Know your Environment!

We understand that your information technology solutions are often complex, with a variety of components and technologies interwoven to create a comprehensive system.  In many cases, new features and components have been added over time as new needs arise.  To ensure any security weaknesses or vulnerabilities in the design are fully understood, Secure Ideas recommends performing an architecture review.  An architecture review is a very different process from a penetration test.  This review is cooperative, meaning that we work with your team to review each component of the environment to evaluate your organization's security posture.

Similar to penetration tests, architecture reviews can be conducted on anything from a single implementation, such as an in-house developed application, to overarching topics like ransomware preparedness. However, because of the methodology used with this type of engagement, architecture reviews help identify issues that may not be evident during a penetration test, whether those issues are process-related or technology-based. Through a series of discussions and a review of your existing documentation, we will cover a variety of different topics and compare the architecture to best practices for secure design. While the specific topics may vary, depending on what is being reviewed, there are some common themes.

Overall, an architecture review is a great way to have a third-party evaluation of the security posture your organization has taken in implementing a chosen IT solution.

Our Goal

The goal of an architecture review is to produce findings related to the technology and processes associated with an IT solution. These findings come with real-world, practical recommendations for improving the security of your systems and procedures.

Interview Topics

Through a series of discussions and a review of your existing documentation, we will cover a variety of different topics and compare the architecture to best practices for secure design.  Each interview will consist of at least one Secure Ideas staff member interviewing the appropriate group for between 60 and 90 minutes.  This can be done via phone conference call or in person at your location.  While the specific topics may vary, depending on what is being reviewed, there are some common themes.

Identity and Access Management

Knowing which identities are supposed to access and interact with a solution is a key component of security.  This not only pertains to users of the solution but also those that have privileged access.  Restricting access to only those who need it and limiting it so they can perform only the actions they need at the time is the cornerstone of protecting your data and systems.  An architecture review ensures that an appropriate permission policy has been implemented, granting the right level of access in a secure manner.

Network Access

If Identity and Access Management is the who of the question, general network access is the what, where, and how. By limiting direct network access to specific services, systems, applications, or networks, an organization greatly reduces the potential attack vectors. We will review what the solution exposes, what has been put in place to prevent unintended connectivity (such as firewalls, routing, security groups, etc.), and what is in place that can detect any strange network behavior.

Configuration Management

Due to the complex nature of IT solutions, it is imperative that solutions have an expected baseline configuration and that there is some way to validate that the configuration is in place. An architecture review will determine how you detect when a solution drifts from its baseline, as well as how you learn whether the existing baseline has become affected by some vulnerability. In addition, we will review how you incorporate configuration changes into the baseline and track what changes have occurred, ensuring that the baseline itself is secure.

Resilience and Recovery

What happens when something goes wrong? Do you have a plan to respond and recover quickly? Quite often, solutions have removed most, if not all, single points of failure. Resilience has become commonplace. However, what happens if you can’t rely on resilience alone? We will review what preparation has been put in place to ensure that any data loss or system outage is minimized. From backup processes to disaster recovery plans to testing those plans regularly, an architecture review will help find gaps in your current solution and processes.

Resilience and Recovery plans are vital for organizations to quickly respond to outages, disasters, and certain threats such as ransomware attacks.  Being proactive with backup processes and disaster recovery plans is essential to minimizing the impact of any data loss or system outages that could occur.

Security Auditing and Alerting

Security auditing and alerting are essential for any organization that wants to stay up-to-date and aware of what is happening in its system.  Auditing helps to detect, log, and alert the corporation on any malicious activity or changes so that it can react quickly and efficiently.  This includes not only being able to track certain events but also being able to detect changes in the system and generate alerts on strange behavior.  We will review what type of events you track, how you track them, and how you generate alerts on any abnormalities.

Testing Credits

Shifting left is critical to the continued security in organizations.  Most development is made better by moving security earlier in the process.  But the traditional penetration testing of web applications and APIs doesn't fit well in the earlier stages of the software development lifecycle (SDLC).

 

Secure Ideas has created a process of testing credits to help solve these issues (especially when paired with SASTA).  An organization can purchase credits to use over the next 24 months.  Combined with a self-scoping system, these credits allow an organization to work with Secure Ideas within their development processes.

Scoping

The Security Architecture Review (Security Assessment) service is scoped by conducting an in-depth conversation to determine the areas of greatest concern that should be focused on.  By gaining insight into the client’s goals and expectations for this type of engagement, where they currently stand, and where they want to end up, we are better able to scope the project.  Many times this exercise is needed due to compliance requirements and to determine if an organization’s policies, procedures, and controls are following industry best practices, so determining which control framework is best to compare against is also key in determining the scope and level of effort required.

 

Our Process
