Network Architecture Review

A Network Architecture Review is a detailed analysis of relevant network artifacts (e.g. network diagrams, security and regulatory requirements, technology inventory, exposed applications and APIs, public/private cloud utilization) to ensure that the network elements and overall solution architecture optimally protect critical assets, sensitive data stores and business-critical interconnections.

Key activities include:

• the business goals as they relate to the enterprise public/private/hybrid cloud infrastructure;
• the contractual obligations, laws/regulations, and internal/third-party objectives relating to the data being stored/processed/transited (e.g., PCI/CMMC segregation requirements, CSA STAR, ISO 27001, a “zero trust” model)
• the key applications and services that need to be exposed to employees, contractors, and business partners;
• key controls integral to securing the network, applications and critical data (e.g., firewalls, multi-factor authentication, Network Access Control, Cloud Access Security Brokers, Web Application Firewalls, key management/encryption, vulnerability/asset/configuration management, logging, incident response, data loss prevention (DLP), vendor risk management); and,
• results for previous risk assessments, gap assessment, penetration tests, and/or security incidents.
• Assess the current/planned architecture and security controls against relevant frameworks (e.g., ISO 27002, CIS Critical Security Controls, OWASP ASVS).
• Perform technical testing as required to validate the design, operation and effectiveness of the architecture (e.g.,, segmentation testing, data exfiltration, penetration testing, firewall configuration/rule-base review)
• Formally report results and relevant findings, and generate a gap remediation plan. Where possible, the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
• Analysis against relevant standards, laws/regulations, and prevailing good practice; and,
• Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
• The predominant benefits realized by a Network Architecture Review are:
• Minimizes the risk (and potential of a security incident) by verifying the design and operation of the key architectural and operations controls intended to secure key systems, applications, and data;
• Provides independent/objective assurance to key stakeholders including regulators, clients, and third-party auditors (e.g., ISO 27001, SOC2, SEC); and,
  Ensures compliance with key regulations and contractual obligations.

Network Architecture Review: Best Used

When you are planning or have made significant changes to the network or key applications and require assurance that the necessary security controls are in place to address said changes; and,
When you require assurance that new/increased information technology risks relating to external changes (e.g., deployment of a new application, compliance with a new law/regulation, migration to the cloud (IaaS/SaaS/PaaS) are mitigated to an acceptable level.

Network Security Downloadable Resources

• Our Proven Penetration Testing Methodology
• Penetration Testing Whitepaper
• Firing a Network Administrator