecycle (SDLC).
Secure Ideas has created a process of testing credits to help solve these issues (especially when paired with SASTA). An organization can purchase credits to use over the next 24 months. Combined with a self-scoping system, these credits allow an organization to work with Secure Ideas within their development processes.
The Security Architecture Review (Security Assessment) service is scoped by conducting an in-depth conversation to determine the areas of greatest concern that should be focused on. By gaining insight into the client’s goals and expectations for this type of engagement, where they currently stand, and where they want to end up, we are better able to scope the project. Many times this exercise is needed due to compliance requirements and to determine if an organization’s policies, procedures, and controls are following industry best practices, so determining which control framework is best to compare against is also key in determining the scope and level of effort required.