Optimizing your Cyber Security - How vital is IT Architecture?

Optimizing your Cyber Security - How vital is IT Architecture?

In today’s highly connected world, it is rare for a single platform, system, or device to do everything. However, in this modern landscape, we live in a thriving ecosystem of “best-in-class” applications expected to share data and be accessible anywhere, any time, and on any device. The ubiquitous demands on today’s enterprise systems and the need to “have it now” have pushed security and architecture to their breaking points. Architecture is often overlooked as a critical component of the overall security position, targeted to achieve seemingly impossible timelines. Or it falls prey to compromise on time or costs.

In the early days of IT development, it was necessary to use existing piping to deliver information between systems. EDI-style drop files were prevalent over “Omnibus” communication pathways like an FTP server or network file location. While these pathways were easy and quick to set up, they created pathways not only for your data but also, for bad actors to use to spread malicious code.

A slight improvement came from SQL-to-SQL connections allowing databases to connect and share information directly. Unfortunately, this kind of “Omnibus” connection was also easy for bad actors to abuse and manifest malicious pathways into your data and systems.

Dawn of RESTful APIs

About 22 years ago, a scientist named Roy Fielding invented RESTful APIs, and since that spark of intuition, we have not looked back. You can think of an API as a mediator between the users or clients and the resources or web services they want to get. It is also a way for an organization to share resources and information while maintaining security, control, and authentication—determining who gets access to what. Now, it has taken some time to understand the impact of this standard in the technology space. Anything close to the “cloud” was still essentially something that lived in “futurists” imaginations. But, in today’s world, this technology has become necessary.

Like any technology, you can design it insecurely, so care is needed to develop REST APIs based on security principles. This is where architecture plays a significant role. Architecture establishes best practices and provides a forum for society to learn and evolve better standards as bad actors evolve counter measures and ever increasingly imaginative ways to breach your well thought out architecture. Today, “Purpose Built” architecture is a pillar of security that has stood the test of time.

By developing integration pathways between systems that are specific and purposeful, you are ensuring that they cannot be used for malicious intent.

Omnibus connections need to be avoided at all costs. If you intend to share customer information, then that is all that should be possible through that integration. A pathway that can share the customer number through a file-drop allows you to “share files.”  A file could be executable and used to attack other systems. But a REST API allows you to share a deliberate connection that can only share an 8-digit customer number, if that is all that is required. The only malicious misuse of this pathway would be to share meaningless streams of 8-digit numbers. Thus, making it impossible to use to attack other systems. 

Principle of Least Privilege

Sharing the minimal amount of data and highly restricting the interface or integration to its specific operating parameters creates a near-impenetrable barrier for abuse. Ensuring that the API is only accessible via HTTPS (Secure Encrypted Connection) and has enforceable governance on use completes the security triangle (see diagram below on Principle of Least Privilege, which states that a subject should be given only those privileges needed for it to complete its task. Further, the function of the subject (as opposed to its identity) should control the assignment of rights.*). 

If there is no need to execute an API endpoint more than once a day, restrict its use to once a day. This prevents DDOS attacks or similar actions that consume resources wastefully. Do not try to “Plan Ahead” and provide more data than is needed. Be specific about your integrations and only transmit what is needed. This ensures that the data transmitted has business value and redundant data cannot be exploited if unintentional exposure occurs. Take steps to safeguard the integration and restrict access to its intended use through IP Security, Whitelisting, Encrypted Certificates, Authorization Tokens, or similar access control.

Purpose-built integration points and Architecture by Design principles require every connection and data point to have business value and purpose. Assembling a best-in-class enterprise solution following these simple guidelines defines the level of risk you are at and gives you a solid foundation to protect using industry proven measures. 

The architecture experience in AMCS 

A critical first step by AMCS to deploy the AMCS Platform for our customers is designing the Global Architecture AS-IS and TO-BE diagrams. These diagrams precisely outline the customer’s journey from their current architecture to their final architecture with the AMCS SaaS Cloud Platform. As with any enterprise-solution, integrations are a necessity for success and positive business outcomes. Common integration pathways from the AMCS Platform include interfaces to accounting and general ledger systems. Most customers expect a default template, out-of-the-box connector capable of talking to their accounting system. While in principle this is available, each implementation goes through a distinct architectural review allowing us to configure our connector to meet the requirements of the security triangle. We ensure that only necessary information is included in the integration, it is restricted to authorized systems and personnel, and is executable only as much as is needed. Each integration point undergoes this same architecture review to ensure that the global architecture for our customers is purposefully built and limits potential risks.

In summary, the benefits of optimizing your cyber security through improved architectural design are wide-reaching: reducing your security risk profile – the spread of malware and cyber attack; driving better compliance and behavior across the organization, supporting greater user productivity and better data security and audit classification.

To learn more about AMCS and our approach to Cloud Architecture and Security please read these relevant blogs:

• AMCS Security Infographic by Brian Hayden, AMCS VP Information Systems
• IT Security Checklist for Waste and Recycling Companies by Carlos Silva, AMCS IT Principal Security Engineer
• Is Cloud Secure? by Brian Hayden, AMCS VP Information Systems
• API Accelerator Program – How AMCS Platform is enabling an Interconnected Ecosystem by Evan Schwartz, AMCS Chief Enterprise Architect
• Security threats are growing by Brian Hayden, AMCS VP Information Systems

*Reference link