Security concept & security architecture

Symbolic image for IT security plan: digital lock on printed circuit board background

Innovating. Secure. Ready to succeed.

A security concept is more than just a collection of individual measures: it is your road map that sets out how IT security in your organisation will function from that point onwards – from a technical, organisational and operational perspective. In small and medium-sized enterprises in Germany in particular, a security concept needs to be one thing above all – suitable for everyday use. It must be capable of being implemented at a reasonable cost, responsibilities must be clearly laid down and it must not slow down ongoing operations.

Whether on-prem, hybrid or cloud: we work with you to develop a security concept that includes security architecture that reflects your actual environment and provides structured support for the transformation towards cloud-first/cloud-only. The result is a vision that translates security objectives into specific protective measures (controls) and serves as a foundation for implementation and operation.

Digitalising small & medium-sized enterprises.

Mature on-prem structures, hybrid transitions, new cloud services and SaaS applications are often being used in parallel: your initial situation will determine what measures actually make sense. That is why the security concepts we develop are not abstract, but take account of your processes, your critical systems and your cloud objectives. We can then create a security framework that will continue to be feasible on an everyday basis – and act as a guide when serious incidents occur.

Chart with 6 IT security-relevant categories: Basic protection, threat detection & more

Innovating. Transforming. Succeeding.

To make sure nothing essential is missed, we structure the security concept to include six key areas. That structure is deliberately flexible: Depending on the services and platforms in use (e.g. Microsoft 365, Azure, SaaS or on-prem systems), we can systematically expand the actions, so that the concept can grow in line with your IT landscape, without needing to be redrafted each time.

Basic protection

In your security concept, we will lay down the baselines for your IT – for systems, platforms and configurations in on-prem, hybrid and cloud. This includes items such as update and patch rules, basic protection (hardening), secure standard settings and handling outdated components. This creates a foundation on which all additional measures can be effectively developed.

User account protection & access management

User accounts and access rights are two of the most important levers for your IT security – especially in cloud-first/cloud-only scenarios. We develop role concepts and authorisation concepts, log-on and access rules (such as multi-factor authentication) and a clear procedure for admin rights: As little as possible, but as much as necessary. When unitop is introduced, role concepts and authorisation concepts for specialist departments and administration are automatically included as required.

Warding off threats

In this area of security, we define the protective measures to prevent or mitigate attacks, in line with your environment. This includes items such as email protection, end-device protection and secure configurations. We then add clear standards and guidelines. This ensures that the measures consistently work together, instead of being effective in individual cases only.

Threat detection

An effective concept will not only define protection, but will also include visibility. We specify which events will be logged, how alerts and responsibilities operate and how anomalies can be evaluated centrally. That way, you will be able to identify attacks more quickly and respond in a targeted way, before more serious damage can occur.

Communication & organisation

Security needs to work well in everyday life. That is why we define roles, responsibilities, approvals and communication pathways – including awareness measures and emergency and escalation procedures. This also includes actively addressing the issue of “humans as the weak link”, by providing clear rules, training and procedures that will serve as a guide when an incident occurs.

Data & system restoration

Fully protecting against attacks simply isn’t possible. What’s all the more important is to have a concept that considers the worst-case scenario: if you are locked out of your data and systems by ransomware, you need to have backups available that are capable of being restored. In the security concept, we define parameters for a resilient recovery: protecting and separating backups, clear recovery objectives, restore tests that make sense and a procedure to provide rapid guidance during an incident. The aim is to create an architecture that not only contains safeguards, but provides a realistic guarantee that business-critical systems and processes will be recovered.

Graphical representation of a comprehensive zero-trust IT security concept

Trust is good, but verification is better.

In cloud-first and hybrid scenarios in particular, IT security often stands or falls on one point: how consistently access guidelines are enforced and what that decision is actually based upon. Zero trust means: trust is not implicit and access is only granted in accordance with clearly defined rules and continual verification.

In our security concept, we define the parameters for enforcing access guidelines in real time, including in relation to the following components:

robust authentication and evaluation of user-related risks and risks when logging on

device registration and risk assessment as the basis for trustworthy access

access control and adaptive access – depending on context and risk

data, cloud apps, on-prem apps and network

protecting sensitive information using clear rules and technical measures

visibility as the basis of detection and defence

defined responses and procedures as a means of acting more rapidly and consistently

These result in an architecture that combines security and user experience, without making operations too complicated.

How we work

We translate your vision into clear steps – from quick wins and stabilisation to achieving your vision of cloud-first/cloud-only. That way, you are still able to act, without overburdening your organisation:

Quick wins

Measures that are highly effective at a manageable cost

Stabilisation

Standards, baselines, processes & responsibilities

Cloud transformation

Parameters for migration/modernisation – security by design

Vision

Cloud-first/cloud-only architecture, including a robust operating concept

So that you can make well-founded decisions and plan implementation in a targeted way, you will receive the following documents and outcomes:

A security concept based on the 6 areas of security
Security architecture (vision): how your target environment needs to be constructed (together with priorities and dependencies)
Role concept & authorisation concept: Who is allowed to do what (including access pathways and admin rules)
Road map: Quick wins that help you achieve your vision
Operating components: Documentation, responsibilities, and emergency and communication procedures
Optional: Preparation for implementation in the form of packages of measures (technical and organisational)

Making technologies usable

When introducing and operating unitop – based on Microsoft Dynamics 365 Business Central – we take a holistic view of the security requirements right from the start. On the Microsoft platform, tried-and-tested security mechanisms can be used in conjunction with Microsoft 365 and Azure in a targeted way, to set up your unitop environment stably and securely. These include the following components: