Security architecture is the structured design of systems, policies, technologies, and processes used to protect an organisation’s IT systems, networks, and data from cyber threats.  Easy to say, not quite so easy to do.

When working on a major IT infrastructure deal, the security architect would be brought in, or at least should be brought in, very early on, usually after the first logical design has been done.  What that means is that a logical design is basically a bunch of boxes on paper that represent systems with connection arrows in between, identifying data flows.  OK, I’m being a bit simplistic, but you get the idea.  Once that’s done, the security architect has something to work with to start putting in security layers.  As the design evolves, so does the security architecture.

So now let’s look at the real world.  Most SMEs are way past this phase, with their systems having grown organically as the company grows.  SME management is focused on how well the systems work for them, whether they meet the need, can the staff operate the systems efficiently, are the systems robust, etc.  Security then tends to get bolted on, often using software and/or hardware that the company’s contracted IT provider recommends, which in turn is whatever software and/or hardware that the contractor sells.

Many SMEs set up their systems before COVID, often using what we called the Bastion security model.  That was named after the old castle design, a big wall around it with a moat and a portcullis to protect it, or in modern terms, a protected network, accessed via secure firewalling, with some sort of access control and other protections such as anti-malware.  A good model had network segregation, but I’m afraid my experience is that network segregation was often lacking.  Just to be clear, what segregation means in this instance is a breaking up of functions within the company, i.e., finance, HR, operations, management, etc., each with relevant access controls of some sort.  And of course, all this on premises.

In many cases, COVID drove a coach and horses through that model.  First, it stopped people from going into the office, and owners/managers had to quickly come up with a way of working remotely through some form of remote access.  Many at that point weren’t using cloud-based systems, and in fact, there was still some reluctance to embrace cloud tech because owners didn’t trust storing their data with what they saw as being out of their control.  It took some persuasion and education to bring many of these owners/managers around.  These days, of course, cloud storage and remote access are largely the norm, but there is still the question of exactly how secure existing systems are, having often been put together rapidly and from a position of necessity rather than choice.

A realistic cybersecurity architecture for an SME should balance security, manageability, and cost. Most SMEs are now operating in a cloud-based environment, so the architecture typically centres on identity security, endpoint protection, and cloud controls rather than heavy on-prem infrastructure.  But let’s not forget monitoring and auditing, and, depending upon your business, data encryption.

Identity Layer (Core Security Control)

Identity management is core to a secure system.  It is vital to ensure that only the right people have access to the right systems.  SMEs need to consider some form of identity management, but they might feel this is expensive and unnecessary for them.  Owners and managers need to decide their own risk appetite, i.e., what they see as an acceptable risk and what they see as an unacceptable one.  But it doesn’t have to be expensive.  Many SMEs will be using MS365, for example, and will be able to get a reasonable deal on Microsoft Entra ID, formerly known as Azure AD.  I know many of my colleagues in the security world will argue that Azure had its issues in the past, but it is better now.

It will help you implement controls such as:

  • Mandatory Multi-Factor Authentication
  • Conditional access policies
  • Single Sign-On (SSO)
  • Privileged identity management
  • Automated user provisioning/deprovisioning

Endpoint Security Layer

Endpoints are the primary attack surface. This layer typically includes:

  • Endpoint detection and response (EDR)
  • Device management
  • Encryption

Controls it should cover include:

  • Automated patching
  • Encryption:
    • Full disk encryption comes built into Windows with BitLocker and Mac with FileVault, but it has a drawback: it encrypts your disk at rest, protecting your data on a stolen device, but once the device has booted and a user has logged in the data is accessible, so it isn’t much protection against an intrusion or a mistake made by an employee.
    • File-level encryption works by encrypting files that you have deemed sensitive and in need of protection.  It encrypts the files using an agent-based system and decrypts them when they are shared with or accessed by someone who also has the agent and therefore the permission.  Sounds complicated, but it really isn’t, and it can be shown to you very easily.
  • Application control
  • USB restrictions
  • Remote wipe

Email and Collaboration Security

Email is still the No 1 entry point for attacks, and cloud-based software such as MS365 or even Google Workspace, both affordable for an SME, comes with security features that are highly desirable if not essential:

  • Anti-phishing protection
  • Attachment sandboxing
  • URL scanning
  • DMARC, SPF, DKIM email authentication – these are all DNS records for your domain (your network provider should be able to brief you), which help receiving mail systems confirm that email claiming to come from your domain is genuine and hasn’t been spoofed.
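To make the DNS side of this concrete, here is an added example (not code from the original post) that parses the SPF, DKIM and DMARC TXT records for a domain and reports where the anti-spoofing posture is weak. The domain name, selector names and record values are constructed samples; for your own domain you would fetch the real records with a DNS resolver.

```python
"""
Added example (not from the original post): parse the SPF, DKIM and DMARC
DNS TXT records for a domain and report how strong its anti-spoofing
posture is. The records below are constructed samples for a hypothetical
domain; for a real domain you would fetch them with a DNS resolver.
"""
from dataclasses import dataclass, field

# Constructed sample TXT records, keyed by DNS name (hypothetical domain).
SAMPLE_DNS_TXT = {
    "example-sme.test": [
        "v=spf1 include:spf.protection.outlook.com -all",
    ],
    "_dmarc.example-sme.test": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example-sme.test; pct=100",
    ],
    "selector1._domainkey.example-sme.test": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    ],
}

SPF_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}


@dataclass
class EmailAuthReport:
    spf_policy: str = "missing"      # hardfail / softfail / neutral / pass-all / missing
    dkim_present: bool = False
    dmarc_policy: str = "missing"    # none / quarantine / reject / missing
    findings: list = field(default_factory=list)


def spf_all_qualifier(record):
    """Return the qualifier of the SPF 'all' mechanism: '-', '~', '?' or '+'.
    Returns None when the record has no 'all' mechanism (implicitly neutral)."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return None
    for tok in tokens[1:]:
        if tok.lower().lstrip("+-~?") == "all":
            return tok[0] if tok[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return None


def parse_dmarc(record):
    """Split a DMARC record into a tag dictionary, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_domain(domain, dns_txt, dkim_selectors=("selector1", "selector2")):
    """Assess the three records and collect findings a defender would act on."""
    report = EmailAuthReport()

    # SPF lives at the domain apex; exactly one record is allowed.
    spf_records = [r for r in dns_txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf_records:
        report.findings.append("no SPF record: receivers cannot check sending hosts")
    else:
        if len(spf_records) > 1:
            report.findings.append("multiple SPF records: receivers treat this as a permanent error")
        report.spf_policy = SPF_QUALIFIERS.get(spf_all_qualifier(spf_records[0]), "neutral")
        if report.spf_policy == "pass-all":
            report.findings.append("SPF ends in +all: every sender passes, record gives no protection")
        elif report.spf_policy == "neutral":
            report.findings.append("SPF has no -all/~all: unauthorised senders are not rejected")

    # DKIM publishes one public key per selector under _domainkey; any valid selector counts.
    for selector in dkim_selectors:
        name = f"{selector}._domainkey.{domain}"
        if any(r.lower().startswith("v=dkim1") for r in dns_txt.get(name, [])):
            report.dkim_present = True
            break
    if not report.dkim_present:
        report.findings.append("no DKIM key published for the checked selectors")

    # DMARC tells receivers what to do when SPF/DKIM alignment fails.
    dmarc_records = [r for r in dns_txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc_records:
        report.findings.append("no DMARC record: spoofed mail is neither quarantined nor reported")
    else:
        tags = parse_dmarc(dmarc_records[0])
        report.dmarc_policy = tags.get("p", "none").lower()
        if report.dmarc_policy == "none":
            report.findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if "rua" not in tags:
            report.findings.append("DMARC has no rua address: you will receive no aggregate reports")

    return report


if __name__ == "__main__":
    print(evaluate_domain("example-sme.test", SAMPLE_DNS_TXT))
```

The sample domain comes back clean (SPF hard fail, DKIM key present, DMARC quarantine with reporting). A domain whose SPF ends in +all or whose DMARC policy is p=none gets a finding for each weakness, which is the sort of gap a provider's briefing should surface before anyone trusts the domain's mail.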

Network Security Layer

Even cloud-heavy SMEs still need basic network protection.

Key components:

  • Next-generation firewall
  • VPN or Zero Trust remote access
  • Network segmentation
  • DNS filtering

Good firewall segmentation would include:

  • Company devices
  • Guest WiFi
  • Servers
  • IoT devices

Cloud Security

SMEs often rely heavily on Software as a Service (SaaS) and cloud infrastructure.  Again, this needs some controls, which could include:

  • Secure configuration monitoring
  • Data leakage prevention
  • Access monitoring

Key policies may include:

  • No public file sharing by default
  • Alert on impossible travel logins
  • Monitor privileged activity
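The "impossible travel" alert above is simple enough to implement yourself. The following is an added example, not code from the original post: it takes successful sign-in events with a geolocated latitude and longitude, computes the implied travel speed between consecutive logins for each account, and raises an alert when that speed is beyond anything a real traveller could manage. The users, timestamps and coordinates are constructed samples; in practice the events would come from your identity provider's sign-in log export.

```python
"""
Added example (not from the original post): detect "impossible travel"
sign-ins, i.e. two successful logins for the same account from places so far
apart that no traveller could have covered the distance in the time between
them. The sign-in events are constructed samples; a real deployment would
read them from the cloud identity provider's sign-in log export.
"""
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (hypothetical users; lat/lon as an IP geolocation would give).
SAMPLE_SIGNINS = [
    {"user": "alice", "time": "2024-05-01T08:00:00Z", "lat": 51.5074, "lon": -0.1278, "success": True},   # London
    {"user": "alice", "time": "2024-05-01T09:30:00Z", "lat": 40.7128, "lon": -74.0060, "success": True},  # New York, 90 min later
    {"user": "bob",   "time": "2024-05-01T08:00:00Z", "lat": 51.5074, "lon": -0.1278, "success": True},   # London
    {"user": "bob",   "time": "2024-05-01T11:00:00Z", "lat": 53.4808, "lon": -2.2426, "success": True},   # Manchester, 3 h later
    {"user": "carol", "time": "2024-05-01T08:00:00Z", "lat": 51.5074, "lon": -0.1278, "success": True},   # London
    {"user": "carol", "time": "2024-05-01T08:05:00Z", "lat": 40.7128, "lon": -74.0060, "success": False}, # failed attempt, ignored
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # roughly airliner cruise speed; tune to your risk appetite


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_time(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample log."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one alert per consecutive pair of successful sign-ins whose
    implied travel speed exceeds max_speed_kmh."""
    by_user = {}
    for ev in events:
        if ev["success"]:                    # failed attempts carry no proof of location
            by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            # Same-second logins from different places are still impossible travel.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": (prev["lat"], prev["lon"]),
                    "to": (cur["lat"], cur["lon"]),
                    "distance_km": round(km, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1) if math.isfinite(speed) else speed,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_SIGNINS):
        print(f"ALERT {alert['user']}: {alert['distance_km']} km in {alert['hours']} h "
              f"({alert['speed_kmh']} km/h)")
```

On the sample data only alice is flagged (London to New York in 90 minutes); bob's London to Manchester trip over three hours is ordinary, and carol's second event is a failed attempt, which proves nothing about where she is. In a real deployment the geolocation of corporate VPN exits and cloud proxies will produce benign hits, so keep an allow-list of known egress locations alongside the speed threshold.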

Data Protection Layer

Protect sensitive data even if systems are compromised.  Controls might include:

  • Data classification
  • Data leakage prevention
  • Full disk and file-level encryption

Policies might include:

  • Prevent the sharing of sensitive records externally
  • Block download of sensitive files on unmanaged devices
  • Monitoring where your data is and how it transits the network, alerting to movements of data outside of the norm.

Backup and Recovery

This is critical for recovering from ransomware and other data compromises, as well as technical faults.

Best practice:

  • Immutable backups
  • Offline copies
  • Regular restore testing

Don’t forget cloud backups; that’s something that is often forgotten.  Check your Ts&Cs with your provider, don’t just assume they are backing up as you would require.

Security Monitoring

You need visibility into attacks, and security monitoring is something that many SMEs simply don’t consider, possibly because in the past, it was considered very expensive and over the top.  That is no longer the case.  There are systems now available specifically for SMEs.

Typical SME approach:

  • Centralised log collection
  • Security alerts
  • Managed detection and response

Many SMEs outsource this to an MDR provider like H2.  I know you would expect me to say this, but it really is recommended.

Security Awareness and Policies

Technology alone cannot protect the organisation.  Cyber awareness training is a subject that I bang on about all the time.  It really should be a no-brainer and is arguably the cheapest quick win an SME can make.

What you need as a minimum is:

  • Security training platform
  • Phishing simulation
  • Acceptable use policy
  • Incident reporting channel

Strangely enough, we provide all of these within our managed service.

Incident Response and Business Continuity

I have blogged about this in the past.  You need to be prepared for security incidents.  This means not just having a plan to bring your systems back online and to restore your data from backups, but also having a business continuity plan to enable you to continue your business whilst the technical work is being undertaken. Test these systems and plans and make sure they work.

Key elements include:

  • Incident response playbooks
  • Legal and breach notification procedures
  • Disaster recovery and business continuity plans
  • Security metrics dashboard

Standards

Consider adhering to a standard such as Cyber Essentials, the Government standard, which has been taken into use by many SMEs.

Summary

Security architecture is the structured design of policies, technologies, and controls used to protect an organisation’s systems, networks, and data from threats.

It acts as a blueprint for implementing security to ensure Confidentiality, Integrity, and Availability (the CIA Triad) of information.  It really is something SMEs should consider and need to take advice about.  Do not rely on your network provider; they will focus on the core services they provide and the products they have deals to supply.
