Architecture Validation

A secure architecture is the most efficient security measure

Why is architecture required?

We have repeatedly seen companies whose security architecture was incomplete despite high costs:

  • They have regular penetration tests carried out.
  • They monitor their IT with elaborate SIEM solutions.

However, actual protective measures are often lacking:

  • A stable process to address identified risks
  • Robust user management
  • Hardening of software and infrastructure
  • Training employees on how to handle a security incident
  • Build pipelines that perform automated software audits

All these protective measures are only effective if they form an overlapping, gap-free protective wall. Far too many companies resemble a castle where one side is protected only by a simple picket fence.

To provide exactly this seamless protection, you need a comprehensive architecture that ensures the weakest link in the chain of protective measures is still secure enough to protect the entire system adequately.


Why is architecture efficient?

Above all, an experienced architect can balance the overall architecture, ensuring that:

  1. All risks are known
  2. Investments in countermeasures are proportionate to the respective risks

The most efficient solution is to ensure a consistent height for all walls - just out of reach for an attacker. However, in reality, we often see inconsistent approaches that waste significant resources, while other areas receive insufficient investment.


What is the architect's approach?

  1. Security Analysis
    Individual and industry-specific risks are listed and assessed.

  2. Develop Countermeasures
    If your website isn't a unicorn, the architect can already name a whole catalog of proven countermeasures.

  3. Balance Risks and Resources
    It is easy to invest unlimited amounts of money in security, but a good architect knows how to achieve optimal security with limited resources.

  4. Establish Measurability
    If you can't assess your own security, you can never be sure whether your security investments were implemented effectively.

  5. Learn From Mistakes
    A good architect greatly accelerates a company's learning curve by helping to identify and optimize weak implementations of security measures - which is ultimately the core of ISO 27000.


What are typical measures taken by an architect?

Architecture is always a highly individual service, but the following examples give you an idea of the scope in which an architect's solutions may operate.

E-Commerce Company

  • Canceled an expensive cyber insurance policy because the coverage did not match the actual potential damages, and no suitable option was offered by the insurer.
  • Switched the external firewall from an inexpensive but unfortunately incompetent provider to the market leader.
  • Completely abolished an oversized SIEM solution and invested the freed-up budget in employee training to better protect the application itself.
  • Supplemented Microsoft Active Directory with Keycloak to efficiently and securely meet actual customer requirements.

Bank

  • Replaced 700 pages of security requirements with 20 rules that the development department could actually implement.
  • Replaced 1300 pages of compliance guidelines with concise summaries tailored to each department's needs.
  • Initiated regular training for all involved departments, conducted by an internal team of instructors.
  • Established an annual hackathon in which employees attempt to break their own security measures.

Insurance Company

  • Clarified unclear responsibilities and eliminated duplicate measures.
  • Consolidated multiple firewalls into a single layer that could be properly maintained with the available resources.
  • Established risk and incident management processes to evaluate individual security measures.
  • Implemented the basics of ISO 27000, particularly creating a central body to evaluate security measures.
  • Enhanced the build pipeline with security audits and conducted corresponding employee training; replaced external code reviews with internal reviews.
  • Extended the security concept to include the mainframe (z/OS).

What is the first step toward a secure architecture?

Ask us! In an initial - free - consultation we clarify the most important points that should be addressed and then provide you with an individual offer if needed.

With this low-threshold offer, we want to make it easier for you to get started, because architecture is often (wrongly) considered the most expensive measure. In our experience, however, it is the most efficient!
