Pattern based security is a pre-requisite to modernized architectures

How often do we just talk about modern principles like infrastructure as code, microservices for our applications, service orientation with an enterprise bus, and so on and so forth? And yet how often do we underestimate the work needed to make these production ready?

In the good old days we had a very simple client-server-database architecture: very centralized and very simplistic. The simplicity was the key: keep these running in a confined network space, control access with simple firewalls and, for the more enthusiastic, add a login password check for basic authentication.

These worked brilliantly in the 1990s, as connections were small and distribution was not a requirement but a wish. I was also involved in building a few such applications. The challenges in those days were about balancing cost to meet the timelines, rather than the complexity we have today. Architecture was not so much in the limelight in the old days, as more often than not the architecture work would just be drawing a few flows in a client-server-database set.

Times have changed very fast: distribution is a requirement and delimiting access is not considered a smart thing to do. Today client-server-database is considered an anti-pattern to modernization. Speaking about client-server-database sounds so much like the 1990s ;-)

I am a true believer that the latest is not always the best, yet so often we all get carried away with technology. However, today's architectures need to be built on high-level principles of scalability, with the core requirements of protecting data and allowing access from inside and outside in a controlled fashion. The needs of scalable architecture are moving to a pluggable-interface way of working where ubiquity is the norm. Without going into much detail on modern architecture, I want to mention that I have seen client-server, microservices and service-oriented architecture all work together brilliantly well in a pluggable way in hybrid cloud models. But to do this, the architecture's roots have to be very strong, and security is one of the biggest pillars in grounding it well.

A foundation of a scalable modernized architecture is the move to pattern-based security. It is also a foundation for companies looking at a hybrid cloud model, as network partitions will blur over time and applications are more accessible, and hence more vulnerable, than in the 1990s.

Pattern-based security rests on compartmentalization with security zones. The compartmentalization is logical and is achieved with security dimensions. As a simple example, let's assume a very simple service-oriented architecture with three layers: a consumer, an API gateway and a provider. The layer is already a security dimension. Then comes the famous CIA (Confidentiality, Integrity and Availability) rating, which is another security dimension. A further security dimension is the consumer type, based on whether consumers are internal or external. Depending on your organization, more security dimensions can be added.

Continuing with the security dimensions created in the paragraph above (layer, CIA rating and consumer type), we can now do a table exercise to map these to security zones. I used t-shirt sizing to name the security zones, but colors and names are the normal convention.

| Layer | CIA | Consumer type | Computed security zone |
|---|---|---|---|
| Consumer | 111 | Internal | Extra Small |
| API gateway | 111 | Internal | Medium |
| Provider | 111 | Internal | Large |

This table can be extended into an elaborate enterprise security model. What is important is that it makes clear how many security zones need to be put in place. As a rule of thumb, there should not be more than 10 security zones.

To build the story further, every security zone must be mapped to security controls. The security controls must be based on the risk-based policy of the organization (e.g. an application holding confidential data may need a firewall, encryption, authentication and an access control list, while another application without data may need only a firewall). Continuing from the fictitious example above, we could translate this into the following mapping of security zones to security controls:

  1. Extra small security zone - Firewall
  2. Medium security zone - Firewall + Encrypt
  3. Large security zone - Firewall + Encrypt + Authentication + Access Control List

The aforementioned security zones and their security controls are only examples; a real model for any medium to large enterprise would have more (at rare times it could be more than 10; if this is the case, the architecture may be very complex for other reasons not related to security).

Each security control must then be governed by security policies and by rich sets of standards, guidelines and acceptance criteria, probably also dashboarded to show the weak points of the application landscape.
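The zone table and control mapping above can be expressed as data and checked against an application inventory, which is the kind of weak-point view the dashboard idea calls for. This is an added example, not the author's code; the component names, the `UNZONED` marker and the fail-closed handling of unlisted dimension combinations are assumptions.

```python
from typing import NamedTuple

# Zone table and control sets copied from the article's fictitious example.
ZONE_TABLE = {
    ("consumer", "111", "internal"): "extra small",
    ("api gateway", "111", "internal"): "medium",
    ("provider", "111", "internal"): "large",
}
ZONE_CONTROLS = {
    "extra small": {"firewall"},
    "medium": {"firewall", "encrypt"},
    "large": {"firewall", "encrypt", "authentication", "access control list"},
}
MAX_ZONES = 10  # the article's rule of thumb

class Component(NamedTuple):
    name: str
    layer: str
    cia: str
    consumer_type: str
    deployed: set  # controls actually in place

def validate_model(table, controls):
    """Reject a model with too many zones or a zone lacking a control set."""
    zones = set(table.values())
    if len(zones) > MAX_ZONES:
        raise ValueError(f"{len(zones)} zones exceed the limit of {MAX_ZONES}")
    if zones - set(controls):
        raise ValueError(f"zones without controls: {sorted(zones - set(controls))}")

def audit(components):
    """Map each component to (zone, missing controls); unknown combinations fail closed."""
    validate_model(ZONE_TABLE, ZONE_CONTROLS)
    findings = {}
    for c in components:
        zone = ZONE_TABLE.get((c.layer.lower(), c.cia, c.consumer_type.lower()))
        if zone is None:  # assumption: no row for these dimensions means flag, never default
            findings[c.name] = ("UNZONED", ["classify before exposing"])
        elif ZONE_CONTROLS[zone] - c.deployed:
            findings[c.name] = (zone, sorted(ZONE_CONTROLS[zone] - c.deployed))
    return findings

# Constructed sample inventory; component names are hypothetical.
INVENTORY = [
    Component("hr-portal", "Consumer", "111", "Internal", {"firewall"}),
    Component("edge-gw", "API gateway", "111", "Internal", {"firewall"}),
    Component("payroll-svc", "Provider", "111", "Internal", {"firewall", "encrypt", "authentication"}),
    Component("partner-app", "Consumer", "111", "External", {"firewall"}),
]
```

Calling `audit(INVENTORY)` returns only the components with gaps; the external consumer is reported as unzoned because the example table has no row for it.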

Such a model is a holistic approach to pattern-based security and scales richly. It supports decision-making towards a hybrid cloud strategy, enabling decisions like "what to offload into public cloud" and "what to retain in private data centers".

Pattern-based security is a pre-requisite of any scalable modernized architecture, keeping the complexity under control while still having complete mediation. In addition, such a strong foundation enables higher management to make strategic decisions on the future of data centers and, more importantly, to estimate costs better.

I can talk a lot more about this subject as it is close to my heart, but for now I want to leave you with this. Hope you enjoyed this read!






More articles by Dhiraj Bahroos
