Overview
AUTHORS
- Nicolas CHARBONNIER: Information systems security architect - Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris.
- Frédéric BABIN: Information systems security architect - Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris.
- Olivier MÉMIN: Information systems security architect - Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris.
- Hervé CHOUPOT: Information systems security architect - Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris.
- Michael DECHANDON: Information systems security architect - Agence nationale de la sécurité des systèmes d'information (ANSSI), Paris.
INTRODUCTION
Everyone thinks of an architect as the designer of a building or a work of art. By analogy, the architect of an information system (IS) must take into account all environmental constraints to build a functional and resilient IS, with reasonable investment and maintenance costs. The architect's role is to judiciously assemble the building blocks that will ultimately deliver digital services to users. To carry out this mission, the architect defines technical and organizational requirements and recommendations.
Against a backdrop of growing, protean threats, IT architects must also integrate security requirements, so that the architecture they design is that of a secure information system. One of their objectives is to design architectures that not only prevent intrusions, but also detect them should the protections implemented fail, be compromised or prove ineffective against a given type of attack. These protections must cover both interconnections and internal exchanges. Securing an IS does not consist in installing an all-in-one box, but in identifying risks with the business and defining a strategy for dealing with them. This requires specific skills in information systems security (ISS).
While historical security models made it possible to secure the first IS within a controlled perimeter, in a digital environment where threats were rare and opportunistic, the IS ecosystem has evolved considerably as digital technology has shaped the way we work. New terms such as "Zero Trust Network" and "X as a Service" regularly appear in technology news, and it is not easy to tell a profound, truly structural change from a purely marketing approach. This article aims to provide a few keys to understanding the situation. Among other things, automation and detection, which have become structuring topics, are discussed in greater detail.
With the exception of start-ups, which may choose to deploy an IS entirely in the cloud, it is now common to find an IS composed of a historical part hosted in situ (at least within a known and controlled perimeter) and a more recent part, outsourced in the cloud. These are referred to here as hybrid IS.
The aim of this article is to explain how to approach a hybrid IS architecture from a security point of view, i.e. one in which the security concepts inherited from historical models are adapted to contemporary technological capabilities and realities.
Hybrid information systems and security: a return to reality